State governments are forming cybersecurity task forces because cyber threats have become a consistent operational and public safety risk. Issues like ransomware, phishing, open source software vulnerabilities, and outdated legacy systems are putting state and local agencies under pressure. According to the National Conference of State Legislatures, at least 30 states have created a statewide cybersecurity task force, commission, advisory council, or similar group in the past several years. Most of these groups were set up through executive orders, while at least eight states used legislation. These task forces are designed to: - Assess statewide cyber risk and exposure - Coordinate responses to ransomware and other attacks - Improve security around critical services like elections and 911 - Guide investments in technology, people, and processes The need is reinforced by recent data: SecuLore Solutions found that 49 states and Washington, D.C., experienced cyber attacks in the past 24 months, affecting 90 public safety agencies and 199 local governments. A CyberEdge report from November 2021 also found that more than 68% of surveyed government organizations worldwide were compromised by at least one cyber attack in the previous 12 months. These numbers are pushing states to rethink how they organize and govern cybersecurity at scale.

Based on information from the National Conference of State Legislatures, at least 30 states have created a statewide cybersecurity task force, commission, advisory council, or similar body in recent years. States that have implemented these types of working groups include: - Arizona - Arkansas - California - Colorado - Connecticut - Delaware - Florida - Georgia - Idaho - Illinois - Indiana - Iowa - Kansas - Louisiana - Maine - Maryland - Minnesota - Mississippi - Missouri - Montana - New Hampshire - New York - North Carolina - North Dakota - Oregon - Rhode Island - Texas - Utah - Vermont - Virginia Most of these groups were created via executive order, while at least eight states used legislation to formalize them. Their common goal is to reshape how states manage cyber risk, coordinate incident response, and plan long-term investments in cybersecurity capabilities.

Two useful examples come from Idaho and Virginia, which show how states are moving from strategy to implementation. Idaho: - In August 2021, Idaho’s governor created a 19-member cybersecurity task force with representatives from organizations such as Idaho National Laboratory, Idaho Department of Commerce, Idaho Office of Emergency Management, Idaho Power, Micron Technology, Bank of Idaho, Boise State University, University of Idaho, Idaho State University, and state lawmakers. - The task force produced a 34-page report with 18 recommendations organized under five strategic objectives: 1) Safeguarding Idaho’s infrastructure and providing active cyber deterrence 2) Increasing investments in cybersecurity professionals 3) Ensuring election integrity 4) Engaging the public in cybersecurity education 5) Continuing the task force’s efforts over time - One early outcome was a funding recommendation for election security. The governor secured $12 million to strengthen defenses around elections. - Other recommendations include: - Creating a cyber fusion center as a central hub for threat information and coordination - Establishing a cyber response and defense fund to help organizations respond to incidents - Allocating funds for more cybersecurity faculty, instructors, and infrastructure at Idaho colleges and universities - Developing a statewide cybersecurity strategy and roadmap - The state is now focused on tracking benchmarks and workforce development progress, recognizing that cybersecurity is a long-term effort that requires consistent follow-through. Virginia: - Virginia is building a broader cyber ecosystem through the Commonwealth Cyber Initiative (CCI). CCI’s goal is to create a commonwealth-wide innovation ecosystem focused on cybersecurity, autonomous systems, and data. - CCI emphasizes research, innovation, workforce development, and partnerships with organizations across the state. - Virginia also created a Cyber Incident Reporting Work Group to strengthen the state’s cybersecurity posture. - This work group brings together state leadership, local governments, state agencies, school systems, higher education institutions, and others to: - Share information about cyber incidents - Understand collective strengths and gaps - Coordinate readiness and response to cyber threats - The group has begun meeting regularly to exchange ideas and align efforts to protect the state’s 8.6 million residents from cyber risks. In both states, task forces are not just advisory bodies on paper; they are being used to reimagine how cybersecurity is governed, funded, and operationalized across government, education, and industry.