The Shared Antenna Problem
When federal funding cuts killed MS-ISAC support, state CISOs lost more than a budget line. They lost the antenna that let them hear what was coming.
Jason Walker
Imagine you run security for a mid-size city. Your team is three people. Your budget covers the basics: endpoint protection, a firewall that has seen better days, and one analyst who splits time between security and desktop support. You are not underprepared by choice. You are underprepared because that is the math.
Now imagine someone cuts the early warning system that told you a ransomware variant was circulating through municipalities in your region before it hit yours. Not because the system stopped working. Because someone decided the contract was redundant.
That is exactly what happened when federal support for the MS-ISAC was gutted.
I want to be honest about something most commentary on this topic avoids: the MS-ISAC was not a luxury. It was load-bearing infrastructure. The distinction matters, because when people frame it as a "nice to have" program, the political math becomes easy. Cut it. Save the money. Let states figure it out. What that framing misses is that the MS-ISAC was not handing out pamphlets. It was operating a collective sensor network spanning tens of thousands of government entities, feeding aggregated threat intelligence back to members who had no other practical way to get it.
Think about how air traffic control works. A single small airport cannot afford to maintain radar infrastructure that gives it visibility into everything moving in its airspace. The system works because there is shared infrastructure, shared data, and shared protocols for acting on that data. Gut the centralized system and every node goes blind independently. The planes are still up there. The controllers just cannot see them.
That is the architecture problem at the center of this debate.
State and local government cybersecurity is structurally fragmented. Dozens of agencies inside a single state government may have different security tools, different logging configurations, different incident response procedures. Extend that out to counties, municipalities, school districts, public utilities, rural hospitals. You have thousands of independently operated environments with almost no common visibility layer. MS-ISAC was the closest thing to a common visibility layer that most of those entities had ever seen.
When the funding disappeared, the entities that could afford the new fee structure paid and stayed. The ones that could not, dropped off. And the ones that dropped off were almost always the smallest, the most rural, the most resource-constrained, and by extension, some of the most attractive targets. Ransomware operators do not go where defenses are strong. They go where defenders are isolated and overextended.
Here is the operational reality I live with every day running enterprise security at scale: information sharing is not a feel-good exercise in interagency cooperation. It is the mechanism by which defenders maintain collective situational awareness against adversaries who share freely among themselves. Threat actors collaborate. They sell access. They post tools. They share techniques across forums where the only membership requirement is intent to attack. The defender community does not have that luxury by default. We have to build the sharing infrastructure deliberately, and we have to fund it.
What Senator Warner's bill gets right is the funding level. The proposed $50 million annual authorization is not just restoration. It is a recognition that the original investment was always too small for the scope of the problem. Ten million dollars per year was the historical baseline, and even that was never enough to do the job at the scale the threat environment demands. Authorizing five times that figure acknowledges something important: defending public-sector critical infrastructure requires sustained, serious investment, not a shoestring contract renewed year to year at the discretion of whoever happens to be running the agency.
What I want to see paired with that investment is the accountability structure Warner's bill also requires: reporting on re-enrollment, reporting on barriers to participation, and a mandate that CISA maintain interoperability with federal law enforcement. That last piece is not bureaucratic box-checking. It is the mechanism that turns local threat data into national threat awareness. A ransomware hit on a water utility in one state is more useful to everyone if it gets synthesized with signals from a dozen other states and fed back through the intelligence pipeline within hours, not weeks.
The bill ordering CISA to actively work on re-enrollment matters too. When you defund a program abruptly and organizations scramble to find alternatives or simply go without, the default assumption is that the program is gone. Rebuilding participation is not passive. You cannot just reopen the doors and expect the members to flow back in. Someone has to pick up the phone. Someone has to explain what changed, why it is safe to re-engage, and what the organization will actually get for its investment. That is outreach, and it costs resources and attention.
I have watched states go through cycles of building cyber capacity, losing it to budget pressures, and trying to rebuild. Every time you rebuild, you start further back than you think. The institutional knowledge walks out the door with the people. The tool configurations drift. The relationships with peer organizations atrophy. The MS-ISAC membership that lapsed during the defunding period represents exactly this kind of setback. Getting those organizations back is not flipping a switch.
Warner's letter to governors deserves its own attention. The framing that "threats do not respect state borders or party lines" is correct, and it is the framing every state-level security leader should be using with their own executives and legislators. The interdependence of critical infrastructure means that a successful attack on one system is rarely contained to one system. Power affects water. Water affects hospitals. Hospitals affect public safety response. The cascade is not theoretical. It happens. Nevada's state systems going dark for weeks last fall was a real, sustained operational disruption, not a news cycle event.
The risk AI poses in this environment is also real and deserves more than a line item. Lowering the barrier to sophisticated attacks while simultaneously increasing the capability of adversaries to automate them changes the calculus on how much investment defenders need. If an attacker can now scale operations that previously required a team of skilled operators, the defender cannot respond by standing still.
Restoring MS-ISAC funding is the minimum viable response to a situation that got materially worse over the past year. The communities that lost access to free threat intelligence and monitoring did not get less dangerous adversaries in the meantime. They got more isolated while the threat environment grew more complex.
That is the actual problem. Build the antenna back. Fund it properly. Keep it on.