
Homeland Security Secretary Kristi L. Noem testifies on Capitol Hill earlier this month.
13:41 JST, May 24, 2025
SAN FRANCISCO – As senior Trump administration officials say they want to amp up cyberattacks against China and other geopolitical rivals, some government veterans warn that such an approach would set the United States up for retaliation that it is increasingly unprepared to counter.
Alexei Bulazel, senior director for cyber at the National Security Council, said earlier this month that he wanted to fight back against China’s aggressive pre-positioning of hacking capabilities within U.S. critical infrastructure and “destigmatize” offensive operations, making their use an open part of U.S. strategy for the first time.
Bulazel, an Oracle security architect before joining the Trump administration, said such “exciting” action would be the quickest way to “change the script” and hopefully curb the rising rate of foreign cyberattacks on U.S. targets. He was speaking at the RSA Conference in San Francisco, the largest annual tech security meetup, where some others inside and outside government echoed his position.
“We have done everything, but it is extreme responses that will convince governments” to change their ways, said Rob Joyce, a former head of cybersecurity at the National Security Agency.
Yet far more security experts interviewed at the conference were fretting about recent personnel cuts to the Cybersecurity and Infrastructure Security Agency (CISA), and additional ones ahead under the GOP budget reconciliation bill, in which the administration asked for a 17 percent decrease in the budget of the principal civilian cyber agency. The consensus was that the U.S. is not well-defended now, and multiple security firms reported that the number of Chinese hacking attempts detected in the first quarter of this year more than doubled from a year earlier.
In a memo to CISA staff Thursday night, the new No. 2 at the agency wrote that the heads of four of CISA’s six main divisions – cybersecurity, infrastructure security, emergency communications and integrated operations, which oversees regional offices – were all leaving this month. The leaders of most of the regional offices also are leaving, the memo said, along with the top CISA officers for finance, strategy, human resources and contracting.
U.S. security personnel revealed more than 18 months ago that Chinese military hackers had burrowed into the computer systems linked to infrastructure such as water and electrical utilities, ports and pipelines. That initiative, which the U.S. called Volt Typhoon, was soon supplemented by another, Salt Typhoon, that targets telecommunications networks. Sen. Mark R. Warner (D-Virginia) called it the “worst telecom hack in our nation’s history – by far.”
The covert offensive is far from over. Volt Typhoon is showing up in a wider variety of utilities, according to specialists at the cybersecurity firm Dragos, and an FBI official said Salt Typhoon might be able to reinfect carriers after they have been cleaned up. But CISA’s parent, the Department of Homeland Security, has now disbanded advisory panels, including the Cyber Safety Review Board, which was investigating Salt Typhoon.
“We need CISA, we need these operations, we need these people and partnerships,” Dave DeWalt, a security industry investor and longtime CISA adviser, told The Washington Post, alluding to the unsettled state of international alliances. “We’ve got to go fast, because we are vulnerable – especially if we’re doing what we are doing around the world, geopolitically.”
Aside from Volt Typhoon and Salt Typhoon, DeWalt said a still-unfolding onslaught of Chinese attacks on water and power utilities and hundreds of other targets using a flaw in SAP business software shows that malicious activity is surging amid trade tensions between Washington and Beijing.
Under Homeland Security Secretary Kristi L. Noem, 130 probationary CISA employees have been dismissed, along with a small team dedicated to election security that had come under criticism from Republicans for its reports of misinformation about voting procedures. Many of the agency’s numerous contractors have seen their contracts canceled.
“CISA was in disastrous shape when President Trump and Secretary Noem took office,” said a senior official with the Department of Homeland Security who spoke on the condition of anonymity under departmental policy. “Under the Biden administration, despite a ballooning budget, CISA’s mission was focused on becoming a hub of self-promotion, censorship, misinformation and electioneering.”
Noem told the San Francisco conference that while the agency has been doing important work, people “only heard about it when it was doing something bad,” referring to its past contacts with social media companies about disinformation. She also said more responsibility for infrastructure protection should fall to state and local officials. “I feel like most of the innovation can happen at the state level,” Noem said.
At a small Baltimore security conference more recently, former national cyber director Harry Coker said the opposite.
“My small hometown in rural Kansas is under assault every day from nation-state actors and malicious cybercriminals,” Coker said. “They’re going after the local hospital, the local school system, the local financial systems. And no one, especially our government, should expect my rural hometown to be able to defend itself against a nation-state actor.”
Security experts and officials from both major political parties had hoped to avoid cuts to CISA as severe as those being levied in other divisions and federal departments. They pointed to CISA’s front-line role helping protect civilian government offices and privately owned critical infrastructure from attacks by highly effective ransomware gangs and geopolitical rivals.
“This is no time to pull defenders from the resilience and continuity of operations of lifeline human needs like water, power and access to emergency care,” said Joshua Corman, a former CISA official who now leads a pilot project with the nonprofit Institute for Security and Technology to improve security communications among people working in critical infrastructure. “The coming storms need more help and better help. The risks are nonpartisan and affect all communities.”
Congress has held several hearings on cyberthreats and introduced bills aimed at deterring Chinese spying successes. At one, Rep. Andrew R. Garbarino (R-New York), chairman of the subcommittee on cybersecurity and infrastructure protection, said even early cuts were going too far and that CISA should take on more responsibility for safeguarding government departments.
CISA supporters in Congress and employees were encouraged by Trump’s nomination of Sean Plankey to head CISA, though Sen. Ron Wyden (D-Oregon) has put the nomination on hold until he gets more information on telecom security. Plankey served in several high-level cybersecurity posts during the first Trump administration.
Concerns about the agency’s efficacy have grown with the personnel and budget cuts, despite a recent court injunction against restructuring without congressional input.
“CISA is indirectly decimating our mid- and top ranks and leaving us without capable and experienced leaders,” said a current employee, who spoke on the condition of anonymity for fear of retaliation.
Current CISA executives declined to say how many people had left the agency or how it will adapt to the cuts.
CISA is “doubling down and fulfilling its statutory mission to secure the nation’s critical infrastructure and strengthen our collective cyberdefense,” Executive Director Bridget Bean said in an emailed statement. “We have focused our operations on ensuring that we are prepared for a range of cyberthreats from our adversaries.”
Especially hard-hit by the cuts are the regional CISA offices that have helped local and state governments targeted by ransomware attacks, officials said. Scores of employees have also left the teams that provide CISA expertise to public and private entities – including hospitals, utilities and local public offices that have proved to be choice targets for foreign-origin hacking.
Vermont Secretary of State Sarah Copeland Hanzas expressed concern particularly about local offices. “We don’t have the economies of scale that a New York or a California or a Texas has to staff up in-house to provide some of the cybersecurity support and prevention that CISA has been providing,” she said.
Especially in light of the prospect of a more openly offensive U.S. cyber stance toward China, the trend toward a less robust CISA has alarmed many experts in the field.
“We were doing about a C-minus before, at risk of going down,” retired Rear Adm. Mark Montgomery, who led the congressionally chartered Cyberspace Solarium Commission confronting such issues, told attendees of the cybersecurity convention in San Francisco earlier this month. “We are not ready for a systemic cyberattack in our country.”
"News Services" POPULAR ARTICLE