US cybersecurity agency suffers massive loss of executives
Is the reduction of bureaucracy under Trump and Musk affecting US cybersecurity? Many executives have already left the cybersecurity agency CISA.
Cybersecurity is no exception to the US government's austerity measures at its agencies. According to an internal email from the new deputy director of the cybersecurity agency CISA, more than half of the agency's executives have already left after US President Donald Trump brought Elon Musk onto his team to streamline the US administration.
Earlier this year, the US Department of Homeland Security (DHS) halted the investigation into a massive cyberattack in the US by recalling all US officials from a panel that advised CISA. Experts described this as a “gift to China”, as the US network operators AT&T, Verizon, and others had allegedly been infiltrated by a Chinese espionage group beforehand. As a result, the corresponding investigation was practically ended or at least significantly restricted.
This situation is unlikely to improve in the future. Last Thursday, Madhu Gottumukkala, Deputy Director of the Cybersecurity and Infrastructure Security Agency (CISA), informed his staff that the heads of five of the six CISA divisions and six of ten regional offices have left or will leave the US agency by the end of this month. This was reported by the Washington Post and the US magazine Cybersecurity Dive.
Criticism from experts and concerns from employees
Experts are critical of this development because “the departure of these executives could undermine the effectiveness and strategic clarity of CISA's partnerships with critical infrastructure operators, private security firms, foreign allies, state governments and local emergency managers”. This raises fears for CISA's capabilities, as US cybersecurity journalist Eric Geller writes on Bluesky.
CISA employees are also concerned. “Given the high number of departures of senior staff, including some who have been here since the days of US-CERT, there is great concern about when the cuts and departures will finally stop, and we can move forward as an agency,” one of them says. The US Computer Emergency Readiness Team (CERT) was absorbed and replaced by CISA in early 2023, almost 20 years after it was formed. Another employee, also anonymous, added that “it feels like the wrong people are leaving”.
Pros and cons of new and old boss
The US cybersecurity agency defends itself and pushes back. “CISA is stepping up its efforts and fulfilling its statutory mission to secure the nation's critical infrastructure and strengthen our collective cyber defenses,” said CISA chief Bridget Bean in a statement. “We were established as the nation's cybersecurity agency and have the right team in place to fulfill that mission and ensure we are prepared for a range of cyber threats from our adversaries.”
But a former head of that cybersecurity agency also fears limitations to US cybersecurity. Suzanne Spaulding, who led CISA's predecessor agency within DHS from 2011 to 2017, said it was “sad and infuriating to see so much expertise and institutional knowledge lost.” And she warns that “the loss of these leaders, including senior leaders across the country who work with critical infrastructure owners and operators every day, will weaken the nation's security and resilience.”
(fds)