Local governments struggle to defend critical infrastructure as threats grow

A small-town water system, a county hospital, and a local school district may not seem like front-line targets in global conflict, but they are. These organizations face daily cyber attacks, from ransomware to foreign adversaries probing for weak points. What happens to them can ripple into national security, disrupting everything from healthcare to transportation.

That is the warning in a new report from the Multi-State Information Sharing and Analysis Center (MS-ISAC), which reviews the current threat environment, recent successes, and the top needs identified by state, local, tribal, and territorial (SLTT) organizations.

The report stresses that SLTT organizations are responsible for much of the country’s critical infrastructure, including water systems, hospitals, schools, transportation, and emergency services. Attacks on these organizations have national consequences because federal and private sector operations depend on the continuity of these services.

A complex and growing threat landscape

According to the report, SLTTs face constant cyber and physical threats. Ransomware remains one of the most damaging risks, with hundreds of schools, hospitals, and local governments disrupted in recent years. Supply chain compromises and poorly configured cloud services are also growing concerns.

The report points to foreign adversaries, particularly China, Russia, Iran, and North Korea, as major sources of risk. In some cases, attackers have gained persistent access to U.S. critical infrastructure without detection for months. Hacktivists and terrorist groups are also targeting SLTT systems, raising the risk of physical consequences from online actions.

Emerging technologies add another layer of difficulty. Generative AI is enabling more convincing phishing, deepfake audio, and other social engineering tactics. Adversaries are also moving quickly across cloud, endpoint, and identity systems, making traditional defenses less effective.

Barriers to stronger defense

While the threat environment is becoming more complex, SLTTs are limited by funding and staffing constraints. The report highlights that many operate with less than $100,000 annually for cybersecurity and some have no dedicated budget at all. Most lack the ability to borrow funds or make large emergency investments. Legacy systems and limited staff add further challenges, leaving many organizations unable to keep up with rapid changes.

Randy Rose, VP of Security Operations and Intelligence at the Center for Internet Security, told Help Net Security that these gaps cannot be solved by local governments alone. “Sustaining progress in SLTT cybersecurity requires both federal and state investment,” Rose explained. “Continued federal funding for the MS-ISAC is essential to ensure all communities, especially small and under-resourced ones, can access critical services.”

Physical security risks compound the problem. Schools face persistent threats from both violence and false alarms, while public officials have seen a rise in targeted threats. Mass events also remain vulnerable to simple but high-impact attacks.

Progress through collaboration

Despite the challenges, the report emphasizes that SLTTs have made significant progress through collective action. Shared services, such as regional security operations centers and managed detection tools, allow even small jurisdictions to access enterprise-grade defenses.

The MS-ISAC plays a central role in this model, providing 24/7 monitoring, threat intelligence, and incident response support to more than 18,000 member organizations. By pooling information, SLTTs are able to detect threats more quickly and respond more effectively than they could alone.

Rose noted that state governments are increasingly stepping in to bolster this work. “States are stepping up to support a fee-based MS-ISAC membership, supporting whole-of-state models that unify efforts across agencies and jurisdictions,” he said. These models allow states to coordinate standards, share tools, and reduce redundant spending.

The report also highlights examples of state and regional initiatives, such as cyber workforce development programs, risk assessments funded through grants, and statewide coordination efforts. These projects show how states can amplify local capacity by organizing support at a larger scale.

Priorities for the years ahead

Looking forward, SLTT organizations identified five main priorities:

1. Stronger information sharing across jurisdictions and agencies
2. Whole-of-state coordination to unify standards and response
3. Deeper collaboration with federal and non-governmental partners
4. Streamlined access to grant funding for cybersecurity programs
5. Expanded managed detection and response capabilities

Underlying these goals is a call for stable and predictable funding. The report notes that short-term grants make it hard for local governments to hire full-time staff or invest in long-term solutions. A reliable financial foundation is described as the most important accelerator of progress.

Rose warned that without sustained federal involvement, local governments could be left increasingly exposed. “Without federal support, communities face greater risk from cyber attacks that can disrupt services and threaten citizens’ safety and privacy,” he said. “A shared funding approach involving federal investment alongside state commitment ensures every community has the tools to defend against these threats and strengthens our national cyber resilience.”