Yves here. I hope tech and security-savvy readers will treat this post as a critical thinking exercise and voice corrections, quibbles, and points of agreement in comments. This topic is generally over my pay grade so I am not ideally positioned to do so. I\u2019m not keen about giving presumed hacking groups cute names to indicate their supposed backers, as well as hackers from a particular nation being insinuated to be state actors. During Russiagate, experts called out gimmickry like the use of Russia tools to claim that certain hackers were Russian when those tools were widely used, and the inept and gratuitous use of Russian. <\/p>\n
I also note the absence of mention of gangs as a cyberthreat, when my impression is that they are becoming more effective. <\/p>\n
Nevertheless, it\u2019s telling that DOGE managed to degrade the operations of CISA, which is part of the intelligence apparatus, but has left the armed forces largely alone. Note that the title elevates Iran to the status of lead cybersecurity menace. <\/p>\n
By Lynn Parramore, Senior Research Analyst at the Institute for New Economic Thinking. Originally published at the Institute for New Economic Thinking website<<\/a>\/strong><\/strong><\/em><\/p>\n As international tensions increase, cyberwarfare and ransomware attacks loom\u2014and America\u2019s digital defenses face a perfect storm of foreign attacks, criminal behavior, and self-inflicted damage.<\/em><\/p>\n Few understand the stakes better than Dr. David Mussington, former head of Infrastructure Security at CISA, who\u2019s spent decades crafting strategies at RAND, the Pentagon, and DHS. In this eye-opening conversation with the <\/em>Institute for New Economic Thinking<\/em><\/a>, Mussington warns that while countries like Iran, China, and Russia grow more aggressive, the Trump administration has gutted the very agency designed to protect America\u2019s most critical systems\u2014cutting CISA\u2019s budget by nearly half, eliminating nearly a third of its staff, and driving out decades of cybersecurity expertise.<\/em><\/p>\n With experienced defenders gone, vital federal structures disbanded, and state and private actors left to pick up the slack, Mussington raises a chilling question: are we really ready for what\u2019s coming \u2014 or are we falling dangerously behind? He discusses our vulnerabilities as consumers, citizens, and as a country.<\/em><\/p>\n Lynn Parramore: Can you say a bit about your background in cybersecurity?<\/strong><\/p>\n David Mussington: I have over two decades of experience in different aspects of the cybersecurity risk challenge. My career began at the RAND corporation, where I participated in and led research teams evaluating U.S. critical infrastructure security. This included exercises, assessments, and policy analysis. Later on I worked at the Department of Defense \u2013 writing cyber strategies and advising the Office of the Secretary on USCYBERCOM\u2019s standup, and on supply chain and other challenges posed by U.S. adversaries in the cyber domain.<\/p>\n Most recently, I led the Infrastructure Security Division for CISA (Cybersecurity and Infrastructure Security Agency \u2013 a part of the Department of Homeland Security) for four years during the Biden\/Harris administration, overseeing physical security, Internet of Things (IOT), operational tech, and critical infrastructure risk assessments and remediation programs. That role gave me a front-row seat to threat levels, vulnerabilities, private sector responses, and global collaboration\u2014especially around nation-state threats, our top concern.<\/p>\n LP: Let\u2019s talk about CISA. How has the agency changed under the current administration, especially with the recent cuts and firings?<\/strong><\/p>\n DM: First, I think it\u2019s fair to say the changes have been dramatic\u2014but it\u2019s still early to know where they\u2019ll lead. CISA doesn\u2019t have a permanent director yet\u2014Sean Plankey\u2019s been nominated, but not confirmed. We do have a national cyber director, Sean Cairncross, and some key roles at DHS and the Sector Risk Management Agencies are finally taking shape. But the team hasn\u2019t fully come together yet. It takes time when we change administrations to reestablish new priorities.<\/p>\n My biggest concern is losing experienced people. Fewer staff means a heavier burden on those that remain, weaker national critical infrastructure security, and lessened resilience. These public servants are dedicated, but constant attacks on their patriotism are unfair and hurt morale. I deeply respect the CISA staff and others facing sudden changes after decades of service. Leaving a mission they believed in\u2014defending the country\u2014is hard.<\/p>\n We must support those still serving\u2014they\u2019re fighting for all of us. I loved this work, and moments like representing the U.S. at Australia\u2019s National War Memorial reminded me why it matters. That mission and honor must never be forgotten.<\/p>\n LP: One of CISA\u2019s past priorities has been securing our elections. But under the current administration, there\u2019s talk of that mission shifting. What can you tell us about the changing focus?<\/strong><\/p>\n DM: You mentioned the election mission. It\u2019s clear from recent decisions that CISA\u2019s role in that area has been deliberately targeted for reduction\u2014if not outright removal. That\u2019s a decision made by this administration. Obviously, the administration I was in didn\u2019t agree with that. We were focused on a specific cluster of activities \u2013 mostly foreign malign threats. Russia was a key concern, among others, given their efforts to manipulate American opinion using tactics we discussed in our last conversation<\/a>.<\/p>\n On the other hand, nation-state threats still exist. This administration\u2019s rhetoric remains focused on them \u2014 particularly China\u2019s campaigns like Salt Typhoon, Volt Typhoon, and Silk Typhoon. Their persistent access to U.S. critical infrastructure and the potential to weaponize those vulnerabilities remains, I believe, a top national priority.<\/p>\n There\u2019s clearly a shift toward greater reliance on states and the private sector to handle cybersecurity on their own. That\u2019s how I interpret the shrinking federal role in critical infrastructure protection\u2014both in size and scope.<\/p>\n LP: In moving from federal to state responsibility, what security vulnerabilities at the state level concern you?<\/strong><\/p>\n DM: It\u2019s less about where the vulnerabilities are and more about who controls them\u2014and what capabilities they have. In Texas, for instance, some private infrastructure operators are technically strong, but they may now bear more responsibility than they\u2019re used to. That puts greater weight on their security plans. As the federal role recedes, the effectiveness of those plans\u2014against everything from insider threats and ransomware to nation-state actors\u2014matters more than ever.<\/p>\n A state will be only as good as the big private sector infrastructure operators are. States don\u2019t typically have a lot of autonomous critical infrastructure protection or resilience capacity of their own. They\u2019re very dependent on the private sector.<\/p>\n LP: Do you see any states modeling effective planning?<\/strong><\/p>\n DM: Difficult to tell, because this shift toward the states also represents a move away from federal Sector Risk Management Agencies (SRMAs). Under the traditional model, CISA coordinated at the top, followed by SRMAs, then state and local governments, and finally the private-sector operators of critical infrastructure. That hierarchy now seems to be changing.<\/p>\n To the extent that states have technological capabilities under their control\u2014take California, for example: a wealthy state with significant critical infrastructure and advanced industries\u2014the state can leverage its own partnerships, fiscal tools, and regulatory mechanisms. That combination of technical expertise, preexisting capacity, and the presence of a strong technological and educational ecosystem is probably the best predictor of how well a state will perform. And across the U.S., states vary widely in how well they\u2019re positioned to take on more of this responsibility themselves.<\/p>\n I think generally that richer states are going to be in a better position to do this than poorer states. But is the federal government still able to step in and pick up the slack?<\/p>\n LP: We saw it during the pandemic\u2014states can act independently, but for certain challenges, coordination is essential. How do you see that playing out when it comes to cybersecurity?<\/strong><\/p>\n DM: CISA remains the national coordinator for critical infrastructure security and resilience. Regardless of resources, it\u2019s essential for public-private coordination and helping states leverage each other\u2019s strengths. That\u2019s where my concerns lie\u2014I worry about the loss of expertise and whether CISA, especially after the Chevron deference decision<\/a>(curtailing the power of agencies), will keep the authority and capacity to coordinate effectively. I\u2019m also concerned if Sector Risk Management Agencies have the authority to do their part.<\/p>\n Some don\u2019t, and some won\u2019t. I don\u2019t expect Congress to grant federal agencies\u2019 broad cyber-regulatory power anytime soon. So, regulatory approaches to cyber-risk won\u2019t be as prominent, even though regulation has long been seen as key to federal cyber-risk management.<\/p>\n States do have the authority to regulate critical infrastructure within their borders. The big question is how each state will approach it. I don\u2019t know most states well enough to predict, but generally, regulations aren\u2019t popular\u2014and cybersecurity rules likely won\u2019t be either.<\/p>\n LP: Let\u2019s talk about the politicization of cybersecurity and the shifting approaches of different administrations. How do you view that issue, especially in light of evolving threats arising from global conflicts?<\/strong><\/p>\n DM: I think it makes us less coherent as a nation, since we won\u2019t be able to articulate a single strategy or strategic approach to critical infrastructure security and resilience.<\/p>\n My former director, Jen Easterly, used to say that cybersecurity isn\u2019t political\u2014it\u2019s a set of risks we have to address regardless of ideology. I agree. That perspective points you toward a particular approach: federal coordination of a largely private-sector-oriented, voluntary framework built around best practices carried out for the public good.<\/p>\n In areas like defense and nuclear power generation and distribution, there are strong mandates for infrastructure protection\u2014and I think that\u2019s rightly seen as nonpartisan. Whether we return to that view remains to be seen. Given current threat conditions, I\u2019m not sure it\u2019s sustainable to treat this as a partisan issue. We have real vulnerabilities in our critical infrastructure.<\/p>\n CISA continues to publish the Known Exploited Vulnerabilities (KEV) list, which was already voluminous when I was there\u2014and it hasn\u2019t gotten any shorter. These are vulnerabilities that have been actively exploited, sometimes for years, and they pose serious risks both individually and when chained together. These are the same vulnerabilities that adversaries from China, Iran, and Russia continue to target\u2014and that remains true regardless of ideology. The best practice recommendations to counter them haven\u2019t changed either.<\/p>\n Right now, there\u2019s real potential for Iranian cyber countermeasures against the U.S., given the current conflict involving Israel. In the recent past, Iranian cyber actors linked to the Islamic Revolutionary Guard Corps (IRGC) have targeted U.S. critical infrastructure and even election systems. They\u2019ve also shown interest in water systems and dams.<\/p>\n Iran\u2019s cyber capabilities are serious. They\u2019ve actively targeted regional rivals like the UAE and Saudi Arabia. If conflict escalates, could they go after U.S. infrastructure again\u2014and would our defenses hold up? Those are key questions as we consider possible actions related to Iran\u2019s nuclear and military capabilities.<\/p>\n LP: Let\u2019s talk economics and budgets. DOGE was sold as a way to cut costs and boost efficiency. But when agencies like CISA face cuts and lose expertise, could we be risking higher costs later?<\/strong><\/p>\n DM: We could. But I\u2019d frame it a bit differently: the real question is whether the private sector and the states can mitigate risk at scale to meet the threat as it exists\u2014and whether we have systems in place to actually measure that.<\/p>\n LP: Do we?<\/strong><\/p>\n DM: We don\u2019t. There\u2019s no metrics-based framework to assess how well we\u2019re doing on cybersecurity or critical infrastructure resilience at the national level. When we were running risk management and infrastructure assessments through CISA, we struggled\u2014our metrics were weak, and the data was often stale.<\/p>\n Knowing things are fragile\u2014and understanding how risk and vulnerability have changed between 2022 and 2025\u2014makes responding effectively a major challenge.<\/p>\n On the economics, I think the key is focusing on incentives for remediation. Are the asset owners\u2014where the risks actually exist\u2014truly incentivized to take the necessary steps to reduce risk to their assets, their operations, and the public? It\u2019s clear there\u2019s an incentive misalignment\u2014asset owners often shift the cost of risk onto others, like customers or other jurisdictions, because they rarely face accountability for breaches or for passing risks along.<\/p>\n Our insurance markets don\u2019t align those incentives, and we don\u2019t regulate to prevent companies from inadvertently imposing risks on their customers. This is especially clear with consumer technologies, which people buy and are then expected to protect on their own.<\/p>\n I do a lot with my computers. But at a certain level, I can\u2019t fix hardware vulnerabilities. I can\u2019t really do a lot about the software vulnerabilities either. If I hear about a piece of software that\u2019s breached or something, I guess I can look for an update. But that\u2019s about it.<\/p>\n What about hardware and software manufacturers? What about the secure-by-design principles we discussed during our administration? How do we measure if something truly meets those standards\u2014and how do we make that information available to consumers so they can make informed choices?<\/p>\n All of that undermines market-based incentives from favoring security over insecurity, because the market isn\u2019t properly structured for it. And since regulation is so often off the table, we don\u2019t have enough security to protect cyberspace\u2014whether at the national critical infrastructure level against nation-states, or at the individual level inside people\u2019s homes.<\/p>\n
![\"Print](\"https:\/\/cdn.printfriendly.com\/buttons\/print-button-gray.png\")
<\/a><\/div>\n<\/div>\n