Full Report
The US Cybersecurity and Infrastructure Security Agency has frozen efforts to aid states in securing elections, according to an internal memo viewed by WIRED.
Analysis Summary
# Incident Report: CISA Election Security Program Review
## Executive Summary
This event is not a traditional cyberattack but a significant internal and policy incident at the Cybersecurity and Infrastructure Security Agency (CISA) following a change in US administration. The incident involves the immediate suspension of all election security activities, the placement of related staff on administrative leave, and a comprehensive internal review of all such programs, driven by allegations of government "censorship." The outcome is a temporary halt to the election security support that state and local partners relied on.
## Incident Details
- **Discovery Date:** February 7 (when staff were placed on leave, based on reporting/memo date).
- **Incident Date:** The memo ordering the review was sent on a Friday (implied recent date around February 2025, referencing the new administration's transition).
- **Affected Organization:** Cybersecurity and Infrastructure Security Agency (CISA).
- **Sector:** Government / Critical Infrastructure Security (Elections).
- **Geography:** United States.
## Timeline of Events
### Initial Access
- **Date/Time:** Not applicable (This is a policy decision/internal review, not an external intrusion).
- **Vector:** Internal directive stemming from the new Presidential Executive Order (EO) concerning "ending federal censorship."
- **Details:** CISA's Acting Director, Bridget Bean, sent a memo ordering a review of all election security activities following the inauguration of President Trump and his January 20th Executive Order.
### Lateral Movement
- **Details:** The action involved freezing all election security activities and suspending funding to coordinating bodies (such as the non-profit mentioned) so that the agency focuses on the core cyber/physical security mission as defined by the new mandate.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Not applicable. The primary impact is the cessation of security support services (consultations, guidance, hardening activities) that state and local election officials had relied upon since 2017.
### Detection & Response
- **How it was discovered:** An internal memo from the Acting Director informed all CISA employees.
- **Response actions taken:**
1. All CISA election security activities paused until the review concludes (March 6th).
2. Employees "initially identified to be associated with the elections security activities and the MDM program" placed on administrative leave (February 7th).
3. Funding cut to a key election community coordinating body.
4. Comprehensive review initiated for all products, activities, services, and programs related to election security and countering mis-, dis-, and malinformation (MDM).
## Attack Methodology
*Since this is a policy shift, the methodology relates to the internal response structure:*
- **Initial Access:** New Administration Executive Order on "ending federal censorship."
- **Persistence:** Placing key personnel on administrative leave and freezing the entire program scope.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Not applicable.
- **Credential Access:** Not applicable.
- **Discovery:** Review and assessment of every position, product, service, and program related to election security and MDM since 2017.
- **Lateral Movement:** Not applicable.
- **Collection:** Gathering data for the review report to determine necessary scope adjustments.
- **Exfiltration:** Not applicable.
- **Impact:** Cessation of operational support for election security.
## Impact Assessment
- **Financial:** Not specified, but funding to external coordinators was cut off.
- **Data Breach:** None reported.
- **Operational:** Significant disruption of ongoing support services provided by CISA to state and local election administration bodies, jeopardizing physical and digital infrastructure hardening efforts.
- **Reputational:** Damage to CISA's previously bipartisan reputation as an apolitical security provider, heightened by allegations of past censorship.
## Indicators of Compromise
*Not applicable, as this is a policy incident, not a network intrusion.*
## Response Actions
- **Containment measures:** Immediate operational pause on all election security activities.
- **Eradication steps:** Identifying and preparing to "eliminate" personnel, contracts, grants, and programs conflicting with the new anti-censorship directive or exceeding authorities.
- **Recovery actions:** Conducting an internal review (due to conclude March 6th) followed by a report to the White House detailing a "more focused provision of services."
## Lessons Learned
- **Key takeaways:** Internal agency operations and mission scope can be drastically and immediately altered based on executive directives following a political transition. Reliance by local partners on federal support can create vulnerability during political shifts.
- **What could have been done better:** The previous administration's election security work, despite being praised by local officials from both parties, was apparently not sufficiently insulated from later political challenges to its "misinformation" coordination role.
## Recommendations
- **Prevention measures for similar incidents:** Future critical infrastructure support programs should seek explicit, durable statutory mandates rather than relying solely on executive authority or departmental designation to ensure continuity across administration changes.
- **Mitigation:** Ensure any future engagement on mis/disinformation is clearly delineated from core infrastructure hardening activities to avoid policy conflation.