US states urge Congress to renew cybersecurity grants

U.S. state cybersecurity officials warned lawmakers that with cyber threats targeting public infrastructure, Congress must renew the State and Local Cybersecurity Grant Program and strengthen the Cybersecurity and Infrastructure Security Agency.

During the House Committee on Homeland Security hearing, officials from Florida, New York and Tennessee noted international digital threats, ransomware and AI-powered cyberattacks are overwhelming many states' cybersecurity resources. They highlighted the importance of the SLCGP, indicating the USD1 billion initiative would help state governments strengthen cybersecurity defenses.

"If Congress doesn't reauthorize the State and Local Cybersecurity Grant Program, the message will be reinforcing that you are on your own, and I find that to be unacceptable," said U.S. Rep. Delia Ramirez, D-Ill. "We have to change course, and we need to renew the state and local cybersecurity grant program, because that is a step in the right direction."

Rep. Andy Ogles, R-Tenn., also highlighted the proposed Protecting Information by Local Leaders for Agency Resilience Act, which would reauthorize the grant program while modifying aspects of its structure and oversight. Ogles said reauthorization "alone is not enough."

"We have four years of program history now, and we owe it to taxpayers to ask whether the money is being spent well, whether the structure is right, and whether the outcomes match the investment," he added.

State concerns

Tennessee Chief Information Officer Kristin Darby said the state has had an increase in cyberattacks using AI technology to breach individuals' personal data.

"The pace of these threats continues to accelerate," Darby said, pointing to how many local governments across Tennessee have limited resources to manage evolving threats, creating "a dangerous imbalance between highly sophisticated attackers and severely resource-constrained defenders."

Tennessee's cybersecurity efforts have engaged approximately 90,000 endpoints across local governments, according to Darby. The state also trained more than 21,000 local government employees and expanded access to cybersecurity training, firewalls and recovery services.

"Many of these local governments simply could not deploy or sustain these capabilities on their own," she said.

Without federal funding, many local governments managing cyber threats may not have access to certain services that could strengthen digital systems.

Darby said federal grants provide the "type of flexibility to allow us to come to the table with any solution to help the local communities in need in the time of an attack is absolutely essential."

States also face challenges navigating cyber threats from foreign threat actors. New York Director of Security and Intelligence Colin Ahern said states are "being asked to manage nation-state risks while our federal partners step back."

Ahern noted cuts to federal cybersecurity resources, including reductions to CISA, have impacted multistate information sharing programs.

Florida Chief Information Officer Warren Sponholtz also warned of downstream implications around potential cuts to information sharing programs, noting federal intelligence provides "national visibility that no individual state can replicate."

Operational impacts

States are also concerned and monitoring potential impacts stemming from the release of frontier AI systems that could detect and exploit cybersecurity vulnerabilities. Those concerns stretch from online government services to local business operations.

Center for Democracy and Technology Vice President of Policy Samir Jain said AI systems such as Anthropic's Claude Mythos Preview model, show the "offensive cyber landscape is poised to change dramatically, and small and under-resourced jurisdictions are likely to be particularly vulnerable to that change."

Additionally, an increase in cyberattacks could also have broader implications for U.S. consumers.

"When Americans see a county hospital or their child's school district suffer a major breach, their confidence that the government can serve them effectively and protect their personal information necessarily is shaken," Jain said. "That erosion of trust has consequences far beyond any single incident."

Though cyberattacks have targeted a vast number of private organizations, Jain noted personal data stolen from government databases are especially sensitive. He said, "information that people have no choice but to provide to state and local governments to participate in getting benefits or to get critical services, is not a voluntary relationship necessarily in all cases."

Darby noted state and federal partnerships will be necessary as cyber threats continue evolving faster than many organizations can respond.

"Cyber adversaries are not slowing down, and neither can we," Darby said.