
The US needs a strong CISA more than ever today


COMMENTARY: The Cybersecurity and Infrastructure Security Agency (CISA) faces some serious cuts from the Elon Musk-led Department of Government Efficiency (DOGE) – it’s been all over the security news.

Let’s take a step back and explore why we need a strong CISA more than ever today:

On Aug. 27, 2024, the Washington Post reported that Chinese hackers known as Salt Typhoon had attacked and breached two U.S. telecommunications firms.


That list has since grown to at least nine. They were able to access call records at will across the American population, but focused mostly on governmental “targets of interest.” They also breached the infrastructure that law enforcement uses to wiretap phone calls when authorized via court order.

During the response phase, CISA stepped up as one of the central governmental actors facilitating the flow of information to the private sector to identify Salt Typhoon. They helped to expel Salt Typhoon from those networks and offered industry guidance to help better secure affected organizations from future attacks.

If the telecommunications networks were owned and operated by the government, the challenge from nation-state actors would be much easier. We’d have people with clearances, all of whom have available sensitive compartmented information facilities (SCIFs) to view intelligence data and collaborate with our intelligence community.

However, in the United States, about 85% of all critical infrastructure is owned and operated by the private sector, and execs from those companies can’t walk into Fort Meade, Maryland, to get intelligence briefings. Put another way, that 85% needs to defend against hostile intelligence agencies doing spy things without direct access to spy resources to protect themselves.

That’s why the Trump administration’s Project 2025 identified two core functions of CISA that still needed protection and fostering: protection of the federal civilian government networks while coordinating the execution of national cyber defense and sharing information with non-federal and private-sector partners; and national coordination of critical infrastructure security and resilience.

The creation of CISA

In January of 2017, US-CERT – a predecessor of sorts to CISA – warned industry to cease the use of Version 1 of the server message block (SMB) protocol. US-CERT hadn’t been taken particularly seriously up to that point. By May of 2017, the WannaCry attack happened, abusing a vulnerability in the SMB protocol. Had the warning been heeded globally, WannaCry may not have happened, but it was too late.

This chain of events ultimately led to the creation of CISA with credible and serious professionals who focused on the kind of outreach needed to communicate with CISOs, explain the threats, and drive change before incidents took place.

While many improvements to that mission remain, even many of the CISA skeptics in the Trump administration understand their importance. We cannot get this done without – in Bay Area parlance – 10X engineers with the credibility to make the case their analysis is sound, and their recommendations will work without collateral harm. Those are the same 10X engineers who could go to the private sector tomorrow, earn two-to-three-times their current federal salary, and likely won’t ever look back when they do.

The U.S. government also has a "scholarship for service" program for cybersecurity. Essentially, students get an all-expenses paid scholarship to their current university program and for each year of scholarship funds they receive, they commit to a year of federal service. It has created a great talent pipeline of entry-level professionals who end up remaining in federal service. With the mass termination of probationary (first-year) employees, that pipeline is now in serious jeopardy.

Who would commit to that scholarship, knowing that they must repay the funds if they can’t do their required federal service? Pushing out experienced professionals while pulling the rug on entry-level professionals will devastate the pool of cybersecurity professionals in the federal government – and especially at CISA.

At a time when foreign adversaries are rapidly advancing their skillsets and increasing the sophistication of their attacks, we cannot reduce the federal government’s response to little more than a Ctrl-C and Ctrl-V analysis. We need to meet their best and brightest with our best and brightest.

No one disputes the dual mission of CISA: to protect the civilian government networks and to deliver critical analysis to the private sector to protect critical infrastructure. Failing to rise to the threat will mean that our critical infrastructure will be vulnerable to attack – and that a serious attack will eventually happen.

John Bambenek, president, Bambenek Consulting

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
