Insights Gleaned from the Cyber Civil Defense Summit of 2025

Insights Gleaned from the Cyber Civil Defense Summit of 2025

The Cyber Civil Defense Summit 2025, held on June 11 at the Ronald Reagan Building and International Trade Center in Washington, D.C., brought together nearly 200 members of the public interest cybersecurity community to discuss the unique challenges facing underserved communities and the strategies to address them.

The theme of the summit was "Collaborative Advantage: Uniting Forces to Achieve More," reflecting the focus on leveraging collective efforts to enhance cybersecurity across vulnerable populations.

One of the key challenges underscored during the summit was the poor cybersecurity hygiene and awareness in underserved communities. These areas often lack baseline security protections in critical community infrastructure, such as water systems, making them vulnerable to insider threats, vulnerabilities in supply chains, and remote access. These factors create significant risks that bad actors can exploit through social engineering, insecure communications, unpatched vulnerabilities, and insider collusion.

The summit also highlighted the limited resources, lack of access to cybersecurity education, underinvestment in security infrastructure, and challenges posed by forced regulatory burdens that can disproportionately impact minority groups in underserved communities. The ending of federal cybersecurity grant programs after 2025 may also limit financial support for state and local governments to improve cybersecurity capabilities in these communities, exacerbating the problem.

Addressing these challenges requires a multi-faceted approach. Key strategies discussed at the summit include cross-sector collaboration, whole-of-community strategies, enhanced education and awareness programs, improving supply chain security and third-party risk management, advocacy for equitable regulatory approaches, and modernizing IT systems and shared services.

Cross-sector collaboration involves government, private sector, and community organizations sharing threat intelligence and cybersecurity best practices. Whole-of-community strategies combine resources and expertise to address cybersecurity gaps collectively, especially in underserved areas. Enhanced education and awareness programs aim to improve cybersecurity hygiene and reduce social engineering risks.

Improving supply chain security and third-party risk management involves better visibility and stricter access controls to prevent exploitation stemming from external vendors. Advocacy for equitable regulatory approaches seeks to consider the unique challenges of underserved communities without imposing disproportionate burdens. Modernizing IT systems and shared services aims to optimize limited resources and improve security posture.

The summit also emphasized the role private companies can play in cyber civil defense, including by embracing secure-by-design principles. For instance, Signal, a private company, is committed to data minimization principles and end-to-end encryption as the default setting.

In addition, the summit highlighted the efforts of public agencies like the Environmental Protection Agency (EPA) and Texas's regional security operations centers in offering free cybersecurity assistance and assessments to water and wastewater utilities.

The summit also addressed the cybersecurity of essential public service providers that lack the budget to hire cybersecurity talent or purchase necessary tools. Udbhav Tiwari from Signal called for cyber civil defenders to prioritize and defend private communications as a fundamental utility.

The summit concluded that uniting diverse stakeholders and pooling resources—public, private, and civil—provides a pathway to tackle the distinct cybersecurity challenges faced by underserved communities more effectively. Collaborative efforts can enhance awareness, infrastructure security, and resilience against evolving cyber threats at a scale beyond what isolated entities can achieve.

The Cyber Civil Defense Summit 2025 was made possible with the support of Craig Newmark Philanthropies, Okta for Good, and Google.org. The Trump Administration's limited role in cyber defense, as evidenced by a reduction in the staff of the Cybersecurity and Infrastructure Security Agency (CISA) by a third and a shrinking budget by 17%, was not discussed at the summit. However, the administration's executive order that transfers responsibility for cybersecurity preparedness to state and local governments was mentioned.

[1] Cybersecurity and Infrastructure Security Agency (CISA). (2021). Cybersecurity for Critical Infrastructure: What You Need to Know. Retrieved from https://www.cisa.gov/publication/cybersecurity-critical-infrastructure-what-you-need-know

[2] National Association of State Chief Information Officers (NASCIO). (2020). State Cybersecurity: A Survey of State Chief Information Officers. Retrieved from https://www.nascio.org/wp-content/uploads/2020/03/NASCIO-State-Cybersecurity-Survey-2020.pdf

[3] National Institute of Standards and Technology (NIST). (2018). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from https://www.nist.gov/cybersecurity/framework

[4] European Union Agency for Cybersecurity (ENISA). (2020). NIS2 Directive: What's new and how it will impact the EU. Retrieved from https://www.enisa.europa.eu/publications/nis2-directive-whats-new-and-how-it-will-impact-the-eu

[5] Cybersecurity and Infrastructure Security Agency (CISA). (2021). State and Local Cybersecurity Grant Program. Retrieved from https://www.cisa.gov/slcg

1. The Cyber Civil Defense Summit 2025 underscored the necessity of addressing poor cybersecurity hygiene and awareness in underserved communities, highlighting concerns over insider threats, supply chain vulnerabilities, and social engineering risks.
2. Cross-sector collaboration was identified as a key strategy to enhance cybersecurity across underserved areas, with a focus on sharing threat intelligence and best practices between government, private sector, and community organizations.
3. Enhanced education and awareness programs were advocated to improve cybersecurity hygiene and reduce social engineering risks, aiming to engage more individuals from underserved communities.
4. Advocacy for equitable regulatory approaches was emphasized to ensure that regulations do not disproportionately impact underserved communities without considering their unique challenges.
5. The summit called for modernizing IT systems and shared services to optimize limited resources and improve security posture, with a focus on essential public service providers that lack the budget to hire cybersecurity talent or purchase necessary tools.
6. Private companies like Signal were praised for embracing secure-by-design principles, such as data minimization and end-to-end encryption, to enhance security and protect privacy.
7. Public agencies like the Environmental Protection Agency (EPA) and Texas's regional security operations centers were recognized for offering free cybersecurity assistance and assessments to water and wastewater utilities in underserved communities.
8. The summit emphasized the significance of cybersecurity governance, emphasizing the role of leadership, policy, and research in shaping a secure and resilient future on the Internet.
9. Cybersecurity research from various organizations, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Association of State Chief Information Officers (NASCIO), the National Institute of Standards and Technology (NIST), the European Union Agency for Cybersecurity (ENISA), and CISA's State and Local Cybersecurity Grant Program, were referenced to support the summit's findings and recommendations.

Read also: