States, Tribal Nations Face Shared Cyber Challenges

Three tech executives describe similar challenges across jurisdictions — from replacing lost federal tools to bridging information silos among agencies, utilities and communities.

Like their varied landscapes, the Cherokee Nation, New Jersey and Texas are at different points in their cybersecurity maturity. At the Aspen Cyber Summit last week, tech leaders from all three jurisdictions said the pressures they face are similar: from persistent information silos to a widened gap between federal mandates and the resources to meet them.

Officials also said those pressures have grown as more cybersecurity responsibility shifts from federal programs to state, tribal and local jurisdictions. The panel at the event included Cherokee Nation Chief Information Officer Paula Starr, New Jersey Chief Information Security Officer Michael Geraghty, Texas Cyber Command Chief Timothy James “TJ” White, and Ann Cleaveland, executive director of the University of California, Berkeley Center for Long-Term Cybersecurity.

Geraghty said the federal executive order issued in March placed more preparedness responsibility on state and local governments but didn’t include additional resources. He described initial frustration, followed by a recognition that the state would need to find ways to expand its existing capabilities.

New Jersey, a home-rule state, first enacted its Domestic Security Preparedness Act in October 2001, just after 9/11, and it has evolved over time to include various disaster preparedness efforts, including pandemic readiness and information security, Geraghty explained during the panel. It is a statewide, multipronged effort. He also has oversight of the state’s Cybersecurity and Communications Integration Cell — or NJCCIC, pronounced “kick” — established in 2015.

“It is a fusion center of sorts, and we’re responsible for all aspects of cybersecurity in New Jersey, providing support to local government, state, counties, as well as small businesses and the like,” Geraghty said.

He also said the state’s population of 9.5 million and high concentration of critical infrastructure add complexity.

Meanwhile, the Cherokee Nation is the largest tribal nation in the U.S., spanning 7,000 square miles across 14 Oklahoma counties. There are 480,000 tribal citizens with about 141,000 living within reservation boundaries. Technology there is gaining ground, said CIO Paula Starr, describing a fast pace as they mature their technology infrastructure and cybersecurity.

In just five years, they appointed the first full-time cybersecurity employee, launched the tribe’s first online citizen portal, and now are working on a tribal mandate to give cybersecurity and artificial intelligence education not only to employees but also to the wider community, she said. The nation is a member of the Tribal Information Sharing and Analysis Center, but Starr indicated that it is no longer a member of the Multi-State Information Sharing and Analysis Center (MS-ISAC), which offered complimentary memberships under its former model.

“We, surprisingly, have very little collaboration with other governments,” she said. “We work closely with other tribal nations in information sharing, but really, when it comes to having a state relationship, we don’t really work with the state. We have worked a little bit with the federal government in the past, but there’s not a lot of collaboration there. What we do [is] we reach out to academic partners, often to work through projects with them.”

Texas Cyber Command Chief TJ White emphasized that losing the MS-ISAC complimentary memberships meant that information sharing will be limited for many, and, in response, Texas purchased statewide membership. Even so, institutional awareness remains a significant challenge in a state of 31 million and 254 counties.

He noted that Texas’ federated structure means cybersecurity incidents often begin and end at the local level, with city managers or utility leaders determining when an event is declared and when it is resolved. That structure requires state agencies to build trust and maintain awareness across hundreds of independent jurisdictions, he said. White also pointed to gaps in visibility and information sharing between sectors, describing how organizations may possess different pieces of threat information without a clear way to coordinate a response.

While their internal structures differ, all three governments said the next challenge lies outside their walls: supporting the community institutions that increasingly depend on them for cybersecurity. Volunteerism may be helpful, said White and Geraghty. While New Jersey is leaning into a volunteer corps, using talent from all sectors, in Texas there are 120 to 150 volunteers for the state incident response team.

Those most in need of support continue to face limited resources and fragmented assistance. UC Berkeley’s Cleaveland noted that community-level efforts, from cyber volunteer teams to academic clinics, remain disconnected, leaving organizations uncertain where to turn for help.

“The federal cavalry is not coming,” White said. “I think the problem we’re trying to solve for is everybody knows something, but nobody knows everything.”
Rae D. DeShong is a Texas-based staff writer for Government Technology and a former staff writer for Industry Insider — Texas. She has worked at The Dallas Morning News and as a community college administrator.