White House Transfers Cyber Risk Responsibilities to State and Local Agencies

In a significant policy shift, the White House has announced a transition of cybersecurity risk management from federal oversight to state and local entities. This decision represents a critical change in the federal government’s approach to safeguarding elections and essential infrastructure.

This new direction was formalized on Wednesday when President Donald Trump signed an executive order establishing a National Resilience Strategy to be implemented within 90 days. The initiative aims to empower states to “make informed infrastructure decisions” that mitigate risks posed by cyberattacks and physical disasters. The executive order underscores the belief that both state and local governments, along with individuals, should become more integral to the nation’s resilience and preparedness efforts.

Coming on the heels of budget cuts affecting federal agencies, this order reflects an ongoing initiative led by Trump and his adviser, Elon Musk, to streamline cybersecurity resources. This has resulted in the reduction or elimination of essential cybersecurity committees and programs that states depend on for protecting elections and other vital infrastructures from an increasing array of cyber threats. As noted in prior reports, these cuts have notably impacted the Cybersecurity and Infrastructure Security Agency (CISA), which has significantly reduced its funding for security resources, particularly for state and election hubs.

Experts have voiced concerns over the implications of diminished federal cybersecurity assistance, which typically includes critical services such as vulnerability bulletins and support for the National Vulnerability Database. The implementation of this executive order may force states to navigate through inconsistent capabilities, leading to disparities in cybersecurity defenses based on local resources and policy selections.

Michael Hamilton, who previously served as the chief information security officer for Seattle, expressed alarm over the potential consequences of losing real-time cyber threat intelligence, stating that it could destabilize response frameworks and leave states vulnerable. He emphasized the importance of collaborative efforts between public and private sectors to create state-controlled threat information centers, particularly in states like Washington.

While CISA has defended its funding cuts as a measure to enhance fiscal responsibility and eliminate redundancy, the agency’s operational reductions since the Trump administration took office have heightened concerns for many unreliably funded states. A commentary from Travis Rosiek, public sector chief technology officer at Rubrik, pointed to the significant reliance that many states have on the federal infrastructure and acknowledged a growing urgency to enhance local cybersecurity frameworks, particularly for schools and municipalities amid a national talent shortage in cybersecurity professionals.

The White House has not responded to requests for further commentary regarding this policy shift. This decision marks a clear departure from the previous bipartisan efforts, which included expanding federal cybersecurity support for states during Trump’s first term.

Experts caution that this decentralization of cybersecurity responsibilities may lead to fragmented responses to cyber threats, resulting in delays and inefficiencies. The executive order could also introduce transitional risks as states adapt to increased responsibilities, with concerns raised that they could become the “weakest link” in national security strategies.