Insights Gleaned from the 2025 Cybersecurity Defense Conference

Insights Gleaned from the 2025 Cybersecurity Defense Conference

The Cyber Civil Defense Summit 2025, hosted by the CLTC, took place on June 11, 2025, at the Ronald Reagan Building and International Trade Center in Washington, D.C. The event brought together nearly 200 members of the public interest cybersecurity community, aiming to address questions around the cybersecurity of essential public service providers that lack the budget to hire cybersecurity talent or purchase necessary tools.

One of the key topics discussed was the need for private communications to be treated as a fundamental utility, deserving the same level of urgency as critical infrastructure. The Summit also focused on the unique cybersecurity challenges facing America's water and wastewater infrastructure, with the Environmental Protection Agency (EPA) designated as the federal government lead for managing cyber risk and ensuring cyber resilience in these sectors.

However, federal cybersecurity funding for underserved communities is declining following the Trump Administration era and Congress’s failure to renew critical grant programs. The State and Local Cybersecurity Grant Program, a key source of federal funding for cybersecurity initiatives benefiting rural hospitals, K-12 schools, and community water and wastewater systems, is in its final year in fiscal 2025 and is unlikely to be reauthorized, which puts future federal funding for these entities at significant risk.

The Department of Homeland Security (DHS) released the final notice of funding opportunity for the grant program, expecting to issue 56 awards totaling about $91.7 million for fiscal 2025. Every state receives a minimum of $1 million, with territorial entities getting at least $250,000. However, new rules prohibit using grant funds for certain expenses, including services from the Multi-State Information Sharing and Analysis Center (MS-ISAC), which has been a critical provider of cybersecurity intelligence and support to states and localities for over two decades.

This impending loss of federal funding and support means states and local governments may need to rely more heavily on their own cybersecurity programs to protect vulnerable institutions like rural hospitals and K-12 schools. Some federal funding for cybersecurity has been channeled through other programs, but these cover only part of the broader underserved landscape and do not substitute the comprehensive grant program.

The MS-ISAC’s federal funding has dwindled sharply; after losing $8.5 million in federal support in March 2025, it began emergency funding using its reserves but plans to shift to a subscription model for states starting October 2025. Its cooperative agreement with DHS expires at the end of September 2025, and renewal appears unlikely, raising concerns about the continuity of cybersecurity support for underserved entities traditionally assisted by MS-ISAC.

Cybersecurity remains an issue around which bipartisan consensus is the norm in state legislatures, but funding remains the largest barrier to passage. State legislatures are leading the way in formulating and advancing prescriptive cybersecurity regulations across critical sectors like electric utilities, water, and healthcare. Industry plays a crucial role in cyber civil defense, particularly as vendors of technology and software used by public interest organizations.

More outreach is needed to raise awareness and convey the value of free cybersecurity resources available to under-resourced public agencies. A 'one-size-fits-all' approach to cybersecurity standards and resourcing often leaves smaller, underserved communities behind. The Summit discussed the role of philanthropy in supporting organizations operating on the 'cyber poverty line' by providing free or discounted cybersecurity services.

Private companies can contribute to cyber civil defense by embracing secure-by-default principles. Tech companies like Signal prioritize data minimization and privacy, aiming to set a benchmark for the tech industry in improving cybersecurity. The administration has ended cooperative agreements with the MS-ISAC and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).

The geographic and economic circumstances of island territories create distinct vulnerabilities that exacerbate traditional cybersecurity challenges. Rep. Stacey E. Plaskett, who represents the U.S Virgin Islands in the U.S. House of Representatives, called for ensuring that U.S. territories are not left behind in efforts to harden the nation's critical infrastructure against cyber threats.

The Trump Administration’s earlier cybersecurity policies focused on enhancing national cybersecurity resilience but did not establish permanent solutions for ongoing funding to state and local entities. The current situation reflects the lack of Congressional action to reauthorize or replace the State and Local Cybersecurity Grant Program, meaning federal support for cybersecurity in underserved communities is diminishing despite increasing threats.

In summary, the decline in federal cybersecurity funding for underserved communities is placing greater responsibility on states and local governments to fill the gap amid escalating cyber threats and evolving infrastructure needs. The Summit focused on exploring how cyber civil defenders can work together to continue advancing their work, with or without aid from the federal government.

1. The Cyber Civil Defense Summit 2025, held at the Ronald Reagan Building and International Trade Center, discussed the importance of treating private communications as a fundamental utility, similar to critical infrastructure.
2. The Summit emphasized the unique cybersecurity challenges facing America's water and wastewater infrastructure, with the Environmental Protection Agency (EPA) as the federal government lead for managing cyber risk.
3. Federal cybersecurity funding for underserved communities is diminishing, putting future funding for rural hospitals, K-12 schools, and community water and wastewater systems at risk.
4. The Department of Homeland Security (DHS) has issued a notice of funding opportunity for the State and Local Cybersecurity Grant Program, which is in its final year and unlikely to be reauthorized.
5. Sharp declines in the MS-ISAC’s federal funding have prompted it to shift toward a subscription model for states, raising concerns about continuity of support for underserved entities.
6. State legislatures are playing a vital role in formulating and advancing prescriptive cybersecurity regulations across critical sectors, while industry plays a crucial role in providing technology and software to public interest organizations.
7. More outreach is needed to highlight free cybersecurity resources available to under-resourced public agencies, as a 'one-size-fits-all' approach often leaves smaller, underserved communities behind.
8. Tech companies like Signal prioritize data minimization and privacy, aiming to set standards for the tech industry in improving cybersecurity.
9. Rep. Stacey E. Plaskett has called for ensuring that U.S. territories are not left behind in efforts to harden the nation's critical infrastructure against cyber threats, given their unique geographic and economic circumstances.

Read also: