CISA Cuts: A Dangerous Gamble in a Dangerous World
The recent layoffs at the Cybersecurity and Infrastructure Security Agency (CISA) have sparked major concerns across the cybersecurity community. More than 400 Department of Homeland Security employees, including 130 from CISA, were dismissed in what has been described as a workforce reduction of “non-mission critical personnel in probationary status.” While these layoffs raised alarms about the agency’s ability to fulfill its irrevocable mission, they also present an opportunity to reframe the narrative around CISA’s role in global risk management.
The Critical Role of CISA in Risk Management
Established in 2018, CISA has been a cornerstone of US government efforts to protect critical infrastructure and manage cyber-risks. Its achievements, such as the public Known Exploited Vulnerabilities (KEV) catalog, the Secure by Design initiative, and the Stop Ransomware campaign, underscore its watchdog role in safeguarding digital and physical infrastructure.
But CISA’s mandate extends far beyond just helping to report threats. The agency is tasked with ensuring the resilience of critical infrastructure, ranging from energy grids to transportation systems to manufacturing units to healthcare and financial services. After all, a ransomware attack on a hospital can disrupt life-or-death healthcare services, while a breach in the energy sector has led to widespread fuel shortages.
CISA also plays a big role in preparing for and responding to other types of threats, including natural disasters, supply chain disruptions, and geopolitical instability. For example, during the US presidential election CISA worked tirelessly to secure election infrastructure against interference from foreign adversaries and domestic bad actors, combat disinformation campaigns, and ensure the integrity of the voting process.
The agency is also heavily involved in managing risks related to physical infrastructure. For example, during the 9/11 attacks or natural disasters like hurricanes and wildfires, CISA worked to enhance the resilience of the nation’s critical physical infrastructure. This broad scope positions CISA as a central player in risk management, a discipline that encompasses identifying, assessing, and mitigating risks that could disrupt societal functions.
The Impact of CISA Layoffs on Risk Management
The cuts at CISA come at a time when the agency’s responsibilities are expanding, not shrinking. The rise of sophisticated cyber threats, the proliferation of connected devices, the growing interdependence of critical infrastructure systems, the emergence of AI-powered threats, and the threat of state-sponsored attackers demand a more robust, agile, and proactive defense.
With fewer staff members, the agency might struggle to maintain its current initiatives, let alone expand its scope. The risks are clear: Critical infrastructure could become more vulnerable to cyberattacks, while the government’s ability to respond to these incidents might be drastically reduced. The loss of experienced personnel might also erode institutional knowledge and hinder long-term planning. Not to mention the impact on public-private partnerships. With fewer personnel to engage with private sector partners — something that is essential in today’s fast-shifting cyber world — the agency’s ability to provide timely guidance, coordinate incident response, and foster trust could be severely compromised.
The workforce reduction further risks being interpreted as a fundamental misunderstanding of the agency’s role in risk management. Cybersecurity isn’t an isolated issue; it’s deeply intertwined with other forms of risk that threaten global security and economic stability. By reducing CISA’s capacity, the administration is not only potentially weakening the nation’s cyber defenses but also its ability to manage a wide range of risks.
A Call for Strategic Expansion in CISA
Sound risk management requires thoughtful decision-making based on an assessment of all of the interlocking and co-dependent risks and threats. This is all too often still a resource-intensive exercise, and there is undoubtedly an argument that rather than cutting CISA’s workforce, the federal government should be investing in the agency’s expansion. This includes not only hiring more personnel but also providing the resources needed to modernize its tools, technologies, and processes. A stronger CISA would be better positioned to address the evolving threat landscape and support the nation’s risk management efforts.
Moreover, continued investment in CISA would send a powerful message that the US and its allies are committed to defending critical infrastructure and maintaining leadership in cybersecurity. It would also reassure the private sector, which relies on CISA for guidance and support in managing cyber-risks.
The recent layoffs at CISA are puzzling, but they should not define the agency’s future. By reframing the conversation around risk management, the government can help build a stronger, more resilient CISA. Now is the time to invest in CISA’s role, ensuring that it can continue to protect society from an ever-expanding array of risks. The stakes are too high to do otherwise.