Government Cybersecurity at a Federal/State Crossroads: How to Engage Now

The March 2025 Billington State and Local CyberSecurity Summit in Washington, D.C., is bringing together local, state and federal government cybersecurity leaders at a crucial moment in history. Here’s how.

The media headlines are filled with stories of federal government cuts, disruptions and radical change. Here are some recent examples:
No doubt, the massive changes are difficult to just keep track of, much less react to. Many federal government employees are facing a reduction in force or may accept a deferred resignation deal, if they accept by the (changing) deadline.

RESPONDING TO 2025 STATE AND LOCAL CYBER CHALLENGES


In the midst of this once-in-a-lifetime set of changes for most federal employees, state, local and federal government leaders in technology and cybersecurity continue to battle with global cyber threats.

Enter a unique cyber event that is perfectly timed to help answer the myriad questions facing the cyber industry at this moment in history. The Second Annual Billington State and Local CyberSecurity Summit will be held from March 10-12, 2025, at the Ronald Reagan Building in Washington, D.C.

In addition, the first day of the event will feature an important 2025 StateRAMP Cybersecurity Framework Harmonization Symposium. That event will cover topics such as:
  • Panel 1: Advancing a Unified Standard for the Public Good — Explore the latest efforts to unify federal cybersecurity frameworks and their implications for state and local governments.
  • Panel 2: Building Bridges: Regulatory Harmonization Through Public-Private Partnerships — Discover how collaborations, including those led by the StateRAMP CJIS-Aligned Task Force, showcase the power of cross-sector harmonization.
  • Final Session: Shaping the Future of Harmonization — Engage in collaborative discussions to identify actionable steps for operationalizing harmonization across government and industry.
Side note: My views on this regulatory harmonization topic were expressed in this recent article for Government Technology: "It's Time to Consolidate Cybersecurity Regulations."

SUMMIT PREVIEW WITH ORGANIZERS INTERVIEWS


To gain a better perspective of this upcoming event, I interviewed Tom Billington, CEO of Billington Cybersecurity. I have known Tom for almost a decade, and first moderated a session at his Inaugural Global Automotive Cybersecurity Summit in Detroit in 2016. (That panel can still be seen on C-SPAN here.)  

The Billington team led by Tom has a unique ability to enable federal-state cyber and tech conversations and interactions that are unmatched in my professional experience. Their agenda is different than other events, and that team is led by Terry Burruss, a former federal government leader and the senior content manager for this cyber summit. I interviewed Terry as well.

Dan Lohrmann (DL): What do you see as the most important cybersecurity challenges that state and local governments face right now, and how will this event address them?
Tom Billington: The challenges state and local governments face are very similar to what the federal government faces. The offense needs to be successful only once — the defense needs to be successful all the time. And how is that possible when the risks involve such broad attack surfaces like people, processes and technologies spanning an interconnected continent? Not to mention the supply chain. Addressing the problem at the state and local level is both extraordinarily complex and incredibly important.

You’d think we’d have whipped this problem. The decentralized nature of our country, the competition, the market forces make us the strongest country and richest country on earth. The greatest tech companies in the world based in the U.S. (AWS, Google, Microsoft, Cisco, etc.) have market values exceeding many countries’ economies combined.

So why is cybersecurity such a big problem? The computers and networks and the Internet itself were not built with security in mind. The data is dispersed. The basic cyber hygiene isn’t readily in place. And the adversaries are enacting a “death by a thousand cuts” by exploiting all our weaknesses minute by minute.

Since most all of cybersecurity really happens at the local level, this event will bring together all the stakeholders to address one of the great threats of the 20th century: cybersecurity. It’s the one place you will find folks like local county CISOs talking directly — whether it be in a roundtable, a workshop, in the exhibit hall or in the main sessions — with federal CISOs.

Side note: As I, Dan Lohrmann, experienced last year, the conversations happening at Billington CyberSecurity are not happening elsewhere.

We must talk together, build trust together, learn from each other to defend our citizens and we need to hear from the new administration how offense may increasingly escalate to counter the adversary threats. It’s all here — and free for ALL government as a public service.

There will again be over 1,000 registrants, more than 50 speakers, 50-plus sponsors and dozens of media. Register today.

DL: What are some of the specific sessions that will address the challenges Tom has identified?  
Terry Burruss: This year at Billington's Second State and Local Summit, we are focused on some of the key issues of primary concern not only of state and local cybersecurity officials, but also to the national-level cybersecurity professionals. These include a session on how folks should be planning for a likely Chinese invasion of Taiwan, of how that effort might impact them at their particular role in protecting America's critical infrastructure. We will be hosting a regional California panel focused on how state and local efforts are working together to protect their water supplies from suffering a cyber attack. We also will be hosting a panel highlighting how various state and local efforts are proactively leveraging third parties to stress test their own cybersecurity programs, a session focused on next-generation cyber efforts directed at cloud and cloud services programs, and several sessions focused on AI and its impact on cyber programs. Overall, I really like our balanced, cross-technology, cross-government-level focus areas.

DL: Who will be speaking on those panels/keynotes?

Burruss: We have a wealth of talent that will be speaking at our summit this year. This includes the CIOs from Arizona, Maryland and Texas and the CISOs from California; Virginia; Florida; New Jersey; North Dakota; Wyoming; Boston; Boise, Idaho; Fairfax County, Va.; and Orange County, Calif., to name a few. We also have strong participation from the federal government to include senior leaders at the FBI's Cyber Division, cyber leaders working with the National Guard, and senior leaders from both the Department of Defense (DOD) and the Cybersecurity and Infrastructure Security Agency (CISA) to name a few.

DL: In what ways does this Billington State and Local CyberSecurity Summit address federal/state/local partnerships?

Burruss: Billington prides itself on building cross-public and -private relationships at both the state and local level as well as the federal sector. This year, we are hosting many discussions where federal and state leaders will be able to highlight both key similarities and differences in key cyber issues and actions. To name a few, we will be hosting a discussion where key federal leaders will discuss their approaches to taking more proactive actions against cyber adversaries — we will have discussions on what state and local cyber officials should be considering to prepare for a likely Chinese invasion of Taiwan, we will host a discussion on cyber threat intelligence and how federal, state and local cyber leaders can work to share this intelligence in more productive ways, and we will host a group of AI researchers from academia funded to think about how AI can enhance cybersecurity for everyone, just to name a few direct federal and state engagement areas.

DL: I have often expressed my view that many governments seem to have a "check-the-box" mentality around tabletop exercises and planning. How will this cyber summit address cyber exercises in new ways? 

Burruss: Billington prides itself on building in multiple ways for all participants — whether you be speaker or attendee — to engage with everyone throughout the summit. This year, we are planning to host roundtable conversations during lunchtime based off of state and local surveys conducted by CIS (Center for Internet Security). Additionally, we will kick-start the conference with two workshops highlighting how real practitioners are leveraging third-party organizations and AI/machine learning to proactively enhance their cybersecurity programs. These workshops are designed for Chatham House rules lesson learned discussions with plenty of audience question time baked into the agenda. The summit will also provide multiple social events for more direct one-on-one engagement time as well as provide a chance for participants to talk to entities who are doing novel things to enhance the cybersecurity business.

DL: Is there anything else you would like to add?

Burruss: This Billington Cyber Summit provides an excellent venue for government participants to identify and meet with a host of private-sector entities in one place to help them match their requirements with company capabilities.

Billington events strive to bring topics to the table that are not being discussed in other state and local cyber venues. For example, this year, our state and local event will bring in the AI academic crowd to talk about what they are doing in the AI research space that is helping improve cybersecurity. We will also have DOD and CISA experts talking who can bring state and local cyber professionals up to date on how CISA is leveraging things such as their Joint Cyber Defense Collaborative or how DOD is thinking about building, growing and sustaining their cybersecurity employees.

Given that Billington's State and Local Summit is held in Washington, state and local senior cyber officials can also bundle their time to meet with their state's congressional delegations, meet with CISA and other federal government risk manager partners, all while engaging with a private-sector crowd that is devoted to meeting state and local cybersecurity mission requirements. We like to call it "the one-stop shop" for the cyber business professional.

FINAL THOUGHTS


After attending the first Billington State and Local CyberSecurity Summit last March in D.C., I wrote this blog summary, which contained highlights and links to event videos.

What frankly shocked me was the level of openness shown with panel participants. For example:

"[Andrew Scott, associate director for China operations with the Cybersecurity and Infrastructure Security Agency] said, 'In the last six months, our incident response effort has confirmed that the People’s Republic of China cyber actors have been on our critical infrastructure networks for in some cases up to the last five years.'

“'They have the access that they need, and if the order was given, they could disrupt some services in this country right now,' he added."

I expect some similar (very direct, scary, timely) assessments to come out of this 2025 event with all that’s going on in Washington, D.C., now.

I urge you to engage and join the conversations now. There has never been a more important time to engage on cyber government initiatives.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.