Cybersecurity Leaders are Staying in the Shadows
The industry remains silent as the Trump administration attacks its security professionals
“What’s happening now is not a policy disagreement, but something dark: the targeting and removal of nonpartisan public servants and the normalization of loyalty oaths to something other than our Constitution. And if we—who aim to protect critical systems—can’t defend the humans who manage and maintain them, what exactly are we securing?”
— Jen Easterly, Former Director, CISA in today’s LinkedIn post

I read a really powerful LinkedIn post this morning by the former director of the Cybersecurity and Infrastructure Security Agency (CISA) under Biden, and I wanted to share my comments with the readers of this Substack. As I think you all know by now, I’m a retired private sector cybersecurity executive. Honestly, I am disappointed by the low volume of voices in my former industry about what is happening to the state of cybersecurity and our democracy under this Trump administration. These are not Democrat or Republican issues. We need collaboration across research, government, and the private sector to protect us against cybersecurity threats.
There are voices, but they are muted. As a small step, I do appreciate efforts by groups like the Cyber Threat Alliance (CTA) to promote collaboration across private sector companies. (My former company joined this group back in 2015). For example, the CTA president and CEO did take a position on the latest round of proposed Trump administration cuts to CISA.
“The proposed reductions to CISA will weaken U.S. cybersecurity at a time when cyber threats are only increasing… While it is the president’s prerogative to establish priorities for executive branch agencies, reductions of the magnitude reported will make it difficult for CISA to carry out its missions, including protecting federal civilian executive branch networks and helping to protect U.S. critical infrastructure.”
— Michael Daniels, President and CEO, Cyber Threat Alliance as quoted in CyberSecurity Dive
However, this statement remains pretty muted language given what we’ve got in front of us. There are a couple of issues of the existing administration’s behaviors I have been particularly concerned about as an ordinary retired techie just reading the news.
No accountability for SignalGate. Mistakes can happen, but those responsible should own them. Just as customers demand from their vendors accountability for operational and security lapses, we as a cybersecurity community should demand from our White House and Defense Department accountability for what was clearly a mistake to disclose attack plans on Signal. Worse yet, this incident mistakenly included someone outside of a “need to know” (a journalist!) in the communications. What are the steps to mitigate risks in the future? Don’t just lie to us claiming no confidential information was discussed! And don’t repeat the mistakes — with the latest being with Defense Secretary Pete Hegseth’s wife, brother, and personal lawyer! We just learned that Hegseth installed Signal on his desktop computer in the Pentagon where cellphones and personal devices are not allowed and utilized an unsecured Internet connection (“dirty line”) installed in his office to bypass security protocols. My former colleagues from the cybersecurity private sector have stayed quiet here. It is time to speak out objectively about these extremely appalling practices of leaking confidential information with those who should not be in the know and intentionally bypassing internal security controls.
No accountability for DOGE exposure of NLRB data. Hats off to NPR for reporting this and to Democratic congresspeople for demanding more details. However, most of my former colleagues have stayed silent on the report of a whistleblower inside the IT Department of the NLRB. What happened? DOGE came into the NLRB, demanded the highest levels of tenant admin access to the systems, exempted their activities from logging, installed GitHub projects to scrape data, and downloaded over 10GB of data from the NLRB systems. The data included sensitive records, including information about employees who want to form unions and proprietary business documents. The best reporting I’ve seen on the details has come from Krebs on Security. Where are the opinions from the private sector of the cybersecurity community on this? If the access was legitimate, why did the DOGE employees evade logging? This action amounts to a security breach affecting American citizens. Where are the disclosures and protections?
Beyond the irresponsibility of the administration, Jen Easterly’s post this morning made me reflect on the attacks on individuals trying to protect us. This goes beyond irresponsibility into threats to our rights as citizens.
Removal of Gen. Timothy Haugh from dual roles as director of the NSA and commander of United States Cyber Command (CYBERCOM). I encourage you to read this editorial from Frank Kendall, former Secretary of the Air Force from 2021 to 2025, stating why every American should be concerned about this politicization of the military.
Trump’s attack on Chris Krebs, the first director of the Cybersecurity and Infrastructure Security Agency (CISA). Krebs was Trump’s own appointee (nominated in February 2018) and was not acting as a partisan. His wrongdoing? Declaring that the 2020 election was the most secure in US history. Trump fired Krebs that same day, November 17, 2020, as Krebs acknowledged. However, the April 9 presidential memorandum targeting Krebs goes too far. The cybersecurity community should have a responsibility to speak out against this attack on both First Amendment free speech rights and due process.
Targeting of SentinelOne. SentinelOne acquired a consulting firm founded by Chris Krebs. As such, the firm was part of the April 9th presidential memorandum, revoking the security clearances for its employees. The company claimed on its website, “we do not expect this to materially impact our business in any way.” Still, I agree with the Cyber Threat Alliance President and CEO Michael Daniels on this issue.
“Targeting a company because the president does not like someone in the company is an example of the very weaponization of the federal government the memo claims to be combating.”
— Michael Daniels, President and CEO, Cyber Threat Alliance as reported by Reuters
For another opinion concurring with Jen Easterly’s post that we as a cybersecurity community should speak out to protect our colleagues, check out this post from the Electronic Frontier Foundation.
“Cybersecurity professionals and the infosec community have essential roles to play in protecting our democracy, securing our elections, and building, testing, and safeguarding government infrastructure. It is critically important for us to speak up to ensure that essential work continues and that those engaged in these good faith efforts are not maligned by an administration that has tried to make examples of its enemies in many other fields.”
Yet, none of this conversation is happening in the open. I’d like to quote Reuters’ reporting here related to the lack of response by the private sector to these Trump attacks on either Krebs or SentinelOne.
Microsoft, where Krebs worked as a director between 2014 and 2017, according to Krebs' LinkedIn profile, was one of 11 companies that declined to comment on Trump's move against SentinelOne. Rubrik, which formerly had Krebs as part of an advisory board, said only that the board had been inactive since 2023, but did not address questions about Krebs or SentinelOne.
Twenty-four other businesses and trade groups did not respond to requests for comment. Among them was CrowdStrike, whose work defending the Democratic National Committee from Russian hackers in 2016 has long made it the object of conspiracy theories spread by Trump and others.
The National Cybersecurity Alliance, where Krebs briefly served as vice chair before joining CISA, did not return emails. The Cloud Security Alliance, of which SentinelOne is a member, declined comment.
At a broader level, the relative silence of the private sector of the cybersecurity community is dangerous. We’re seeing Trump break down the press, education, law, and trade. Now, we’re watching cybersecurity across research, government, and industry being threatened, too. The only way we can survive all of this is for the community to use our voices.
Democracy dies in silence.
Note: this article is also cross-posted on Medium here:
https://medium.com/p/6030784d0318
If you liked it, I’d appreciate the “claps” there, too.