Generative AI lowers the cost of social engineering, expands the attack surface for South Carolina's public institutions, and introduces new failure modes in election integrity, healthcare data, and supply-chain compromise. Given the depth of the state's existing cyber community, it also creates a clear opportunity for South Carolina to lead. This piece is a first survey; a more technical follow-up will be co-authored with SCAIO's Chief Technologist.
The honest version of the AI-cybersecurity conversation does two things at once. It names how generative AI changes what attackers can do — cheaper phishing at scale, convincing voice cloning, deepfake video, accelerated vulnerability discovery, autonomous reconnaissance. And it names how generative AI changes what defenders can do — faster triage in security operations centers, broader vulnerability detection, AI-assisted incident response, lower-cost monitoring for under-resourced institutions. Both stories are real. They are arriving in South Carolina at the same time.
This piece is not a complete map of either. It is a first orientation: what the threat picture looks like for SC's public institutions, what the state's existing cyber community brings to the response, where the specific concentrations of risk and capability sit, and what a constructive contribution from outside the agencies would look like. SCAIO will continue to develop this conversation, with technical co-authorship from Noah Schiffman, in subsequent pieces.
For the people charged with defending South Carolina's public institutions — school district IT directors, hospital CISOs, municipal IT leads, the State Department of Education's information security team, the Division of Information Security inside the Department of Administration, the Office of the State Inspector General, and the cybersecurity professionals at NIWC Atlantic and SLED — the practical change generative AI introduces is that the marginal cost of well-crafted attacks has collapsed.
Three categories of attack are now meaningfully easier to run at scale than they were two years ago.
Generative AI makes it trivial to produce well-written, contextually appropriate phishing email at scale — in the recipient's writing style, referencing real internal projects, with no English-as-a-second-language tells. The defender's traditional warning signs (typos, awkward phrasing, generic salutations) no longer apply. The volume of this kind of mail aimed at public institutions has measurably risen.
A short sample of public audio is now enough to clone a voice convincingly. The targets in SC are predictable: school superintendents, hospital executives, municipal CFOs, agency directors — anyone whose voice is in the public record and whose authority can be invoked to redirect a payment, change a beneficiary, or extract sensitive information. Voice-cloning wire fraud is a real and growing line item in public-sector loss reports nationally.
Attackers are using large language models to assist in code review, vulnerability discovery, and exploit development. The pace at which newly disclosed vulnerabilities are weaponized has shortened. For SC's public institutions — many running long-tail software, mixed cloud deployments, and legacy on-premises systems — that compression of the patch-to-exploit window is the most underestimated risk in the current environment.
None of these categories are unique to South Carolina; they are unfolding everywhere. What is specific to South Carolina is the institutional profile of the most exposed targets: 79 school districts, 64 acute-care hospitals (with a long tail of small rural facilities), 46 county governments, hundreds of municipal governments, the State Department of Education, the State Department of Insurance, the court system, the State Election Commission, the State Treasurer's Office, the Department of Revenue, and the Department of Health and Environmental Control. Every one of those institutions sits at the intersection of "high public trust" and "constrained security budget" — the exact profile attackers prioritize.
"The thing to understand about AI in cybersecurity is that the gap between what attackers can do and what defenders can do does not widen permanently — it oscillates. South Carolina has the right ingredients to be on the favorable side of that oscillation, but only if the institutions doing the work get connected to one another."
The state's cyber community is one of its underappreciated strategic assets. The institutional density is unusual for a state of South Carolina's size, and it concentrates in Charleston in ways that very few other states can match.
Naval Information Warfare Center Atlantic — formerly SPAWAR — is the federal anchor for the entire Charleston cyber community. NIWC Atlantic's mission centers on information warfare, cybersecurity engineering, and the technical capabilities that support fleet and joint operations. Around it has grown a deep network of cleared defense contractors, cyber firms, and engineering talent that runs from North Charleston up the I-26 corridor toward Summerville and Goose Creek.
The SC Cyber Initiative provides a statewide vehicle for cyber readiness work. It is paired with active cybersecurity research programs at the Citadel, USC, Clemson, the College of Charleston, and Coastal Carolina, several of which run the kinds of cyber-range exercises, capture-the-flag programs, and applied research projects that produce the next generation of practitioners. SC's cyber-degree programs collectively turn out a substantial workforce pipeline each year — most of which stays in-state because the demand is local.
The state Division of Information Security, the Statewide Information Security Officer, and the Office of the State Inspector General all play active roles in coordinating cyber readiness across agencies. The State CIO's office has been a credible champion of statewide cyber posture. The State Law Enforcement Division (SLED) operates cyber capabilities for both investigation and incident response. Federal partnerships through CISA Region 4 and the FBI's Columbia field office round out the picture.
The career of SCAIO's Chief Technologist, Noah Schiffman (Chief Technology Advisor at KBR, CISO roles at Wave Sciences and Orbis, frequent speaker at DEFCON, BSides, IEEE, and ISACA, multiple patents in computing and acoustics), is one example of the depth of senior cybersecurity practitioners with SC ties. The state's cyber-consulting industry, defense contractors operating in the Charleston market, and a growing number of cybersecurity product companies (notably the team behind Secursion, the AI-cybersecurity platform Noah co-founded) round out the picture.
The pieces — federal anchor, state government coordination, academic research and pipeline, private industry depth — are unusual in their density. The constructive question is the same one that runs through every chapter of SCAIO's flagship report: how to make those pieces visible to one another, so that the institutions defending the front lines can draw on the capacity that already exists in the state.
Three categories of risk feel underdiscussed in the SC public conversation and worth surfacing here.
The State Election Commission already manages a complex, decentralized system across 46 counties. Synthetic media — deepfake video, AI-generated audio of candidates, AI-fabricated voting-process content — introduces a new category of operational risk that has not yet been tested in a major SC election cycle. The agency's existing voter-education infrastructure is well positioned to incorporate synthetic-media literacy. A constructive contribution from outside the agency would be plain-language, non-partisan public-education material on what synthetic political content looks like and how to report it — distributed through county libraries, civic associations, faith communities, and the SC Press Association well in advance of the next cycle.
S.443 addresses one slice of clinical AI well (insurer prior authorization). The cybersecurity slice is largely unaddressed. AI deployments in SC hospitals — including ambient documentation tools, AI-assisted radiology and pathology, and predictive-risk models — introduce new data-flow patterns, new vendor dependencies, and new failure modes that the existing HIPAA security posture was not designed for. The risk is highest at the rural-hospital end, where security budgets are smallest. A statewide voluntary deployment standard for clinical AI (proposed in Recommendation 8 of SCAIO's flagship report) should explicitly include cyber-posture requirements.
The category that worries cybersecurity practitioners most is also the hardest to discuss publicly: software supply-chain risk in a world where AI-assisted development means more code is being produced faster, including by developers using AI assistants to write code they themselves cannot fully audit. Public institutions that procure software from SC-based and out-of-state vendors face a meaningfully different supply-chain assurance question now than they did three years ago. The constructive response here is procurement and contracting language that names AI-development-tool use, requires a software bill of materials, and reserves the institution's right to audit. None of that is new in concept; what is new is the urgency.
South Carolina has more cybersecurity capacity than most of its peer states. The constructive question is how to extend that capacity to the institutions that need it most.
Cybersecurity sits at the intersection of nearly every chapter of SCAIO's flagship report. It is touched in the infrastructure discussion (data-center security), the workforce discussion (cybersecurity is one of SC's strongest existing labor pipelines), the policy discussion (S.443's data-flow implications, S.963 consumer protection), and most directly in Chapter 7's first risk category and second opportunity category — defense and cyber AI as a leadership case the state is unusually positioned to make.
This Journal piece is a first orientation. A more technical follow-up — with Noah Schiffman as a co-author — will go deeper on the specific threat categories, the AI-defense tooling that public institutions can reasonably adopt today, and a richer treatment of supply-chain compromise via AI-assisted development. SCAIO will also continue to track AI-cybersecurity legislative developments (S.963 is the bill most likely to evolve quickly) and publish updates as the picture develops.
South Carolina enters this period with more cybersecurity infrastructure than most states — federal anchors, academic capacity, state-government coordination, private-industry depth. The question for the next several years is whether that infrastructure gets connected to the front-line institutions that need it most. The opportunity is real. The work is constructive. SCAIO will continue to document it.