The U.S. government is shifting its cybersecurity burden to state and local governments — but the resources, talent and strategy to support this shift simply aren’t there.

In just the first months of 2025, the new administration has triggered a wave of changes reshaping America’s cyber defense posture.

• The Cybersecurity and Infrastructure Security Agency (CISA), long the nation’s frontline defense for critical infrastructure attacks, faces staffing reductions and budgetary pressures that could limit its capacity to assist state and local governments. Insiders expect that as many as 900 more dismissals may take place soon along with budget cuts of 50 to 90 percent, slashing the agency’s capacity to assist state and local governments.
• General Timothy Haugh, head of both the NSA and U.S. Cyber Command, was dismissed, alongside his civilian deputy. The move has raised alarm among lawmakers and national security experts, who warn that the sudden leadership change creates a dangerous vacuum at the highest levels of U.S. cyber operations.
• Reduced investment in federal intelligence-sharing programs, including the Multi-State Information Sharing and Analysis Center (MS-ISAC), has created dangerous blind spots across state and local networks. Without timely updates from federal agencies like CISA, NSA and the FBI, local defenders are left in the dark as threats evolve — slowing detection, response and mitigation efforts when every second counts.

The administration has indicated this is all part of a deliberate policy shift: an effort to transfer primary responsibility for cybersecurity to state and local governments.

The idea, according to administration officials, is to “empower” local entities to defend their own digital infrastructure. However, state and local governments simply don’t have the resources, talent or tools to fend off the barrage of ransomware crews, foreign intelligence units and nation-state-sponsored hackers probing America’s digital backbone every day.

Decentralizing our cyber defenses at a time of escalating threats doesn’t strengthen the nation — it fractures it. And unless this strategy changes, we risk turning every city, county and small-town utility into a battleground we are dangerously unprepared to defend.

The Case Against Shifting Cybersecurity to State and Local Governments

At a time when cyberattacks are growing more frequent and sophisticated, this policy shift is not only premature, but dangerously shortsighted. Here are just a few reasons:

1. Chronic Underfunding

Many state and local governments struggle to fund even basic cybersecurity protections. Nearly 40% of state Chief Information Security Officers (CISOs) say their cybersecurity budgets are insufficient to safeguard critical assets and citizen data. Without sustained federal investment, these gaps will only widen.

The reality is sophisticated adversaries — from ransomware syndicates to nation-state operators — exploit the weakest links. Underfunded municipal networks, county hospitals and local utilities are prime targets.

2. Critical Talent Shortages

The cybersecurity workforce shortage is a national issue, but it’s even more acute at the state and local levels. Over 20% of government IT security teams report being understaffed, leaving major gaps in their ability to monitor, detect and respond to threats.

Without competitive salaries and specialized training, local governments simply can’t attract or retain the talent needed to defend against advanced cyber threats.

3. Limited Access to Intelligence

The administration’s concurrent decision to reduce federal intelligence sharing only compounds the problem. State and local entities rely heavily on timely threat intelligence from agencies like CISA, the NSA and the FBI to understand fast-evolving risks. Cuts to these intelligence-sharing programs weaken their visibility into active threats and slow down response times.

When attackers move at machine speed, delays of even minutes can mean the difference between containment and catastrophe.

4. Inconsistent Capabilities Across States

Cyber readiness isn’t evenly distributed across the country. Some states have well-resourced cyber units and public-private partnerships, while others — particularly rural and lower-income regions — lack even basic protections. Fragmenting cybersecurity responsibility across thousands of jurisdictions guarantees an uneven, vulnerable national posture.

As cybercriminals and nation-state adversaries well know, an attack on one weak node can cascade across interconnected networks.

5. Sophistication of Threat Actors

The biggest risk of all: the assumption that decentralized entities can handle attacks from professional adversaries like China, Russia and Iran.

These are not low-level criminals. These are well-funded, highly organized teams capable of stealthy intrusions, supply chain compromises and pre-positioning malware inside critical infrastructure. Placing the burden of defense on state and local governments — without the resources of federal intelligence and military support — is a gamble the nation cannot afford.

Bottom line: State and local governments are essential partners in cybersecurity. But they were never designed to be the front line. Stripping away federal leadership and leaving municipalities to fight advanced adversaries alone is not empowerment — it’s abandonment.

Federal Cybersecurity in Flux: What’s Changed in 2025

The United States has long relied on a network of federal agencies to coordinate national cybersecurity efforts. Each brings unique capabilities — from military defense to criminal investigations, standards-setting and emergency response.

But in 2025, that ecosystem is showing cracks.

The table below captures the most significant changes so far this year. Together, they illustrate how the federal cyber defense framework is being hollowed out, just as responsibility is shifting to less-prepared state and local agencies.

---

Agency	Pre-2025 Role	2025 Changes	Impact
CISA	Frontline defense for critical infrastructure; threat sharing; incident response coordination	130 fired; insider reports more firings and budget cuts to come (source)	Weakened ability to support state/local entities and respond rapidly to incidents
NSA / USCYBERCOM	National defense and foreign intelligence; military cyber operations	General Timothy Haugh and deputy dismissed (source)	Leadership vacuum at the top of U.S. cyber military operations; heightened concerns over national cyber readiness and continuity of operations
FBI Cyber Division	Lead on cybercrime investigations and nation-state espionage cases	No structural changes reported, but potential intelligence-sharing challenges due to broader federal ecosystem strain	Maintains investigative role, but faces challenges from reduced coordination with federal partners
ONCD (Office of the National Cyber Director)	Cyber strategy and interagency coordination	Under review for potential restructuring; role uncertain	Strategic leadership unclear; risks fragmentation in national cyber policy
NIST	Cybersecurity frameworks and standards; public-private guidance	No major changes reported	Continues to provide guidance, but relies on federal agencies for enforcement and implementation
DOGE (Department of Government Efficiency)	Administrative oversight, not traditionally cyber-facing	Expanded access to sensitive federal systems (source)	Raises concerns over data security and oversight as DOGE takes on unexpected cyber responsibilities

What Needs to Happen Next

The federal government’s pivot toward decentralizing cybersecurity leaves the U.S. at a dangerous crossroads. The best-case scenario is clear: federal leadership should remain central to our national defense strategy. But if the current trajectory continues, and responsibility shifts further to the state and local level, we need immediate, focused action to prepare for the risks ahead.

Option 1: The Federal Government Steps Up

The first and most effective path forward is maintaining a strong, centralized federal role in cybersecurity.

• Restore federal capacity: Reinvest in agencies like CISA, NSA and Cyber Command to ensure they have the resources and leadership needed to lead national defense efforts.
• Reinforce intelligence sharing: Federal intelligence should flow consistently to both private-sector partners and state/local authorities to close visibility gaps.
• Preserve policy leadership: Keep the Office of the National Cyber Director (ONCD) empowered to drive cohesive, whole-of-government cybersecurity strategy.

Centralized coordination is not bureaucracy for bureaucracy’s sake — it’s the backbone of our collective cyber resilience.

Option 2: Preparing States and Localities (If the Shift Proceeds)

If the administration continues down the path of decentralization, state and local governments will need immediate and unprecedented support.

• Massive funding increases: States cannot protect critical infrastructure on shoestring budgets. Federal grants and sustained investments must flow quickly and consistently.
• Accelerated workforce development: Local governments need dedicated cybersecurity training programs and competitive salaries to attract skilled professionals.
• Robust public-private partnerships: State and local leaders must build strong alliances with private industry to access advanced tools, threat intelligence and incident response capabilities.
• Mandatory incident reporting and drills: States should adopt standardized protocols for reporting cyber incidents and regularly conduct joint response exercises with federal counterparts.

Anything less is a gamble with national security.

Cybersecurity Demands Unity, Not Fragmentation

The digital battlefield does not respect jurisdictional boundaries. Whether it’s ransomware gangs shutting down hospitals or foreign intelligence services probing our power grids, cyber adversaries move fluidly across state lines — and they are counting on fragmentation.

State and local governments are crucial partners in our national defense, but they were never intended to stand alone. If we are serious about defending the nation’s digital frontlines, we need federal leadership that is not only present but decisive.

Otherwise, we’re leaving our communities to fight a war they cannot win on their own.