Alabama’s near-miss cyber crisis shows how states are rethinking cyber defense
On an episode of the McCrary Institute’s Cyber Focus podcast, Alabama’s top IT leaders described how a tip from CISA helped them stop a looming cyber incident just days before it could have turned “very tragic” for the state. Their account offers a rare, candid look at how a modern state government is trying to defend decentralized networks, support resource-strapped local agencies and prepare for the next wave of AI-enabled threats.
Chad Smith, Alabama’s chief information security officer, opened the conversation with a blunt assessment of how close the state came to a much worse outcome. “We were probably within four days of seeing something very tragic happen within the state,” he said, crediting “pinpointed information” from federal partners that allowed his team to hunt down the threat and contain it. That near-miss has become a catalyst for longer-term change.
Daniel Urquhart, the state’s chief information officer and secretary of the Office of Information Technology (OIT), oversees technology standards and contracts for roughly 140 executive-branch agencies – most of which still retain significant autonomy over their own systems. He describes Alabama as a “hybrid” state: somewhat consolidated but “mostly decentralized,” with agencies free to buy and manage their own platforms. That flexibility can be “kind of scary from a cybersecurity perspective,” Urquhart noted, because procurement often becomes the only real control point.
To close some of those gaps, Alabama has leaned into the State and Local Cybersecurity Grant Program (SLCGP), using its role as state administrative authority to extend tools and visibility to smaller municipalities that could never afford them on their own. Smith said the program lets OIT bring “attack surface intelligence and other kind of capabilities” out to local governments and then look across the data to answer a blunt question: “How sick are we as a state?”
The recent incident also underscored the value – and difficulty – of building a true “whole-of-state” response. Once the CISA call came in, Alabama activated its incident response retainer, pulled in outside responders (including the McCrary Institute) and pushed out common tooling so they could finally see the same telemetry across disparate networks. Smith recalled that, over two intense weeks of response, the team clocked 95 hours in a single week as they clawed their way back to normal operations. He emphasized that the crisis surfaced years of accumulated technical debt and forced overdue standardization.
Equally important, Alabama chose openness over silence. Urquhart stressed that they communicated early and often with cabinet officials. Smith said he hopes other states follow their example, noting, “Oftentimes you get in these kind of situations and you find yourself sort of wanting to crawl into a shell and not talk about it. And I think we have to be willing to talk about it so that people can learn from it.”
Throughout the episode, both leaders returned to a simple theme: no state can do this alone. “Cybersecurity is a team sport. It’s not just one person. We’re trying to build the community,” Urquhart said, pointing to tight relationships with CISA, the FBI, the Secret Service, the National Guard, major utilities and managed partners who help operate 24/7 security operations. That partnership mindset now extends to more immersive tabletop exercises that bring state agencies, federal partners and critical-infrastructure operators into the same room to stress-test how they would actually communicate if the lights went out.
For other states, the Alabama story is less about one close call and more about what comes after: using a crisis to justify hard choices on standardization, investing in shared tools for local partners and normalizing honest conversations about failures and near-misses. The full episode of Cyber Focus offers a deeper dive into how Urquhart and Smith are trying to build that culture before the next close call.