AI hacking era could hit hardest at state and local level
Add Axios as your preferred source to
see more of our stories on Google.
Illustration: Megan Robinson/Axios
Big banks and federal agencies are working frantically to shore up their defenses against new advanced AI systems, but small towns, schools and utilities lack the staff and basic cyber defenses needed to fend off such threats, experts tell Axios.
Why it matters: Cybercriminals and nation-state hackers have long viewed state and local targets as gateways for their attacks.
- Many such organizations still struggle with basic cyber hygiene — including asset inventories, identity management and multifactor authentication — even as AI's advances dramatically accelerate the rate at which hackers can discover and exploit vulnerabilities.
- Even if state and local governments get access to tools like Mythos and GPT-5.5-Cyber, they likely won't have the personnel or funding to fix all of the security flaws the programs uncover.
Driving the news: Senate Minority Leader Chuck Schumer (D-N.Y.) wrote to Homeland Security Secretary Markwayne Mullin this month expressing concern about "the lack of an effective plan to coordinate with state, local, tribal, and territorial" governments on AI cyber threats.
- Senior security officials from more than a dozen states sent a letter to OpenAI, Anthropic, Microsoft and Google this month urgently seeking to be included in projects that test new frontier models' cyber capabilities.
- The House Homeland Security Committee's cyber subcommittee will hold a hearing Thursday on state and local cyber threats.
The big picture: Cybersecurity leaders who work closely with state and local governments say many public-sector organizations are already struggling to inventory systems, patch vulnerabilities and hire security staff.
- Some rural municipalities and school districts don't even have dedicated cybersecurity personnel.
- In some cases, the IT leader might also be the school nurse or the town clerk's grandson, said Randy Rose, vice president of security operations and intelligence at the Center for Internet Security.
Threat level: Those shoddy defenses are now up against a world of AI-enabled hacking.
- "The timeline between when a vulnerability gets exposed and how you respond has shrunk," Rose told Axios. "That's something a lot of organizations aren't prepared for, and they're looking for help in that space."
By the numbers: 63% of state chief information security officers said they aren't confident their state can secure the data of government agencies and public universities, according to a survey released in April from the National Association of State Chief Information Officers (NASCIO) and Deloitte.
- 47% of state CISOs in the survey said they lack confidence in their ability to fend off AI-enabled attacks.
- "You could throw all the money in the world at it, buy every single tool, do all the things, and you could still have an attempt," Meredith Ward, deputy director of policy and research at NASCIO, told Axios. "Everything's changing so rapidly."
Between the lines: Preparedness for AI-fueled hacking threats varies across states and local governments, experts say.
- States that have spent years centralizing cybersecurity operations and building dedicated cyber offices are in a much stronger position.
- Critical infrastructure operators face a separate challenge: many industrial control systems were built decades ago without modern authentication or security protections in mind, Chris Grove, director of cybersecurity strategy at Nozomi Networks, told Axios.
Reality check: Some state and local entities aren't rushing to gain access to frontier cyber models because they lack the operational capacity to harness them.
- "If you have crappy cybersecurity and then you throw AI on top of it, you're going to have a whole lot of crappy cybersecurity problems to solve," Grove said.
The flip side: OpenAI recently briefed some state and local officials on its cyber-focused models, as Axios first reported.
- An Anthropic spokesperson told Axios that the company recently held a bipartisan briefing with the majority of states and the District of Columbia on supporting their critical cybersecurity efforts. Several of the attendees already use Claude Security Opus 4.7, per the spokesperson, and the company just pushed Claude Security into public beta, which is available to all customers.
- Meredith Burkart, senior director of government affairs at Halcyon and a former FBI cyber policy chief, told Axios that many state leaders are motivated by the challenge posed by the new tools.
- "Hearing the enthusiasm, and 'Let's roll up our sleeves, we have to do more of this,' is very heartening to me," she said.
What to watch: Congress is considering legislation that would reauthorize the State and Local Cybersecurity Grant Program, which provided $1 billion to various security-focused projects across the country.
- State officials and cybersecurity groups say the program has been especially important for helping local governments deploy shared cybersecurity services and basic defenses.
- "Local governments need the help," Ward said. "The bad actors, they don't care where the state border lines are. They don't care where the city border lines are. Everyone's the target."
Go deeper: Tapping the powers of Mythos-like models still requires human intervention
