Trump EO Presses States to Bear the Weight of CI Resilience – Source: securityboulevard.com

Even as he aggressively moves to amass power in the executive, President Trump has made no secret his desire to shift responsibility for numerous aspects of government and legislation, from education to disaster relief to abortion, to the states.

In recent weeks, the flourish of a Sharpie has reduced funding and workforce in the Department of Education and FEMA and moved responsibility for student loans to the Small Business Administration. So last month’s Executive Order empowering state and local governments “to make smart infrastructure choices” to increase their jurisdictions’ preparedness for natural disasters, weather events and cyberattacks comes as no surprise.

States, the order suggests, are best positioned to own and manage preparedness and make risk-informed decisions that increase infrastructure resilience. And there’s some truth to that.

Keeper Security CEO and co-founder Darren Guccione says, “Allowing state and local governments more flexibility could lead to cost savings and efficiency.” Given “the autonomy to implement modern, cloud-first solutions and adjust their budgets as needed, state and local governments could act more nimbly and prioritize cybersecurity measures specific to their needs,” he explains. The resulting autonomy and agility might just let states “respond more quickly to emerging threats without waiting for broader federal guidance or funding.”

But while, as J Stephen Kowski, Field CTO at SlashNext Email Security+, says, “state and local governments are crucial first responders in disasters,” they do not have the resources and wherewithal to go it alone. 

“Without the proper funding, staffing and frameworks in place, shifting more responsibility from the federal government could present challenges,” says Guccione. Take, for instance, CISA’s responsibilities — vulnerability disclosure, advisories, guidance and reporting. If those functions “were instead pushed to the states, there could be concerns about adequate information, consistency and the speed of response,” he says. What would arise will likely be an inequity in proficiency and response among states. Those “with more resources would likely fare better while smaller states and those with tighter budgets could struggle to stay ahead of cyberthreats in the rapidly evolving cybersecurity landscape,” Guccione warns.

Effective cybersecurity preparedness, he stresses, “hinges on the balance between state, local and federal roles.”

That collaboration makes for “a robust model that leverages the strengths of each level,” says Jason Soroko, Senior Fellow at Sectigo. While federal agencies provide strategic guidelines and funding, he says, “state and local bodies customize automation and resilience strategies to meet specific needs.”

Taking an integrated approach “bridges disparities in capabilities and resources, ensuring coordinated and efficient responses to cyberthreats and infrastructure challenges.”

Just how that integrated approach might shake out and what kind of resources will be available, given DOGE’s claimed funding slashes and rout through the federal workforce, is unclear. Guccione says that to manage “expanded responsibilities, state and local budgets, staffing and prioritization will all need to increase,” noting that without resources and guidance from the likes of CISA and NIST, “states may face critical gaps in their cybersecurity programs, leading to vulnerabilities that could be exploited.”

There is another player crucial to building resilience. The U.S. is sort of unique among countries when it comes to infrastructure — much of it is owned and operated by private industry. And private industry provides the solutions and even guidance that can be used to bolster infrastructure that supports cybersecurity. “If federal resources become more limited, partnerships with industry experts can provide essential threat intelligence and access to technology,” says Guccione, “strengthening the ability of state and local governments to defend against the modern threat landscape.”

No doubt, states and local jurisdictions likely will find relief through automation. “Automation streamlines cyberdefense and business continuity tasks, reducing reliance on scarce skilled personnel while lowering costs,” says Soloki. “Tailored digital solutions allow jurisdictions with fewer resources to rapidly respond to emergencies without the overhead of broad, costly programs.”

Clarification of how all the parts fit and the flow of resources will come later rather than sooner.  The EO requires the Assistant to the President for National Security Affairs (APNSA), within 90 days, to publish a National Resilience Strategy, coordinating with agencies and department heads and the Assistant to the President for Economic Policy. The APNSA also has 180 days to work with agencies and the Director of the Office of Science and Technology Policy to recommend revisions to the nation’s critical infrastructure policies, then implement the National Resilience Strategy. 

However, it will be a year until the Secretary of Homeland Security proposes “changes to the policies outlining this framework and any implementing documents to ensure state and local governments and individuals have improved communications with federal officials and a better understanding of the federal role.”

A lot can change in that timeframe — and even well-intentioned EOs falter under their own weight—but that is particularly true under an administration bent on disruption and which already has had to backtrack on some of its policies and actions.