States Should Learn From Each Other to Close Cybersecurity Gaps

Cyberattacks have surged nationwide, affecting nearly every critical infrastructure sector. In Minot, North Dakota, a ransomware attack targeted the city’s water treatment plant and forced staff to run the facility manually for 16 hours. In Winona County, Minnesota, attacks shut down critical systems for the second time this year alone, prompting the governor to activate the National Guard. These and other incidents illustrate that threat actors are probing every layer of state and local governments to exploit any gaps. Some states have adopted proactive strategies to strengthen their cyber capabilities, but many still lag, underscoring the need for every state to act and follow emerging state models that strengthen coordination, standardize practices, and close the gaps that threat actors continue to exploit.

Texas emerged as an early leader in strengthening its cybersecurity by launching a statewide Cyber Command Center in June 2025, creating a centralized hub that finds and fixes vulnerabilities in government systems, trains public‑sector workers, and coordinates rapid responses to cyber incidents. The state acted after a wave of escalating attacks, including breaches that shut down services in Mission and Abilene and exposed 300,000 transportation records. To strengthen long‑term resilience, Texas also partnered with academic institutions to build a cybersecurity talent pipeline, with the University of Texas at San Antonio investing heavily in facilities that will train the state’s future cyber workforce.

Nevada’s Governor’s Technology Office in February 2026 issued a statewide data classification policy in response to a cyber attack that infiltrated state systems, exposed 3,200 files, and cost $1.5 million to resolve. The policy establishes four clear categories—public, sensitive, confidential, and restricted—to guide cybersecurity efforts by aligning protections with risk levels. Before the attack, agencies relied on inconsistent practices that left staff guessing how to safeguard information, creating confusion and openings that attackers could exploit. This new framework gives every agency a shared playbook, strengthening daily operations and the state’s ability to contain future breaches.

Mississippi, in late March 2026, created a State Security Operations Center inside its Department of Information Technology Services. The Center aims to serve as a cross‑agency hub for detecting, responding to, and recovering from cyber incidents, providing continuous monitoring, threat detection, and incident response. The Center will also partner with Mississippi’s public universities and community colleges to develop a Cybersecurity Talent Pipeline Program. By consolidating operations into a central hub and strengthening its workforce pipeline, Mississippi reduces duplication and ensures it maintains a highly skilled workforce ready to act when incidents occur.

West Virginia, in early April 2026, adopted legislation authorizing the state’s chief information security officer (CISO) to establish statewide cybersecurity policies and a unified standards framework aligned with industry best practices. The law replaces the state’s patchwork of ad‑hoc, agency‑by‑agency practices with consistent requirements and centralized oversight. It also reduces the risk of vendor lock‑in—when agencies become stuck with a single company’s tools because switching is too costly or difficult—by setting technology‑neutral requirements that let agencies choose any solution that meets statewide standards instead of forcing agencies to rely on certain products, giving them the flexibility to change vendors as needs and threats evolve.

Maine’s House of Representatives in early April 2026 advanced bill LD 2103, which would require hospitals to adopt cybersecurity plans aligned with the federal government’s Cybersecurity and Infrastructure Security Agency’s best practices, including timely reporting, backup communications, and annual staff training. The bill also mandates continuity‑of‑care procedures and patient‑notification protocols so hospitals can keep treating patients even when systems go offline. These requirements directly address the breakdowns exposed by recent attacks that affected more than 400,000 residents, showing how quickly a single intrusion can cascade across a state’s health system. By requiring hospitals to plan for outages, diversion, and rapid triage, the legislation strengthens one of the state’s most essential pieces of critical infrastructure.

New York Governor Kathy Hochul, in early March, announced new regulations requiring water treatment facilities to adopt comprehensive cybersecurity standards, including operator training, vulnerability management, and continuous network monitoring. The regulation also adds incident‑response planning, access controls, and regular testing to address the outdated equipment and inconsistent practices that have left water systems vulnerable nationwide. Paired with the $2.5 million Strengthening Essential Cybersecurity for Utilities and Resiliency Enhancements program—which provides $50,000 for assessments, $100,000 for upgrades, and free technical assistance—the effort gives even small utilities the resources to harden their defenses.

These five states each identified a specific vulnerability and closed it with targeted action. Others should follow their lead by avoiding ambiguity with clear standards (e.g., Nevada’s data classification policy and West Virginia’s forthcoming statewide cyber framework); creating unified structures to consolidate cyber operations (e.g., Mississippi’s State Security Operations Center and Texas’ Cyber Command Center); strengthening cyber workforce pipelines by establishing relationships with universities (e.g., Mississippi and Texas); and extending cybersecurity mandates across critical infrastructure (e.g., Maine’s proposed approach to health care and New York’s new regulations for water treatment facilities and existing regulations for all utilities). While federal agencies provide essential support, states should act boldly and share what works to strengthen not only their own defenses but the nation’s collective security.