{"id":2459,"date":"2025-03-24T07:30:00","date_gmt":"2025-03-24T07:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2459"},"modified":"2025-03-24T07:30:00","modified_gmt":"2025-03-24T07:30:00","slug":"trump-shifts-cyberattack-readiness-to-state-and-local-governments-in-wake-of-info-sharing-cuts","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2459","title":{"rendered":"Trump shifts cyberattack readiness to state and local governments in wake of info-sharing cuts"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

On March 19, the White House issued the first executive order<\/a> (EO) to directly address cybersecurity policies under Trump\u2019s second term. The order, \u201cAchieving Efficiency Through State and Local Preparedness,\u201d pushes down to state and local governments an elevated responsibility for emergency preparedness \u201csupported by a competent, accessible, and efficient Federal Government.\u201d<\/p>\n

\u201cCitizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyberattacks, wildfires, hurricanes, and space weather,\u201d the EO states. \u201cWhen States are empowered to make smart infrastructure choices, taxpayers benefit.\u201d<\/p>\n

Within this executive order, Bob Kolasky, SVP of critical infrastructure at Exiger and founding director of CISA\u2019s National Risk Management Center, sees \u201ca new way of looking at what the priorities are for critical infrastructure security for cyberattacks,\u201d he says. \u00a0<\/p>\n

\u201cThere\u2019s an element of talking about shifts in roles and responsibilities and who owns certain elements of the burdens,\u201d he tells CSO. \u201cThat\u2019s certainly part of the overall state-local change where it\u2019s trying to say, \u2018Okay, the role of state and local governments is to get us prepared.\u2019\u201d<\/p>\n

But, according to experts, the order also raises questions about how cash-strapped state and local governments can pay for the increased responsibilities.<\/p>\n

Moreover, local CISOs and CIOs who have participated in state and local cybersecurity information-sharing organizations might have nowhere to go to discuss many of the EO\u2019s objectives following the Trump administration\u2019s cutback or elimination of federal organizations that previously facilitated these discussions.<\/p>\n

What the EO requires<\/h2>\n

The EO outlines five broad actions to facilitate states and local governments taking on a more significant role in critical infrastructure resilience and preparedness. These actions include:<\/p>\n

Creating a national resilience strategy<\/h4>\n

The EO requires the assistant to the President for national security affairs (APNSA), in coordination with the assistant to the President for economic policy and the heads of relevant executive departments and agencies, to publish within 90 days (by June 17) a National Resilience Strategy that articulates the priorities, means, and ways to advance the resilience of the nation.<\/p>\n

Creating a national critical infrastructure policy<\/h4>\n

The order says that within 180 days (by Sept. 15) the APNSA, in coordination with the director of the Office of Science and Technology Policy and the heads of relevant agencies, should review all critical infrastructure policies and recommend to the President the revisions, \u201crecissions, and replacements necessary to achieve a more resilient posture.\u201d<\/p>\n

It also suggests the new posture should shift critical infrastructure policy from an all-hazards approach to a risk-informed approach and move beyond information sharing to action. Although the EO deals with all emergencies, this shift in approach may impact cybersecurity-related emergencies the most.<\/p>\n

\u201cWe do exercises and plan for earthquakes and windstorms and asteroid strikes and wildfires and hurricanes, all that stuff,\u201d Mike Hamilton, CISO of Lumifi Cyber and former CISO of Seattle, tells CSO. \u201cThat\u2019s an all-hazards approach and stretches resources if you\u2019re trying to worry about all those things.\u201d<\/p>\n

But, he says, \u201cGoing to a risk-based approach means you have to concentrate on the thing that is most likely to happen and its impact. The most likely thing to happen is not an earthquake, although that will happen someday. The most likely thing to happen is a cyberattack against critical infrastructure that is destabilizing and disruptive.\u201d<\/p>\n

Creating a national continuity policy<\/h4>\n

Under the EO, within 180 days (by Sept. 15) the APNSA, in coordination with the heads of relevant agencies, must review all national continuity policies and propose recommended changes to develop a new national continuity policy.<\/p>\n

Developing new preparedness and response policies<\/h4>\n

The order directs APNSA, in coordination with the heads of relevant agencies and informed by the reports and findings of the Federal Emergency Management Agency (FEMA) Council, within 240 days (by Nov. 14) to revise or replace national preparedness and response policies as needed in order to reformulate the process and metrics for federal responsibility, move away from an all-hazards approach, and implement the National Resilience Strategy.<\/p>\n

Creating a national risk register<\/h4>\n

Under the order, within 240 days, the APNSA, in coordination with the director of the Office of Management and Budget (OMB) and the heads of relevant agencies, must work together to create a national risk register that \u201cidentifies, articulates, and quantifies natural and malign risks to our national infrastructure, related systems, and their users.\u201d The register will inform the intelligence community, private sector investments, state investments, and federal budget priorities, according to the EO.<\/p>\n

No funding for local cyber emergencies<\/h2>\n

The EO is silent, however, on how states and local governments will pick up the costs of their new responsibilities. \u201cIt looks like an unfunded mandate,\u201d Lumifi\u2019s Hamilton says. \u201cThere\u2019s an enumeration of a whole bunch of federal policies, standards, etc., and it says, \u2018States, you got to do all this stuff that the federal government has been doing,\u2019 but there\u2019s no mention of funding in there.\u201d<\/p>\n

\u201cThis EO devolves the risk and the management to states and local entities,\u201d Munish Walther-Puri, former director of cyber risk for the city of New York Cyber Command and currently adjunct faculty at the Center for Global Affairs at NYU, tells CSO. \u201cThat would be fine in a world where they also had the resources and the capacity to execute on that risk management. But they don\u2019t.\u201d<\/p>\n

Walther-Puri says that at one level, it\u2019s logical to push emergency preparedness down to the local level because disasters are local. But he says, \u201cWhere there\u2019s a mismatch is that these state and local governments don\u2019t have those resources, and they\u2019re not getting funding or investment. State and local entities are already outgunned and underfunded, especially against nation-states.\u201d<\/p>\n

He adds, \u201cAs this federal safety net is taken away, state and local governments are left to navigate this on their own with fewer and fewer lifelines. Therefore, we should not be surprised when there are greater consequences of those local cyber emergencies.\u201d<\/p>\n

The loss of information-sharing groups could hamper the process<\/h2>\n

The EO comes on the heels of a $10 million funding cut<\/a> that hits the operations of the Multi-State Information Sharing and Analysis Center (MS-ISAC). It also follows the severing of support for the Elections Infrastructure Information Sharing and Analysis Center (E-ISAC). Both groups were operated by the nonprofit organization the Center for Internet Security (CIS).<\/p>\n

These cutbacks came after Homeland Security Director Kristi Noem\u2019s decision to eliminate<\/a> the Critical Infrastructure Partnership Advisory Council (CIPAC), which enabled the free flow of sensitive information between government and industry without fear of disclosure.<\/p>\n

All three of these groups served as forums to support federal government communications with state and local entities. However, the cooperative agreement between CISA and CIS, which operates the MS-ISAC, is still in place. CISA currently has allocated $25 million to CIS, which represents just over 70% of the initial planned and nothing is stopping CIS from allocating funds to get the EI-ISAC going again.<\/p>\n

Nevertheless, experts say that new mechanisms should be mounted if the EO is to attain its objectives.<\/p>\n

\u201cThere needs to be a state and local information-sharing mechanism,\u201d Kolasky says. \u201cIf it\u2019s not the MS-ISAC, something needs to be established in its place, even if it\u2019s not federally funded. But if that doesn\u2019t happen, state and local governments will be on their back foot for cybersecurity,\u201d he says.<\/p>\n

Without some replacement for the MS-ISAC and CIPAC, local CIOs and CISOs might be left out in the cold. \u201cThe MS-ISAC was an effective coordinating structure with state and local CIOs and CISOs,\u201d Kolasky says. \u201cAbsent the MS-ISAC in place, I don\u2019t know what the existing coordinating structure for a broad set of state and local CISOs and CIOs would be.\u201d<\/p>\n

Unless the feds re-create new information-sharing groups, states must mount \u201cthat information-sharing mechanism so that state governments and the private sector are talking, sharing information, sharing threat intel,\u201d Hamilton says. \u201cWe\u2019re going to have to replace the fact that the federal government was doing that for us.\u201d<\/p>\n

\u201cCISA will work with state and local officials to ensure they have the information and support they need to make these decisions and improve their resilience,\u201d a spokesman for CISA tells CSO.<\/p>\n

See also:<\/p>\n

White House exempts cyber pros from mass layoffs; Judge reinstates CISA firings<\/a><\/p>\n

Trump nominates cyber vet Sean Plankey for CISA chief amid DOGE cuts and firings<\/a><\/p>\n

US Cybercom, CISA retreat in fight against Russian cyber threats: reports<\/a><\/p>\n

Trump disbands Cyber Safety Review Board, Salt Typhoon inquiry in limbo<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

On March 19, the White House issued the first executive order (EO) to directly address cybersecurity policies under Trump\u2019s second term. The order, \u201cAchieving Efficiency Through State and Local Preparedness,\u201d pushes down to state and local governments an elevated responsibility for emergency preparedness \u201csupported by a competent, accessible, and efficient Federal Government.\u201d \u201cCitizens are the […]<\/p>\n","protected":false},"author":0,"featured_media":2460,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2459","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2459"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2459"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2459\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2460"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2459"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2459"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2459"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}