Homeland Security’s reassignment of CISA staff leaves US networks exposed


The US Department of Homeland Security has started reassigning cybersecurity personnel to non-cyber duties tied to deportation and border enforcement priorities.

Hundreds of workers within the Cybersecurity and Infrastructure Security Agency (CISA), who were engaged in issuing alerts about threats against US agencies and critical infrastructure, have been shuffled and reassigned to agencies such as Immigration and Customs Enforcement, Customs and Border Protection, and the Federal Protective Service, according to Bloomberg.

CISA’s Capacity Building team, which is assigned to write emergency directives and oversees cybersecurity for the government’s highest value assets, has been impacted the most. Refusal to accept new roles reportedly carries the risk of termination.

These developments follow the firing of 130 CISA staff since the Trump administration took over.

A shift in priorities raises cybersecurity concerns

CISA is the national coordinator for Critical Infrastructure Security and Resilience, where it works with partners at every level to identify and manage risk to the cyber and physical infrastructure critical for the US. But with cybercrime on the rise, curtailing the cyber workforce of the US cybersecurity agency can have a severe impact on CISA’s operations.

“CISA runs on specialized knowledge. These are analysts who understand federal networks, toolsets, and long-running threat patterns. Once these people are reassigned, a lot of system and institutional strength is lost, and threat intel slows down,” said Devroop Dhar, MD and co-founder, Primus Partners. “Vulnerability scans may also pile up. Coordination with agencies may take a much longer time. You might not notice it immediately, but in quick time the gaps start to show, like slower responses, more threats slipping through.”

The reassignment of the cyber workforce does not mean that CISA is shutting down, but coordination is definitely expected to slow down. It may result in some of the key cybersecurity roles going unfilled.

“The first thing to suffer is threat hunting, as it is highly specialized and resource-heavy. So it is usually scaled back first. Next is vulnerability management and scanning, then threat monitoring. Incident response is protected as long as possible, but without enough people, surge capacity gets hit quickly during major events,” said Amit Jaju, senior managing director at Ankura Consulting.

In place of multiple detailed alerts in a week, you may see only one alert, Dhar said. “Low-priority vulnerabilities may pass through easily, and when advisories are delayed, patching schedules also don’t get updated on time, for both government departments and industry. This is how small security gaps turn into large-scale incidents.”

The situation could worsen further following the US government shutdown, which temporarily impacts the remaining CISA workforce. This instability, analysts say, could make the US more vulnerable to cyber adversaries.

“Periods of disruption in national cybersecurity are closely watched abroad. Adversarial groups, be it criminal or state-backed, have learned to map the US administrative cycles almost as carefully as they map networks,” said Sanchit Vir Gogia, CEO and chief analyst at Greyhound Research. “When they sense distraction or depleted capacity, reconnaissance typically increases. That pattern has repeated across past shutdowns and is likely recurring now.”

Wake-up call for enterprises

The current situation acts as a wake-up call for enterprises. CISA may not be able to actively engage in issuing alerts and advisories, given its lack of resources.

Organizations, therefore, cannot afford to wait for official confirmation on every new vulnerability. Acting on credible intelligence, within clear governance limits, can prevent a minor flaw from becoming a major breach, noted Gogia.

Enterprises should not overlook industry networks, Dhar warned. “Sector ISACs and private intel groups can fill a lot of the temporary gaps if everyone shares what they see. In moments like this, collective vigilance matters more than hierarchy.”

As organizations can’t afford to wait for federal alerts right now, they should keep patch cycles tight, especially for known exploited flaws, noted Jaju. “Double down on identity protection with phishing-resistant MFA and privilege reviews. They should make sure that detection, logging, and response playbooks are solid. The goal should be to stay alert and reduce dependency on any single source of defense.”
