The Big Purge: Inside Our Nation’s Top Cybersecurity Agency, Workers Are Trembling

By Tim Leogrande, BSIT, MSCP, Ed.S.

Updated 10:30 PM EDT • Sun March 16, 2025

The Cybersecurity and Infrastructure Security Agency (CISA), part of the United States Department of Homeland Security (DHS), is responsible for cybersecurity and infrastructure protection across all levels of government. However, recent Department of Government Efficiency (DOGE) mandated layoffs are interfering with critical CISA jobs, and the remaining employees are dismayed, frightened, and overworked.

CISA has lost key support staff, international partnerships have been strained, and employees are hesitant to address democracy risks they can no longer counter. Meanwhile, CISA's temporary leader is trying to appease The White House, angering staff who claim she's out of touch and won't defend them. Reports indicate that many agency workers are now focused on their own safety rather than current cyber threats.

This sudden upheaval may have extremely undesirable impacts on national security and economic prospects as the Trump administration's ‘war on bureaucracy’ shatters several vital government agencies. The DHS has established itself as a nonpartisan source of financing, guidance, and direct defensive support for cities, corporations, and organizations facing cyberattacks. That mission is now threatened, according to several CISA personnel.

Since its 2018 founding, CISA's mission has expanded. The agency, originally created to defend government networks, now supports private firms and state governments, promotes secure software, and works with overseas partners. This gave CISA credibility and visibility. But after numerous rounds of layoffs and new Trump administration constraints, the agency is failing to maintain its momentum. Multiple CISA employees estimate that between the layoffs and the Office of Personnel Management's deferred-resignation program, CISA has lost 300 to 400 employees; approximately 10% of its 3,200-person workforce.

Many workers were hired through DHS's Cybersecurity Talent Management System (CTMS), which competes with private-sector compensation for specialists. They became probationary employees for three years, rendering them subject to layoffs. Longtime government personnel who had become probationary by shifting to CTMS posts were laid off at CISA. Kelly Shaw, who oversaw CISA's flagship program, a voluntary threat-detection service for critical infrastructure operators, David Carroll, who led the Mission Engineering Division, the agency's technological backbone, and Duncan McCaskill, Carroll's technical director, all left the agency.

<aside> 💡

The departures pressured an already stretched crew. Most staff already worked as much as two or more full-time employees, and the CISA unit that assists critical infrastructure operators with hacks has been understaffed for years.

</aside>

After a GAO examination, the government added support roles for that team, but most of those people were terminated. So far, CISA's flagship programs have managed to survive. The threat-hunting branch assesses threats, monitors government networks for intruders, and responds to breaches. However, several laid-off employees provided vital “backend” support for threat hunters and analysts; and there are enhancements that could be made to the tools that they're using. However, fewer workers making improvements means that there are going to be an increasing number of antiquated systems.

CISA relies on external relationships to understand and combat evolving threats, but they've been sandbagged because international travel and internet communications with foreign partners have been frozen due to a new policy which dictates that these activities now require high-level authorization. This has hindered CISA's coordination with other cyber agencies, including “Five Eyes” partners Canada, Australia, New Zealand, and the UK. CISA workers can't even connect with other federal agencies in the usual fashion and previously routine discussions between CISA staff and high-level officials now require special permits, impeding crucial work.

DOGE's ransacking of agency systems has also made private businesses wary of providing information to CISA or using its free attack-monitoring services. Partners are asking what DOGE can access and are worried about the use of their sensitive information, and the dismantling of these relationships will have long-lasting impacts.

CISA's Joint Cyber Defense Collaborative, a prominent government-industry partnership, is also failing. Over 300 private organizations collaborate with the JCDC to share threat information, write defensive playbooks, debate geopolitical issues, and publish advisories. The unit wants hundreds more partners, but it has had difficulty scaling this effort, and recent layoffs have only made things worse. Contractors might help, but JCDC vendor support contracts run out in less than a year, and CISA doesn't know if it can pursue new deals because federal operations have been blocked or paused in recent weeks. Many CISA employees believe the JCDC lacks federal workers to cover the gap. With fewer workers to maintain its relationships, the JCDC must decide how to focus its resources without sacrificing threat visibility. It may be cheaper to focus on major corporations, but that would leave out mid-sized firms whose technology is vital to US industries.

Other CISA missions are also waning. The agency promised to help the computer industry understand and manage the risks endemic to open-source software—which is often inadequately maintained and exploited by hackers—during the Biden administration. Since Trump took office, CISA lost Jack Cable, Aeva Black, and Tim Pepper, three tech luminaries who supervised this work.

<aside> 💡

Artificial intelligence activity at CISA has been halted by the new administration. The agency was studying AI threats and using AI for vulnerability identification and networking monitoring alongside the commercial sector. About 50% of CISA's AI expert staff has been let go, severely limiting the agency’s ability to help the US AI Safety Institute test AI models prior to deployment.

</aside>

The new administration also fired CISA's top AI officer, Lisa Einstein, and closed her office. Einstein's team managed CISA's AI use and monitored it with private enterprises and foreign governments. A huge team of DHS and CISA AI staffers was supposed to accompany Vice President JD Vance to Paris in February for an AI symposium, but they were prohibited from participating.

After the agency was forced to suspend its election security program and lay off most of its workers, CISA officials were left reeling. CISA's election security initiative, which offered free services and advice to state and local officials and collaborated with tech companies to track online misinformation, was targeted by right-wing conspiracy theories after Trump returned to the White House in 2024. Despite being a small component of CISA's budget and operations, the campaign against the initiative has frightened agency personnel. The election security purge spread across the agency because some laid-off officials had migrated from elections to other duties or were working on both missions.

When JCDC chief of partnerships Geoff Hale was placed on administrative leave, a scramble ensued to replace him. Hale managed the elections team from 2018 to 2024. At CISA, morale began to deteriorate after Hale and his coworkers were fired. No one at the agency is going to talk about election security now, however, due to fear of punishment from the The White House.

<aside> 💡

DOGE’s layoffs, operational changes, and other disruptions have lowered morale and effectiveness for employees throughout CISA. Even simple tasks are difficult to accomplish because workers have no idea if their teammates will still work there tomorrow.

</aside>

The main source of tension and irritation is acting CISA head Bridget Bean, a former Trump appointee who employees say seems eager to please the president even if it means not defending her agency. In town hall meetings, Bean has advised staff to “assume noble intent" when interacting with Trump administration officials. Many employees share the sentiment that Bean is against the workforce and is only interested in pleasing The White House.