Federal Shutdown Deals Blow to Already Hobbled Cybersecurity Agency

Political Football
The agency takes a nonpartisan approach to cybersecurity matters. However, some politicians have accused the agency of political bias for its work helping states protect their voting infrastructure from cyberattacks and external influence. Specifically, the agency was repeatedly maligned for calling the 2020 election the “most secure” in history. For some in elected office, this work on election security has tarnished CISA’s reputation and perhaps explains recent budgetary actions taken against the agency.

Since the Trump administration took office in January 2025, nearly 1,000 CISA employees have departed the agency through voluntary buyouts or deferred resignations. By the end of May 2025, nearly all of CISA’s senior leadership had resigned or had announced plans to do so.

For 2026, the president’s draft budget proposes to reduce CISA’s head count by nearly one-third, dramatically cutting staff from its risk management and stakeholder engagement divisions. Other cuts will significantly reduce the agency’s collaboration activities and funding for CISA’s various cybersecurity education and training programs.

Making the problem worse, the government shutdown began at the same time that Congress failed to renew the Cybersecurity Information Sharing Act. This law provided a legal shield that allowed companies and infrastructure operators to share timely and often sensitive information with CISA about the cyberattacks, vulnerabilities and incidents that they were encountering.

In the wake of the law’s expiration, prudent companies may consider restricting what information they share with the government. Without the indemnification provided by CISA, many companies will likely have their legal teams review any information to be shared with the government. And that takes time.

Unfortunately, adversaries do not reduce their attacks against the U.S. based on available federal cyber defense funding or the status of cybersecurity laws. In fact, malicious hackers often strike when their target’s guard is down.

Charting a Better Course
Early in my career I had to work through a prolonged government shutdown. I’ve also participated in and developed assorted public-private information-sharing environments to exchange intelligence and analysis on cyber- and national security matters. And having been in the D.C. area for over 30 years, I’ve seen how government works. So I have a good idea of what’s needed to improve American cybersecurity. The following suggestions are a starting point.

First, Congress could ensure that critical security agencies such as CISA are immune from the threat of recurring federal government shutdowns. If it desired, Congress could set budgets for America’s security agencies on a biennial basis – as 16 states already do for their entire budgets.

In terms of cybersecurity funding, the White House’s proposed 2026 budget reduces research and education on cybersecurity. For example, the nation’s premiere federal cybersecurity scholarship program to recruit, educate and place future federal cybersecurity workers would be reduced by over 60%. Protecting this funding would allow CISA and the federal government to maintain the pipeline for a robust and capable cybersecurity workforce both today and into the future.

Companies could develop new or expand existing nongovernmental information-sharing networks that are not completely dependent on the government to facilitate or fund, such as the Cyber Threat Alliance or the Center for Internet Security. Cybersecurity relies on trust. But right now, the instability of the federal government makes it difficult to rely on any entity under its policy or funding influence, no matter how well time-tested and trusted. Regardless, without legal protections, the information-sharing utility of these services will be limited.

Cybersecurity risks remain even if the federal government shuts down. So this is another reminder that each of us is responsible for our own cybersecurity. Individual users should continue to remain vigilant, follow accepted best practices for cybersecurity and always be mindful about online risks.

It’s ironic that the federal government is shutting down, CISA is being eviscerated and the Cybersecurity Information Sharing Act has expired just as the country begins to observe national Cybersecurity Awareness Month – another collaborative public engagement activity that CISA promotes to help improve cybersecurity for all Americans.

Richard Forno is Teaching Professor of Computer Science and Electrical Engineering, and Associate Director, UMBC Cybersecurity Institute, University of Maryland, Baltimore CountyThis article is published courtesy of The Conversation.

Leave a comment

Register for your own account so you may participate in comment discussion. Please read the Comment Guidelines before posting. By leaving a comment, you agree to abide by our Comment Guidelines, our Privacy Policy, and Terms of Use. Please stay on topic, be civil, and be brief. Names are displayed with all comments. Learn more about Joining our Web Community.