Federal Cyber Grants for States Are Authorized but Unfunded, Officials Say

New York became the first state to set prescriptive baseline cyber rules for water systems on March 11.

Photo of (from left) Mark Montgomery, executive director of the Foundation for Defense of Democracies; Ann Cleaveland, executive director of the UC Berkeley Center for Long-Term Cybersecurity; Colin Ahern, director of security and intelligence for the State of New York; and Nicole Tisdale, interim senior director at Aspen Digital, the Aspen Institute.

SAN FRANCISCO, March 25, 2026 — Federal cybersecurity funding for states and cities is stalling in Congress just as Chinese and Russian operators escalate attacks on the infrastructure that keeps American communities running, officials from New York state, UC Berkeley, and Washington said Tuesday at the RSA Conference here.

Threat landscape

China has pre-positioned malware across American rail, aviation, and port networks as operational preparation for potential conflict, said Mark Montgomery, executive director of the Foundation for Defense of Democracies. The foundation is a Washington-based national security policy organization. Chinese operators have concentrated on the 20,000 miles of strategic rail, 69 strategic airfields, and 18 strategic seaports the United States publicly identifies as essential to military force movement, bypassing hundreds of lower-priority facilities entirely.

The federal government issued three major strategy documents last year, covering national defense, national security, and cybersecurity, and none mentioned Volt Typhoon, the Chinese government hacking operation that spent years tunneling into American infrastructure. States and cities will not receive the resources they need to defend against it if Washington will not acknowledge it exists, Montgomery said.

Hybrid warfare at the state level

New York has enacted tiered cybersecurity regulations across the sectors adversaries have explicitly targeted: energy distribution, hospitals, public safety, and water and wastewater systems. The state became the first to apply prescriptive baseline cyber rules to the water sector as of March 11. The regulations are tiered by entity size and paired with a technical assistance program staffed by full-time civil servants and a dedicated grant fund.

Federal funding gap

The state and local cybersecurity grant program, the primary federal mechanism for pushing resources to municipalities, water utilities, K-12 schools, and rural operators, is being reauthorized by Congress without new appropriations. 

Montgomery estimated a pending Defense Department supplemental bill, framed publicly at $200 billion, will land closer to $50 billion once defense priorities are sorted. He argued $2 billion of that should fund the grant program, disbursed over three to four years.

Fourteen of sixteen sector risk management agencies, the federal entities coordinating cybersecurity within specific industries, are severely underfunded. Education and agriculture sector agencies operate on roughly $250,000 annually. 

The Transportation Security Administration, which also oversees airport and pipeline security, handles rail cybersecurity as a secondary mission, leaving thousands of small rural junction operators exposed. Chinese operators are not targeting rail cars, Montgomery said. They are targeting the junction networks those small operators manage.

Broadband and core network security

Telecommunications drew pointed criticism from multiple panelists. Broadband networks now carry the voice, data, and emergency communications that once ran on separate, tightly regulated lines, but those protections never carried over to the internet, Ahern said. Network operators spend heavily securing their corporate networks but leave the core infrastructure connecting homes, hospitals, and governments inconsistently protected.

"That's where you need regulation," Ahern said. Operators push back on cybersecurity upgrades that slow network speeds, but uniform federal standards would level the playing field. 

No state can solve this alone, he said. Broadband is an interstate problem and requires a federal fix, Ahern added.

Community-level gaps 

States are stepping up despite constrained budgets, said Ann Cleaveland, executive director of the UC Berkeley Center for Long-Term Cybersecurity. Thirty-seven states passed bipartisan cybersecurity legislation last year, with much of it focused on K-12 schools and high-risk but under-resourced infrastructure. More than 40 university-based cybersecurity clinics now operate across 28 states, and six states have stood up civilian cyber corps that deploy volunteers for local incident response.

The structural gap, Cleaveland said, is continuity. Small organizations receive a one-time assessment and are left to sustain progress alone. The National Guard reflects the same disparity, Montgomery said. Maryland and Virginia have strong cyber units, but some states have only two or three cyber operators in their entire guard.

"The future of cybersecurity is local," Cleaveland said.
