Congress Needs to Shutdown-Proof CISA

Government shutdowns leave U.S. critical infrastructure dangerously exposed to cyberattacks. Congress needs to address this vulnerability immediately for the current shutdown, and take additional steps to protect the nation’s top cyber agency in future government shutdowns.

The Cybersecurity and Infrastructure Security Agency (CISA) furloughed two-thirds of its staff this week after Congress failed to pass a spending bill to keep the government open, leaving the agency with just shy of 900 workers. The CISA workforce had already shrunk earlier this year by approximately 1,000 workers in DOGE-related staffing cuts. CISA serves a vital function, not only providing cybersecurity leadership across the federal government and for states, but also working to secure critical infrastructure, including energy, transportation, and health-care systems, while responding to cyberattacks. So, these cuts have severely weakened the nation’s first line of cyber defense and grounded the teams that are on standby to respond to an attack.

But the problem is bigger than just a lack of personnel at the nation’s cyber agency. Congress also failed to renew the Cybersecurity Information Sharing Act of 2015 (CISA 2015), a law that shields private-sector companies from liability for collecting and sharing information about cyber threats. CISA 2015 allows companies to monitor private networks, share cyber threat intelligence with government agencies, and exchange information about cybersecurity issues with other companies without violating privacy or antitrust laws. The law expired on September 30, 2025, and while it has bipartisan support in Congress, the reauthorization has stalled as part of the current government funding fight. Without this law, the flow of information from the private sector about emerging cyber threats will come to a halt.

Hitting pause on U.S. cybersecurity efforts creates a serious vulnerability. Chinese, Russian, and North Korean hackers regularly target U.S. businesses and government agencies. For example, the PRC-backed cyber group Volt Typhoon has compromised the systems of critical infrastructure organizations in the United States in a multitude of sectors, including communications, energy, transportation, and water. Attackers are savvy, and they will exploit any weakness. Following federal government layoffs earlier this year, a network of front companies for a Chinese firm tried to recruit former government workers in a likely attempt at intelligence gathering. Attackers will almost certainly seize this opening to attempt new exploits—ones that may not be discovered for months or more.

In the short term, Congress would ideally move quickly to reauthorize CISA 2015 and fund CISA operations, even if the overall funding fight continues. But the reality is that lawmakers are unlikely to give any preferential treatment to CISA over other federal budget concerns, especially if Congress remains out of session.

But these budget fights are becoming more common, so Congress should prepare for the next one. To keep CISA fully operational, Congress should create a dedicated funding stream so that the agency does not have to rely so heavily on appropriations. One option is for Congress to establish a working capital fund and then allow CISA to create a fee-for-service model for various cybersecurity services that it provides to states, such as vulnerability monitoring and phishing assessments. CISA provides these services at no cost today, but Congress could instead provide states grants to pay for these services from CISA. Another option would be for Congress to establish a permanent self-sustaining fund for CISA operations, such as one paid for with a small fee for domain name registrations and renewals.

Maintaining strong cybersecurity is crucial to national security, and Congress should not allow it to get caught in the crossfire of funding fights. Unless Congress shutdown-proofs CISA, the next lapse in funding will not just stall government—it could open the door to dangerous cyberattacks by America’s adversaries.