
A sober look at the recent DOGE cuts at CISA


COMMENTARY: National security or digital hype? The recent budget cuts at the Cybersecurity and Infrastructure Security Agency (CISA) force a stark choice. As cyberattacks escalate, the very systems designed to protect us face a financial gutting.

How much of our national security are we relegating to a line item in the budget, ready to be compromised by Elon Musk's so-called Department of Government Efficiency (DOGE)?

Since 2018, CISA has been the nation’s centralized cyber defense agency, acting as a coordination center for the federal civilian agencies. It also leads the government’s efforts on sharing information with the private sector.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Congress has signaled a 3% budget cut, and panic-inducing headlines focus on high-visibility efforts, such as combating disinformation or researching China's intrusions into American power, telecom, and water infrastructure.

To make matters trickier, as I write this, reports indicate DOGE has just entered the building.

I’ve talked to several dozen current and former govvies who work at, worked at, or collaborated with CISA, and encouraged them to dig below the frantic headlines. DOGE comes in as a loose cannon, and I plan to follow up once we see what actions it really takes.

However, for now, spoiler alert: we’ll probably be OK. 

This isn’t to say the cutbacks have no impact; they do. Here’s what's going away for now:

  • Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): This group oversaw the disclosure reports, no longer mandated, for breaches of U.S. critical infrastructure and ransomware payouts.
  • Continuous Diagnostics and Mitigation (CDM): Real-time data feeds pertaining to vulnerabilities and asset management.
  • Cyber Analytic and Data System (CADS): Analytical power that made sense of collected data, including that gathered from CDM.

Risk and impact

Because it’s a fairly new agency, CISA has only recently identified the information in demand by government, private sector, and allied-nation partners, and until recently was in the process of adding automation and scalability. In other words, in the name of efficiency, efficiency-producing programs are now frozen.

With two rounds of layoffs and as much as 10% of CISA’s budget held in reserve in anticipation of being reallocated toward border security, it will cost a lot more in the long run to build these programs back up. Reprioritizing congressionally authorized budgets is one thing, but if the argument shifts to reducing waste, some of the recent actions seem horribly misguided.

The reason: Though most of the intrusion data originated from more mature programs, such as those run by law enforcement or intelligence agencies, CISA is uniquely structured to connect commercial and civil resources, foster collaboration and information sharing, and drive certain front-line defenses against major attacks and adversaries.

I’m told the motto at CISA is the following: “How can we frustrate the adversary, today?” I’m also told, quite bluntly by insiders, that “right now we’re not doing that, and we cannot coordinate with those parts of our government that could bring the pain.”

The team is notably not aggressively pursuing China, where Salt Typhoon and Volt Typhoon remain active intrusions. The attackers have not halted or even slowed their efforts. On the one hand, the elimination of the Cybersecurity Advisory Committee, which was orchestrating the evaluation and mitigations for Chinese actors having their way with our critical infrastructure, in and of itself isn’t considered so bad; but the cessation of the actual work is mind-boggling.

CISA also spent a lot of energy and goodwill ushering in “Secure by Design,” an effort to pressure vendors to improve their coding practices and enable security options by default, which improves everyone’s defensive posture. Losing momentum here could stall vendors that were on the verge of abandoning poorer practices.

On the speculative side, many industry offerings are built on top of CISA’s Known Exploited Vulnerabilities (KEV) catalog, a list of vulnerabilities exploited in real-world attacks. As a neutral third party, CISA is best positioned to receive reports, sanitize their origins (from classified or victim networks), push out the data, and do so in a bias-free format without a hidden profit or political motive. Disbanding or privatizing this could create challenges for cyber threat intelligence products and patch management. Note: patching SLAs are based on the KEV catalog.

Counterarguments and rebuttals

I have been given many reasons that justify the cutbacks. Let’s start purely with the raw numbers. Cutting the budget 3% equates to $35 million. Of that, $26 million has been described by proponents as duplicative. Although the 10% budget hold is significant, the administration does have the prerogative to prioritize border security over cybersecurity.

Beyond that, CISA has its detractors. For one, it grew too broad and tried to solve too many problems all at once, and, with little effectiveness to show for it, justifying all the programs became unreasonable. In addition to information sharing and collaboration, CISA tried implementing Protective DNS (PDNS), viewed as a glorified and highly expensive RSS feed for the hard work conducted by other agencies. CISA wanted to function as a central coordination center across all of the U.S. government, though different agencies have wildly different tooling, staffing, and layouts.

As alternatives to CISA, many I spoke with had an affinity for existing federal programs hosted elsewhere. Examples include NSA’s Cybersecurity Collaboration Center, described as carrying out the same mission, only better, and DoD’s Big Data Platform (BDP) for information sharing.

It also may make sense at this time to disband CISA’s election security work, deeming it seasonal and cost-prohibitive to staff in perpetuity, when the agency can put that talent to work elsewhere in the wider mission until the next election cycle.

The biggest criticism of CISA is that it hasn’t been effective. While it did impose some cost on attackers by forcing them to quickly abandon and re-procure infrastructure, it’s not accurate to say CISA slowed or disrupted the Typhoon attacks before that mission was paused.

Long-term effects

Unfortunately for CISA advocates, the immediate effects will likely be soft. It’s really hard to measure the impact of a lack of government-coordinated information sharing, particularly when no one will study it. The same goes for quantifying international cooperation, or public trust. But make no mistake about it: these actions are 100% intentionally eroding trust.

Those in critical infrastructure who continue to get pummeled by zero-day attacks seem perfectly fine not reporting breaches to regulators. That's unfortunate for those of us who rely on critical infrastructure – that is, all of us – let alone those tasked with defending the networks.

For all the jokes and recent animosity toward government employees, Uncle Sam continues to lead in both foundational cybersecurity advances and cybersecurity personnel development, and many, including myself, got their career start as civil servants.

This last point is more important than it may seem at first glance. Much of the private sector hesitates to hire junior employees and give them formal on-the-job training. The government does both, and has long been a talent source for our industry. Slashing innovation, mission, and personnel could pose a pipeline challenge for years to come.

The adjustments to CISA’s programming are not apocalyptic. However, they do represent a calculated shift in priorities, and they do subtly erode our defense and response capacity. In a domain where attackers now have a perpetual and unfair advantage, even incremental reductions can leave us increasingly vulnerable. The long-term implications for our national cybersecurity posture are undeniable.

I guess it comes down to this: Are we mortgaging our digital future for memes and a fleeting moment of fiscal relief?

Evan Dornbush, former NSA cybersecurity expert
