Layoffs at the government’s top cybersecurity agency could make critical U.S. infrastructure more vulnerable to hacks by groups with ties to foreign adversaries, sources told NOTUS.
The Cybersecurity and Infrastructure Security Agency laid off more than 100 people last month as part of the Department of Government Efficiency’s efforts to shrink the government. Among those staffers were agents tracking the activity of threat groups like Salt Typhoon and Volt Typhoon, recently laid-off workers and a congressional aide familiar with the matter told NOTUS.
“I don’t think there was any criteria at all. It was just random,” said Kelly Shaw, CISA’s former lead of CyberSentry, a system that monitors for breaches from known cybercriminals and malicious state actors.
“They’re doing it without regard to what people actually do for the nation,” Shaw added.
Congress created CISA in 2018 during President Donald Trump’s first term to protect critical infrastructure from cybercriminals and state-sponsored cyber attacks. The agency became a target for Republicans and Trump after its work to counter election interference and misinformation, which Republicans said singled out conservatives.
Now Trump is back in office and DOGE is making cuts. And even positions that are critical to safety haven’t been spared, former CISA staffers said. Recent layoffs included staff working to combat intrusion campaigns by Salt Typhoon and Volt Typhoon, which are suspected of being sponsored by the Chinese government.
Last year, CISA found that these groups had infiltrated nine cell phone carriers, accessing text messages and phone calls from these networks in real time. The hack had gone undetected for over a year — it even targeted U.S. political figures — and malicious actors have continued their campaign on telecommunications companies in the time since.
Meanwhile, Congress has repeatedly proposed budget cuts at CISA, which is part of the Department of Homeland Security, and Secretary Kristi Noem said during her confirmation hearing that CISA “needs to be much more effective, smaller, more nimble to really fulfill their mission.”
A DHS spokesperson told NOTUS that cuts are meant “to eliminate egregious waste and incompetence that has been happening for decades.” The cuts across the department would result in “roughly $50 million in savings for American taxpayers,” the spokesperson added.
“DHS component leads identified non-mission critical personnel in probationary status,” said the spokesperson. “We are actively identifying other wasteful positions and offices that do not fulfill DHS’ mission.”
However, many of the CISA agents laid off last week were only working under probationary status due to recent promotions or because they were recently hired from other federal agencies, multiple sources told NOTUS.
“That’s institutional knowledge, that’s a lot of historical knowledge, that’s a lot of experience we let go,” said a former CISA staffer who requested anonymity to speak about the situation. “I don’t think we’re safer with letting these people go. I don’t think we’re more efficient with letting these people go.”
The way the recent cuts were carried out caught some staff and congressional aides by surprise.
“The department hasn’t given us data specifically about who’s gone and what roles, so we’re just piecing things together from word-of-mouth and LinkedIn posts,” said a congressional aide who requested anonymity because they were not authorized to speak to the press.
Paula Davis, a cybersecurity analyst recently laid off by CISA, said that her team members were initially told they could not take the “fork” deferred resignation offer due to the critical nature of their roles. A week later, supervisors told agents they would “respect whoever wants to participate,” she said.
The rushed nature of these departures has caused the agency to skip over crucial steps, Davis said. CISA and other agencies dealing with national security are not carrying out customary security debriefs for outgoing personnel, she said.
These debriefs allow agencies to keep track of what kind of information employees with security clearances possess in case it falls into the hands of a foreign adversary. Russian and Chinese intelligence have already started targeting departing federal employees, CNN reported.
“Even the smallest detail for an attacker or for a state actor could be very important,” Davis said. “It’s just that to us, professionals in this industry, it is just mind-blowing.”
Cybercrime-related damages resulted in an estimated $12.5 billion in damages in 2023 alone, according to an FBI report released last year. That figure is only expected to increase as data breaches, ransomware attacks and other cyber attacks become more efficient and widespread.
“When they make these cuts, they’re not trimming the fat. They’re cutting into the marrow,” the congressional aide said. “And it will take a long time to rebuild that capacity.”
—
Samuel Larreal is a NOTUS reporter and an Allbritton Journalism Institute fellow. NOTUS reporter Anna Kramer contributed reporting.