Nation-state hackers aren’t just probing Washington, D.C.; they continue to hit city halls, water plants and school districts across the U.S., and these local government bodies are defending critical infrastructure against international adversaries, often on the smallest of budgets.
International cyber criminals continue to show up in headlines and reports such as the CrowdStrike 2025 Global Threat Report. There’s a clear mismatch: state, local, tribal and territorial governments are facing well-funded attackers, even as their own resources shrink.
The pattern is exemplified in several instances. July’s SharePoint vulnerability is the most recent, reportedly resulting in exploits by Linen Typhoon and Violet Typhoon. A Pennsylvania municipal water system had a breach Thanksgiving weekend in 2023, when a group calling itself Cyber Avengers took advantage of weak passwords on programmable logic controllers. And in 2019, 23 Texas municipalities were hit by REvil ransomware, prompting the state to call in its emergency operations center. Each case underscores how foreign adversaries can disrupt local services, regardless of the maturity of a state or local cybersecurity program.
“We’re defending against nation-state adversaries on municipal budgets,” Robert Beach recently said. “It’s not a local government problem. This is a national problem.”
Beach is chief technology officer of Cocoa, Fla., and a Multi-State Information Sharing and Analysis Center (MS-ISAC) executive committee member. MS-ISAC has historically provided free cybersecurity resources to more than 18,000 members across the public sector. But with federal funding cuts, the organization has shifted to a membership model based on the size of the participating entity and will end free services Oct. 1. Beach said the change raises concerns that under-resourced jurisdictions may not be able to participate, a challenge when federal support remains uncertain.
“The communities most at risk are the small, under-resourced ones,” he said. “Larger organizations have constraints too, but smaller jurisdictions often don’t even have IT staff. That makes it difficult for them to recover when something does happen.”
In 2024 alone, MS-ISAC detected more than 43,000 potential cyber attacks, blocked more than 59,000 malware and ransomware incidents, prevented 25 billion connections to malicious sites and stopped 5.4 million harmful emails, according to its latest report. These numbers represent state, local, tribal and territorial (SLTT) governments that operate not only resident services but also hospitals, airports, water plants and other services that can touch multiple municipalities and federal operations.
The report points to best practices and encourages entities to work together, by way of shared services and regional security operations centers, cyber navigator programs and peer-to-peer networks. Case studies include CyberOhio, a state cybersecurity advisory board; Oregon’s Cybersecurity Center of Excellence; and North Dakota’s central cybersecurity operations center supporting 400 state and local government bodies.
These examples show what states can do to build stronger defenses through collaboration across entities. The MS-ISAC report notes, however, that many local governments are still defending critical infrastructure with limited resources. The report found that 68 percent of SLTT organizations lack the budget for cyber priorities, and small and rural communities are “disproportionately vulnerable.”
“We need to stabilize funding for resources like MS-ISAC and [the Cybersecurity and Infrastructure Security Agency] CISA,” Beach said. “They can get capabilities like multifactor authentication and endpoint protection out to smaller jurisdictions, because they’re trusted partners that local governments choose to work with.”