Lawmakers hear local officials, vendors urge statewide cyber coordination and recurring funding
February 26, 2026 | Local Government, House of Representatives, Legislative, Pennsylvania
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
HARRISBURG, Pa. — Lawmakers from the House Communications and Technology Committee and the House Local Government Committee heard more than four hours of testimony on how ransomware, nation-state espionage and rapidly evolving technologies are straining local governments, school districts and municipal authorities across Pennsylvania.
Local officials and private-sector cybersecurity leaders urged a mix of state-led coordination, recurring funding and shared services to shore up communities that lack technical staff or budgets to defend against modern attacks. "Cybersecurity has emerged as a critical concern as local governments now extend their responsibilities beyond traditional infrastructure," said Chair Freeman in opening remarks.
Carnegie Mellon representative Randy Trezak warned that public-sector incident volumes remain high, citing DHS and CISA triage metrics and recent utility attacks. "The number of cybersecurity incidents reached 30,000 in terms of [CISA's] 24/7 operations center," he said, and emphasized risk-management, zero-trust architectures, patch management and centralized monitoring as priorities.
Heather Morton of the National Conference of State Legislatures told the panel that states are pursuing a broad mix of bills addressing government cybersecurity standards, incident reporting and procurement limits for certain foreign-produced technologies. She said the State and Local Cybersecurity Grant Program has been reauthorized through Sept. 30, 2026, but that new funding is currently paused because of a partial DHS shutdown. Morton identified two federal reauthorization measures she is tracking: H.R. 5078 and S. 3251.
Private-sector witnesses described practical, scalable steps. Thomas McClellan of Palo Alto Networks said artificial intelligence has "changed the scale, the speed, and the sophistication of attacks," and recommended three state-level measures: an incident-response retainer pool, attack-surface management tools that continuously scan public-facing assets, and joint security operation centers to centralize monitoring for smaller localities. Justin Davis of Unisys urged localities to "understand your network" and rehearse incident recovery under an "assume breach" posture.
County and municipal leaders gave examples of real costs. Dave Glass, first vice president of the County Commissioners Association of Pennsylvania, recounted a ransomware incident that knocked his county offline for weeks. "We didn't pay, but we had to rebuild," he said, adding that recovery costs and lost productivity ran into six figures and had cascading effects for months.
Speakers representing municipal authorities and school boards underscored sector-specific risks. Craig Fonostock of the Pennsylvania Municipal Authorities Association discussed vulnerabilities in SCADA systems that manage water and wastewater operations. Kevin Buscher of the Pennsylvania School Boards Association described how districts hold years of student and staff data and urged recurring, dedicated funding, standardized vendor cybersecurity requirements for K–12 and a nonpunitive incident-reporting process so schools can get rapid help during incidents.
Township representatives asked lawmakers to consider how Right-to-Know requests sometimes mask phishing attacks. "We've seen cybercriminals impersonate vendors and even submit requests that look like official Right-to-Know forms," said Holly Fischel, who recommended reviewing the law to better protect sensitive fields such as bank account and credit card numbers.
On policy design, witnesses and local leaders largely favored flexible state baselines and incentives rather than one-size-fits-all mandates that local governments cannot afford. Multiple testifiers pointed to Arizona and New York as exemplars for state-run joint services and to North Dakota's centralized approach as an example that has yielded cost-avoidance in that state. Several witnesses endorsed multi-factor authentication and basic hygiene measures as baseline, widely achievable steps.
Lawmakers pressed witnesses on the risks of post-quantum computing (PQC). Panelists said jurisdictions should inventory encryption algorithms and consider "quantum-safe" options when procuring major systems, because some investments may become obsolete if they are not PQC-ready.
The hearing did not produce formal votes or legislation; committee chairs said the testimony will inform future drafting. "If there are ideas you want us to do, please tell us," the chair said in closing. Committees signaled interest in exploring recurring state funding lines, statewide coordination mechanisms and technical assistance portals to help local governments and schools speedily access services and incident response.
Local officials and private-sector cybersecurity leaders urged a mix of state-led coordination, recurring funding and shared services to shore up communities that lack technical staff or budgets to defend against modern attacks. "Cybersecurity has emerged as a critical concern as local governments now extend their responsibilities beyond traditional infrastructure," said Chair Freeman in opening remarks.
Carnegie Mellon representative Randy Trezak warned that public-sector incident volumes remain high, citing DHS and CISA triage metrics and recent utility attacks. "The number of cybersecurity incidents reached 30,000 in terms of [CISA's] 24/7 operations center," he said, and emphasized risk-management, zero-trust architectures, patch management and centralized monitoring as priorities.
Heather Morton of the National Conference of State Legislatures told the panel that states are pursuing a broad mix of bills addressing government cybersecurity standards, incident reporting and procurement limits for certain foreign-produced technologies. She said the State and Local Cybersecurity Grant Program has been reauthorized through Sept. 30, 2026, but that new funding is currently paused because of a partial DHS shutdown. Morton identified two federal reauthorization measures she is tracking: H.R. 5078 and S. 3251.
Private-sector witnesses described practical, scalable steps. Thomas McClellan of Palo Alto Networks said artificial intelligence has "changed the scale, the speed, and the sophistication of attacks," and recommended three state-level measures: an incident-response retainer pool, attack-surface management tools that continuously scan public-facing assets, and joint security operation centers to centralize monitoring for smaller localities. Justin Davis of Unisys urged localities to "understand your network" and rehearse incident recovery under an "assume breach" posture.
County and municipal leaders gave examples of real costs. Dave Glass, first vice president of the County Commissioners Association of Pennsylvania, recounted a ransomware incident that knocked his county offline for weeks. "We didn't pay, but we had to rebuild," he said, adding that recovery costs and lost productivity ran into six figures and had cascading effects for months.
Speakers representing municipal authorities and school boards underscored sector-specific risks. Craig Fonostock of the Pennsylvania Municipal Authorities Association discussed vulnerabilities in SCADA systems that manage water and wastewater operations. Kevin Buscher of the Pennsylvania School Boards Association described how districts hold years of student and staff data and urged recurring, dedicated funding, standardized vendor cybersecurity requirements for K–12 and a nonpunitive incident-reporting process so schools can get rapid help during incidents.
Township representatives asked lawmakers to consider how Right-to-Know requests sometimes mask phishing attacks. "We've seen cybercriminals impersonate vendors and even submit requests that look like official Right-to-Know forms," said Holly Fischel, who recommended reviewing the law to better protect sensitive fields such as bank account and credit card numbers.
On policy design, witnesses and local leaders largely favored flexible state baselines and incentives rather than one-size-fits-all mandates that local governments cannot afford. Multiple testifiers pointed to Arizona and New York as exemplars for state-run joint services and to North Dakota's centralized approach as an example that has yielded cost-avoidance in that state. Several witnesses endorsed multi-factor authentication and basic hygiene measures as baseline, widely achievable steps.
Lawmakers pressed witnesses on the risks of post-quantum computing (PQC). Panelists said jurisdictions should inventory encryption algorithms and consider "quantum-safe" options when procuring major systems, because some investments may become obsolete if they are not PQC-ready.
The hearing did not produce formal votes or legislation; committee chairs said the testimony will inform future drafting. "If there are ideas you want us to do, please tell us," the chair said in closing. Committees signaled interest in exploring recurring state funding lines, statewide coordination mechanisms and technical assistance portals to help local governments and schools speedily access services and incident response.
View the Full Meeting & All Its Details
This article offers just a summary. Unlock complete video, transcripts, and insights as a Founder Member.
✓
Watch full, unedited meeting videos
✓
Search every word spoken in unlimited transcripts
✓
AI summaries & real-time alerts (all government levels)
✓
Permanent access to expanding government content
30-day money-back guarantee
