CISA's leadership crisis, workforce exodus, and security failures are leaving the nation vulnerable to state-sponsored cyberattacks while political gridlock prevents qualified leadership from taking charge.
I've been in network security and cybersecurity since 1994. Before that I spent a decade in the Coast Guard boarding hostile vessels in conditions where bad decisions got people killed. I say that not to wave credentials but to make a point. I know what a leadership vacuum looks like in an organization that exists to protect people. And what's happening at CISA right now should terrify every American who depends on running water, electricity, and the ability to vote in free elections.
Let me lay out the facts, because they are worse than you think.
The Guy Running CISA Uploaded Sensitive Documents to ChatGPT
The acting director of the Cybersecurity and Infrastructure Security Agency, the person in charge of defending every federal network and coordinating critical infrastructure protection for the entire country, uploaded at least four documents marked "For Official Use Only" to the public version of ChatGPT. Not the government's internal AI tool, DHSChat, which is designed to keep data inside federal networks. The public version. The one where your inputs get ingested and potentially regurgitated to other users.
Madhu Gottumukkala requested special permission to use ChatGPT shortly after arriving at CISA in May 2025, at a time when every other DHS employee was blocked from using it. He got his exception. Then he fed sensitive contracting documents into it. Automated security sensors caught it and generated multiple alerts.
Let that sink in. The head of the nation's civilian cyber defense agency, the same agency that advises every company in America on how to protect their data, did the exact thing that every CISO in the country trains their employees not to do on day one.
But that's not even the worst part.
He Failed a Counterintelligence Polygraph and Six Career Staff Paid the Price
In June 2025, Gottumukkala pushed to take a counterintelligence polygraph exam to access a controlled access program. He failed it. The Department of Homeland Security later called the polygraph "unsanctioned," but the damage was done. At least six career CISA staff, people with years of institutional knowledge and expertise, were placed on leave in the aftermath. Not because they did anything wrong. Because the situation Gottumukkala created needed to be managed.
One current CISA official described his tenure as "a nightmare." His entire IT leadership experience before taking over the nation's cyber defense agency was serving as CIO of South Dakota under Kristi Noem. That's who's running the show at CISA right now while China sits inside our critical infrastructure.
A Third of the Agency Is Gone
CISA went from roughly 3,400 staff at the start of 2025 to about 2,400 by December. That's a thousand people. A third of the agency's workforce. Most of those departures weren't voluntary retirements. They were the result of workforce reduction programs, political turbulence, and an environment where experienced professionals saw no future.
Five of CISA's six operational divisions lost their top leaders. Six of ten regional offices lost their directors. The people who built relationships with state and local governments, who coordinated critical infrastructure protection nationwide, who carried institutional knowledge that takes decades to develop. They're gone.
Yesterday, February 11, Gottumukkala confirmed to House appropriators that 70 CISA staff were reassigned to other DHS offices in the past year. The agency also received about 30 employees from other DHS components. So the expertise flowed out and got replaced with people who don't know the mission.
Errol Weiss, the Chief Security Officer at the Health Information Sharing and Analysis Center, said it plainly: "The essential mechanisms CISA needs to support critical infrastructure partners have been hollowed out."
Meanwhile, the Right Guy Is Sitting on the Sidelines
Sean Plankey has been nominated to lead CISA since March 2025. He has bipartisan support. He has broad industry backing. He has actual cybersecurity credentials: Coast Guard and Navy cyber operations, including offensive missions in Afghanistan; the National Security Council; and the Department of Energy, where he co-authored the National Maritime Cyber Security Plan. This is a guy who knows the mission.
He can't get confirmed because of Rick Scott's beef over a Coast Guard shipyard contract in Florida, Ron Wyden's hold over an unreleased telecom security report, and Thom Tillis blocking all DHS nominees until Kristi Noem agrees to testify before the Judiciary Committee. None of these disputes have anything to do with cybersecurity. None of them have anything to do with Plankey's qualifications.
The Senate returned his nomination to the White House on January 3. Trump renominated him on January 13. As of today, his nomination is sitting in the Homeland Security and Governmental Affairs Committee going nowhere.
The result is that CISA has been without a Senate-confirmed director for over a year. An acting director without the political authority or mandate to set multi-year strategy, fight for budget, or make the hard decisions the agency desperately needs is running the nation's cyber defense. Except he's not really running it. He's just occupying the chair while the building empties out around him.
This Is Happening While Nation-States Are Inside Our Infrastructure
Volt Typhoon, China's state-sponsored threat group, has been pre-positioned inside U.S. critical infrastructure since at least 2021. Communications, energy, water systems, transportation. FBI Director Wray called it "the defining threat of our generation" in his January 2024 congressional testimony. CISA's own joint advisory confirmed that Volt Typhoon actors maintained access inside some victim environments for at least five years, using living-off-the-land techniques that make them nearly invisible to traditional security tools.
This isn't theoretical. This is an adversary that has already established persistent access to the systems that keep the lights on, the water running, and the military supplied. The entire strategic purpose of that access is to be ready to cripple American infrastructure if a conflict over Taiwan kicks off.
And right now, the agency charged with coordinating the defense against that threat has lost a third of its workforce, has no confirmed director, has an acting director who uploads sensitive documents to public AI tools, and can't get its nominee through a Senate controlled by the President's own party.
Salt Typhoon compromised U.S. telecommunications companies, the same networks that carry law enforcement wiretap data. Multiple Fortinet vulnerabilities (CVE-2026-24858, CVE-2026-21643) are being actively exploited right now, with CISA adding them to the Known Exploited Vulnerabilities catalog while its own house is on fire. Attackers are creating rogue admin accounts on patched FortiGate devices. The Arctic Wolf research team, not CISA, was the first to identify and publish findings on the latest wave of attacks. That should bother everyone. When the private sector is identifying and publishing critical threat intelligence faster than the government agency whose job it is to do exactly that, something is fundamentally broken.
What Needs to Happen
I'm not going to pretend this has easy answers. But some things are obvious.
First, confirm Sean Plankey. Today. Stop holding a cybersecurity nomination hostage over shipyard contracts and telecom reports. The Senators blocking this know exactly what they're doing and they need to be called out by name. Rick Scott, Ron Wyden, Thom Tillis. Your procedural games are leaving the nation's cyber defense without a permanent leader while China is inside our infrastructure. That's not a policy disagreement. That's negligence.
Second, stop the bleeding at CISA. The agency cannot fulfill its mission with 2,400 people doing what 3,400 were doing a year ago, especially after losing the majority of its senior leadership. The people who left weren't bureaucrats. They were the operational experts who made the agency work. Replacing institutional knowledge takes years, not budget cycles.
Third, hold leadership accountable. An acting director who uploads FOUO documents to public ChatGPT, fails a counterintelligence polygraph, and gets career staff suspended should not be running the nation's civilian cyber defense agency. That's not a political statement. That's a basic competence standard that should apply regardless of who's in the White House.
This Isn't About Politics
I'm a veteran. I served under both parties. I don't care which side of the aisle fixes this. I care that it gets fixed. CISA was created under the first Trump administration because the country needed a dedicated agency to defend against cyber threats to critical infrastructure. That mission hasn't changed. If anything, the threat has gotten exponentially worse since 2018.
What I see right now is an agency that is being gutted at the exact moment when we need it most. And the people who have the power to fix it are too busy playing procedural games to do their jobs.
I've spent over 30 years filling gaps that nobody else would fill. First in the Coast Guard, then in cybersecurity. My company exists because the private sector has to pick up what the government can't or won't do. But there are things the private sector cannot replace: the authority to coordinate across federal agencies, the ability to issue binding directives to critical infrastructure operators, and the institutional trust that comes from having a credible, well-led government cyber defense agency.
CISA is supposed to be that agency. Right now it's a shell of what it was built to be, run by someone who shouldn't be there, waiting for a leader the Senate won't confirm, while adversaries that have already breached our infrastructure prepare for whatever comes next.
If that doesn't scare you, you're not paying attention.
James McMurry is the CEO and founder of ThreatHunter.ai, a Service-Disabled Veteran-Owned Small Business providing 24/7 threat hunting services since 2007. He has been in network security and cybersecurity since 1994. He is a Coast Guard veteran (1984-1994) and founder of VETCON, the cybersecurity conference for military personnel transitioning to the industry.
