The Biggest Cybersecurity Threats Facing State and Local Governments Right Now

Why State and Local Governments Are Prime Targets

State and local government entities — collectively known in the industry as SLED — have become some of the most aggressively targeted organizations in the cybersecurity threat landscape. The reasons are straightforward: they hold enormous volumes of sensitive citizen data, they operate legacy infrastructure that is difficult and expensive to modernize, they are chronically underfunded on the security side, and they cannot simply take systems offline when an attack occurs. Emergency services, payroll, permitting, utilities management — all of it depends on continuous system availability.

What I see working with public sector clients is a gap between the sophistication of modern threat actors and the actual security posture of most government agencies below the federal level. That gap is widening. Threat actors know it. And if you are responsible for compliance or security at a state agency, county government, municipality, or special district, understanding the specific threat vectors targeting your environment right now is the first step toward closing it.

Ransomware: Still the Dominant Threat

Ransomware remains the single most damaging and most common cybersecurity threat facing state and local governments. High-profile incidents have disrupted entire cities, shut down court systems, compromised emergency dispatch operations, and cost taxpayers tens of millions of dollars in recovery costs — often far exceeding what a robust security program would have cost to build.

Several factors make government entities particularly attractive targets for ransomware groups. First, the pressure to restore public services creates strong incentives to pay ransoms quickly. Second, many agencies lack tested backup and recovery procedures, which removes the most effective non-payment response option. Third, ransomware operators have learned that publicly embarrassing government entities — by threatening to release sensitive constituent data — adds leverage that does not exist in most commercial attacks.

Modern ransomware deployments are increasingly double or triple extortion schemes. Attackers no longer just encrypt data: they exfiltrate it first, then threaten public disclosure. For a county health department holding medical records, or a state tax authority holding financial data, the downstream liability of a disclosure event extends well beyond the immediate operational disruption.

Our Federal & SLED Risk Assessments service specifically evaluates ransomware exposure across backup integrity, network segmentation, and incident response readiness — the three areas where we most consistently find critical gaps in government environments.

Phishing and Social Engineering at Scale

Phishing remains the primary initial access vector for nearly every major attack targeting government networks. What has changed is the sophistication of the attacks. Generic mass-phishing campaigns have given way to spearphishing — highly personalized messages that impersonate known vendors, elected officials, federal agency contacts, or grant administrators.

Government employees are particularly susceptible because they regularly communicate with a wide range of external parties: federal agencies, contractors, constituents, vendors, and media. Threat actors exploit that breadth. A well-crafted email impersonating a federal grant program or a utility billing system can bypass even trained employees.

Business Email Compromise (BEC) is a specific and growing variant of this threat. In BEC attacks targeting local governments, attackers compromise or spoof a legitimate email account and redirect vendor payments or payroll deposits to attacker-controlled accounts. These attacks often go undetected for weeks. The financial losses are immediate and often unrecoverable.

Comprehensive security awareness training, multi-factor authentication, and email authentication protocols like DMARC, DKIM, and SPF are minimum baselines — not differentiators. If your agency does not have all three deployed and verified, your phishing exposure is materially higher than it needs to be.
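"Deployed and verified" means more than a record existing in DNS. The following added example (not code from the original article or from Cleared Systems) evaluates constructed SPF and DMARC TXT records for fictional domains against the baseline: an SPF record that actually fails or softfails unknown senders, and a DMARC policy that is enforcing rather than monitor-only, with aggregate reporting turned on.

```python
"""Baseline check for SPF and DMARC TXT records (added example, not from the article).
The records below are constructed sample DNS TXT values for fictional domains."""
import re

# Constructed sample records: one weak configuration, one meeting the baseline.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:reports@strong.example; adkim=s; aspf=s",
    },
}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC-style record into a dict."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)

def check_spf(spf):
    """Return findings for an SPF record; an empty list means the baseline is met."""
    if not spf.startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", spf)
    if m is None:
        return ["SPF has no 'all' mechanism, so unknown senders are never rejected"]
    if m.group(1) not in ("-", "~"):  # '?all' is neutral, '+all'/'all' passes everyone
        return [f"SPF '{m.group(1)}all' qualifier neither fails nor softfails unknown senders"]
    return []

def check_dmarc(dmarc):
    """Return findings for a DMARC record; p=none is monitor-only."""
    tags = parse_tags(dmarc)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC policy p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC has no rua address, so aggregate reports are never received")
    return findings

def evaluate(domain_records):
    """Map each domain to its combined SPF and DMARC findings."""
    return {d: check_spf(r["spf"]) + check_dmarc(r["dmarc"]) for d, r in domain_records.items()}
```

In practice the records would be fetched from DNS for each sending domain the agency owns; DKIM verification needs the selector names in use and is not covered here.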

Third-Party and Supply Chain Vulnerabilities

State and local governments rely heavily on third-party software vendors, managed service providers, and cloud platforms. That dependency creates significant supply chain risk. The SolarWinds attack demonstrated at a national scale what security professionals had long warned: a single compromised vendor can provide access to thousands of downstream organizations simultaneously.

For local governments, the supply chain risk is amplified because vendor oversight is often minimal. Many agencies operate under procurement rules that prioritize cost and features over security posture. Vendor security assessments, if they happen at all, are often cursory checkbox exercises rather than substantive evaluations of actual controls.

Third-party risk is not theoretical. When a local government's managed IT provider is compromised, every agency that provider supports becomes an attack surface. When a software vendor pushes a malicious or vulnerable update, every installation is immediately affected. Building a vendor risk management program that goes beyond contract language and includes ongoing security validation is essential — not optional.

Legacy Infrastructure and Unpatched Systems

One of the defining characteristics of state and local government IT environments is the age of core systems. Enterprise resource planning platforms, permitting systems, tax administration software, and public safety systems are often a decade or more old. Many run on operating systems that are no longer supported by their vendors. Patching cycles, where they exist at all, are slow and inconsistent.

Unpatched vulnerabilities are the path of least resistance for threat actors. Known exploits for common vulnerabilities are freely available, and attackers systematically scan for exposed systems running outdated software. This is not sophisticated adversarial tradecraft — it is opportunistic exploitation of preventable exposures.

The challenge for government IT teams is real: patching legacy systems can break critical functionality, and the budget to replace aging infrastructure rarely materializes. But the risk calculation has shifted. The cost of a ransomware recovery event — in direct costs, lost productivity, reputational damage, and potential liability — almost universally exceeds the cost of a structured modernization program. Prioritizing endpoint security and establishing a documented patch management process are foundational controls that reduce exposure without requiring wholesale infrastructure replacement.

Insider Threats and Credential Compromise

Insider threats in government environments take two forms: malicious insiders acting with intent, and negligent insiders whose actions create exploitable vulnerabilities. Both are significant concerns in public sector environments where employee turnover is high, off-boarding processes are inconsistent, and access provisioning is often poorly controlled.

Credential compromise is closely related. When employees reuse passwords across personal and professional accounts, when multi-factor authentication is not enforced, or when privileged access is not tightly scoped, a single stolen credential can provide an attacker with deep access to government systems. Credential stuffing attacks — in which attackers use lists of previously breached username and password combinations to attempt access to government portals — are increasingly common and increasingly effective against agencies that have not enforced strong authentication policies.
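Credential stuffing has a distinctive shape in authentication logs: one source trying many different usernames, each usually only once or twice, rather than one user fumbling a password. The added example below (not from the original article) runs that detection over constructed log lines in an assumed `timestamp ip user result` format and lists the accounts that nonetheless authenticated from a flagged source, which are the ones to reset first.

```python
"""Flag credential-stuffing patterns in auth logs (added example, not from the article).
Log lines are constructed samples in an assumed 'timestamp ip user result' format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: 198.51.100.7 sprays many accounts, 203.0.113.9 is one user retrying.
SAMPLE_LOG = """\
2024-03-01T09:00:01 198.51.100.7 jdoe FAIL
2024-03-01T09:00:02 198.51.100.7 asmith FAIL
2024-03-01T09:00:02 198.51.100.7 bchen FAIL
2024-03-01T09:00:03 198.51.100.7 mgarcia FAIL
2024-03-01T09:00:04 198.51.100.7 rpatel FAIL
2024-03-01T09:00:05 198.51.100.7 tlee SUCCESS
2024-03-01T09:05:00 203.0.113.9 jdoe FAIL
2024-03-01T09:05:30 203.0.113.9 jdoe FAIL
2024-03-01T09:06:00 203.0.113.9 jdoe SUCCESS
"""

def parse_log(text):
    """Turn each line into (timestamp, ip, user, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: set(users)} for sources that failed against at least min_users
    distinct accounts within one sliding window. Counting distinct users, not raw
    failures, separates stuffing from a single user mistyping a password."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        if not ok:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged

def successes_from_flagged(events, flagged):
    """Accounts that logged in successfully from a flagged source: likely reused
    passwords, so prioritise them for forced reset and session revocation."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})
```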

Zero trust architecture principles address many of these exposures by eliminating implicit trust based on network location and requiring continuous verification of every access request. Understanding zero trust security fundamentals is increasingly relevant for public sector IT and compliance leaders.

Critical Infrastructure Attacks Targeting Government Operations

State and local governments are also responsible for — or closely connected to — critical infrastructure: water treatment, wastewater management, traffic systems, emergency communications, and in many cases public power utilities. Attacks on these systems carry consequences that go beyond data loss or financial damage. They pose direct public safety risks.

Nation-state threat actors and sophisticated criminal groups have demonstrated both the interest and the capability to target operational technology (OT) environments connected to public infrastructure. Industrial control systems that manage water treatment or power distribution are increasingly networked — often poorly secured — and represent high-value targets for disruption campaigns.

The separation between IT and OT environments, which was once a reliable security boundary, has eroded. Agencies responsible for physical infrastructure need to evaluate OT security as a distinct but integrated component of their overall cybersecurity program.

The Compliance and Governance Gap

Underlying most of the threats described above is a governance gap: many state and local government entities lack the formal cybersecurity program infrastructure needed to identify, assess, prioritize, and remediate risks in a structured and sustainable way. Without a documented risk management framework, security investments are reactive rather than strategic. Resources go to the loudest problems rather than the highest risks.

Federal funding — including grants through CISA's State and Local Cybersecurity Grant Program — has provided new resources for improving public sector security posture. But funding without a mature compliance program framework to direct and govern its use produces limited results. Grant dollars spent on tools without the processes and personnel to operate them effectively do not move the needle.

Building a structured Compliance Program Development foundation is how agencies transform from reactive to resilient. It is also increasingly a prerequisite for accessing and justifying continued federal grant funding.

What State and Local Government Agencies Should Do Now

The threat environment facing state and local governments is serious, but it is not unmanageable. The organizations that build durable security postures share several characteristics:

  • They start with a formal risk assessment. You cannot prioritize what you have not identified. A structured cybersecurity risk assessment, benchmarked against NIST CSF or NIST SP 800-53, gives leadership an honest picture of current exposure and a defensible basis for investment decisions.
  • They address authentication as a non-negotiable baseline. Multi-factor authentication, privileged access management, and strong password policies eliminate a disproportionate share of credential-based attack vectors at relatively low cost.
  • They build and test incident response capabilities. A plan that has never been exercised is not a plan — it is a document. Tabletop exercises and technical drills validate response capabilities and surface gaps before attackers do.
  • They manage third-party risk actively. Vendor security reviews, contract security requirements, and ongoing monitoring of critical service providers reduce supply chain exposure meaningfully.
  • They invest in security awareness continuously. Phishing simulations, regular training updates, and a culture that rewards reporting suspicious activity reduce the human attack surface that no technical control can fully eliminate.
  • They consider outside expertise where internal capacity is limited. Regulatory vCISO Services give agencies access to senior security leadership without the cost and hiring challenges of a full-time CISO hire — a model that fits the budget and staffing realities of most state and local entities.

For agencies that want to understand where they currently stand, our SLED risk assessment services provide a structured starting point that produces actionable findings, not just a report.

The Stakes Are Higher Than Ever

Cyberattacks against state and local governments are not abstract risks or theoretical scenarios. They are happening at an accelerating pace, with increasing sophistication and increasingly severe consequences. The question for every compliance manager and executive in this space is not whether your agency will be targeted — it is whether you will be prepared when it happens.

The investment required to build a defensible security posture is real. But it is consistently smaller than the cost of a major incident — in direct financial terms, in service disruption, in legal liability, and in the erosion of public trust that follows a preventable breach.

Take the Next Step

Cleared Systems works with state and local government agencies, federal contractors, and regulated organizations to build compliance programs and cybersecurity postures that hold up under real-world pressure. If you are ready to assess your current exposure and build a roadmap toward resilience, request a quote or explore our engagement models to find the approach that fits your organization's size, budget, and timeline.
