America’s cyber shield is cracking where it matters most, trust
A small vandalism of an Arizona candidate portal should have been routine. Swap out defaced images, pull logs, call the federal clearinghouse, compare indicators of compromise, push protections across other states. Instead, the call many officials once made first never came. The agency designed to stitch together these moments, the Cybersecurity and Infrastructure Security Agency, is no longer the default partner for some of the very people it was built to serve.
CISA’s strength has always been network effect, not headline power. It convenes, correlates, and quietly routes help to operators that keep water clean, transit moving, ballots counted, and hospitals functional. That model depends on trust, steady staffing, and legal scaffolding that encourages information to flow up and guidance to cascade down. Each of those pillars has eroded. Cuts, reassignments, furloughs, and politicization have chipped at confidence. Partnership programs have been weakened. Legal protections that once encouraged sharing have lapsed. Even when the front line still hears from CISA, the back end is thinner, the follow through slower.
This is not an abstract worry. The past few years have brought sophisticated campaigns against cloud services, telecom infrastructure, and municipal systems. When it works, CISA becomes the switchboard, collecting telemetry from one breach and lighting up others before copycats strike. When trust frays, the switchboard goes quiet. States look inward. Utilities lean on ad hoc networks. Minor anomalies stay siloed. The dots do not connect until they form a crisis.
Politicization is the accelerant. Election security is especially fragile because trust is the product. If state officials suspect that sharing sensitive details will be weaponised on social platforms or spun in press releases, they will ration the facts. Silent mode becomes a survival tactic. That protects a local reputation in the short term, and it weakens national defense in the long term. The paradox is brutal. The more an agency is pulled into partisan battles, the less effective it becomes at its nonpartisan mission.
The cutbacks compound the problem. Stakeholder engagement staff, the people who keep phones answered and relationships alive, have been thinned out. Joint public private work that once moved threat data at speed has stalled. Grants that helped small governments harden systems sit in limbo. The result is predictable. The largest players will buy resilience on their own. The smallest, with a dozen staff and thin cash buffers, will hope nothing breaks.
Water is the clearest example. A utility with fifteen people does not have a threat hunting team. It needs weekly assessments, plain language playbooks, and someone to call on a weekend. When that support is consistent, a misconfiguration gets fixed before it becomes a spill. When it is intermittent, risk moves from the screen to the river.
There is a way back, but it requires choices that are procedural rather than theatrical.
First, rebuild the firewall between security work and political messaging. Publish clear guardrails for election related engagements, separate stakeholders by role, and keep operational detail away from political appointees who do not need it. Trust is a design choice.
Second, restore the plumbing. Rehire and protect the engagement teams, restart joint defense collaboratives, and reauthorize liability shields that let companies and municipalities share indicators without fear. Information moves when the law makes it safe to move.
Third, fund the unglamorous tier. Keep state and local cyber grants flowing, with a bias toward minimum controls that stop the most common attacks. Multi factor authentication, patch management, offline backups, secure configurations, and incident templates save more than any single silver bullet.
Fourth, practice together. Tabletop exercises across states, ISACs, and federal partners turn names into relationships and checklists into muscle memory. When the vandalism becomes a breach, people trust the process because they rehearsed it.
Fifth, measure and publish. A short set of national readiness metrics, shared quarterly, would create accountability without naming and shaming victims. Count patch latency, multi factor coverage, asset inventories, backup tests, and exercise participation. What gets measured gets funded.
Cybersecurity is not a spectator sport. It is a relay that only works if the baton moves at the right moment. America built CISA to coordinate those handoffs across 16 sectors and thousands of operators who will never appear on a podium. The technical challenge is hard, but solvable. The trust challenge is simpler, and more urgent. Stop turning a safety agency into a political character. Staff it, shield it, and let it do the quiet work that keeps the lights on and the water safe.
If the country insists on treating cybersecurity as a culture war, the attackers will not need to innovate. They will only need to wait.
