CISA Under Trump

Jen Easterly is out as the Director of CISA. Read her final interview:

There’s a lot of unfinished business. We have made an impact through our ransomware vulnerability warning pilot and our pre-ransomware notification initiative, and I’m really proud of that, because we work on preventing somebody from having their worst day. But ransomware is still a problem. We have been laser-focused on PRC cyber actors. That will continue to be a huge problem. I’m really proud of where we are, but there’s much, much more work to be done. There are things that I think we can continue driving, that the next administration, I hope, will look at, because, frankly, cybersecurity is a national security issue.

If Project 2025 is a guide, the agency will be gutted under Trump:

“Project 2025’s recommendations—essentially because this one thing caused anger—is to just strip the agency of all of its support altogether,” he said. “And CISA’s functions go so far beyond its role in the information space in a way that would do real harm to election officials and leave them less prepared to tackle future challenges.”

In the DHS chapter of Project 2025, Cucinelli suggests gutting CISA almost entirely, moving its core responsibilities on critical infrastructure to the Department of Transportation. It’s a suggestion that Adav Noti, the executive director of the nonpartisan voting rights advocacy organization Campaign Legal Center, previously described to Democracy Docket as “absolutely bonkers.”

“It’s located at Homeland Security because the whole premise of the Department of Homeland Security is that it’s supposed to be the central resource for the protection of the nation,” Noti said. “And that the important functions shouldn’t be living out in siloed agencies.”

Posted on January 28, 2025 at 7:09 AM • 21 Comments

Comments

John Freeze January 28, 2025 8:01 AM

For me, CISA stopped working a while ago – since they are not maintaining their CVE database anymore.
CVEs were still available, but the “common platform enumerators” are missing.
And that kills all tools that rely on that information for “Software Composition Analysis”, like OWASP Dependency-Check

Andy January 28, 2025 11:42 PM

@clive it’s what we voters wanted. Three times in a row. Europeans want their version of Trump already.

Sir Humphrey Appleby January 29, 2025 4:20 AM

This brings to mind an exchange between two characters in a UK TV show (ahem … “programme”) called “Yes, Prime Minister”. Sir Humphrey Appleby and Bernard Woolley are talking about the government’s defense policy:

Sir Humphrey Appleby – Bernard, what is the purpose of our defense policy?

Bernard Woolley – To defend Britain?

HA – No, Bernard. It is to make people believe Britain is defended.

BW – From the Russians?

HA – Not the Russians, the British! The Russians know it’s not. For all our simple, ignorant people shuffling in and out of houses, busses, factories and the Cabinet Room, the aim of the defense policy is to make them feel secure.

BW – But if there’s a better way…

HA – Bernard, we have a magic wand. It is called “Trident”. Nobody understands anything about it except that it will cost fifteen billion pounds which means it must be wonderful … magic! All we have to do is write a cheque and then we can all relax. But, if people in government start talking about it, d’you know what will happen?

BW – No.

HA – In the end, they’ll start thinking about it. They will come to realize the problems, the flaws in the reasoning. The nation will get worried. Agitation, questions, criticism, change.

BW – Change?!

HA – Change.

Jay January 29, 2025 5:22 AM

This is a receipt for “a total disaster” to use the words of Mr Trump.

He does not understand that a WW hybrid war is ongoing.

If we assume that the next president will quickly reverse this decision, the US will pay the price for more than a decade.

Drew January 30, 2025 6:21 AM

I thought this was very bad news at first, but then I thought about how the free market will eventually correct for the problems. I would rather have individual corporations pick where the budget goes than mandates by the USG. And I know they don’t have magic overarching power but eventually lawsuits will be filed based on their guidelines, so they have indirect impact. End them!

Agammamon January 30, 2025 12:37 PM

“. . . even though they can sort of help them they do not want the crime or terrorism that comes with some of them.”

Neither do we Clive, neither do we.

John Freeze January 31, 2025 5:08 AM

@Drew The free market never corrected IT security problems: less budget for security -> more profit.
When actual data is stolen, the company writes a press statement about the criminal energy that the super evil criminal attackers invested and that additional layers of antivirus snake oil will be applied.
And no customer ever left an unsecure provider (see okta, cisco, solarwinds, ivanti, fortinet, sophos, microsoft, …)

Clive Robinson January 31, 2025 3:05 PM

@John Freeze, Drew

With regards,

“The free market never corrected IT security problems: less budget for security -> more profit.”

Actually no it’s “less profit”.

The Free Market Mantra of neo-cons and their minions boils down to,

“Take the money and run, don’t invest and reap the rewards continuously”

It’s almost the worst form of “short term thinking”.

Where it gets worse is the “don’t leave money on the floor” mantra. That in reality is

“Mortgage it up beyond the hilt, and run with the money leaving debts that can never be repaid no matter what productivity can be obtained.”

In its way part of this process is,

“Out sourcing, and Off Shoring.”

The latter of which is where trade secrets are just given to,

“Agents of a hostile economic power.”

They don’t even have to commit “industrial espionage” because it gets given to them for just a cent or two off of the production Dollar.

As for “Out Sourcing” this is where all the “industrial espionage” and “insecurity” starts. Because to give those few cents off of the Dollar the agent the work is out sourced to has to make a 30-50% profit otherwise they would go “belly up”. So they need to spend less than 1/3rd of the money on “security” etc than the original organisation did.

And it should only take a moment or two’s thoughts to realise what that really means for security…

It’s why it’s also called,

“A race for the bottom.”

And history shows two things,

1, It’s only stopped by Government legislation and regulation.
2, The effective level playing field the Government legislation and regulation forces, in turn creates real innovation both in products and production.

Thus contrary to the “Free Market Mantras” of the neo-cons, legislation and regulation acts like “a rising tide” and “lifts all well found businesses”. But at the expense of the neo-con “multiple holes in the hull businesses” that “just go under when the tide rises”, because “they are not well found”…

lurker January 31, 2025 5:04 PM

@John Freeze
“And no customer ever left an unsecure provider”

This surely is part of the problem. So long as the product does most of what they want, most of the time, the customer doesn’t want to know the nitty-gritty of security.

Clive Robinson January 31, 2025 5:40 PM

@ lurker, John Freeze, Drew,

As has been noted the current POTUS on his first trip was very keen on using “social media” and what others soon christened “Fake-News” or worse.

He then became “exhibit A” in a whole series of criminal court cases, and of some that have been concluded found guilty of criminal behaviour.

There is a lot of media and artist/creator talk about similar criminal behaviour performed by AI companies POTUS has “cuddled up to” in one way or another…

Well the Attorney General of California has made it clear they regard practically everything AI companies are doing is probably criminal behaviour,

https://gizmodo.com/californias-ag-tells-ai-companies-practically-everything-theyre-doing-might-be-illegal-2000555896

I just hope this opinion gets confirmed in either court or legislation fairly quickly.

ResearcherZero February 2, 2025 9:58 PM

@vaadu

Highlighting misleading information or providing fact checking is not actually the definition of censorship. It is more likely the definition of providing more information.

What people seem to get more upset by is information they do not like. Which again is not censorship, that is personal opinion and opinion will not prove the certainty of facts.

If you are concerned about censorship then the right place to look is the infrastructure and who is building it. Currently the people building out those systems are the lawyers from the entertainment industry based on mere accusations of copyright infringement.
The new act is called the Foreign Anti-Digital Piracy Act which is aimed at DNS resolvers.
Under the act the RIAA can cut off your internet access without ever entering a courtroom.

While that is taking place the board investigating the recent Salt Typhoon hack into telcos have all been removed from their positions. The Cyber Safety Review Board was the same board who investigated the Chinese based hack of Microsoft and found the incident was linked to a culture of inadequate security practices within Microsoft and a cascade of failures which led to the penetration of Microsoft’s supply chain development. This was the same team who were looking at Chinese spying which targeted Trump, JD Vance and other politicians, along with the hacking of sensitive systems within government departments.

ResearcherZero February 2, 2025 10:06 PM

@John Freeze

The CVE database was flooded with thousands of poor quality bug reports using automated processes. It is not clear if it was deliberate or just the result of automation and poorly considered submissions. The people reviewing those submissions are likely not all machines.

Clive Robinson February 3, 2025 7:59 AM

@ ResearcherZero, vaadu,

With regards,

“[T]he board investigating the recent Salt Typhoon hack into telcos have all been removed from their positions. The Cyber Safety Review Board was the same board who investigated the Chinese based hack of Microsoft and found the incident was linked to a culture of inadequate security practices…”

Two things need to be said about the Cyber Safety Review Board,

1, They operated in a “target rich environment” where nearly everyone including SigInt agencies –that should know better– were working in “a culture of inadequate security practices…”

2, No matter what they did the board was due to being underfunded and lacking resources in effect because of the first issue they were always failing through no fault of their own.

There was however a third issue that has not been widely talked about and finding information is hard.

3, The choice of what “target to investigate” was not always “optimal” from an external perspective.

This third issue due mostly to the previous points has enabled “Partisan Conspiracy Idiocy” or maliciousness to take place.

We know from the current POTUS’s first time around with his behaviour to certain very visible whistle blowers that he in effect wanted them to lie for political purposes, and if they did not POTUS would behave in a very venal way.

Thus the board “getting the chop” shows very clearly the continuing of “The nasty side of politics and power” when wielded by immoral individuals who see their “Individual Rights v Societal Responsibilities” in ways the majority of voters would not want.

ResearcherZero February 5, 2025 1:02 AM

@Clive Robinson

First I’d like to thank you for the info in relation to the NATO comms.

3, The choice of what “target to investigate” was not always “optimal” from an external perspective.

Investigating incidents and what to target is difficult without the partisanship. Even when there is an “independent inquiry” commission or a political committee which incidents can be submitted to. The behavior within can sometimes be akin to school ground disagreements.

I’ll supply a quote to highlight the issue:

“While at least one allied foreign intelligence service has provided extremely relevant and valuable intelligence reporting to the IC, the IC has limited the analytical value ascribed to this reporting because the reporting did not result from a U.S. line of effort.”

A simpler explanation would be to say, it presented evidence people did not want to hear.

You could swap the [U.S.] with any country code and that statement would be relevant. In that particular scenario however we could hypothetically argue the intelligence was far more valuable and would have instead reduced the analytical value of the other reporting.

The other reporting examined by the IC produced no outcome and came to no conclusion, yet it was held in higher regard than the “extremely relevant and valuable intelligence reporting” simply because it came from an “allied foreign intelligence service”.

(the intelligence had frightening implications and there was no Quick-Eze® in the room)

You can have all the facts and evidence needed to choose an incident, further investigate, or present a well verified and confirmed report that has been de-biased. You cannot lead a horse to water and then make it drink. The horse meat is typically added to the sausage at the parliamentary level. Occasionally the CIA deploys horse into the sausage via cannon.

ResearcherZero February 5, 2025 1:10 AM

4, If the CIA shows up very early into an investigation it’s guaranteed to remain hidden.

Clive Robinson February 5, 2025 7:58 AM

@ Bruce,

USPO suspends inbound packages from China and Hong Kong.

Yes it’s sort of “off topic”, but it can easily be seen as part of an escalating course of ill advised action,

https://about.usps.com/newsroom/service-alerts/international/suspension-of-inbound-parcels-from-china-and-hong-kong.htm

This is very rapidly going to spread into “Domestic” and “light commercial” goods and create significant scarcities and rapidly rising prices and inflation. None of which is useful for the average American Voter.

If after recent “weather events” across the US and the Government Responses (or lack thereof as portrayed in the MSM). You might have started thinking of making changes to your life and way of living…

Such as not being 100% dependent on the various infrastructure grids, or availability of goods in “Just In Time”(JIT) long supply chain stores etc.

Now might be a good time to make what you might consider domestic “capital equipment” purchases, whilst the goods are still actually crossing borders and still at non tariffed prices, and making it onto store shelves.

Even doing a minimum buy of the 3day to 3month FEMA purchases and ensuring your domestic equipment is actually “fully functional” would make sense.

Oh and consider “unemployment” due to “share holder value” profit protection lay-offs to become not just “more frequent” but effectively “the norm”. Remember “side gigs” are only possible if you can source resources for them (you can not be productively working without Comms or Power or other resources).

Years ago I used to call keeping such resources including money as “a year of ‘drop-dead’ protection”.

I later found I was not alone in this thinking. Quite a few fairly mainstream religions tell their members to store a years supply of foods, water, energy, and other basics of life and work. Not just for the members of their immediate family but also their more extended family.

I’m told “Generation Zee” are going 90’s and earlier retro… Well knowing how to make food not just “shelf stable” without refrigeration but “ready to eat” without needing “heat or water” and in a reusable way –think jar canning– is a very valuable skill set our grand and great grand parents used to do. Most do not realise that the standard size of US back yards pre 1970’s was sufficient to grow plant based foods and a few small live stock –fowl / rabbits / a goat/sheep– sufficient to feed a family of 6-8 people, along with collecting “water off the roof” to irrigate etc.

We can actually do better these days and less stressfully than RTO in conditions you would not be legally allowed to keep/ship livestock in most civilised Western Nations.

Surveys are revealing that whilst most are not “actually quitting” with RTO mandates, many have dropped into “quiet/slow quitting” where they are only putting in the pretense of working in hopes of being made redundant etc.

As my father observed,

“It’s better to jump than fall, and that is better than being pushed, as you have some control on how you land.”

Both my parents by any measure of the time were “upper middle class” with good jobs and incomes. However they were born and grew up between the two world wars and knew all too well what the “Great Depression” and similar economic recessions were all about. They also very nearly did not survive the post WWII economic blight that went through to the 1960’s and many in Europe would not have survived if it was not for ordinary Americans sending aid parcels paid for out of their own pockets.

We don’t get taught such things in schools these days and it’s been lost in just a few generations as those who lived it or were taught it by their parents die out. And I suspect all too soon many are going to wish they had simple basic knowledge about “Keeping a pantry and garden”. Along with how to survive in the bitterest winter cold and most humid of summer heat without “energy” and “food” they can afford.

In the UK Armed Forces there is a saying,

“A soldier’s first duty is to themselves.”

Look on it as acquiring the knowledge and skills, not just to survive but thrive in just about any environment you get thrown into. It’s a higher level of “Self Reliance” than most ever bother to acquire. But those that do have the best ability to survive any natural or manmade misfortune that comes their way as the increasing numbers of natural disasters show over and over.

It should also be the first mantra of “security”. Because if you are not secure or behave in an insecure way then not just you but all those around you will suffer.

As I point out from time to time, there is a scale of,

“Individual Rights v Social Responsibility”

Those that overly believe in the former, tend to forget all those things they think of as “rights” can only exist on a foundation of “responsibilities” to the community and society they exist in.

ResearcherZero February 8, 2025 1:53 AM

@Clive, @ALL

“A soldier’s first duty is to themselves.”

“sensible” classification

Anything with potential blow-back or that may expose teams and analysts to unreasonable blame due to the failure of others to take heed should remain highly classified. (IMHO)

That is to say, you are all on your own now. Why should anyone risk their own neck today?
In the past few that placed themselves at physical risk would hesitate. Now it’s complicated by the fact that anyone exposing a threat may wear the blame when their warning is ignored. Bringing that information to light may risk everyone who worked on an investigation, even though their findings were ignored by the then political establishment.

(the political establishment and its committees are typically made of two parties not one)

https://apnews.com/article/fbi-senate-homeland-security-wray-majorkas-fef3808a3773d06314ac3b01b845a9fc

“Unfortunately, we continue to miss opportunities to clarify truth, counter distortions, puncture false narratives, and influence events in time to make a difference,” they said about the current classification system in the memo.

Overclassification has made it more difficult for government agencies to share information.
https://www.politico.com/news/2021/04/26/spy-chiefs-information-war-russia-china-484723

ResearcherZero February 8, 2025 2:07 AM

Just stamp anything TOP SECRET and be done with it. Anything extremely sensitive should be compartmentalized to ensure it is not shared outside, accessed by stratified officers, or made known to anyone without Level 1 clearance specifically designated to access the file.

Shred and burn anything more than ten years old. People invent their own reality anyway.

Clive Robinson February 8, 2025 5:37 PM

@ ResearcherZero,

With regards,

“Shred and burn anything more than ten years old. People invent their own reality anyway.”

Nagh, just stack it in the bathroom to wait until you can blackmail people with it…

It’s the new way as Trumpeted by some.
