John Z Black
Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Two of the most significant cybersecurity stories this week aren’t about malware. They’re about institutions. What happens when you underfund the agencies responsible for national cyber defense, destabilize their leadership, and keep turning the lights off.
In Washington, the answer is playing out in real time.
Six People. One Day. One Team Gone.
On March 25, CISA acting director Nick Andersen testified before the House Homeland Security Committee and didn’t bury the lead. A highly specialized threat-hunting and incident response team lost six members in a single day. All resignations.
CISA currently has roughly 1,000 vacant positions. Sixty percent of its workforce is furloughed or otherwise unable to work. The agency is now in its third government shutdown this fiscal year, 39 days deep with no resolution in sight.
Andersen’s warning was direct: “At some point, the compounding risk within this dynamic threat landscape is going to cause real damage to the American people.”
He also named specific upcoming events on his mind. The America 250 celebration. The FIFA World Cup. High-profile moments adversaries plan around and treat as opportunities.
It’s also worth noting the leadership situation plainly: Andersen is the third acting director since no Senate-confirmed director has been in place for over a year. Three acting directors. No confirmation. An agency responsible for securing US critical infrastructure, run by a succession of temporary leaders while the staffing crisis deepens.
Career specialists don’t stick around for that indefinitely. The six who left in a single day weren’t making a protest. They were making a calculation.
Across the Atlantic
Richard Horne, CEO of the UK’s National Cyber Security Centre, was at RSA Conference this week with a very different message.
Where CISA’s acting director was describing an agency struggling to keep its people, Horne was calling for a “full court press” against the same threats. Coordinated, collective action across law enforcement, regulation, offensive cyber capability, and resilience building. Not one lever at a time. All of them, simultaneously.
He described practical measures already underway: sharing malicious links directly with ISPs so traffic gets blocked at scale before it reaches targets, and working with international partners to actively dismantle hostile infrastructure rather than just monitor it. Not a reactive posture. One that tries to complicate the adversary’s ability to operate at all.
Same Threats, Opposite Trajectories
The adversaries CISA and NCSC worry about are mostly the same ones: China’s persistent presence in telecom infrastructure, Russian state and criminal actors, North Korean operators funding a sanctions-busting economy through cybercrime, Iran probing government and industrial targets.
The difference is institutional condition.
One is calling for a full court press. The other is testifying that it can’t hold onto a six-person team.
National cybersecurity isn’t a product you purchase and deploy. It’s an institutional capability that takes years to build, requires sustained investment to maintain, and degrades fast under instability. Talent walks. Institutional knowledge walks with it. The muscle memory of how to respond to a major incident lives in the people who’ve done it before.
Andersen’s testimony was notable because CISA leaders typically avoid statements that could be read as political. He said it anyway. The word “compounding” in his quote is doing real work. Each round of attrition makes the next crisis harder to manage, not just because there are fewer people, but because the people who remain are less experienced, more stretched, and more likely to leave too.
The UK’s “full court press” assumes you have a team on the court to press with. That assumption matters.
Adversaries are watching too. They know when their primary opposition is at half strength.