As the United States experiences its latest government
shutdown, most of the daily operations of the federal government have ground to
a halt. This includes much of the day-to-day work done by federal information
technology and cybersecurity employees, including those at the nation’s leading
civilian cybersecurity agency, the Cybersecurity
and Infrastructure Security Agency.
CISA is among the entities that will see the deepest staffing reductions during the shutdown that began Oct. 1, 2025, according to Department of Homeland Security documentation. Only about one-third of its employees remain on the job after federal employees were furloughed.
As if cybersecurity wasn’t challenging enough, fewer
CISA employees are being asked to do more and more work protecting
American cyberspace during the shutdown. And they’ll be working with the
promise of getting paid for their efforts at some date in the future once the
shutdown ends.
The current CISA situation is grim, from my vantage point
as a cybersecurity
researcher and former industry practitioner. The agency was already
experiencing deep
cuts to its staff and resources before the shutdown. And now,
coinciding with the shutdown, a key law that enabled the agency to facilitate
information-sharing with the private sector has
expired.
Taken together, the cyber defense agency is being
hobbled at a time when the need for its services has never
been greater, from the ongoing China-led Salt
Typhoon attack on U.S. telecommunications networks to ransomware, data
breaches and threats to infrastructure.
CISA was created in 2007 within the Department of
Homeland Security. As its name implies, the agency is charged with digital security matters across the
federal government. The agency also works with the companies that operate and
secure the numerous critical infrastructure sectors of the American economy,
such as phone networks, the electric grid and energy pipelines. Additionally,
it helps
state and local governments across the country secure their vulnerable networks
and data.
CISA also publishes threat and vulnerability alerts for the government and cybersecurity community and engages with public and private stakeholders on best practices in response to emerging vulnerabilities.
Prior
to the recent expiration of the 2015 Cybersecurity Information
Sharing Act, the agency also made it easier for organizations to share
useful information with the government to help cybersecurity teams better
protect their systems.
Political football
The agency takes a nonpartisan approach to cybersecurity matters. However, some politicians have accused the agency of political bias for its work helping states protect their voting infrastructure from cyberattacks and external influence.
Specifically, the agency was repeatedly
maligned for calling the 2020 election the “most secure” in history.
For some in elected office, this work on election security has tarnished CISA’s
reputation and perhaps explains recent budgetary
actions taken against the agency.
Since the Trump administration took office in January
2025, nearly 1,000 CISA employees have
departed the agency through voluntary buyouts or deferred
resignations. By the end of May 2025, nearly
all of CISA’s senior leadership had resigned or had announced plans to
do so.
For 2026, the president’s draft budget proposes to reduce
CISA’s head count by nearly one-third, dramatically
cutting staff from its risk management and stakeholder engagement
divisions. Other cuts will significantly reduce the agency’s collaboration
activities and funding for CISA’s various cybersecurity education and training
programs.
Making the problem worse, the government shutdown began
at the same time that Congress failed to renew the Cybersecurity Information
Sharing Act. This law provided a legal
shield that allowed companies and infrastructure operators to share
timely and often sensitive information with CISA about the cyberattacks,
vulnerabilities and incidents that they were encountering.
In the wake of the law’s expiration, prudent companies
may consider restricting what information they share with the government.
Without the indemnification provided by CISA, many companies will likely have
their legal teams review any information to be shared with the government. And
that takes time.
Unfortunately, adversaries do not reduce their attacks
against the U.S. based on available federal cyber defense funding or
the status of cybersecurity laws. In fact, malicious hackers often strike when
their target’s guard is down.
Charting a better course
Early in my career I had to work through a prolonged
government shutdown. I’ve also participated in and developed assorted
public-private information-sharing environments to exchange intelligence and
analysis on cyber- and national security matters. And having been in the D.C.
area for over 30 years, I’ve seen how government works. So, I have a good idea
of what’s needed to improve American cybersecurity. The following suggestions
are a starting point.
First, Congress could ensure that critical security
agencies such as CISA are immune
from the threat of recurring federal government shutdowns. If it
desired, Congress could set budgets for America’s security agencies on a biennial
basis – as 16 states already do for
their entire budgets.
In terms of cybersecurity funding, the White House’s
proposed 2026 budget reduces research and education on cybersecurity. For
example, the nation’s premiere federal cybersecurity scholarship program to recruit, educate
and place future federal cybersecurity workers would
be reduced by over 60%. Protecting this funding would allow CISA and the
federal government to maintain the pipeline for a robust and capable
cybersecurity workforce both today and into the future.
Companies could develop new or expand existing nongovernmental information-sharing networks that are not completely dependent on the government to facilitate or fund, such as the Cyber Threat Alliance or the Center for Internet Security. Cybersecurity relies on trust.
But right now, the instability of the federal
government makes it difficult to rely on any entity under its policy or funding
influence, no matter how well time-tested
and trusted. Regardless, without legal protections, the information-sharing
utility of these services will be limited.
Cybersecurity risks remain even if the federal government
shuts down. So, this is another reminder that each of us is responsible for our
own cybersecurity. Individual users should continue to remain vigilant, follow
accepted best
practices for cybersecurity and always be mindful about online risks.
It’s ironic that the federal government is shutting down,
CISA is being eviscerated, and the Cybersecurity Information Sharing Act has
expired just as the country begins to observe national
Cybersecurity Awareness Month – another collaborative public
engagement activity that CISA promotes to help improve cybersecurity for all
Americans.
Richard
Forno, Teaching Professor of Computer Science and Electrical
Engineering, and Associate Director, UMBC Cybersecurity Institute, University
of Maryland, Baltimore County
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.