CISA on Life Support
A government shutdown is supposed to be temporary. A furlough is supposed to be temporary. Even a leadership gap is supposed to be temporary.
But when temporary starts stacking up year after year, it stops feeling temporary. It starts feeling terminal.
The latest New York Times article reporting on the Cybersecurity and Infrastructure Security Agency paints a picture that should make anyone in this industry uncomfortable. A workforce that once stood at roughly 3,400 is now below 2,400. With the current Department of Homeland Security shutdown, fewer than 1,000 employees remain actively working. The rest are furloughed.
That is not trimming around the edges. That is muscle and bone.
And this didn’t happen overnight.
From Bright Spot to Political Target
It is worth remembering that CISA was born during the first Trump administration. For many of us in cybersecurity, that was a welcome development. For years, we had argued that federal cyber coordination was fragmented and reactive. CISA was supposed to fix that. It brought infrastructure protection, federal network defense and public-private coordination under one roof.
For a moment, it felt like progress.
Then came 2020.
When Chris Krebs publicly stated that the 2020 election was secure and that claims of widespread fraud were unfounded, he was fired. That moment mattered. Not because of party politics, but because it sent a signal. Speak plainly, and you may pay for it.
The agency’s credibility with security professionals remained strong. But politically, the ground had shifted.
Jen Easterly stepped in and tried to steer the ship through choppy waters. She leaned into partnerships, election security and misinformation defense. For that, she became a target. The attacks were not subtle. They followed her beyond the Beltway, even into professional forums like RSA Conference. When cybersecurity leadership becomes a proxy battlefield for political grievances, it is not just the individual who takes the hit. The institution does too.
The Slow Erosion
Since the 2024 election cycle, scrutiny of CISA has intensified. Employees were reportedly asked to justify their roles against specific statutes. Election security personnel were sidelined. Reassignments were offered that many interpreted as demotions in disguise. Senior leaders left. Institutional knowledge walked out the door with them.
By the end of last year, roughly a third of the workforce had departed.
Now layer on budget cuts. Now layer on mission narrowing. Now layer on a shutdown that furloughs about 60% of the remaining staff. Now layer on the fact that the agency still lacks a Senate-confirmed director, with Sean Plankey’s nomination stalled for nearly a year amid broader DHS nomination disputes.
This is not one blow. This is a series of body shots.
The Times reports demoralization inside the agency. Former officials describe a “flood” of departures. Lawmakers express concern about whether CISA can fulfill its statutory mission after losing a third of its workforce. Acting Director Madhu Gottumukkala has warned that even if essential services continue, a shutdown leaves infrastructure more vulnerable.
That is not political spin. That is operational reality.
The Real Risk
Cyber adversaries do not observe government shutdowns. Nation-state actors do not pause campaigns because Washington cannot pass a funding bill. Criminal ransomware groups do not check the Senate calendar before launching attacks.
CISA’s value has never been that it does everything itself. Its value has been coordination. It connects federal agencies, state and local governments and private sector operators. It shares threat intelligence. It facilitates information sharing that many companies would not otherwise get.
That model runs on trust and people.
Lose experienced threat hunters and you lose pattern recognition. Lose regional coordinators and you lose local relationships. Lose election security specialists and you lose expertise that cannot be rebuilt overnight. Lose a confirmed leader and you lose authority at the cabinet table.
Cybersecurity is not just technology. It is institutional muscle memory.
When you hollow out the institution, you hollow out the response.
Public-Private is Not Optional
For years, we have preached public-private partnership in cybersecurity. The Colonial Pipeline attack, the SolarWinds compromise, the wave of ransomware against hospitals and municipalities all reinforced the same lesson. No single entity can handle this alone.
CISA was designed to be the connective tissue.
If the agency becomes politicized to the point that half the country distrusts it and the other half fears speaking plainly, that connective tissue weakens. If seasoned professionals conclude that their careers are safer elsewhere, the brain drain accelerates.
This is not about whether you agree with CISA’s election security work. It is not about whether you think misinformation efforts crossed lines. Those are legitimate debates in a democracy.
What is not legitimate is allowing the nation’s primary civilian cyber defense agency to drift into dysfunction because of them.
An Abject Lesson
There is a broader lesson here.
Institutions are easier to tear down than to build. It took years of advocacy, legislation and bureaucratic wrangling to stand up CISA in 2018. It took sustained leadership to mature its operations. It took trust-building across industries to make information sharing real.
It does not take much to undermine that.
A few high-profile firings. A few stalled nominations. A few budget battles. A few rounds of workforce reductions. A few public campaigns casting doubt on motives.
Add it up, and suddenly what was once a bright spot looks like it is on life support.
Time for a Reset
At this point, we may need to admit something uncomfortable.
CISA probably needs a reset.
Not cosmetic changes. Not another reorganization rumor. A real reset.
Confirm a director. Clarify the mission in statute if necessary. Stabilize funding. Rebuild the workforce. Reestablish bipartisan support for the core function of defending critical infrastructure.
Depoliticize cyber defense as much as humanly possible.
That does not mean ignoring debates about speech or federal authority. It means separating those debates from the basic mission of defending federal networks and helping critical infrastructure operators protect themselves.
We can argue about policy all day. That is how democracy works.
But when the grid flickers, when water systems are compromised, when hospital systems are locked by ransomware, nobody cares which party scored points in the last hearing.
They want to know one thing.
Who was watching the gate?

