Cybersecurity threats continue to pose an escalating risk to state and local governments, with attacks becoming more sophisticated, diverse, and costly. Recent data shows large increases in cyberattacks across all categories—from ransomware and data breaches to state-sponsored espionage, and supply chain compromises—making cybersecurity preparedness more critical for all levels of governments in Kansas.
Understanding the Cybersecurity Threat Landscape
Cybercriminals employ various tactics to compromise government systems and data, including:
- Ransomware: Malicious software that encrypts files and demands payment for decryption;
- Data Breaches: Unauthorized access to sensitive information for theft or exposure;
- Phishing: Fraudulent communications designed to steal credentials or install malware;
- Supply Chain Attacks: Compromising third-party vendors to access target organizations;
- State-sponsored Attacks: Nation-state actors conducting espionage or disruption operations; and
- Distributed Denial of Service (DDoS): Overwhelming systems to disrupt operations.
These tactics typically allow for access to systems through phishing emails, malicious downloads, unpatched vulnerabilities in software, or compromised user credentials. Using that access, cybercriminals may steal sensitive data, disrupt operations, demand ransom payments, or establish persistent access for ongoing surveillance.
Threat Statistics
Cybersecurity threats are at all-time highs as statistics indicate approximately 4,000 cyberattacks happen daily, or an average of one attack every three seconds. According to multiple cybersecurity firms, worldwide cybercrime costs are estimated to reach $10.5 trillion annually by 2025.
Cyberattacks on state and local governments increased by 48.0 percent between 2023 and 2024, with 34.0 percent of state and local government organizations indicating they were hit by ransomware in 2024. The broader cybersecurity community has taken notice of these trends, with 72.0 percent of cybersecurity professionals reporting increased cyber risks, especially social engineering and ransomware. The financial impact has also risen, as the average cost of a data breach reached $4.88 million in 2024.
Emerging Threats
Several trends are changing the threat landscape, with artificial intelligence (AI) playing an increasingly prominent role in cyberattacks. AI-enhanced attacks have led to a surge in phishing incidents, which increased by 4,151.0 percent since ChatGPT’s release, as AI makes social engineering more sophisticated and harder to detect. Simultaneously, attackers are shifting their focus toward supply chain targeting, increasingly concentrating on managed service providers (organizations that manage information technology (IT) infrastructure remotely), and third-party vendors to access multiple clients simultaneously through a vulnerability. These evolving tactics have also intensified pressure on critical infrastructure, with 16.0 percent of reported ransomware attacks in 2024 specifically targeting utilities and energy infrastructure.
Kansas Incidents
Kansas has experienced multiple significant cyber incidents affecting critical government services. In October 2023, a cyberattack on the Kansas Judicial Branch’s IT systems shut down online access to the court system for several months, severely disrupting legal proceedings across the state.
The following year brought additional challenges when an attack on the City of Wichita in May 2024 disrupted city services and forced the municipality to revert to cash-only payments for city services. A September 2024 breach in Franklin County exposed sensitive poll book records containing names, social security numbers, vaccination information, and insurance billing information of 30,000 residents, demonstrating the broad scope of personal data at risk in government cyber incidents. So far, there has not been a major state-level incident in 2025.
National Incidents
Recent attacks on governmental entities nationwide show the cyber threats facing public sector organizations. In Bucks County, Pennsylvania, a cyberattack disabled 911 terminals in emergency vehicles, creating operational disruptions that required the National Guard to assist with emergency services.
Fulton County, Georgia, experienced a multi-week system outage that affected utilities, courts, and tax networks, demonstrating how ransomware can impact multiple government functions simultaneously.
The city of Columbus, Ohio, suffered a particularly damaging breach where three terabytes of sensitive data was stolen and subsequently leaked online after the city refused to pay ransom demands.
The education sector has also been targeted, with the Chicago Public School District experiencing a data breach that affected over 700,000 current and former students.
Federal agencies have also been attacked, as Chinese hackers breached a third-party vendor serving the U.S. Department of the Treasury, gaining access to over 3,000 files.
The judicial system faced significant disruption when Washington’s state courts experienced a statewide court system outage caused by a cyberattack. As recently as August 24, 2025 Nevada’s state government suffered a major attack that disrupted services statewide, including Department of Motor Vehicles (DMV) operations, law enforcement dispatch systems, and state agency websites, forcing many offices to close for extended periods. The attackers successfully exfiltrated data from state networks, though officials have not yet identified what specific information was stolen.
Several high-profile private sector breaches have had significant government and public implications as well. Change Healthcare suffered the largest health care breach in U.S. history, affecting 100 million individuals and costing the company $2.87 billion, creating widespread disruptions in health care services and insurance processing. AT&T experienced a breach of its cloud environment that affected call records of over 100 million users, raising national security concerns about telecommunications infrastructure. A supply chain attack on Starbucks affected 11,000 stores nationwide, demonstrating how attacks on major retailers can impact local communities and economic activity across the country.
Kansas State Cybersecurity Initiatives
State officials and the Legislature, in cooperation with federal entities like the Cybersecurity and Infrastructure Security Agency (CISA), have been working to improve the State’s security posture. The most significant recent effort is the enactment of 2024 House Sub. for SB 291.
2024 House Sub. for SB 291
The legislation requires Chief Information Security Officers (CISOs) for each branch of government to work with agency heads to develop cybersecurity programs compliant with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0. These programs must be implemented by July 1, 2028.
NIST CSF 2.0 includes six core functions:
- Identify: Understanding organizational assets, risks, and resources;
- Protect: Safeguarding critical assets and data from threats;
- Detect: Identifying potential cybersecurity events or incidents;
- Respond: Taking action during or after a cybersecurity event;
- Recover: Restoring capabilities and services after a cybersecurity event; and
- Govern: Establishing and monitoring policies, processes, and oversight to manage cybersecurity risks.
Kansas is currently the only state to adopt a requirement for NIST CSF 2.0 compliance. Federal agencies are the only other entities requiring similar compliance.
The legislation also requires cybersecurity staff for each branch of government in Kansas to work at the direction of the branch’s respective CISO.
Additionally, beginning in 2028, a mechanism will be in place to certify an amount equal to 5.0 percent of an agency’s total budget that may be lapsed by the Senate Committee on Ways and Means or the House Committee on Appropriations should it be determined by the relevant Chief Information Technology Officer and Director of the Budget that an agency is not in compliance with provisions found within 2024 House Sub. for SB 291.
All provisions will expire on July 1, 2026, and the law will need to be reviewed during the 2026 Legislative Session. The House of Representatives adopted 2025 HB 2271 which, among other things, would have removed the referenced sunset provisions contained within 2024 House Sub. for SB 291. This legislation is currently in the Senate Committee on Federal and State Affairs, and could be considered during the 2026 Session.
Additionally, the Joint Committee on Information Technology held discussion and received testimony on the provisions of 2024 House Sub. for SB 291 during the 2025 Interim and is expected to make several recommendations for consideration by the 2026 Legislature.
State Appropriations
In 2025, the Office of Information Technology Services (OITS) requested, and the Legislature appropriated, $2.0 million for the creation and operation of a 24/7 Security Operations Center (SOC). The SOC provides real-time threat detection and incident response for the State’s network. In 2024, OITS modified its rate structure to eliminate the agency charge-back for cybersecurity services, opting to include those costs as a core portion of its services. Essentially, state agencies utilizing OITS services no longer pay a separate fee for cybersecurity services.
By James Fisher and Matthew Willis.
See Infrastructure and Security for more.