Trump’s ‘preparedness’ executive order would shift cyber defense burden where it doesn’t belong, experts say – CyberScoop
Many cyber experts are panning a new Trump administration executive order that would shift more responsibilities for responding to cyberattacks to state and local governments, saying it will leave states holding the bag for a job they aren’t best equipped to handle.
The executive order, issued last week, is entitled “Achieving Efficiency Through State and Local Preparedness.” Its stated purpose is to improve defenses against cyberattacks and other risks, but many expect it will do the opposite.
“Federal policy must rightly recognize that preparedness is most effectively owned and managed at the State, local, and even individual levels, supported by a competent, accessible, and efficient Federal Government,” it reads. “Citizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyber attacks, wildfires, hurricanes, and space weather.”
A number of cyber experts said it was a misguided document, sometimes in harsh terms, especially as it pertains to where they believe responsibilities should be assigned.
“US defense against incoming missiles and other kinetic strikes to be delegated to states,” Joe Slowik, who works on cyber issues in a variety of roles, wrote on the Bluesky social media site. “If that sounds f—ed up to you, then why do the equivalent for state-sponsored cyber ops?”
The order also says its goal is to reduce “taxpayer burdens,” something that Tim Harper, senior policy analyst for elections and democracy at the Center for Democracy & Technology, said it would not do.
“Cuts to federal preparedness and cyber support will not reduce ‘taxpayer burdens,’ they’ll actually shift the cost of cybersecurity services to states and counties, and leave communities more open to cyberattacks on schools, emergency services, and local governments,” Harper said in a statement. “These cuts aren’t about efficiency — they’re about defunding national security and leaving local governments with the bill.”
Some experts were less harsh, even saying the order has praiseworthy elements; it makes sense to ensure states have the capacity to defend against cyber threats, and in many ways states best know their needs and risks, they said.
But it could be challenging for them to ramp up their cyber capabilities quickly, and there’s still a major size mismatch with the biggest foreign cyber threats like the People’s Republic of China (PRC), said Nitin Natarajan, until recently deputy director at the Cybersecurity and Infrastructure Security Agency (CISA).
“There’s value in having states more engaged in cybersecurity within their state, both for local entities and jurisdictions, as well as supporting critical infrastructure. I think the challenge, though, is going to be the time it’ll take to scale,” said Natarajan, now owner of the NN Global advisory firm. At the same time, he remarked that “asking a small rural town to defend against the PRC is not fair to them, and frankly, it’s setting them up for failure.”
Jack Danahy, a vice president at NuHarbor Security, which provides cyber services to state and local governments, said his reading of the order was perhaps an “optimistic” one.
“Cybersecurity, I believe, is much more effective when I’m managing it at the local level,” he said, citing the different needs of rural areas versus cities. But he still said he had questions about how the order would be implemented, and whether feds would follow up with funding to state and local governments.
The Trump administration earlier sought to pause federal grant programs, leaving cyber aid in a state of confusion.
Federal cybersecurity efforts haven’t proven immune from the Trump administration’s sweeping campaign to curtail federal spending and chop down the size of the bureaucracy, despite some internal work to limit the damage. The executive order issued last week was just the latest attempt to limit the federal portfolio on cyber.
The administration fired approximately 130 people at CISA but has sought to bring them back amid legal challenges. It has cut funding for the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), leading to its closure, and the Multi-State ISAC that states rely on. States that don’t comply with an election executive order have been threatened with the loss of federal funding. The cutbacks coincide with warnings that state and local governments face tremendous threats.
Pennsylvania Secretary of State Al Schmidt on Thursday raised concerns with the apparent removal of federal resources that state and county governments have long relied upon for support in protecting the nation’s election systems.
“It’s not about an acronym. It’s not about an initialism or some specific agency within some department,” Schmidt, a Republican, said during a press briefing organized by the civic education nonprofit Keep Our Republic. “It’s about the resources the federal government provides to our counties, that only the federal government can provide to our counties, that makes all this so concerning.”
Schmidt said that states and counties can’t replicate the resources that have been provided by agencies like CISA, such as the threat assessments, tabletop exercises, training and bulk discounts they’ve provided state and local governments in recent years. Former CISA Director Jen Easterly testified last May that her agency had provided 340 cyber assessments and hosted cybersecurity training for more than 9,000 participants since the beginning of 2023.
Attempts to organize replacements to information-sharing groups like the EI-ISAC or CISA functions will be challenged by legal restrictions. Pennsylvania is among the majority of states legally barred from accepting services or information from non-government organizations for the purposes of protecting election systems.
The preparedness executive order could also have a negative ripple effect.
“I do not know how much more clearly I can say this to the small businesses and managed service providers I speak with every day: there is no one coming to save you,” Tarah Wheeler, CEO of Red Queen Dynamics, said on Bluesky in response to a story about the executive order.
But it might also have some boons, some said.
Erik Avakian, a cybersecurity executive counselor with the tech services firm Info-Tech Research Group who spent 12 years as Pennsylvania’s chief information security officer, said he thinks the order will “force innovation” among state and local governments, though he admitted that replacing the many resources traditionally provided by CISA and other agencies will be a challenge.
Avakian believes that states best equipped to handle reduced federal resources are those with “whole-of-state” cybersecurity strategies. These strategies include all government levels, university research centers, and the private sector, and have become common due to the $1 billion State and Local Cybersecurity Grant Program created by the 2021 Infrastructure Investment and Jobs Act.
“I think states are going to have to rely more either on their third-party vendors, who are providing threat intelligence, or sharing information with each other,” he said. “And states are already doing this. There’s a great state CISO community.”
Avakian pointed to organizations like the National Association of State Chief Information Officers, which many state CISOs use to meet and regularly share information. He suggested that state and local governments may also need to create cross-state or regional organizations that can be used to share information, though he cautioned against creating an uncoordinated “patchwork” of resources in absence of federal guidance.
The post Trump’s ‘preparedness’ executive order would shift cyber defense burden where it doesn’t belong, experts say appeared first on CyberScoop.
–
Read More – CyberScoop