A

Hello and welcome to statescoop's Priorities podcast. I'm Colin Wood, statescoop's Editor in chief. This week I interviewed two officials from the nonprofit center for Internet Security about what's new with their organization after losing federal funding and what's ahead for state and local cyber in 2026. But first, here's what's happening in state and local IT. Former California Chief Information Officer Amy Tong has retired from state government. Tong, whose most recent role was as a senior counselor to Governor Gab Gavin Newsom, capped a 30 year career in public service. Tarek Tomes, Minnesota CIO, has also stepped down, accepting a role as CIO with the University of Minnesota. Tomes spent nearly seven years with the state government in Pennsylvania. CIO Brianna Pardo recently shared how her first months in the role have been going. After spending two years leading the state's digital services efforts, she said she wants to bring that experience to the CIO role. This week I interviewed Carlos Kazee, Senior Vice President of the center for Internet Security's Ms. ISAC Strategy and Plans, and John Cohen, Executive director of the CIS's Office of Strategic Programs and Initiatives. After losing federal funding, CIS last year switched to a paid membership model. Kazee explained why this change hasn't changed the nonprofit's mission.

B

A lot is going on. A lot of our jurisdictions in the state, local, tribal and territorial community are adjusting to reduced funding. In some areas, increasingly sophisticated threats, both cyber and you know, all hazards. Things that are flowing from a bunch of different directions. I think that we're going through another cycle or another series of new normal in the state, local, tribal and territorial community and I'm just really proud of how our members in the community are adjusting to that and are really taking seriously what's been thrown at them and are doing the absolute best they can with the resources that they provide to protect their data, their networks, their systems and their citizens interests.

A

What are you seeing? John?

C

Yeah, to build on what Carlos is saying, what we're seeing is that foreign and domestic threat actors, whether it's foreign intelligence services, terrorist groups, violent extremists here at home, criminal organizations have fully embraced the power of the Internet and are regularly using emerging technologies, Internet based communication capabilities and even cyber attack and data exfiltration operations as a part of their day to day criminal activity. There's virtually no area of homeland security and or law enforcement that hasn't somehow been impacted by the fact that these threat actors are using these technological tools to when they're carrying out a broad range of threat related and criminal activity, whether it's human trafficking, drug smuggling, terrorist attacks, efforts to spy on our law enforcement or other governmental entities, they're all using the Internet. So what we've also seen is that, and I say this with love and affection to my profession, that law enforcement has been a little bit slow in adapting their investigative and threat mitigation activities accordingly. So one of the areas where we're working very closely with law enforcement, homeland security, emergency management, and CISOs across the country is to make them more aware of how the threat is involving, often at Internet speed, and make sure that they have the tools they need to combat the threat.

A

Right. And the center for Internet Security has long been one of the resources that state and local governments have relied upon, among many, I suppose. But these days, the narrative, at least the one that I'm hearing, is that there are fewer of those resources. And so I guess that would logically lead me to conclude that you guys are increasing or are kind of becoming more important for states if they have fewer places to turn. Know the cuts at CISA and other federal supports that are. That are kind of diminishing. That's a story we've definitely told on State Scoop. So one of the consequences of that has been a different relationship that CIS has with the federal government now, and that's led you to change your membership structure. Carlos, can you tell me a little bit about those changes and how that's going and how that has changed, if it has changed at all your relationship with your members?

B

Oh, definitely. I think it's important to note we have always been a strategic partner in strategic partnership with the federal government. We always will be in strategic partnership with the federal government. You know, funding will not change. The importance of there being a central point of coordination between state, local, tribal and territorial governments and the federal government. What we have seen and the construct of that is with the reduction and then the elimination of federal funding for state, local, tribal and territorial through the Ms. Isac, for governments through the Ms. Isac, State and local governments have had to adjust their profiles. They've had to reevaluate their priorities. They've had to, with no notice, modify their, you know, their budgets and attempt to take on some of the challenges that the federal government funding allowed us to support them in, either taking that on in the form of Ms. ISAC membership or in the form of activities that states are doing as they mature and as they develop, that they're doing for themselves and in some cases that they're doing for and with local governments leveraging Programs like the state and local cyber grant program or other state initiatives and activities. The plus of that is everybody is having to think about what are we doing and how can we do it best. And the minus of that is there's a big incentive for that thought to be more focused on my county, my city, my town, my state, rather than the overall ecosystem where as the water rises, all boats rise. So our challenge is, as a nonprofit, to continue to try to leverage our relationship and our role, maintain strategic partnership with the federal government, different federal agencies, but also to ensure that there's still an alignment and a unity among state, local, tribal and territorial governments and their departments and agencies. And it is a huge challenge. One thing I want to add to that is all of this isn't happening in a vacuum. We have threat actors that when any change happens, it's a chum in the water situation for them. So threat actors will take advantage of fear, uncertainty, doubt, or other opportunities where they can target municipalities, they can target entities who may not have the capability or capacity. And these threat actors are becoming increasingly sophisticated in the tools that they use based on their collaboration with one another and the market of tools and capabilities for their illicit activities. So we must continue working together and we must continue kind of protecting as one across state, local, tribal and territorial government organizations and activities.

A

Right. And I didn't address this specifically. So for anyone who doesn't know, you guys shifted from a model in which essentially the federal government was subsidizing membership, and now states are required if they want to participate, to. To pay their own fees. Although you guys are doing everything you can to encourage participation. If they can't afford it, they can pay, I think, half. And if they can't afford that, I think it's free. But the cybersecurity officials, I've asked about this, when I've asked about, like, is it, you know, is the cost worth it? There was no equivocating there. They, they said just absolutely. It's not even, you know, they didn't even blink to say that. I'm curious, though, if, you know, because I know some places just, you know, governments being funded the way they are, sometimes any extra cost is difficult. Have you heard much? I'm just curious how, how many places are having to take you up on the discount offers?

B

It's a really, really good question. And let me, let me unpack that a little bit. In terms of funding, membership, transitioning from federal funding, where there's now zero federal dol, state, local, tribal and territorial government funding, what We've done is we've created a model where states can pay for the entire state. Every, you know, county, city, town and state organization is covered by 1, 1, 1 fee. The alternative to that is, you know, in addition to that, there's also where states will pay just for themselves and where local governments, municipal governments will pay as single organizations. In the latter, where governments are paying as a single organization, we've created and maintain a hardship opportunity where states can say, you know, based on hardship, can we seek some sort of waiver of payment or some other degree of favorable payment terms. We've had out of almost 3,000 organizations, we've had just under 200 organizations take advantage of that. But it is important to note that there probably are many other organizations that could take advantage of that and possibly see the first year of their Ms. ISAC membership dues covered under a hardship category. So we would encourage any organization that is interested in Ms. ISAC membership not covered by a statewide purchase to reach out to us and particularly organizations that are in the category of under $25 million of annual operating budget. That's where the hardship category is focused upon. We currently have again, as I said, just under 3,000 single organization members. And we are in the process of onboarding states. We have 24 states that are in statewide or state only membership. And of those 24 states, there are probably about seven or eight that are completing their process and closing out. And there are several other states that are looking at future budget year, you know, future budget years for stepping forward with that. Again, that is a phenomenal, phenomenal outcome given that there was absolutely no notice in the state and local budget cycle of the federal government's removal of funding. And you know, if we look at this in one way, when a state purchases a membership for its entire state, which is a pretty significant thing for a state to do, that opens up membership eligibility for every single city, town, county, department and agency in that state to take advantage of Ms. ISAC services. And more importantly, the benefit of being a member and collaborating with their peers and sharing and receiving threat information focused and tailored on state, local, tribal and territorial governments.

A

Right. Anything to add there, John?

C

No, I think Carlos, spot on. You know, I think I would just add is that, you know, the concept of collective defense where state, local, tribal governments, private sector entities working with the federal authorities has become fundamental to our ability to protect our nation as a whole, but our communities specifically, and that's really what we advocate through the Ms. ISAC membership is this concept of collective

A

times to start out with you both referenced the. And this has been a kind of cybersecurity truism for a long time, the increasing sophistication of threat actors. But people aren't saying it for no reason, I suppose. So what are you specifically looking at these days? I hear that you're developing some new reports that might be coming out this year or in the coming months. What are you working on right now?

C

Well, I think in addition to sort of it's beyond just new reports, it's a different way of looking at the world. You know, I think traditionally when we thought of cybersecurity, we thought of it as primarily a technology issue. How do you protect your network from being compromised? How do you protect your information and communication systems from being disabled? How do you protect against your sensitive data being exfiltrated? Still focused on that, still focused on understanding that threat, providing CISOs and CIOs the technical data they need to evaluate the risks to their systems, but also protect their systems as the threat evolves. But what we're also looking at is what we call multidimensional threats. Recognizing that increasingly these foreign and domestic threat actors were concerned about use cyber, physical attacks, information operations, disruptive techniques in an integrated way. And you know, we recognized that a cyber attack targeting a public safety answering point, a 911 center can be problematic if it's, if it occurs alone. But if the 911 center is taken offline because of a denial of service attack, at the same time you have a kinetic or a physical attack directed at a government location, or you have large scale demonstrations that are facilitated by a, by Iran, for example, something we've seen in the past, then it becomes even more detrimental. So I think from my perspective the biggest shift in focus is tying that which is taking place in the digital world to that which is occurring in the physical world and not only helping Ms. ISAC members make those causal, those connections and understand those connections, but to work holistically, whether it's the CISO working with law enforcement, public safety emergency managers, you know, the homeland security advisors, others in the state and local governments to be prepared operationally to deal with the

B

impact of the cyber.

A

Right. And I know another thing that you're looking at is large special events that are happening this year. That's something that we've at State Scoop have covered over the years and even recently covered large events and all what that entails. One thing I've always been curious about is what's the, you know, for local law enforcement it's Obvious if there's a, you know, a Super bowl in your city or some other large sporting event, obviously, you know, as like I think in New Orleans there was concerns after what had happened there that, that something, another, another tragedy could occur. It's clear what, you know, why local law enforcement would be, would be interested in that. But for a state government, I'm also interested in what is the role of state CyberSecurity officials and IT officials and in managing such events. So question is for either of you, but, or both of you, but what special events coming up are you looking at and what are the considerations for state and local.

C

Well, first of all, you know, Carlos and I first met each other when we both were working at the Home Depot Department of Homeland Security two decades ago. Carlos, I think it was a long time ago and after September 11, there was greater recognition not only at the federal level, but amongst state and local as well, that high profile sporting events, entertainment events, even political conventions, any place where large groups of the of people gather in a, in a single location in order to engage in some type of public event is an attractive target to a terrorist group. And as time went on to others as well. It's an opportunity for them to create mass casualties and at the same time bring attention. Because these events are often televised or subject to attention, whatever ideological cause or even personal grievance they want to bring attention to. But as time has progress and as, you know, as work, as more and more of these events have occurred, the threats facing these types of events have become more multidimensional as well. So what are the concerns? You know, we have the super bowl just ended. There will be another one next year. We have the Olympics taking, the Winter Olympics taking place in Milan, Italy currently. We have the World cup games in the United States, Mexico and Canada. You know, this coming summer, we have the 2028 Olympics in Los Angeles. And as with the planners and the state and local jurisdictions and even the feds are focusing on today, we're working with our members and with others to make sure that they have the tools to be prepared for this. Are threats that fall under basically four categories. There's the physical threats, such as, you know, targeted attacks directed at the fans or the event itself by a terrorist group, a load actor, an individual. You know, we've had attacks at major constants. The Ariana Grande concert, the threat posed in Vienna to the Taylor Swift concert, where counterterrorism forces were able to disrupt an attack. Drone proliferation. You know, the NFL alone has recorded thousands of drone incursions that were intended to be disruptive to a sporting event. And that's something that every major event has to deal with. Crowd issues. It's not only the targeting of the crowds, but it's interactions between different groups. In work that we've done for international soccer events, I learned of the term hooliganism, where you have people who go to these events and they engage very often in violence with people who are fans from opposing clubs. Cyber attacks the 2024 Olympics in Paris documented over 140 tires targeted cyber attacks either directly focused on the Games itself or on secondary critical infrastructure. The goal was to disrupt the Games. Information operations intended to cause confusion, facilitate criminal activities such as ticketing and ticket fraud and other type of fraud. Targeted harassment of athletes trying to inspire violence or disruption, Disruptive events directed at specific athletes and then disruption of the game. You know, there's nothing that brings greater attention to a cause if you're able to, through bomb threats and swatting, disrupt the game itself or transportation to the game. We saw efforts to disrupt transportation access to the Paris Olympics, which was a real priority for certain terrorist organizations. So these are all examples of the types of activities that, whether you're the planner of an event like FIFA or the Olympic committee, or you're a host city or a host region or state. And that's the other thing. It's not just where the venue is located. It's the venue. It's the bars and restaurants, the banks, the ATMs, the mass transit, the electrical grid, all in the area of the venue. But it's also secondary locations. When you look at World cup, for example, teams will come into certain regions, they will stay throughout the region, they will go to practice facilities. So it's not, you know, it goes well beyond just the city where the event is taking place. It's the it's region. So what we've been doing is that we've been working with our Ms. ISAC members who happen to be hosting these events. The eyes of the world will be on these, these cities and towns and counties and states. And we're working with them to make sure that from a cyber and physical threat perspective, they have the tools they need to be able to mitigate any potential risks that may arise.

B

Colin I would add to that, just really briefly, that the tactics and techniques and the vulnerabilities that threat actors will exploit at any one of these special events or activities, we want to make sure at the state level, at both state and local level, among our tribes, among our territories, that all Governments and their departments and agencies are aware of those tactics and are able to harden their defenses and to work together to not only be aware of what the threats are, but aware of the best practices necessary to improve their security posture. It's important to note that the Ms. ISAC is still here. The elections infrastructure ISAC is still here. We are going strong and working hard to care, you know, for that unique area that I think we're in the business of and that's creating a collaborative opportunity for focus among state, local, tribal and territorial organizations. We have, you know, elections that are coming up and the protection of elections officials, judicial officials, the coordination between law enforcement and local government officials. For all of the activities that we're talking about. There's a lot of work out there. We, we're working in strong partnership with some awesome organizations. You know, the Consortium of school networks for K12 Security, Nasio, Naco, League of Cities, you know, a lot of strategic partners. We're all focused on the same problem set and we're excited to be a part of that. It is more important now than ever and our citizens deserve the best that we can offer them to keep them safe.

C

Yeah. My message would be to those in state and local government who are not CISOs and CIOs is that the cyber threat has evolved to the point where one state and local governments are a primary target for state, non state, foreign and domestic threat actors. They're trying to disrupt your operational capabilities. They're trying to gain information about the work that you do. They in some cases are even using cyber penetration and data exfiltration to gain sensitive information from on investigations or that can threaten and the safety of your personnel. You can no longer you know and this is a message to police chief, sheriffs, emergency managers. You can no longer afford to think of cybersecurity as something simply your IT department or your CISO is going to take care of. You have to understand that it threatens your ability to provide emergency and non emergency service. If you're targeted successfully, it may impact your operational capabilities. Not just for data was at a meeting the other day with some sheriffs. They've been offline for four months. Four months of not being able to access their jail management systems, their communication capabilities, their record management systems. So in addition to being paired technically, you need to be prepared operationally.

A

That was Carlos Kazee and John Cohen with the center for Internet Security. That's it for this episode. This podcast is a production of Scoop News Group in Washington DC. Production work is done by Adam Butler and Carlin Fisher. I'm Colin Wood. Thanks for listening.