While TSA Made Headlines, CISA Went Dark
BSidesSLC 2025 – Risk Management Explained Through Star Wars
The Department of Homeland Security has been partially shut down for over 45 days. In that time, 460 TSA officers have quit, absences at major airports have exceeded 30%, and the TSA acting head publicly warned the agency may need to decide which airports to keep open and which to shut down (Reuters, March 24, 2026; Philadelphia Inquirer, March 25, 2026). That story dominated every major outlet for weeks.
There is another DHS shutdown story that almost nobody is covering. The same funding lapse that produced airport chaos also degraded the Cybersecurity and Infrastructure Security Agency, the federal government’s primary coordination point for defending critical infrastructure against cyberattacks. CISA’s disruption did not produce visible lines or viral footage. It produced something far more consequential. Gaps opened in the national cybersecurity posture at the exact moment the threat environment escalated to its most active state in years.
What CISA Does and What Stops When Funding Lapses
For readers unfamiliar with CISA, the agency operates as the central nervous system for federal cybersecurity coordination. In simple terms, if a vulnerability is being actively exploited across the internet, CISA is the agency that identifies it, catalogs it, alerts federal agencies, and coordinates the response. It maintains the Known Exploited Vulnerabilities (KEV) catalog, publishes vulnerability alerts, issues binding operational directives, coordinates incident response across sectors, provides security assessments to state and local governments, and runs a 24/7 operations center for shared situational awareness on cybersecurity threats nationwide.
During the funding lapse, Acting CISA Director Madhu Gottumukkala testified that 888 of CISA’s 2,341 employees would continue working without pay (CyberScoop, February 2026). The 24/7 operations center and imminent threat response would continue on a limited basis. Everything else would stop. Strategic planning, new capability development, cybersecurity guidance, stakeholder training, security assessments, and binding operational directives would all halt. The skeleton crew keeps the lights on. The work that actually advances the nation’s cybersecurity posture goes dark.
“When the government shuts down, our adversaries do not,” Gottumukkala told Congress (CyberScoop, February 2026).
It is important to remember that behind these numbers are real people. The TSA story included officers sleeping in cars and selling plasma to cover rent. The CISA story is quieter but carries its own cost. Experienced analysts and field advisers who have spent years building relationships with critical infrastructure partners are the ones working without pay or walking out the door. When they leave, they take knowledge that cannot be replaced by backfilling a position months later.
An Agency That Was Already Running on Fumes
The shutdown did not hit a fully staffed agency. It hit one that was already significantly degraded. Under the Trump administration’s fiscal year 2026 budget proposal, CISA is projected to lose approximately one third of its workforce, dropping from 3,292 employees to 2,324 (Nextgov, June 2025). Roughly 1,000 have already departed. The Cybersecurity Division lost nearly 200 staff. The Cybersecurity Advisers field team, often the first federal phone call during a cyber incident, shrank from 164 to approximately 97 nationwide (TechTarget, 2026). Total operational funding was cut by more than 420 million dollars (Government Executive, June 2025).
The deepest cuts targeted the functions most relevant right now. The National Risk Management Center, responsible for anticipating threats to national infrastructure, faces a 73% budget reduction. The Stakeholder Engagement Division faces a 62% cut. The Election Security Program was eliminated entirely ahead of the 2026 midterms (CPO Magazine, 2026). Minnesota Secretary of State Steve Simon told AP News: “We do not have a sense of whether we can rely on CISA for these services as we approach a big election year in 2026.“
At this point one is likely wondering how the government can simultaneously declare cybersecurity a national priority and defund the agency responsible for operationalizing it. In June 2025, the administration issued Executive Order 14306 directing the use of AI to improve cybersecurity, signed over one billion dollars in AI funding legislation, and released an AI Action Plan with explicit pillars for critical infrastructure defense (NIST, June 2025). At the same time, the agency responsible for much of that defense is losing a third of its workforce and 495 million dollars in funding. The budget cuts are a deliberate policy choice. The shutdown is a political standoff over immigration enforcement. Neither has anything to do with cybersecurity, but both are degrading the same agency at the same time.
The Threat Environment Is Not Waiting for Congress
On February 28, 2026, two weeks after the DHS shutdown began, the United States and Israel launched Operation Epic Fury against Iran (U.S. Central Command, February 28, 2026). Within hours, the cyber dimension of the conflict activated. Unit 42 documented more than 60 hacktivist groups mobilizing against U.S. targets (Unit 42, March 2026). CloudSEK identified over 40,000 internet exposed industrial control systems in the United States as potential retaliation targets, many running with default credentials or no credentials at all (CloudSEK, March 2026). The largest escalation in state sponsored cyber threat activity in years began while the agency responsible for coordinating the federal response was operating with a skeleton crew.
The attacks were not theoretical. On March 11, Handala, an Iran linked group affiliated with Iran’s Ministry of Intelligence and Security, attacked Stryker Corporation, one of the largest medical device manufacturers in the world (AP News, March 11, 2026). The group claimed to have wiped over 200,000 systems across 79 countries and exfiltrated 50 terabytes of data (Bleeping Computer, March 2026). According to Check Point Research, the attackers used compromised Microsoft Entra ID credentials to access Microsoft Intune and deployed legitimate administrative wipe features to destroy endpoints at scale. They did not need custom malware. They used the organization’s own cloud management tools against it. Stryker’s Lifenet system, used by emergency responders to transmit patient data to hospitals, reportedly became nonfunctional in parts of Maryland (CNN, March 11, 2026).
AP News reported that Iranian hackers are actively targeting U.S. defense contractors, government vendors, businesses working with Israel, and critical infrastructure including hospitals, ports, water plants, and power stations. The stated objective is to “wear down the American war effort, drive up the costs of energy, strain cyber resources and cause as much pain as possible” (AP News, March 2026). Iran is one dimension. CISA’s own advisories have warned that Volt Typhoon, a Chinese state sponsored group, has been seeking to preposition on U.S. critical infrastructure for potential disruptive attacks (CISA Advisory AA24-038A). These are persistent threats that require sustained coordination from exactly the kind of agency being starved of resources.
What Organizations Should Be Doing Now
TSA disruption is visible and largely reversible. Officers can be rehired. Screening lines will normalize. Cybersecurity degradation works differently. Think of it like a levee system. Nobody notices when maintenance stops. The levee looks the same from the outside. The erosion is invisible until the water rises and the wall fails. The Coast Guard’s vice commandant testified that recovery from the shutdown would require “two and a half days to recover for each day without funding” (Navy Times, March 26, 2026). Cybersecurity capacity likely follows a similar or worse ratio. The 45 day shutdown does not produce 45 days of lost capacity. It produces months of degraded readiness.
Federal cybersecurity support is not guaranteed. The DHS shutdown has made that clear. Organizations relying on CISA for vulnerability prioritization, threat alerts, incident coordination, or security assessments should be evaluating whether their own capabilities can absorb the gap. The geopolitical environment demands more cybersecurity capacity, not less. Iranian threat actors are actively targeting U.S. organizations. Chinese state sponsored groups remain prepositioned on critical infrastructure. Private organizations need to be prepared to fill the risk gaps created by disruptions like this shutdown. That means investing in independent threat intelligence, maintaining vulnerability management programs that do not depend solely on federal guidance, and ensuring incident response plans account for scenarios where federal coordination is unavailable. Organizations that treated CISA as a backstop now need to treat their own security programs as the primary line of defense.
CISA’s “Shields Up” guidance remains sound advice. The irony is that the agency behind it is the one that needs shielding right now.
Sources
Reuters, “TSA says 460 airport officers quit as standoff poses major security risks,” March 24, 2026
Philadelphia Inquirer, “TSA boss warns of airport shutdowns, but no deal yet on day 40 of Homeland Security funding fight,” March 25, 2026
CyberScoop, “Acting CISA chief says DHS funding lapse would limit, halt some agency work,” February 2026
MeriTalk, “CISA Says DHS Shutdown Will Likely Further Delay CIRCIA Rule,” March 2026
Nextgov, “CISA projected to lose a third of its workforce under Trump’s 2026 budget,” June 2025
Government Executive, “CISA projected to lose a third of its workforce under Trump’s 2026 budget,” June 2025
TechTarget, “News brief: CISA and partners face budget overhauls, cuts,” 2026
CPO Magazine, “Trump’s 2026 Budget Would Cut Nearly a Quarter of CISA’s Funding,” 2026
AP News, “Changes to the agency that helps secure elections lead to midterm worries,” March 2026
U.S. Central Command, “U.S. Forces Launch Operation Epic Fury,” February 28, 2026
Palo Alto Networks Unit 42, “Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran,” updated March 26, 2026
CloudSEK, “A Threat Actor Landscape Assessment of ICS/OT Targeting in the 2026 Iran-US Conflict,” March 2026
AP News, “Medical equipment company Stryker reports cyberattack,” March 11, 2026
Bleeping Computer, “Medtech giant Stryker offline after Iran-linked wiper malware attack,” March 2026
Check Point Research, “Handala Hack: Unveiling Group’s Modus Operandi,” March 2026
CNN, “Stryker: Pro-Iran hackers claim cyberattack on major US medical device maker,” March 11, 2026
AP News, “Cyber threats rise as Iran-linked hackers eye US targets,” March 2026
CISA Advisory AA24-038A, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure”
Navy Times, “Coast Guard operations, capabilities damaged by continued shutdown, says vice commandant,” March 26, 2026
NIST, “Executive Order 14306: Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity,” June 2025
CISA, “Shields Up”
*** This is a Security Bloggers Network syndicated blog from Security, Decoded: Insights from Suzu Labs authored by Jacob Krell. Read the original post at: https://suzulabs.com/suzu-labs-blog/while-tsa-made-headlines-cisa-went-dark
About Author
