Ex-CISA employee: 'This culture of fear started permeating the agency'

Interview It's hard to pinpoint exactly when the "culture of fear" began to permeate America's top cyber-defense agency.

It wasn't one particular incident, but rather a death by a thousand cuts, according to a former US Cybersecurity and Infrastructure Security Agency employee, who spoke to The Register on the condition that we don't reveal their name.  

And it doesn't look like it's going to get better anytime soon as the agency faces steep budget cuts, no top boss in charge, and an ongoing exodus amid firings and buyouts.

This shock-and-awe strategy seems intentional if you listen to the comments of Russell Vought, who co-authored Project 2025 before President Trump appointed him to lead the federal Office of Management and Budget.

"We want the bureaucrats to be traumatically affected," Vought said in a video obtained by ProPublica and made public in October. "When they wake up in the morning, we want them to not want to go to work, because they are increasingly viewed as the villains. We want their funding to be shut down…We want to put them in trauma."

Then there was the "fork in the road" email sent to all federal employees in January, offering them a buyout if they resigned.

"It just kept happening," the former CISA worker said. "People were being fired — across the government, not just at the agency. And then there was this made-up government agency that everyone had to report to." 

You're not sure who is watching, and then not sure what might happen because of what someone heard about this program

This, of course, is the so-called "Department" of Government Efficiency, aka DOGE, initially led by centi-billionaire Elon Musk. (Which was established by executive order and was never a cabinet-level agency.) 

"Then you had these policies that were created, but not necessarily communicated out, from the department, maybe applied in different ways, and adding to the level of scrutiny."

People became wary of seeing new faces in the elevators and careful about what they said in public. "You're not sure who is watching, and then not sure what might happen because of what someone heard about this program," the ex-CISA employee said. "Is it going to get cut?"

"This culture of fear started permeating the agency," and that stifled workers' creativity, which they need to bring to the table every day to help solve America's biggest cybersecurity threats, they added.

"Our national security challenges are myriad, and it takes a lot of different perspectives to look at those threats, look at those challenges, look at the whole landscape to understand what needs to be done to protect the nation. If you're unable to think freely, think creatively, then you're doing a disservice to the nation and to our overall security."

More top officials jump ship

The Register spoke with this former federal employee shortly after CISA's new No. 2, Madhu Gottumukkala, sent a memo to staff alerting them that the heads of five of CISA's six operational divisions and six of its 10 regional offices will have to be gone by Friday.

The Washington Post first reported on Gottumukkala's memo, and Cybersecurity Dive later named the already-out or soon-to-be-leaving CISA executives:

Acting head of the Infrastructure Security Division Steve Harris left on May 16; acting head of the Stakeholder Engagement Division Trent Frazier left on May 2; and Vince Delaurentis, the No. 2 in the Emergency Communications Division, will leave on May 30, according to the memo. 

It also confirmed that Matt Hartman, the acting executive assistant director for cybersecurity, and Boyden Rohner, the head of the integrated operations Division, had already exited the agency.

Additionally, the CISA regional directors who will be leaving or have left include: Region 2 Director John Durkin, Region 4 Director Jay Gamble, Region 5 Director Alex Joves and Deputy Director Kathy Young, Region 6 Director Rob Russell, Region 7 Director Phil Kirk, and Region 10 Director Patrick Massey.

• CISA has a new No. 2 ... but still no official top dog
• CISA mutes own website, shifts routine cyber alerts to Musk's X, RSS, email
• CISA slammed for role in 'censorship industrial complex' as budget faces possible $500M cut
• Cybercrime is 'orders of magnitude' larger than state-backed ops, says ex-White House advisor

CISA responds

A CISA spokesperson confirmed all of these departures to The Register, and emailed a statement from CISA Executive Director Bridget Bean. 

"CISA is doubling down and fulfilling its statutory mission to secure the nation's critical infrastructure and strengthen our collective cyber defense," Bean said. "We were created to be the cybersecurity agency for the nation, and we have the right team in place to fulfill that mission and ensure that we are prepared for a range of cyber threats from our adversaries."

Former CISA boss Jen Easterly called the agency's personnel and budget "a real loss for the federal government, but more so it's a loss for the American people."

This brain drain isn't only about losing expertise; it's also about losing capacity, the ex-CISA employee said. 

"Expertise is helpful in knowing how things should be done, especially in times of emergency or times of an incident, and then you need the capacity," they said. "Doing a mission requires people to carry it out, and if you just don't have the people, then you're not going to be able to carry that out effectively."

None of which bodes well for America's cybersecurity, which is under siege from foreign adversaries and criminals alike.

"These institutions are there to serve the American people and preserve their safety, security, well-being, resilience," the former employee said. "We're severely hampering that. What happens to our public safety and health, our public security? We haven't had that reckoning yet. I hope we don't. But I think everyone's holding their breath." ®