It was late June, and something strange was happening on Arizona’s online portal for political candidates. Images of the candidates were disappearing. Photos of the Iranian Ayatollah Ruhollah Khomeini were popping up in their place. The state would later come to believe it was an attack from an Iranian government-affiliated group. When they first discovered the threat, though, they were in the dark — and they needed help.
Arizona Secretary of State Adrian Fontes’ office took action to contain the threat, which he says did not impact personal voter information. But one thing he didn’t do was contact the federal agency that would have once been among Fontes’ first calls: the Cybersecurity and Infrastructure Security Agency (CISA).
CISA, housed within the Department of Homeland Security (DHS), is America’s central coordinator of cybersecurity information. The agency helps organizations that run critical infrastructure ranging from elections to sanitation prepare for cyber and physical threats, and helps streamline the response to attacks when they arise.
Are you a current or former CISA employee, or do you work for a critical infrastructure organization? Reach out securely and anonymously with tips from a non-work device to Lauren Feiner via Signal at laurenfeiner.64.
But since the beginning of President Donald Trump’s term, CISA has faced mass staffing cuts, reassignments to immigration-related work, and recent furloughs induced by the ongoing government shutdown. The Trump administration has requested CISA’s $3 billion budget be slashed by nearly half a billion dollars and cut a reported third of its workforce. While some of this mirrors actions at other government agencies, Republicans have a special animus toward CISA, thanks to its role in tracking disinformation around the 2020 election. Now, with the agency greatly diminished and under Trump’s control, people who once worked for and collaborated with it are losing faith.
Normally, Fontes would have been in regular contact with CISA, even before the attack. The agency has helped Arizona create emergency preparedness workshops for Election Day threats. Its staff would physically inspect election-related buildings, offering recommendations to make them more secure. When Arizona’s polling locations received bomb threats during the 2024 election, Fontes tells The Verge in an interview, the state got intel on the situation “instantaneously” from CISA and only had to delay one polling location by 20 minutes. “We were prepared mostly by the help of folks like CISA, and they would grease the skids between all of the other federal organizations,” Fontes says. The same should have been true for the Iran-linked hack.
“How can I reveal security information that’s very sensitive in nature, that could be very easily exploited for political means, with an agency that’s been gutted and politicized?”
But under Trump, Fontes says, many of the CISA staffers his office regularly worked with have left, while Trump loyalists have taken up key posts at DHS. Its election integrity team is led by right-wing activist Heather Honey, who has promoted conspiracy theories about voting fraud. “How can I reveal security information that’s very sensitive in nature, that could be very easily exploited for political means, with an agency that’s been gutted and politicized?” Fontes says. “It would be foolish of me to do that.”
Fontes says that after discovering the candidate portal attack, his office contacted the National Guard and Arizona’s Counter Terrorism Information Center, which has contact with federal agencies — but he excluded CISA as much as possible. The decision underscores how much trust the agency has lost. It also reveals a disconcerting threat to America’s cyber defenses.
CISA’s value comes from its bird’s-eye view of cybersecurity. It can centralize intelligence about threats and provide recommendations based on them, along with helping less sophisticated players with training and preparation. And the agency deals with far more than elections. It focuses on critical infrastructure like water and transit systems, which experts have warned for years could be vulnerable to cyberattacks. When Microsoft Exchange Online was breached in 2023 by what the US determined to be China-affiliated hackers, “CISA was a central point for information sharing” across federal agencies and looked for other compromised areas, according to a report detailing the response.
But that capability only holds up if businesses, state-level agencies, and other organizations feel like disclosing information is secure and worthwhile. The warier groups are of working with CISA, the more everyone is left at risk.
“There’s been so much turmoil over the last six months”
It’s not just Fontes who’s worried. Earlier this year, DHS moved to disband a public-private partnership that gave utilities legal cover to share more sensitive security information with the government. Cynthia Lane, general manager of a Colorado-based water and sanitation utility, says that move raised concern about who at the federal level would push security information down to state and local stakeholders. Between the gutting of CISA staff and the government shutdown, Lane says, “it’s hard to find what the new level of activity and engagement’s going to be because there’s been so much turmoil over the last six months.”
Meanwhile, people who do still contact the agency will find it harder to reach. Layoffs last month impacted nearly all 95 of the agency’s Stakeholder Engagement Division (SED) employees, which coordinate discussion with infrastructure operators, nonprofits, academic institutions, and international partners, Cybersecurity Dive reported. Compounding the problems, a law incentivizing companies to share cyber threat information by providing legal protections recently expired, and amid the government shutdown, grants for state and local governments to beef up their cyber defenses have lapsed.
A three- to four-month “hiccup” in staffing up is normal at the start of an administration, says retired Rear Adm. Mark Montgomery, senior director of the Foundation for Defense of Democracies Center on Cyber and Technology Innovation. “But instead what we’ve seen is a significant stalling in the progress of improving cybersecurity across the federal government, and in some cases, backsliding.” The cuts include “key areas that could afford no losses,” he says, including the Joint Cyber Defense Collaborative, which helps improve threat information sharing between the public and private sectors.
“We do not do these kinds of cuts and everything’s fine”
The Trump administration has denied CISA is having problems. CISA’s executive assistant director Nick Andersen said in September that despite “an awful lot of reporting recently about CISA and the potential for degraded operational capabilities … nothing can be further from the truth.” Montgomery says that assessment “defies a 250-year history of the government. We do not do these kinds of cuts and everything’s fine.”
CISA’s director of public affairs Marci McCarthy says in a statement that during the Trump administration, the agency “continues to execute on its mission amid a record-breaking Democrat-led government shutdown,” and collaborates with federal agencies and private sector players to improve cybersecurity. “CISA will not operate as it did during the Biden Administration, when it inappropriately focused on electioneering and censorship,” McCarthy says.
But a former CISA official, who declined to be named due to privacy concerns, warns that the Trump administration is “playing with fire” by diminishing CISA’s services. Over the past few years the US has faced several significant attacks, including a breach of Microsoft Sharepoint and a major attack on US telecom systems, which prompted officials last year to recommend all Americans use encrypted communications. “It’s only a matter of time until something significant happens,” they told The Verge.
For a utility like Lane’s with 15 people on staff, CISA continues to provide free weekly threat assessments to identify weaknesses in its defenses, which it would otherwise not be able to afford. The consequence of a hack to its operational systems could be extremely tangible to the community: water main breaks caused by ramping up on the pressure on the distribution systems, or sewer overflows into nearby rivers.
“The new MO is, share with who you can trust, in as limited a way as you have to to get the job done”
Fontes, for his part, was forced to weigh placing trust in CISA against the threat of losing trust from his own constituents. It’s taken years of consistent effort to build up voter confidence in how the state runs elections, and now he worries that all it could take is a Truth Social post from DHS Secretary Kristi Noem to set it on fire. “I have to look at the data that we have and the information that we have as if somebody in the administration is going to flip it over and use it against me and my administration because I’m a Democrat,” Fontes says.
Fontes says the state kept DHS abreast of the candidate portal breach to the extent required by the law (without detailing exactly how). But he says his office has figured out how to keep the agency at arm’s length — what he refers to as “silent mode.” “We figured out ways to comply with the law, but also not be vulnerable to the politicized environment that CISA now presents,” he says. “The new MO is, share with who you can trust, in as limited a way as you have to to get the job done.”
That might even mean withholding the kinds of minor details that only a centralized force like CISA could make sense of. “This idea of an open line of communication, where you’re sharing all kinds of stuff, even unnecessary stuff because it might connect the dots to some other things — that doesn’t exist anymore,” he says.
Correction, November 10th: An earlier version of this article misstated the Trump administration’s budget cut request for CISA. It is nearly half a billion dollars, not half a million.
