Florida’s local officials are on the front line of defense. Most don’t know it yet.


In late April, the city of Tallahassee successfully fended off a cyberattack targeting portions of its technology infrastructure. City officials said staff responded quickly, isolated the threat, and avoided major operational disruption.

It was, in other words, a near-miss.

But it was also a reminder of something that should concern every Floridian, and especially every elected official responsible for the systems Floridians depend on: our state’s critical infrastructure remains vulnerable to well-resourced foreign adversaries who are actively and systematically assessing our defenses.

This is not merely a federal problem that occasionally spills into Florida. It is a Florida problem, and it is landing in the laps of state legislators, County Commissioners, City Council members, and Utility Board members, many of whom have never been adequately briefed on the threat landscape they now inhabit. We are in the middle of a civilizational struggle, one in which America’s adversaries have deliberately identified local infrastructure as a point of attack precisely because local leadership is the least prepared to defend it.

Earlier this spring, the Alliance for Global Security convened state legislators from across the country in Tampa for a forum on exactly these threats. “Our state and local officials are making decisions every day about whether to give time and attention to issues with real national security implications,” said state Rep. Danny Alvarez, Chair of the Alliance for Global Security’s Frontiers Forum. “They deserve the intelligence and the tools to make those calls wisely. Right now, most of them don’t have either.”

Tallahassee’s incident is not an outlier. Nearly two years ago, the Florida Department of Health was hit by ransomware that disrupted the state’s Vital Statistics system, blocking the issuance of birth and death certificates and exposing sensitive data on vaccine records, prescriptions and medical marijuana patients. These incidents form a pattern: Florida’s government systems at every level are under sustained pressure from hackers and our adversaries — predominantly China, Russia, Iran and North Korea — who are probing our weakest points with increasing sophistication.

What makes this especially troubling is how often the vulnerabilities being exploited were preventable. Post-breach reviews frequently reveal that security gaps existed for months or years before being weaponized. But there is a second, underappreciated failure point: the assumption that a vendor’s name recognition is a substitute for verified security standards.

It is not.

When government agencies choose a technology vendor, they are not just purchasing software. They are extending trust, handing over the operational backbone of services residents depend on and data that is often deeply sensitive. A vendor’s market dominance, household name and ubiquity across government contracts do not guarantee its house is in order. Operations and compliance specialists will tell you directly: audit your providers and insist on verifiable standards rather than assume the vendor has secured its own technology. That discipline is standard in the private sector. It is inconsistently applied in government procurement at every level.

The consequences are not theoretical. One of the world’s largest technology companies, a vendor whose products are embedded in federal agencies, state agencies and local governments across Florida, made the business decision to maintain critical cloud infrastructure using engineers based in a nation the U.S. intelligence community identifies as a primary cyber adversary. This was a cost-optimization decision. When vulnerabilities in those products are subsequently exploited by state-sponsored actors, the consequences ripple through every level of government that relies on the same infrastructure. Florida agencies had no say in that decision and inherited its consequences.

This is what vendor concentration risk looks like. The question state and local officials need to start asking is not “Is this a well-known company?” but rather: Has this vendor experienced significant breaches? Where is critical work performed, and by whom? What independent oversight exists? How quickly does it respond to known vulnerabilities? These are not exotic questions. They are the baseline of responsible procurement.

The attacks are real. They are ongoing. They are connected to foreign governments that view our local infrastructure as a legitimate target precisely because it is lightly defended and has very real impacts on everyday citizens. Tallahassee’s near-miss should not be the lesson; it should be the warning. Our defenses need to be at least as sophisticated as the threats we face, and that starts with holding vendors accountable to standards they can demonstrate, not just reputations they have accumulated.

Foreign adversaries have already decided that Florida’s local infrastructure is worth attacking. The question is whether Florida’s leaders will decide it is worth defending.

___

Joshua Burgin is the founder and president of Alliance for Global Security.




Copyright © Miami Select.