Eight months into the second Trump administration, what’s most striking about its cybersecurity policy is what’s missing: Much of the workforce of the Cybersecurity & Infrastructure Security Agency, a permanent leader for the agency, and a public discussion about what the president did to its two previous directors.
On top of this, CISA and other federal information-security offices have been plunged into this turmoil even as digital threats continue to escalate, with Chinese and North Korean attackers regularly breaking into critical U.S. systems.
The next cybersecurity crisis could come in the form of yet another penetration of corporate or government networks, or of less-defended but still-critical infrastructure like sewer and water systems. Or it could involve a target that the Trump administration has itself created: the large amounts of data compiled and copied with questionable security by its DOGE government-disruption project and its brutal crackdown on undocumented immigrants.
But since Trump’s second inauguration, standing before a contingent of tech CEOs, Homeland Security Secretary Kristi Noem has ordered CISA to drop election security and misinformation from its missions. Layoffs have cut deep into its ranks: In June, the trade publication Cybersecurity Dive reported that one-third of CISA’s workforce had headed for the exits.
That marks a stark contrast with the first Trump administration’s approach to cybersecurity — which included launching CISA.
“Sure, there was some upheaval, but nothing like this administration,” says Katie Moussouris, CEO of the bug-bounty firm Luta Security.
The government shutdown, which is forcing about a third of CISA’s remaining employees to work without pay while it furloughs the remainder, seems unlikely to improve the situation.
Outrage, weaponized
CISA also lacks a Senate-confirmed director, with Trump’s nominee Sean Plankey stalled after Ron Wyden, the Democratic senator from Oregon, placed a hold on the nomination until CISA releases a 2022 report on the security of U.S. telecom networks.
Trump himself has paid less attention to his would-be CISA head than to the two previous occupants of that office: Jen Easterly, who ran it under President Biden, and Chris Krebs, whom Trump appointed in 2017 at CISA’s founding and then fired in November of 2020 for his public defense of the 2020 election’s integrity.
In April, Trump ordered agencies to yank Krebs’ security clearances and launch investigations into him and his employer, the security firm SentinelOne. A week later, Krebs resigned, telling colleagues that he needed to take on that fight “fully – outside of SentinelOne.”
In July, the Army rescinded Easterly’s appointment to a temporary department chair at West Point after the extremist influencer Laura Loomer complained about it on X as she has about other staffing choices.
“When outrage is weaponized and truth discarded, it tears at the fabric of unity and undermines the very ethos that draws brave young men and women to serve and sacrifice,” Easterly, a West Point graduate, wrote in a LinkedIn post denouncing the move.
Neither Krebs nor Easterly, contacted via intermediaries, responded to requests for comment.
Worse than expected
Add in developments like Trump dismissing the members of the Cyber Safety Review Board (CSRB), an investigatory office modeled on the National Transportation Safety Board, and the barely averted end of federal funding for a widely consulted database of security vulnerabilities, and the picture looks grimmer than the forecasts of security experts last summer for a possible Trump victory.
“I did not think they were going to break with norms as much as they have in this administration,” says Moussouris. She worries about attackers overseas now taking advantage of this disarray: “I think our adversaries are having a field day.”
She finds the punishment of Krebs and Easterly especially toxic. “It’s going to make it harder for career professionals to want to move into the federal government space,” she says. “It’s going to make it harder for those folks coming out of government to be hired by private industry.”
Steven Bellovin, a computer-science professor at Columbia University with multiple stints on government advisory boards, gripes about the pettiness of cutbacks like shutting down the CSRB. “Of course they did—it was a Biden initiative,” he says.
Ari Schwartz, executive director of the Center for Cybersecurity Policy and Law and, in President Obama’s second term, the National Security Council’s senior director for cyber, worries about the loss of experience and talent at CISA and elsewhere.
“They lost some people that have been there a long time,” he says. “They lost some people who are really, really good. And it’s the nation’s loss.”
advertisement
Schwartz also sees this White House’s foreign policy impeding cooperation with other countries. “This administration has done some things to build good relationships with our allies and has done some things to put our allies off a bit,” he says.
He declined to comment about Krebs and Easterly.
“CISA is laser-focused on its role as America’s premiere cyber defense agency and national coordinator for critical infrastructure security and resilience,” the agency’s public-affairs director Marci McCarthy said in a statement.
A somewhat silenced CISA
When security researchers, policymakers and marketers convened in Las Vegas in August for the annual Black Hat conference to compare notes and do business, CISA had a much lower profile there. Agency representatives speaking this year were relegated to side stages–a sharp contrast with last year, when that event opened with a keynote from Easterly.
Chris Butera, acting executive assistant director for CISA’s cybersecurity division, acknowledged that the agency had “lost some people,” while adding that it has “a very talented workforce.”
He noted CISA’s speedy response to a Microsoft Exchange vulnerability disclosed in a Black Hat talk the day before — the first time, he said, the agency had directed other federal offices to install patches for a just-identified weakness within 24 hours.
Following a panel featuring McCarthy hosted by the Washington security-startup foundry DataTribe, Fast Company asked her what the administration’s treatment of Krebs and Easterly suggested about its openness to dissenting views.
“That would be a question for President Trump,” McCarthy replied.
The work continues
The Trump administration’s capriciousness notwithstanding, Schwartz and Moussouris cited some reasons for cautious optimism.
Schwartz points to Trump’s pick of Sean Cairncross as national cyber director. “He’s known to be a good manager,” Schwartz says of Cairncross, who served as CEO of the government’s Millennium Challenge Corporation in the first Trump administration.
Schwartz’s suggested a key next step for the administration: Get Congress to renew the 2015 law offering legal protection to companies for sharing threat data amongst themselves and with the government. Congress allowed that statute expire at the end of September. That, of course, will have to wait until the conclusion of the shutdown.
Moussouris, meanwhile, gives a thumbs-up to the Trump administration’s push back against Britain’s demand that Apple compromise end-to-end encryption securing iCloud backups—which resulted in Westminster giving in to Washington.
“Whoever is giving them advice on that particular policy matter has it dead right,” she says.
That’s also her advice for cybersecurity leaders in this administration going forward.
“Listen to the technologists,” she says. “Go beyond the scope of whatever policy agenda has been given to you.”