Chaos at CISA: US cybersecurity agency brings back fired employees via website

The US cybersecurity agency CISA is causing confusion among its employees and the IT security community with terminations, contract terminations and a hasty recall campaign. In a message directly on the homepage of its website, the agency is now turning to terminated employees to bring them back. However, the agency does not seem to know exactly who it has dismissed, so those affected should get in touch by email.

Due to an injunction by the District Court of Maryland, various federal agencies, including CISA, are obliged to reverse dismissals made by the DOGE (Department of Government Efficiency). The agency is now doing that – or trying to. Apparently, the contact details of some ex-employees who are supposed to contact the authority's e-mail address are missing. Apparently, CISA does not have all the necessary information about employees on probation. However, the phrase "probationary period" can also mean a period to improve performance.

But even those who return to CISA are not allowed to work there again: All returnees are given time off with full pay immediately after resuming their position, the authority states on its website. Anyone who does not wish to do so should submit a written statement – of course, you can also resign voluntarily at any time.

Insecure e-mail instructions

To identify themselves, those dismissed should compile a password-protected attachment with personal information – such as their name, date of employment and termination, date of birth or social security number. CISA also requests any letter of resignation by e-mail.

As security researcher Kevin Beaumont writes on Mastodon, the cybersecurity authority expects the password for the attachment to be sent in a separate email to the same address. This is an insecure practice that allows attackers with access to CISA mail traffic to view sensitive data. Such attacks are not just theoretical: CISA presumably uses the Microsoft cloud and could therefore be affected by a data leak like the one in 2024. At that time, CISA issued an emergency decree ordering other federal authorities to carry out extensive clean-up operations.

There are also pitfalls in sending password-protected archives by email: Malware scanners cannot examine such files, so attackers could infiltrate Office documents with malicious code. The cybersecurity authority's shirt-sleeved approach is causing a justified frown among experts.

CISA Red Team continues to work

The Cybersecurity Agency is not resting on its laurels after speculation about an alleged U.S. U-turn in the cyber war against Russia and its impact on CISA began to circulate in early March 2025. A spokeswoman for the US Department of Homeland Security, which oversees CISA, described the reports as "garbage".

Recently, rumors have also been circulating that CISA had fired its "Red Team". In the IT security of a company or authority, a Red Team specializes in taking on the role of a cyberattacker, searching for vulnerabilities and exploiting them. As an American with the job title "Senior Penetration Tester DHS | CISA" wrote on the LinkedIn platform, DOGE had terminated its contract with the security authority, which affected the Red Team and over one hundred employees.

Media reports that CISA was now deprived of its offensive security capabilities without the Red Team were countered by the authority on March 12 with a denial: the department had not been dissolved, but redundant contracts had been terminated. However, this did not impact CISA employees, whose Red Team continued to work without interruption.

Meanwhile, former CISA boss Jen Easterly expressed her criticism of the DOGE clean-up at her former agency on LinkedIn. She feared that CISA was now bleeding out and losing some of its best employees because they would rather not work in an environment dominated by fear and uncertainty. Most of her ex-colleagues had been selfless, courageous, honorable and highly qualified civil servants.

(cku)