Whole-of-state cybersecurity: Protecting the public information ecosystem

Why the whole-of-state ecosystem may need state support

Cybercriminals, including state-sponsored foreign agents, tend to target public assets that aren’t sufficiently protected—the most vulnerable.⁴ These cyber-underserved entities often include local governments and K-12 school districts. Other potential targets are public colleges and universities, utilities, and critical infrastructure such as ports, airports, and dams.⁵ If compromised, any of these could cause widespread disruption.

There are also many quasi-public and public-adjacent institutions—private hospitals, transit systems, convention centers, port authorities—that often operate outside direct government control but are connected to public systems.

Taken together, these entities represent the whole-of-state cyber ecosystem.

The journey to “whole-of-state” cybersecurity

Whole-of-state cybersecurity is not one-size-fits-all. Each state’s circumstances help determine the appropriate course of action. Many states may also be plowing new ground, as there are few established “leading practices” or mature examples of whole-of-state cybersecurity currently in place.

To address these challenges, the Deloitte Center for Government Insights has identified five select questions an effective strategy should answer (figure 3). These questions form a strategic choice cascade, meaning the answers should align with one another. The questions are:

• What is your whole-of-state cybersecurity aspiration?
• What areas or entities should you protect?
• What is your approach to achieving effective results?
• What capabilities are needed?
• What governance structures are needed?

Case studies: How states are defending the whole-of-state ecosystem

Texas: A regional support model in collaboration with public universities

Texas has significantly strengthened its cybersecurity capabilities on the path toward providing whole-of-state cyber defense. In 2021, the state enacted Senate Bill 475, which funded the Texas Department of Information Resources (DIR) to coordinate cybersecurity initiatives and established 12 regional zones for enhanced local collaboration. In 2025, House Bill 150 was passed, establishing the Texas Cyber Command (TCC) with an allocation of $135 million to support operations through 2027. The TCC will operate within the University of Texas System and be led by a chief appointed by the governor.¹⁸

The TCC will act as the state’s cybersecurity hub, encompassing sectors such as energy, water, health care, transportation, communications, and finance. It is empowered to receive cyber incident reports, conduct digital forensics, develop threat intelligence, and support workforce training.

In 2022, the DIR launched the first regional security operations center (RSOC) in partnership with Angelo State University in San Angelo, Texas. The state’s commitment to Angelo State University—both in terms of funding and expertise— is intended to enable the university to provide cybersecurity services to local governments. Housed on campus and staffed in part by students, the RSOC provides 24/7 monitoring of servers, systems, and network traffic for local governments and other public entities, identifying threats in real time.¹⁹

The RSOC also provides policy guidance, training, and support to anyone who signs up. To receive services, an entity—such as a city, county, school district, special district, state agency, public junior college, or utility—needs to contact the RSOC to inquire about eligibility. Once qualified, the entity enters into a local contract with the RSOC and can start receiving services. By involving students in hands-on cybersecurity work, RSOCs help build a pipeline of local cyber talent while also reducing staffing costs.

One strength of the RSOC model is its geographic proximity to local government entities. Although local governments aren’t required to follow state security standards, a nearby RSOC operated by a familiar university or organization can help build trust. This personal touch makes local agencies more likely to participate and accept help.²⁰ Looking ahead, the Texas Cyber Command will continue this regional framework and seek to establish an RSOC in each of the state’s 12 designated economic regions.²¹ It will work closely with RSOCs to coordinate cybersecurity efforts for all covered entities within the state.

Oregon: State universities delivering cybersecurity for local entities

In July 2023, Oregon Governor Tina Kotek signed House Bill 2049 into law, officially launching the Oregon Cybersecurity Center of Excellence (OCCoE) with the goal of strengthening the state’s cyber resilience while building a cybersecurity talent pipeline. Through this legislation, three state-run universities provide security monitoring operations and other cybersecurity services to local governments and other entities, while also training the next generation of cyber professionals in Oregon.²²

The OCCoE is a collaborative effort among Portland State University (PSU), Oregon State University (OSU), and the University of Oregon (UO). Each university receives operational funding and supports the state’s chief information security officer across a range of cybersecurity functions, including threat information-sharing, security assessments, and security services for local governments.²³

The SOC services are provided, for the time being, free of cost to eligible entities, including local governments and other public entities. The idea is to involve students in providing critical monitoring services to public entities that may lack sufficient cybersecurity capabilities. (OSU already has a functional research-SOC—ORTSOC—serving local governments and school districts, while UO is in the process of launching its own.)²⁴ “These SOCs are teaching labs, designed like a medical school,” explains Birol Yesilada, professor and director of PSU’s Mark O. Hatfield Cybersecurity and Cyber Defense Center and founding director of the OCCoE. Just like teaching hospitals that both treat patients and train medical students, these research-SOCs serve government entities and prepare future cyber professionals in a real-world setting. “Fourth-year students monitor networks … They rotate through different tasks, learning every facet of SOC operations,” notes Yesilada.²⁵

At PSU, the impact goes beyond students. The university offers a cybersecurity resilience certification for local governments, school districts, and special districts. In 2025, 50 people completed a program funded through a congressional earmark. “Some special districts have just two or three employees managing everything,” says Yesilada. “Our virtual program helps them build cyber resilience through simulations and tabletop exercises.”²⁶

At Oregon State University, the SOC—formally known as ORTSOC—operates weekdays from 7 a.m. to 7 p.m., with plans to expand hours in the near future. Rakesh Bobba, associate professor at OSU and associate director of the Oregon Cybersecurity Center of Excellence, says, “ORTSOC is eager to partner with clients who believe in the workforce development mission of ORTSOC and who have at least one (part-time) IT person who can respond in case the ORTSOC detects a threat.” Bobba notes that some clients are small local governments with only a few computers, and for such entities, ORTSOC is often the primary line of defense.²⁷

Onboarding entails ORTSOC installing a network sensor on a client’s system to collect log data—at no cost to the client. “Security assessments, network monitoring, remote incident response, and penetration testing are our core services,” Bobba adds. “We’re planning to expand that list in the coming year.”²⁸

These are important first steps as Oregon continues its efforts to strengthen relationships among state government, the university system, and local players, laying the groundwork for future progress.

Other efforts to promote local public cybersecurity defense

Recognizing the limitations of fragmented cybersecurity efforts, the federal government launched the State and Local Cybersecurity Grant Program (SLCGP) in 2022.³³ The program allocates funding to each state based on a statutory formula, with a mandate that at least 80% of the funds directly support local governments. While the SLCGP marked an important step toward a whole-of-state cybersecurity approach, its implementation has faced some challenges, funding levels have been quite limited, and the future of the program may be in doubt.³⁴

States are also following other approaches to provide cyber services to the whole-of-state ecosystem:

• North Carolina incident response services: Facing escalating cyberthreats, North Carolina established the Joint Cybersecurity Task Force, an alliance of state, local, and federal entities. The task force provides support to government entities statewide, including schools and local agencies, delivering services such as incident coordination, technical aid, and on-site recovery. The task force includes the North Carolina Department of Information Technology, North Carolina Emergency Management, the National Guard, the FBI, the Department of Homeland Security, and local IT volunteers.³⁵
• North Dakota: Since 2020, North Dakota has launched several initiatives to deliver whole-of-state cybersecurity services, including the establishment of a central SOC to monitor and protect over 250,000 devices across state and local entities. Using AI-driven threat detection, daily security alerts declined by 99.6%.³⁶ The state also deployed advanced endpoint protection—free of cost—to schools and local governments, helping to secure thousands of devices.³⁷
• New York shared services program: New York State launched the Shared Services Program in 2022, offering advanced cybersecurity tools to county and local governments regardless of their technological maturity. The program’s flagship service is an endpoint detection and response solution that monitors devices for suspicious activity. Crucially, data from these tools feeds directly into the New York State SOC, giving the state a comprehensive view of cyberthreats across all levels of government.³⁸

Fighting the battle of Muleshoe

Why would foreign hackers bother disrupting a water system in a small town like Muleshoe, Texas? Perhaps they’re practicing—testing defenses, probing weaknesses, and preparing for larger-scale disruptions.

Cybersecurity is a persistent battleground, with cyberattacks growing in scale, frequency, and impact. Even the smallest local entity could be on the front line of an ongoing global cyber conflict. As the federal role in cybersecurity support shifts, the responsibility to protect systems is increasingly falling on state and local governments.

State leaders can help build a resilient and coordinated defense. By addressing the five questions highlighted in this article, leaders can help craft a vision for whole-of-state cybersecurity and a clear pathway to achieving it.

As part of building a whole-of-state vision, leaders should also consider the following:

• Working with the legislature to enhance understanding of the risks associated with insufficient cybersecurity preparedness across the whole-of-state ecosystem
• Building relationships with local officials to address incident prevention, monitoring and response, and to understand their concerns
• Building relationships with higher education leaders and workforce development leaders throughout the state to strengthen the cybersecurity talent pipeline
• Collaborating with federal officials at CISA and other federal agencies to understand and minimize gaps in cybersecurity

While many states have taken initial steps, few have fully addressed the five select questions outlined in this article.³⁹ Answering them—collectively and strategically—will be essential on the journey toward building resilient, statewide cybersecurity postures. Each state’s path will differ, and the precise structure of a coordinated defense posture will inevitably vary. But the reality of a growing threat to the whole-of-state ecosystem is driving many states toward delivering stronger cyber defenses for smaller, more vulnerable public entities.