President Donald Trump at a 2018 signing ceremony establishing the Cybersecurity and Infrastructure Security Agency. Some worry that in his next term, the agency could be disbanded and complicate state cyber efforts.

President Donald Trump at a 2018 signing ceremony establishing the Cybersecurity and Infrastructure Security Agency. Some worry that in his next term, the agency could be disbanded and complicate state cyber efforts. Pool via Getty Images

Could states’ cyber get trickier under a Trump administration?

Some Republicans have proposed eliminating CISA altogether, which could complicate information sharing efforts. More pressing, though, is the ending of federal cyber grants.

Amid speculation about President-elect Donald Trump’s administration and the Republican-controlled Congress, one proposal might have given state and local cybersecurity officials pause: eliminating the Cybersecurity and Infrastructure Security Agency.

Sen. Rand Paul, R-Ky., who is set to chair the Senate Homeland Security Committee, told POLITICO earlier this month that he would like to eliminate or severely limit CISA’s powers over his concerns about its work to counter disinformation.

“While it’s unlikely we could get rid of CISA, we survived for, what, 248 years without them,” Paul said. The agency has existed since 2018, when Trump signed it into law.

But CISA plays a crucial role for states as they look to stay on top of cybersecurity threats and eliminating it altogether could wreak havoc on those efforts. CISA works with the Multi-State Information Sharing and Analysis Center to help bring together state, local, tribal and territorial governments to share information on vulnerabilities and cyber threats, as well as allowing members to share cybersecurity best practices.

CISA also helps with fusion centers, which serve as state-owned and operated information repositories that help with initial responses to cyberattacks, and provides threat and vulnerability intelligence to vendors who work with government clients. Its reach is vast and touches virtually every aspect of state and local cybersecurity.

“We're all out there trying to do the right thing: stop the evil and, ultimately, make sure that people are safe from a cyber perspective,” said Jim Coyle, U.S. public sector chief technology officer at cybersecurity company Lookout. “When federal funding that helps drive these programs dries up, there's a lot that can be affected.”

A CISA spokesperson said the agency is “committed to a seamless transition,” and referred all other questions to the Trump transition team. In an email, Karoline Leavitt, a spokesperson for the transition, offered no specifics but said in an email Trump was elected “by a resounding margin giving him a mandate to implement the promises he made on the campaign trail. He will deliver.”

Most observers are unconvinced that Paul’s talk will translate into action, not just because of the bipartisan support CISA enjoys in Congress, but also because of its many roles. “It's a function that we'd certainly like to see continue,” said Mark Ritacco, chief government affairs officer for the National Association of Counties.

“That feels a lot like the sort of things people say when they're angry that they don't mean,” said Angelina Panettieri, legislative director for IT and communications for the National League of Cities. “Cybersecurity is one of those areas that is truly bipartisan, because people understand the consequences of not handling it.”

Funding for state and local government cybersecurity might be a more pressing concern. The four-year, $1 billion State and Local Cybersecurity Grant Program created under the 2021 bipartisan infrastructure law sunsets at the end of next year, while other federal programs may see cuts as Trump looks to slash the federal budget.

While the grant program was never going to be enough to satisfy states’ budgetary needs, it has been a good start and showed a willingness from the federal government to help address cybersecurity challenges.

But it needs to continue in some form, experts argued. 

“This is a continuing thing,” said Sundaram Lakshmanan, Lookout’s chief technology officer. “It's not a one and done. It is a commitment they have to make to keep up.”

Outside organizations have made similar arguments. The National Association of State Chief Information Officers has consistently argued for more work to make sure the program is effective, and that cybersecurity must be a “top priority.” A NASCIO spokesperson declined to comment further, except to say that their federal priorities next year will be “very similar” to this.

States may wish to try and make up some of the shortfall in cyber funding if the federal grant program ends, Panettieri said, but that could be challenging. Many state chief information security officers have said they do not have a reliable budget, staff or expertise to protect themselves, according to a survey earlier this year by NASCIO and Deloitte.

“I'm not sure that's feasible, just because the level of need is so great,” she said. “It would be a real shame to discontinue it because states had to develop a lot of capacity in this area, not just cybersecurity, but grant making from within their cybersecurity entities at the state level. That's been an adjustment, and they've done a lot of learning over the last few years around it, and I think that's something we want to keep building on.”

Despite the uncertainty, Panettieri said cybersecurity is something that has “transcended partisanship.” Even if things change in programs or federal help, the support will always be there, she predicted.

“I don't see a world in which it's not a priority, just because it is too abundantly clear that the threat to infrastructure in particular is not lessening over time, and it is such a national security issue,” she said.