Note from Tom:
I have moved to Substack as my primary blog platform. If you want to see all my new posts, as well as my 1200+ legacy posts dating from 2013, please support me by becoming a paid subscriber to my Substack blog. The cost is $30 a year. Thanks!
It’s time to face the truth: The current administration aims to end CISA altogether (or “terminate with extreme prejudice”, as the CIA agent says with a slight smile when giving Martin Sheen his order to kill Captain Kurtz in Apocalypse Now). Moreover, even though they haven’t been able to achieve that lofty goal yet, they are determined to progressively hollow the agency out, so that – probably by the end of 2025 – it will be more or less an empty shell.
The latest evidence of this is found in this Cybersecurity Dive article that I just read. I learned from the article that DHS (which houses CISA) didn’t dissemble at all when they laid out the reason why they made the most recent 176 layoffs (all since the government shutdown started two weeks ago): “During the last administration, CISA was focused on censorship, branding and electioneering,” a spokesperson said. “This is part of getting CISA back on mission.” What the spokesperson is referring to is something that happened in 2020, when Chris Krebs, the founder and first Director of CISA, refused to parrot the lie that the recent election had been stolen. For that sin he lost his job, although that only enhanced his reputation.
Since the 45th presidential administration ended soon after the firing, CISA flourished for four years and did a lot of great work. Unfortunately, we (the cybersecurity community) allowed ourselves to believe that was the new normal and we would always be able to count on CISA being there to come up with innovative programs and help when needed.
However, it turns out that firing Chris Krebs was just the opening shot of a campaign of “retribution” against CISA and all its employees, even though it’s safe to say that not even one of those employees had anything to do with the (in)famous memorandum in which Chris stated that the election was free and fair.
Since the 47th presidential administration commenced on January 20, 2025, almost all federal agencies have been hit with layoffs, some more severe than others. One common feature of those layoffs is that they have been indiscriminate and not based on anything more than a desire to eliminate X number of people from the agency. In other words, if you were fired, your layoff notice was a lot like a statement that Michael Corleone makes in The Godfather, regarding a double murder he’s going to carry out. I paraphrase it as “This isn’t personal. It’s just business.” Like Michael’s victims, I’m sure the people losing their jobs in those agencies drew great comfort from the fact that they were being fired for purely statistical reasons, not due to any failing on their part (after all, the boss needs to make his numbers!).
However, the many people that have been laid off at CISA this year, including the people laid off so far during the shutdown, don’t even have that small comfort. The spokesperson quoted above said they are being laid off to “(get) CISA back on mission.” In other words, these people are being laid off because Chris Krebs told the truth in 2020, even though probably few of them even worked for CISA at the time of the truth-telling, let alone had anything to do with that nefarious deed.
In the same way, the decision to fire so many employees (which has been ongoing since January and will probably continue throughout this administration, if CISA itself isn’t terminated) is clearly a business decision: It’s being done not just to reduce head count at the agency, but to deter all federal employees, especially those caught in the act of “discovering facts while engaged in cybersecurity”, from disclosing those facts when it might be unhelpful for the people in charge. Of course, this is a lesson that future cybersecurity stars are sure to take to heart when considering whether to take a lower-paying CISA job over a higher-paying private sector position: CISA (or any other federal agency) just isn’t worth the grief, no matter how personally rewarding it might be otherwise.
The administration has stated that they want the number of employees at CISA at the end of this year to be no more than 35% of what it was in early January. I’m “pleased” to report this is one goal the administration is likely to achieve, both by directly terminating people and more importantly by “persuading” them to resign.
The Cybersecurity Dive article provides a lot of information on how that persuasion works: Management transfers CISA employees to other DHS agencies like ICE and FEMA, where their roles will probably have nothing to do with cybersecurity. Plus, to put icing on the cake, they assign them to a location far from where they are currently and give them a short deadline either to accept the transfer or resign. In fact, Sonny Wescott, whose amazing presentation at NERC’s 2024 GridSecCon grid security conference was something I’ll never forget (as is probably true of most of the others who heard her then), seems to have received one of these “offers”: to work for the Federal Protective Service, which guards federal buildings including ICE facilities, in Fort Worth. (She is Chief Meteorologist of CISA, based in DC.) However, she was given 60 days to decide, rather than the usual seven (!). I’m sure she’ll have something much better lined up before she has to report to the new position.
This points to the worst feature of the layoffs (both at CISA and other agencies): They’re being carried out with deliberate cruelty. There’s certainly a dignified way to lay somebody off, which respects the fact that they’re human beings. Unfortunately, nobody seems to have gotten that memo in the current administration. Of course, this means that CISA probably won’t be able to hire great (or even good) people until management has turned over at the very top. Who’s going to work for an agency that has made it clear they couldn’t care less about their employees and they’ll discard them at a moment’s notice (or 7 days’ notice, as in CISA’s case)?
However, there’s one more action taken at CISA which has probably had, and will continue to have, even more deleterious effects than the firings. I described it in this post:
(One of the more interesting individuals introduced at CISA in the early days of the new administration was) Edward Coristine. He was listed as a Senior Advisor to CISA in February, having been installed by the “Department of Governmental Efficiency” or DOGE (Coristine had a famous nickname that I can’t repeat here, since this is a family blog).
Mr. Coristine had success in the cybersecurity field while still in high school (which wasn’t long ago, since he was 19 when he was at CISA. He’s either 19 or 20 today). He must be quite good at whatever he does, since his company, DiamondCDN, was complimented by a customer called EGoodly. They posted on Telegram, “We extend our gratitude to our valued partners DiamondCDN for generously providing us with their amazing DDoS protection and caching systems, which allow us to securely host and safeguard our website…”
What kind of company, pray tell, is (or was) EGoodly? They were described by Reuters (in the article linked above) as “a ring of cybercriminals”. Perhaps I’m old-fashioned, but it doesn’t seem to me that someone who has done work for cybercriminals should be installed as a senior advisor to CISA - with access to their most sensitive systems, of course. At the very least, one would expect that CISA’s (and DHS’s) management team would have requested a background check first – and if it was refused, they would have refused to give Mr. Coristine access to any system, except perhaps the cafeteria menu system. But it seems there was no background check, even though I’m sure every janitor gets such a check.
Of course, I’m sure that CISA management last February and March was under tremendous pressure to do whatever DOGE told them to do. Even if DOGE demanded system access for Vladimir Putin, it would probably have been granted. I guess we can at least be happy that didn’t happen.
However, this isn’t just a funny story. After all, an associate of cybercriminals may have had access to the most sensitive systems at CISA. He’s gone now, but what did he leave behind in those systems? Malware, logic bombs, spyware? All of the above? In my opinion, a prudent cybersecurity person (and that species probably went extinct months ago at CISA) would require that all systems be brought down and thoroughly scrubbed for anything that might be harmful, whether or not it can be proven to be so. And any systems that can’t be 100% trusted need to be shut down and rebuilt from scratch (plus the backups can’t be trusted, either).
Of course this will greatly slow the work of the agency, but it needs to be done. Because if it isn’t done, any organization that currently partners with CISA (including foreign governments, state and municipal governments, and private sector organizations) needs to seriously rethink whether they should continue that relationship. In addition, they should examine any of their own systems that were ever directly connected to a CISA system.
Furthermore, any organization or government that wants to partner with CISA now should first have a thorough examination – and I’m not talking about an examination of their systems. I’m talking about a psychological examination. Why is their self-esteem so low that they’re willing to risk being put out of business due to malware that was “gifted” to them by Edward Coristine, better known as “Big B___s”?