Recently, the U.S. president signed an executive order (EO) that transferred some of the responsibility to improve their key infrastructure from the federal government to states.  The move comes at a time when the current Administration has been cutting federal jobs, some with cybersecurity missions such as at the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, which was originally established under the president’s first term. The EO has been met with concern, especially at a juncture where cyber attacks have exposed vulnerabilities in the United States’ critical infrastructure cybersecurity posture, and a concern that the United States is not prepared to be in an escalated cyber conflict with other, nearly equally capable adversaries.

The EO is designed to empower states to take responsibility over their own cybersecurity postures, allowing each to prioritize how resources are allocated and invested via “risk-informed decisions” in the face of global threats.  The idea behind this decision is to have states take ownership of protecting their own resources and be responsible and accountable having more skin in the game and not relying heavily on the government to fill the role of protector. Notably, the EO also launches a National Resilience Strategy “that articulates the priorities, means, and ways to advance the resilience of the nation.” This would ostensibly serve as a blueprint with which states would be able to align their individual efforts, thereby creating an ecosystem where states could work concurrently toward the same goals. 

The idea of states taking a more active role in their own cybersecurity may not be as radical as it sounds. In fact, there are early signs that many states have already started moving toward greater independence in this space, especially given the lack of a cohesive, nationwide strategy. According to the National Conference of State Legislatures, more than 30 states passed some form of cybersecurity-related legislation in 2024. These new laws show that states are willing to act when necessary to protect their critical sectors. Several states have focused their efforts on tightening cybersecurity requirements for key industries such as healthcare, energy, and water systems — sectors that, if compromised, could have devastating effects on public safety and trust. Others have taken aim at deterrence, introducing tougher criminal and civil penalties for those caught attempting to disrupt critical infrastructure operations. Beyond critical infrastructure protection, states have also stepped forward on broader cybersecurity issues. They have led efforts to crack down on cybercrime and have taken the initiative on data privacy legislation, all while national-level action has largely stalled. These moves demonstrate that states recognize the risks — and, increasingly, that they are willing to lead the charge where federal efforts have lagged.

There are clear, tangible benefits to a state-led approach to cybersecurity. First and foremost, states understand their own environments better than anyone else. This local knowledge allows them to target their specific needs, stretch their budgets further, and address critical gaps with precision. Instead of relying on a one-size-fits-all federal strategy, states can develop cybersecurity plans that match their unique priorities and constraints. Flexibility is another major advantage: states can build strategies that reflect their available resources, industries, and risk profiles, rather than trying to fit into a rigid federal framework.  Additionally, tapping into local expertise gives states a powerful edge. Many regions have specialized industries — energy, agriculture, healthcare, finance — that demand tailored cybersecurity defenses. A state-focused effort ensures cybersecurity strategies are not only effective but relevant. States also have an opportunity to strengthen their teams by recruiting cyber talent displaced from recent federal cuts. These professionals bring deep experience in dealing with complex threats and can immediately bolster state operations without a steep learning curve. In short, a proactive, state-driven cybersecurity push could transform what has long been a fragmented, under-resourced patchwork into a more resilient and responsive defense across the nation.

While these advantages sound promising, the new EO has its fair share of critics who believe the move will not improve states’ abilities to defend against cyber attacks and other cyber-enabled threats.  The former head of CISA called moves like this EO and the overall reduction of U.S. cybersecurity apparatus as “dangerously degrading” U.S. cyber defenses.  He is not alone.  Other experts have expressed that the cuts impacting cybersecurity resources such as the National Vulnerability Database will force states to try to compensate, which they may not be positioned to do at present.  Indeed, all of these are valid concerns and ones that need to be fully addressed as the EO is carried out over the timelines that have been highlighted.  Additional areas that need to be considered are coordination between 50 states, resource constraints that states may have, and how their actions will feed into the national security picture.  There needs to be harmony, a tough endeavor with so many moving parts and stakeholders.

Still, one can’t help but wonder if states are so far behind in cybersecurity because they were never truly asked — or expected — to step up. For too long, they haven’t been held responsible or accountable for their role in the broader national cybersecurity posture. Imagine how different the landscape might look if states had been brought into the fight much earlier.  Sure, not every state is ready to take on that responsibility today. But continuing to lean on the federal government — while avoiding real ownership — only ensures they remain dependent and unprepared. As long as states can deflect blame and point fingers elsewhere, they’ll have little real incentive to build the capabilities they urgently need to protect the organizations and individuals under their purviews.

States are behind the curve when it comes to cyber defense, and catching up won’t happen overnight. Scaling up cyber capabilities will take time, and in the short term, that’s a real concern given the surge in sophisticated, relentless threats. However, what is clear is that to maintain a status quo where the United States is still victimized by highly capable state and nonstate actors despite vast cyber resources is untenable.  Greater state involvement could not only strengthen local defenses but also free up the federal government to focus on the most dangerous threats and threat actors. A more balanced approach — one that pairs streamlined federal leadership, perhaps through a more agile, coordination-focused CISA, with empowered, well-resourced states — could be exactly what’s needed to tackle an increasingly hostile cyber landscape.  Without that shift in strategy, we’re just waiting for the next major breach.