State and local governments are under digital siege.

During a recent House and Homeland Security Committee hearing, state IT leaders described near-miss ransomware attacks on airports and emergency services — incidents that were only thwarted because of federal grants that provided critical cybersecurity tools and training. Programs like the State and Local Cybersecurity Grant Program (SLCGP) have quietly protected vital infrastructure across the country, helping small towns and major cities alike guard against relentless cyber threats.

Yet even as these successes are being shared on Capitol Hill, the very lifeline that made them possible is at risk of disappearing. The SLCGP is set to expire in September 2025, and without reauthorization, thousands of local governments will be left to defend themselves against nation-state hackers and sophisticated criminal gangs, often with little more than outdated equipment and overworked staff.

This erosion of federal support isn’t limited to cybersecurity grants. While CISA’s overall budget is proposed to increase slightly, critical funding for state and local initiatives remains uncertain, and FEMA’s grant programs face proposed cuts. Together, these changes paint a broader picture of Washington retreating from its role in national preparedness just as threats intensify.

Recent federal actions have encouraged greater reliance on state and local governments for disaster response, including cybersecurity — even as even as potential funding reductions for intelligence-sharing programs like the Multi-State Information Sharing and Analysis Center (MS-ISAC) raise concerns about depriving communities of the early warnings they depend on. Meanwhile, the legislative backbone of the nation’s cyber defense is also under threat: both the SLCGP and key provisions of the CISA Authorization Act are set to expire this year.

Together, these developments signal a dangerous trend — Washington is pulling back from the front lines of cybersecurity at precisely the moment when attackers are surging forward.

This is not a partisan issue. Cybersecurity is a whole-of-nation problem. If Washington intends to shift the burden to states and localities, then giving them the funding and resources they need to succeed is not optional — it’s an urgent national imperative. Congress must extend the SLCGP, and provide federal leadership in cybersecurity to ensure that every community — regardless of size or resources — has the tools to defend itself against growing digital threats.

On the Front Lines: Local Governments Under Fire

Local governments have always been targets for cybercriminals, but today’s attacks are more frequent, more severe, and more sophisticated. Schools, hospitals, police departments, utilities — all are increasingly in the crosshairs of ransomware gangs and hostile foreign powers.

The hearing made clear just how high the stakes are. State officials from Utah testified that SLCGP funds helped block seven serious cyber incidents in just six months. In Connecticut, a statewide assessment revealed that 41% of local governments were deemed “high risk,” lacking even basic cyber protections. And in Louisville, Kentucky, SLCGP grant funding  enabled the city to build a real-time threat intelligence platform, allowing public and private organizations to share warnings before attacks spread.

When local governments have the resources, they can defend themselves. But most operate on razor-thin budgets, with small IT teams stretched across daily operations and emergency response. Many lack dedicated cybersecurity staff altogether. Without federal grants like SLCGP, they cannot afford the monitoring, response, or training necessary to keep their systems secure.

Meanwhile, cyber threats targeting schools, hospitals, police departments and utilities continue to escalate. Attackers target local governments not because they hold national secrets, but because they’re easy points of entry into larger networks. The fallout doesn’t stop at city lines — disruptions to local services ripple across regional economies and critical supply chains.

What Washington Must Do Next

If Washington expects state and local governments to carry more responsibility for cybersecurity, it cannot leave them to fight alone.

First and foremost, Congress must reauthorize the SLCGP and the CISA Authorization Act. These programs have proven their value, helping communities strengthen their defenses and respond to real-world attacks. Letting them lapse would be a serious failure of national security.

Beyond reauthorization, lawmakers should:
– Simplify the grant process so under-resourced communities can access funding.
– Invest in workforce development to close persistent cybersecurity talent gaps.
– Strengthen public-private partnerships, giving communities access to industry tools and intelligence.
– Sustain intelligence-sharing programs like the Multi-State Information Sharing and Analysis Center (MS-ISAC), which serve as critical lifelines for state and local defense — and ensure they receive stable, long-term funding.

This is not charity. It’s an investment in the safety of our communities and the resilience of our nation.

Cybersecurity is national security. Without federal support, the cracks in our defenses become open doors for our adversaries.