Key Insights Gleaned at the 2025 Cybersecurity Defense Convention

Key Insights Gleaned at the 2025 Cybersecurity Defense Convention

In the modern digital age, the interconnectedness of essential services across territories has created a complex infrastructure ecosystem, where a single point of failure can cascade across the entire system. This vulnerability has been exacerbated by recent changes in the political landscape.

The Trump Administration has announced plans to reduce the staff of the Cybersecurity and Infrastructure Security Agency (CISA) by a third and shrink its budget by 17%. This decision has raised concerns, as the agency plays a crucial role in protecting the nation's critical infrastructure. Additionally, the administration has ended cooperative agreements with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).

Amidst these challenges, state legislatures are taking the lead in formulating and advancing prescriptive cybersecurity regulations across critical sectors like electric utilities, water, and healthcare. However, this approach has resulted in a fragmented state-by-state patchwork of standards and regulations rather than a uniform national approach.

About a quarter of new cybersecurity legislative actions in 2025 focused on establishing leadership and governance frameworks within critical infrastructure and public-serving organizations. States are required to develop Cybersecurity Plans approved by their cybersecurity committees and CIO/CISO equivalents, which include risk assessments, resource and timeline outlines, and metrics to measure progress.

However, challenges arise in terms of funding and federal support. There is a dwindling federal cybersecurity support for critical infrastructure, including hospitals and water utilities, as proposed cuts under the current federal administration reduce federal agency roles and resources dedicated to cyber resilience. This situation threatens to exacerbate vulnerabilities, especially for smaller and rural critical infrastructure operators who have historically relied on federal partnerships and support for cybersecurity expertise and incident response.

For example, the National Institute of Standards and Technology (NIST), which leads critical AI and biosecurity initiatives relevant to cybersecurity, faces proposed budget cuts of nearly 30%, potentially limiting federal capability to support state and local cybersecurity needs.

The decreasing federal role shifts greater responsibility onto states, which may be under-resourced to fully address cybersecurity risks in complex critical sectors. This raises concerns about preparedness and investment gaps, especially in island territories that often have poor internet infrastructure, making them especially vulnerable to cyberattacks.

In response to these challenges, the next Cyber Civil Defense Summit, scheduled for 2026, aims to address the cybersecurity of essential public service providers that lack the budget to hire cybersecurity talent or purchase necessary tools. The Summit's theme was "Collaborative Advantage: Uniting Forces to Achieve More," reflecting the need for cooperation and resource sharing to overcome these challenges.

Private companies can also contribute to cyber civil defense, particularly as vendors of essential technology and software for public interest organizations. Industry leaders play a crucial role in this effort, with companies like Signal committed to upholding user privacy and defending end-to-end encryption. Signal's default privacy features set a benchmark for the tech industry to improve cybersecurity.

More outreach is needed to inform under-resourced public agencies about free cybersecurity resources. Cybersecurity regulation remains a rare area of bipartisan agreement within state legislatures, but funding remains the largest barrier to passage. Bipartisan consensus is the norm in state legislatures regarding cybersecurity, with cybersecurity-related bills often receiving bipartisan, if not unanimous, support from both Democratic and Republican lawmakers.

Rep. Stacey E. Plaskett, who represents the U.S Virgin Islands in the U.S. House of Representatives, has called for ensuring that U.S. territories are not left behind in efforts to harden the nation's critical infrastructure against cyber threats. Rep. Plaskett argued for updated standards and funding models that better account for the realities of rural healthcare systems, small island utilities, and isolated communities.

In conclusion, while states are taking leadership in regulating and governing cybersecurity in critical sectors with increasing specificity, the reduction in federal funding and support undermines their ability to fully secure those systems, especially for smaller and less-resourced operators. This calls for careful coordination and resource allocation to avoid a fragmented and underfunded cybersecurity landscape for critical infrastructure. The Summit's focus on collaboration and resource sharing offers a promising approach to addressing these challenges.

1. The complex infrastructure ecosystem, with a single point of failure leading to cascading effects, requires robust cybersecurity initiatives for protection.
2. The Trump Administration's decision to cut the Cybersecurity and Infrastructure Security Agency (CISA) staff and budget by a third has raised concerns about national protection.
3. State legislatures are leading in formulating prescriptive cybersecurity regulations, but the approach has resulted in a fragmented system rather than a unified national approach.
4. In 2025, a quarter of new cybersecurity legislative actions aimed to establish leadership and governance frameworks within critical infrastructure organizations.
5. The decreasing federal role in cybersecurity support for critical sectors, like healthcare and water utilities, could exacerbate vulnerabilities, particularly for smaller and rural operators.
6. The National Institute of Standards and Technology (NIST), a leader in critical AI and biosecurity initiatives, faces proposed budget cuts, which could limit federal support for state and local cybersecurity needs.
7. The Cyber Civil Defense Summit of 2026 intends to address the cybersecurity of essential public service providers with budget constraints.
8. Private companies can contribute significantly to cyber civil defense, especially as vendors of essential technology and software for public interest organizations.
9. Bipartisan consensus is the norm in state legislatures regarding cybersecurity, but funding remains the largest barrier to the passage of necessary regulations.
10. Rep. Stacey E. Plaskett, representing the U.S. Virgin Islands, has advocated for updated standards and funding models to account for the unique challenges faced by rural healthcare systems, small island utilities, and isolated communities.

Read also: