Insights Gained from the 2025 Cybersecurity Defense Strategies Convention

Insights Gained from the 2025 Cybersecurity Defense Strategies Convention

In the face of growing cybersecurity threats, smaller, underserved communities often struggle due to resource scarcity and single points of failure in critical infrastructure. These communities, which typically operate essential services such as hospitals, schools, and water systems, are increasingly turning to state legislatures for support.

At the Cyber Civil Defense Summit 2025, hosted by CLTC, the focus was on exploring how cyber civil defenders can work together to continue advancing their vital work, with or without aid from the federal government. Udbhav Tiwari of Signal, a private company, emphasised data minimization and privacy as key aspects of its mission, advocating for end-to-end encryption as the default setting for communication applications.

State legislatures are leading the way in formulating and advancing prescriptive cybersecurity regulations across critical sectors like electric utilities, water, and healthcare. However, funding remains a significant barrier. Congress is unlikely to reauthorize the State and Local Cybersecurity Grant Program, a federal initiative providing cybersecurity funding to state, local, tribal, and territorial governments.

To address these issues, state legislatures are creating supportive frameworks, resource-sharing programs, and targeted funding. For example, Connecticut offers comprehensive cybersecurity protections and broadband access to all school districts through its Connecticut Education Network. North Carolina operates a Joint Cybersecurity Task Force including the FBI and National Guard to coordinate cyber defense for schools.

States like Arizona and Texas have developed statewide cyber readiness programs that provide free or discounted security tools and training to local and tribal governments. Recognising the multi-layered nature of vulnerabilities in election jurisdictions and local offices, states are increasingly tasked with filling gaps left by federal programs as agencies like CISA reduce local engagement.

Beyond government programs, there are initiatives fostering local collaboration and capacity building, especially in Indigenous, rural, and youth communities. Cybersecurity training hubs and cyber attack simulations led by cultural and educational organisations are becoming more common.

However, challenges remain in scaling these efforts due to continued funding constraints at the federal level, the limited presence of cybersecurity experts in rural areas, and the need to bridge technical policy with community realities. Tony Sauerhoff warned that funding alone is not a solution, as organisations may lack the expertise or understanding to utilise free resources effectively.

Cybersecurity remains an issue around which bipartisan consensus is the norm in state legislatures. Rep. Stacey E. Plaskett argued that island territories require special consideration in federal cybersecurity funding formulas due to their geographic and economic circumstances. Sauerhoff also highlighted the importance of vendors in the critical infrastructure sector adopting secure-by-design principles.

The administration's approach to cyber defense has also shifted. The Trump Administration has limited the federal government's role in cyber defense, including by reducing the staff of the Cybersecurity and Infrastructure Security Agency (CISA) and shrinking its budget. The administration has ended cooperative agreements with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).

In summary, state legislatures are increasingly stepping in to provide coordinated support, resource sharing, training programs, and funding to mitigate cyber risks while federal support diminishes. A 'one-size-fits-all' approach to cybersecurity standards and resourcing often leaves smaller, underserved communities behind. More outreach is needed to inform under-resourced public agencies about available free cybersecurity resources, and to raise awareness and convey the value of these resources. Private companies can also contribute to cyber civil defense by adopting secure-by-design principles.

1. Smaller, underserved communities are turning to state legislatures for support in addressing cybersecurity threats due to resource scarcity and single points of failure in critical infrastructure.
2. At the Cyber Civil Defense Summit 2025, Udbhav Tiwari of Signal emphasized data minimization and privacy as key aspects of its mission, advocating for end-to-end encryption as the default setting for communication applications.
3. State legislatures are formulating and advancing prescriptive cybersecurity regulations across critical sectors, but funding remains a significant barrier.
4. Connecticut offers comprehensive cybersecurity protections and broadband access to all school districts through its Connecticut Education Network as an example of supportive frameworks and resource-sharing programs.
5. Recognizing the multi-layered nature of vulnerabilities, states are increasingly tasked with filling gaps left by federal programs, such as in election jurisdictions and local offices.
6. Beyond government programs, there are initiatives fostering local collaboration and capacity building, including cybersecurity training hubs and cyber attack simulations led by cultural and educational organizations.
7. Challenges remain in scaling these efforts due to continued funding constraints at the federal level, the limited presence of cybersecurity experts in rural areas, and the need to bridge technical policy with community realities.
8. Cybersecurity remains an issue around which bipartisan consensus is the norm in state legislatures, with important considerations for island territories requiring special consideration in federal cybersecurity funding formulas.
9. Private companies can contribute to cyber civil defense by adopting secure-by-design principles, as highlighted by Tony Sauerhoff, and the Trump Administration's approach to cyber defense has diminished federal support, including reduced staff and budget for the Cybersecurity and Infrastructure Security Agency (CISA).

Read also: