Cybersecurity News that Matters

US public servants discuss ways to upgrade nation’s cyber posture

NSA Cybersecurity Director Dave Luber at the 2nd annual Billington State and Local Cybersecurity Summit in Washington DC on Tuesday. Luber shared the government's efforts to recruit and retain a cybersecurity workforce. Photo by Dain Oh, The Readable

by Dain Oh

Mar. 14, 2025
1:00 AM GMT+9

Washington, D.C. — Cybersecurity officials from the U.S. federal government, as well as those from state and local governments, gathered this week in the nation’s capital to discuss shared security challenges.

At the second annual State & Local Cybersecurity Conference hosted by Billington Cybersecurity, panelists emphasized the importance of collaboration between state, local and federal agencies to protect citizens from escalating cyber threats. They also highlighted the need for strong cybersecurity training and education programs.

Over two days of discussions, speakers underscored the challenges posed by legacy systems and the urgent need for modernization. Greg McCarthy, Boston’s first chief information security officer, was among the panelists who addressed the difficulties of upgrading outdated systems.

“When it comes to what keeps us up at night, it’s our legacy systems—something governments have in abundance,” McCarthy said. “These systems are so old and unique that they can’t be patched according to best practices.” He noted that this makes it difficult for local governments to implement standard cyber hygiene controls.

Greg McCarthy, Boston’s first chief information security officer, center, shares the challenges posed by legacy systems and the urgent need for modernization. Photo by Dain Oh, The Readable

The growing threats to critical infrastructure—particularly water systems—were a major focus, driven by concerns over the Chinese state-sponsored operation Volt Typhoon, which seeks to compromise critical infrastructure sectors, including water, for potential future disruption or conflict. Speakers discussed the complexities of incident response structures and the challenges of securing cybersecurity funding, especially for smaller water utilities.

Maria Thompson, AWS State and Local Government (SLG) executive advisor on cybersecurity, opened Tuesday’s discussions by highlighting the rise in cyberattacks on water systems. She referenced alarming reports from government agencies, including the Office of the Director of National Intelligence (DNI), the House Committee on Homeland Security, and the Environmental Protection Agency (EPA).

A DNI investigation found that between November 2023 and April 2024, there were 29 reported attacks on critical infrastructure and industrial control systems, 11 of which targeted water municipalities. The report also revealed that in January 2024, a pro-Russian hacktivist group breached control systems at two Texas water facilities, tampering with water pumps and alarms. The intrusion caused water levels to exceed designated shutoff points, leading to overfilled storage tanks.

“The EPA estimated that a single day of disruption to the California State Water Project—a network of canals, pipelines and reservoirs—could cost the state $91 billion in revenue. And that’s just the water project,” Thompson emphasized.

From left, Maria Thompson, AWS State and Local Government (SLG) executive advisor, California State CISO Vitaliy Panych, Metropolitan Water District of Southern California CISO Jake Margolis, and Orange County CISO Andrew Alipanah. At the 2nd annual Billington State and Local Cybersecurity Summit in Washington DC on Tuesday, the panelists discussed the challenges of coordinating cybersecurity efforts across various government agencies and private entities. Photo by Dain Oh, The Readable

Thompson engaged panelists from California—State CISO Vitaliy Panych, Orange County CISO Andrew Alipanah and Metropolitan Water District of Southern California CISO Jake Margolis—in a discussion about the challenges of coordinating cybersecurity efforts across various government agencies and private entities. The experts emphasized that collaboration, incident response planning and resilience-building are essential for effective cyber defense and rapid recovery in the face of cyber threats.

“Design your program as a resiliency program, not just a prevention program,” said Margolis. “I hate to break it to you, but you can’t truly prevent a cyberattack. Given enough time, effort, and determination, an adversary will eventually breach your system if they’re determined. So, it’s all about resilience.”

The panelists also agreed that the silos between information technology (IT) and operational technology (OT) add another hurdle to protecting the nation from external threats. “There are many attacks of opportunity that arise between the various gaps between OT and IT,” explained California State CISO Panych. “That’s why we bring in about 50 OT operators each month to the California Cybersecurity Integration Center. Additionally, we provide incident response services to assist local municipalities by offering resources and deploying a trained workforce through our labs. The collaboration between IT and OT is the only way we’ll really get better at cyber,” the security leader added.

The National Security Agency’s (NSA) Cybersecurity Director and the Department of Defense’s Chief Information Officer (CIO) highlighted the challenges of attracting and retaining talent in the field, emphasizing the need for public-private partnerships to address workforce gaps.

Dave Luber, Cybersecurity Director at NSA, discussed the agency’s talent development programs, which are tailored to different career stages: early, mid, and senior levels. “Throughout a person’s career cycle at the NSA, we look at all the different opportunities available to help them continue developing their skills, leadership and talent,” said Luber.

NSA Cybersecurity Director Dave Luber, center, and U.S. Defense Department CIO Mark Gorak, right, took the stage at the 2nd annual Billington State and Local Cybersecurity Summit in Washington DC on Tuesday to share the government’s efforts to recruit and retain a cybersecurity workforce. Photo by Dain Oh, The Readable

U.S. Defense Department CIO Mark Gorak emphasized that to acquire the cyber workforce the government needs, the public hiring process must “fundamentally shift to be agile, flexible and responsive to the workforce.” He believes this shift will be possible with the help of artificial intelligence, which can enable human resources managers to engage with potential candidates more effectively. According to Gorak, the main issue with current public sector HR systems is that they do not prioritize applicants in the hiring process. In short, using AI to streamline HR processes will enhance communication with applicants and promote skills-based hiring.

Katie Savage from the State of Maryland and Tony Sauerhoff from the State of Texas emphasized the need for standardized training and workforce development to address the cybersecurity skills gap.

According to the speakers, the primary challenges states face in recruiting and retaining cybersecurity professionals are high demand and competition from the private sector. States often struggle to compete with the higher salaries and benefits offered by private companies due to limited funding and resources, making it difficult to attract and retain skilled professionals. Additionally, a lack of awareness and understanding of cybersecurity is another issue states must address. Many people, especially those outside the tech industry, lack a clear understanding of what cybersecurity is and why it’s important, a condition which hinders efforts to attract talent from diverse backgrounds.

From left, Texas State CISO Tony Sauerhoff and Secretary of the Maryland Department of Information Technology Katie Savage. Their discussion focused on the need for standardized training and workforce development to address the cybersecurity skills gap. Photo by Dain Oh, The Readable

Baltimore, a city in Maryland, recently announced its “Cyber Range” initiative, a training center connected to the University of Maryland. “I love the idea of cyber clubs and doing something at the high school level,” said Katie Savage, Secretary of the Maryland Department of Information Technology. “By focusing more on these initiatives and university-level partnerships, we can bring students directly into the workforce.”

Texas State CISO Tony Sauerhoff shared another example: the State of Texas invites high school students between their junior and senior years to spend the summer working with his team. “We are trying to reach the potential talent pool as early as we can,” the official explained. “The goal is to build a pipeline from high school through college and into the workforce. Ideally, this approach doesn’t rely on finding and hiring the most highly skilled, expensive individuals, but rather on growing and developing talent from the ground up.”
