Who's Minding the Store?
On April 7, 2026, six federal agencies co-signed Advisory AA26-097a. The FBI, CISA, NSA, Department of Energy, EPA, and US Cyber Command warned that Iranian-affiliated actors are actively exploiting programmable logic controllers across American water systems, energy facilities, and government networks. The targets were Rockwell and Allen-Bradley PLCs, the hardware that opens valves, regulates pressure, and controls the machines that keep the lights on in places where lights matter most. The adversary’s intent, per the advisory, is to “cause disruptions” and “manipulate data displayed on HMI and SCADA displays.” Translation for anyone who hasn’t spent time in an operations center: people we cannot trust are reaching into the guts of American infrastructure and turning the dials.
The same week, the White House released its FY2027 budget proposal. CISA, the agency whose name appeared second on that advisory, would lose $707 million. Roughly 30% of its budget. The National Risk Management Center (NRMC), which coordinates protection of the same physical and digital systems the advisory was warning about, would lose 73%. The budget justification document rationalized the cuts by claiming CISA has been “more focused on censorship than on protecting the nation’s critical systems.”
So on the same week that CISA co-authored a warning about a nation-state adversary manipulating American infrastructure, the agency’s own government published a document calling it unnecessary.
America built a volunteer fire department to protect its most critical infrastructure. The department doesn’t own the buildings. Can’t force the building owners to install sprinklers. Can’t compel the volunteers to show up. What it can do is coordinate. Make the calls, share the intelligence, tell people where the fire is spreading, bring the firefighters and the weather forecasters and the firefighting technology vendors and the building owners all into the same room. That department is CISA. And right now, during the worst fire season in its history, the department is operating at 38% capacity.
The arsonists have not taken a corresponding pay cut.
CISA grew fast after its 2018 founding, accumulated programs that were controversial, and attracted legitimate criticism from all sides. Grant all of it. Whether CISA needed reform was never the question. The question is what CISA should become. Because the architecture for how we do critical infrastructure defense in the United States is fundamentally broken. Not because of one administration, although this administration is making it catastrophically worse at the worst possible time. But it’s also broken because of how the system was designed.
The Architecture
Presidential Policy Directive 41, signed in 2016, established the framework for how the United States responds to significant cyber incidents. Three lines of effort. Asset Response (protecting the victim’s networks) belongs to CISA, housed inside DHS. Threat Response (investigating and disrupting the attacker) belongs to the FBI, housed inside DOJ. Intelligence Support (attributing the attack and providing classified context) belongs to NSA and ODNI. Alongside those three lanes, Cyber Command defends military networks and conducts offensive operations abroad, DOE runs the national labs and CESER for energy-sector defense, other sector-specific agencies like Transportation provide sector-specific security guidelines, and FFRDCs like MITRE and Sandia do the deep technical research that none of the operational agencies have time for.
That’s a lot of capability sitting behind a firewall. And that firewall keeps it hidden away from the private sector organizations that need it the most.

The White House, NSC, and Office of the National Cyber Director sit on top: policy coordination. They set direction and deconflict the agencies below them. They don’t execute. Four agencies hang off that layer, each with a distinct lane. CISA and the JCDC handle asset response and industry coordination. FBI and DOJ investigate and prosecute. ODNI and NSA own foreign intelligence. Cyber Command conducts offensive operations and defends military networks. Below all of them sits the actual target of interest: Private Sector and Critical Infrastructure.
And between the government layer and the private sector, a line. No agency above that line has the authority, the regulatory mandate, or the structural incentive to reach across it unilaterally. Cyber Command can go after the attacker abroad but cannot operate on US civilian networks. NSA can identify the threat but cannot quickly share raw intelligence directly with a private company without risking sources and methods. The FBI wants evidence preserved, which creates a direct tension with incident response teams that want to wipe and rebuild as fast as possible. None of them can walk into a Fortune 100 company’s security operations center and say “patch this” or “we want to help you hunt.” Try navigating that org chart during a breach at 2 AM.
That’s by design. The voluntary model was a deliberate policy choice, and a defensible one that encourages information sharing without legal exposure, without regulatory overreach, without turning cybersecurity into another compliance exercise. The problem was never the voluntary principle. The problem is coordination. 90% of American critical infrastructure is privately owned. A company in the middle of a breach fields calls from multiple agencies simultaneously, each asking for something different, each operating under different authorities and constraints. Someone has to translate between all those lanes and the people actually running the networks.
That someone is CISA. In practice, CISA is the only federal entity that formally faces outward toward the private sector. It shares sanitized intelligence. It runs tabletop exercises. It maintains the relationships, the phone trees, the bilateral partnerships with the companies that actually operate the networks being targeted. The Joint Cyber Defense Collaborative brings together major companies to coordinate defense against nation-state threats. CISA is the front door for the private sector into the entire federal capability stack, and the only agency that routinely crosses the line between government and industry by design.
CISA is the interface. The protocol. The translation layer between everything the federal government can do and the private-sector operators who need it. PPD-41 describes it as one lane among many, but that undersells the reality of what it can be and what we need it to be.
Why the Current Model Can’t Hold
The current model depends on the translation layer being staffed, trusted, and functional. It was never given the structural protections to guarantee any of those three and this administration proved it.
Since February 2025, CISA has lost roughly two-thirds of its operational workforce through a combination of budget cuts, a government shutdown, organizational turbulence, and what can most charitably be described as institutional sabotage. DOGE canceled the agency’s primary red team contracts. Approximately 1,000 employees departed through layoffs, buyouts, and early retirements. CISA’s previous acting director, Madhu Gottumukkala, uploaded at least four documents marked “for official use only” to a public ChatGPT instance (he had been granted special access to the service not available to other CISA employees, which is the kind of detail that would be funny if it weren’t about the person running America’s cybersecurity agency). He also failed a polygraph test. To be fair, those things legit suck and are totally pseudoscience anyway. But when six career staffers who administered the polygraph raised concerns, they were suspended. Gottumukkala was eventually reassigned to “director of strategic implementation” at DHS, a title that sounds like it was generated by the same ChatGPT instance he’d been uploading documents to.
The Senate has not confirmed a CISA director in thirteen months. Thirteen months during the most active nation-state cyber campaigns against American infrastructure in history. Sean Plankey, a qualified pick, has been held up by Wyden (D-OR) over a delayed telecom security report, Scott (R-FL) over a Coast Guard cutter contract, and Budd (R-NC) and Tillis (R-NC) over Hurricane Helene disaster funding. Four senators, three unrelated grievances, none connected to cybersecurity policy. The FY27 budget proposes eliminating 860 additional positions. And the budget justification frames all of this as a correction (“The agency was focused on censorship, so we’re fixing it.”)
They’re not fixing it. The NRMC lost 73%, and the NRMC has nothing to do with elections or misinformation. The red teams had nothing to do with censorship. The 860 positions span the entire agency, not just the politically contentious programs. The administration isn’t refocusing CISA. Based on every signal it has sent, it appears to be trying to eliminate CISA’s existence or at the very least its ability to function.
And the threat hasn’t paused for the renovation.
The Iranian cyber campaign unfolding in 2026 bears no resemblance to the episodic hacktivism of prior years. Iranian-affiliated groups are conducting coordinated, multi-front operations across American water systems, energy grids, and government networks, with something that looks uncomfortably like a command structure. CyberAv3ngers, the group that compromised a municipal water authority in Aliquippa, Pennsylvania in 2023 as a proof of concept, is now part of a trilateral alliance that publicly named US water infrastructure as targets. Salt Typhoon, the Chinese campaign that compromised more than 200 telecom providers across 80 countries, remains active. CISA faces simultaneous campaigns from two of the three most capable nation-state cyber actors on the planet. At 38% capacity.
The volunteer fire department is running on a skeleton crew during the worst fire season in its history. The United States chose to defend critical infrastructure through voluntary cooperation, coordinated by an agency with no regulatory authority, staffed by people who could make twice their salary in the private sector, and protected by exactly zero structural safeguards against the moment someone decided the whole thing was expendable.
That moment has arrived.
The Translation Layer
So what should CISA actually be?
Not what it was. The administration’s critics want to restore CISA to its 2024 form. The administration wants to eliminate it. Both positions miss the structural problem that predates this White House by a decade.
PPD-41 treats CISA as one column in a multi-column framework. Parallel lanes, each with its own authorities and capabilities. That framing is not adequate in 2026. The coordination demands have become continuous, multi-front, and operationally complex. The old framework treats coordination as one function among equals. The threat environment demands coordination as the load-bearing function.
CISA should be the interface. CISA is the protocol.

Policy on the left. White House, NSC, ONCD set direction. The capability stack in the center (Cyber Command, NSA, FBI, DOE, FEMA, the national labs, FFRDCs) generates the power, the intelligence, the investigative capacity, the offensive options. CISA on the right, positioned explicitly as the translation layer between all of those federal resources and the private-sector critical infrastructure operators who own 90% of the targets.
If this shape looks familiar, it should. The internet runs on the same architecture. Engineers call it the hourglass model (that I’ve just turned on its side for design reasons). A massive number of applications on top (your email, your browser, your video calls), a massive number of physical networks on the bottom (fiber, copper, wireless, satellite), and one thin translation layer in the middle that lets anything above talk to anything below. That layer is TCP/IP on the internet. It doesn’t try to be everything. It does one job. It transports information. And because it does that job reliably, everything above and below it can evolve independently. The hourglass model is the most successful architecture in the history of networked systems, and the reason it works is that the narrow waist is stable, well-defined, and protected. If TCP/IP breaks, nothing above or below it matters. The applications don’t reach the networks. The networks don’t reach the applications. Everything stops.
CISA should be the narrow waist. Massive capability above (Cyber Command, NSA, FBI, DOE, etc). Massive, heterogeneous infrastructure below (water, energy, telecom, healthcare, finance, all privately owned, all running different systems). One translation layer in the middle that lets anything above reach anything below. And the lesson the hourglass teaches, the one the current PPD-41 framework missed, is that the narrow waist is the part you protect most aggressively. Not the part you cut.
CISA sits perpendicular to the other agencies, facing outward, serving as the interface through which private-sector operators access every capability the federal government has. When a water utility in Pennsylvania discovers Iranian-affiliated traffic on its PLCs, it shouldn’t need to navigate four separate federal lanes. It should hit one interface. That interface coordinates the asset response, triggers the threat investigation, requests the intelligence support, and escalates to military channels if the attack warrants it.
The people who look at CISA’s wreckage and see failure miss the more important fact. CISA is trying to do this. The JCDC was already bringing major tech and telecom companies into coordinated defense planning. The bilateral partnerships were already building international coordination with Japan, Australia, the UK, and the EU. The regional coordinators were already building trust with state CISOs and local utilities. The model was working. Not perfectly, not at the scale the threat demanded, but working. The translation layer was functional. It just never had the formal mandate, the structural protections, or the political support to sustain it through the stress test that every institution eventually faces.
The prescription is a new Presidential Policy Directive with the force to restructure authorities and the statutory protections to survive electoral cycles. I would say the prescription is a new law, but I highly doubt we can get something so simple through Congress without them completely bastardizing it. The new PPD needs to do four things.
Codify the translation layer. CISA’s formal mandate should explicitly define it as the federal government’s interface to private-sector critical infrastructure for cybersecurity coordination. Not asset response. Not one column among four. The interface. The protocol that every company, every utility, every hospital system uses to access federal cyber capabilities. Make the org chart match the reality of what CISA’s best people were already doing before this administration scattered them.
Give it teeth for crisis coordination. The voluntary model works when the threat is manageable and trust is high. The threat is no longer manageable. CISA needs defined authorities for incident coordination during national-level cyber events: the ability to compel information sharing (with liability protections for the sharing entities) and the ability to direct federal resources across agency lines during active campaigns. Not regulatory authority over private-sector cybersecurity practices. Coordination authority during a crisis. The difference matters.
Protect it structurally. CISA 2015 (the Cybersecurity Information Sharing Act) liability protections expire September 30, 2026. If they lapse, the legal foundation for voluntary information sharing disappears. CIRCIA, the mandatory incident reporting rule, has been delayed repeatedly and its implementation town halls were canceled during the shutdown. Together these are the legal architecture that makes the translation layer functional, and both are on life support. A new PPD should anchor both in statute, not in rules that can be defunded or directives that can be rescinded.
Protect it from the political cycle. This is the hardest one, and the most necessary. If CISA can be gutted during an active cyber campaign without political consequence, it can be gutted again. And again. The agency becomes permanently politicized, and the talent pipeline reroutes entirely. The people who could make two to three times their salary in the private sector, the ones you need running this thing, they’ll do the math. They’ll calculate the risk of joining an agency that might be dismantled every four years based on which party holds the White House. CISA needs an independent funding mechanism or statutory mandate that can’t be zeroed out by a budget proposal. Congress protects defense spending this way. It protects intelligence spending this way. If CISA is the translation layer for national cyber defense, and it is, then its funding deserves the same structural protection.
I sit in an interesting chair for watching this. I spent seven years in the US Navy, including time at NSA. I currently coordinate international security partnerships at NTT, one of the companies that invested significant organizational resources in CISA’s JCDC bilateral partnership model. I’ve seen the translation layer work. I’ve seen the calls that get made, the intelligence that gets shared, the coordination that happens when the phones are staffed. I’ve also seen what it looks like when the phones go dark. The architecture I’m describing was already happening, imperfectly, before someone decided the fire department was the problem.
The administration is right about one thing. CISA circa 2024 had drifted from its core mission. The election security expansion, the counter-misinformation work, the rapid headcount growth without proportional capability maturation. All of it created legitimate grounds for reform. But the answer to mission creep is mission clarity, not demolition. And the clearest possible mission for CISA is the one it was already performing: serving as the translation layer between the most formidable national security and cyber operations apparatus on Earth and the private-sector infrastructure that apparatus exists to defend.
That’s what needs minding. The mandate needs to catch up to the work. The fire department can be rebuilt, but only if someone decides to stop arguing about whether we need one while the building across the street burns.
Brandon