On June 11, 2025, CLTC hosted its third annual Cyber Civil Defense Summit at the Ronald Reagan Building and International Trade Center in Washington, D.C. This was CLTC’s largest Summit yet, bringing together nearly 200 members of the public interest cybersecurity community – leaders who are actively working to fortify regional cyber defense. Attendees included leaders from academia, government, and industry who are positioned at the forefront of grassroots efforts to secure the systems and networks of our nation’s most vulnerable critical infrastructure.
The Summit provides a platform for conversations that rarely receive airtime at mainstream cybersecurity conferences. It aims to address questions around how to strengthen the cybersecurity of essential public service providers that fall below the “cyber poverty line,” including community water and wastewater systems, electric utilities, rural hospitals, and K-12 schools. These organizations often lack the budget to hire cybersecurity talent or purchase the necessary tools to secure their networks and systems.
Collaborative Advantage: Uniting Forces to Achieve More
This year’s theme, Collaborative Advantage: Uniting Forces to Achieve More, was especially timely. The Summit took place during a time of growing uncertainty and upheaval in the cybersecurity field. The Trump Administration is reversing course and limiting the federal government’s role after six years of expanded federal leadership in cyber defense – including by reducing the staff of the Cybersecurity and Infrastructure Security Agency (CISA) staff by a third and shrinking its budget by 17%.
The administration has also ended cooperative agreements with the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) which provide local assistance for cybersecurity support to state and local governments and election offices. Trump also signed an executive order that transfers responsibility for cybersecurity preparedness to state and local governments. On top of that, Congress is unlikely to reauthorize the State and Local Cybersecurity Grant Program, a federal initiative providing cybersecurity funding to state, local, tribal, and territorial (SLTT) governments, which is scheduled to expire in September 2025.
In response to these challenging headwinds, this year’s Summit focused on exploring how cyber civil defenders can work together to continue advancing their vital work, with or without aid from the federal government.
“Interdependency helps us all reach farther,” said CLTC Executive Director Ann Cleaveland in her opening remarks. “The people in this room, and the relationships between us, are what genuinely move the needle on the technology, the policy, and the behaviors and beliefs that drive better cybersecurity in our communities.”
Rather than dwell on the problem of cybersecurity have-not’s and reduced funding, participants spent the day discussing solutions for how we can better align, combine, and grow our collective efforts to achieve more together.
In a fireside chat with POLITICO’s Maggie Miller, Colin Ahern, Chief Cyber Officer of the State of New York, aptly framed the challenge: “We can either choose to fail separately, or choose to potentially succeed together.”
Key Learnings
The Summit featured a stacked roster of keynote addresses, fireside chats, panels, and research presentations, many of which left the audience feeling hopeful about the road ahead. Four key learnings surfaced throughout the day:
- A ‘one-size-fits-all’ approach to cybersecurity standards and resourcing often leaves smaller, underserved communities behind.
- Cybersecurity regulation remains a rare area of bipartisan agreement within state legislatures, but funding remains the largest barrier.
- More outreach is needed to raise awareness and convey the value of free cybersecurity resources available to under-resourced public agencies.
- Private companies can play a greater role in cyber civil defense, including by embracing secure-by-design principles.
1) A ‘one-size-fits-all’ approach to cybersecurity standards and resourcing often leaves smaller, underserved communities behind.
A central theme of the Summit was the need for tailored cybersecurity regulations and solutions that address the unique constraints of public interest organizations, such as limited capacity to implement redundant systems or hire specialized cybersecurity staff. These limitations create distinct vulnerabilities that compound traditional cybersecurity challenges.
This idea was understored in a keynote address by Congresswoman Stacey E. Plaskett, who represents the U.S Virgin Islands in the U.S. House of Representatives. She opened with a call to ensure that U.S. territories are not left behind in efforts to harden the nation’s critical infrastructure against cyber threats.
“The digital divide is also a cybersecurity divide,” Rep. Plaskett said. “Communities with poor internet infrastructure are often the most vulnerable to attack.”
Rep. Plaskett explained that the geographic and economic circumstances of island territories create distinct vulnerabilities that exacerbate traditional cybersecurity challenges. For example, territories typically rely heavily on interconnected systems for essential services (e.g., power generation, telecommunications), creating single points of failure that can cascade across the entire infrastructure ecosystem. Island territories also tend to have poor internet infrastructure, making them especially vulnerable to cyberattacks. For the U.S. Virgin Islands specifically, the economy depends heavily on tourism. A cyberattack targeting port systems, airport infrastructure, or hotel reservation systems could cripple the local economy for months.
Given these particular conditions, Rep. Plaskett argued that “[island] territories require special consideration in federal cybersecurity funding formulas.” Rep. Plaskett explained that current federal grant programs often use population-based allocation formulas, which systematically underfund rural and territorial areas – exacerbating both inequality and vulnerability. These formulas often do not consider factors such as geographic isolation, economic vulnerability, critical infrastructure density, and threat exposure levels.
Rep. Plaskett noted that cybersecurity requirements for critical infrastructure often fail to consider the unique circumstances of island territories. These requirements can create compliance burdens the territories cannot meet, while also failing to address the islands’ specific risk profiles. Rep. Plaskett argued for updated standards and funding models that better account for the realities of rural healthcare systems, small island utilities, and isolated communities – many of which cannot easily implement redundant systems or hire specialized cybersecurity staff on their own.
2) Cybersecurity regulation remains a rare area of bipartisan agreement within state legislatures, but funding remains the largest barrier to passage.
Amidst political gridlock in Congress, state legislatures are leading the way in formulating and advancing prescriptive cybersecurity regulations across critical sectors like electric utilities, water, and healthcare. This year’s Summit spotlighted state-level cybersecurity regulation efforts by featuring state lawmakers from Indiana, Maryland, and Texas, who shared lessons from championing cybersecurity legislation in their respective states.
CLTC Non-Resident Fellow Iranga Kahangama led a discussion with Indiana State Senator Liz Brown (R, District 15) Maryland State Senator Katie Fry Hester (D, District 9) and Texas House Representative Giovanni Capriglione (R, District 98).
All three lawmakers agreed that cybersecurity remains an issue around which bipartisan consensus is the norm in state legislatures. Cybersecurity-related bills often receive bipartisan, if not unanimous support from both Democratic and Republican lawmakers.
“Cybersecurity isn’t partisan in nature,” Rep. Capriglione said. “Everyone has constituents who have had a phishing attack against them, or they work for a company that had their passwords breached or their information stolen….Almost every tech bill that I have passed has had one or more Democrat as joint authors.”
Despite the unusual bipartisan consensus, the lawmakers noted that the biggest hurdles to passage of cybersecurity-related regulation stem from questions around funding. The panelists described instances when their bills had to be changed or were outright rejected simply because they might require funding.
“When I passed the Cybersecurity Task Force bill, for example, it actually started as a risk pool for schools for cybersecurity insurance,” Sen. Brown said. ”I couldn’t get that done because there was a fear we might put money in it, and we weren’t going to fund it. And so we were left with just the show of the task force.”
Sen. Hester echoed this challenge, adding that resistance also stems from regulated entities, like counties, school districts, and hospitals, that are often reluctant to adopt new cybersecurity requirements.
“We’ve got many, many stakeholders who don’t want to raise their game, but they still expect the state to bail them out when everything goes wrong,” said Sen. Hester. “We balance our budget every year, so we’re trying to make this make financial sense. It’s more of a funding and cost issue than a partisan issue.”
This message was echoed in a separate fireside chat between POLITICO’s Maggie Miller and Colin Ahern, Chief Cyber Officer of New York. Ahern stressed that the need for cybersecurity regulation and funding must go hand-in-hand with setting regulated entities up for success when the state requires them to comply with new standards. He argued that federal, state, and local governments cannot effectively protect the critical infrastructure assets they do not invest in.
3) More outreach is needed to raise awareness and convey the value of free cybersecurity resources available to under-resourced public agencies.
Throughout the day, speakers spotlighted initiatives that support organizations operating on the ‘cyber poverty line’ by providing free or discounted cybersecurity services. These included organizers of programs like cyber volunteering initiatives that harness the expertise of professionals working in the private sector, university-based cybersecurity clinics, and free government-provided services.
These efforts fill critical service gaps for organizations that cannot afford to hire dedicated cybersecurity staff, use external managed security service providers (MSSPs) and managed service providers (MSPs), or pay for pricey cybersecurity software.
However, several panelists identified that while a growing number of programs now offer pro -bono cybersecurity services, the organizations most in need often do not know these resources exist.
“We have to get out into the field and let folks know about these resources. That is one of the biggest challenges,” said Brandon Carter, Senior Cybersecurity analyst at the Environmental Protection Agency (EPA). “We have the ability in our programs to scale up as needed, but it’s just the matter of […] convincing water and wastewater utilities that, one, these programs are designed and tailored for you, and two, they are free and they are super beneficial.”
Carter spoke on a panel discussion entitled “Sealing the Leak for Good: Rethinking Philanthropy’s Role in Water and Wastewater System Resilience,” alongside leaders from Dragos, Water-ISAC, and I&C Secure Inc. Moderated by Sasha Cohen O’Connell of Aspen Digital, the panel focused on the unique cybersecurity challenges facing America’s water and wastewater infrastructure – sectors for which the EPA is designated as the federal government lead for managing cyber risk and ensuring cyber resilience. As part of that responsibility, the EPA offers a variety of free services, including technical cybersecurity assistance and free cybersecurity assessment of water and wastewater utilities’ IT and OT systems.
A similar point was raised by Tony Sauerhoff, CISO for the State of Texas, during a panel entitled, “Without Washington?: Rethinking Shared Responsibility for Regional Cyber Resilience.” Sauerhoff’s office established Texas’s regional security operations centers (RSOCs), university-based programs that offer free cybersecurity incident response services to local governmental entities.
Despite the value these programs provide, Sauerhoff noted that it is difficult to get entities to participate. “I can tell you from experience: it’s tougher than you might think to give away free, valuable resources,” he said. “It’s a lot of work to get entities on board….A lot of education is involved. But it’s also really important.”
Sauerhoff described the significant effort required to bring clients onboard and help them understand the cyber risks their organizations face. He described the challenge of getting leaders at local government offices to grasp the likelihood that their networks could be compromised, or to understand the potential impacts, available mitigation options, and how they can take ownership of the challenge.
He also cautioned that funding alone is not a cure-all remedy. Even free resources and services go unused – particularly in rural areas – because organizations may lack the expertise or understanding to seek them out or make use of them. Sauerhoff stressed that improving rates of adoption depends on education, relationship building, and a mindset shift among local leaders.
4) Private companies can play a greater role in cyber civil defense, including by embracing secure-by-design principles.
Another prominent theme at the Summit was the role industry plays in cyber civil defense, particularly as vendors of the technology and software that public interest organizations rely on to facilitate their operations and deliver their public services. By embracing secure-by-design principles that are turned on by default, companies can help shift the burden away from ‘cyber poor’ organizations that lack the capacity to secure their systems on their own.
“There’s a really important role for companies to play in this work,” said Michael Klein, Senior Director for Preparedness and Response at the Institute for Security and Technology (IST). “In each sector, there’s probably 20 to 30 companies that make up critical infrastructure. There is a small number of incredibly important vendors…. We need these companies to be more secure by design. If you hand us software that’s insecure out of the box, most people won’t fix it.”
Udbhav Tiwari, Vice President of Strategy and Global Affairs at Signal, delivered a keynote address about Signal’s mission to uphold user privacy and defend end-to-end encryption. He spoke about Signal’s commitment to data minimization principles and described its efforts to counter surveillance-based business practices within tech industry products that undermine encryption, such as client-side scanning– referring to systems that scan message contents for objectionable content prior to sending to a recipient.
“We don’t think that end-to-end encryption should be a feature or something you enable in order to protect yourself,” said Tiwari. “It should be the default, because privacy is the entire point.”
He argued that Signal’s default privacy features set the benchmark for what others in the tech industry should do to improve cybersecurity for everyone, highlighting the app’s most recent privacy feature innovations, such as decoupling private communications from phone numbers by introducing a username feature, deploying post-quantum cryptography by upgrading to the PQXDH protocol, and updating the Signal app for Windows block AI-enabled features from taking screenshots by implementing digital rights management (DRM) technology.
At the end of his talk, Tiwari issued a call to action for the cyber civil defenders in the audience to work to ensure there are spaces for secure, private communications, where society can organize, dissent, and connect freely.
“You cannot defend the nation by only hardening networks,” said Tiwari. “You must defend private communications that happen on them as well. Treat private communications as the fundamental utility it is. Nurture it, fund it, and defend it with the same urgency that you give the power grid. The future of a free society depends on it.”
We look forward to the next Cyber Civil Defense Summit in 2026. CLTC thanks those that made this year’s Summit possible, especially Craig Newmark Philanthropies, Okta for Good, and Google.org. Event sponsorship opportunities are available, and inquiries and suggestions for speakers and topics are welcomed at cltc@berkeley.edu.
