Expert speakers discussed the impact of reported cutbacks to CISA on the ability of local officials to protect against surging cyber-attacks on US election infrastructure
# Incident Report: CISA Election Security Program Disruption
## Executive Summary
This report summarizes the impact on the security landscape of significant budget cuts and personnel reductions within the Cybersecurity and Infrastructure Security Agency (CISA) instigated by the Trump administration. The primary impact is a severe undermining of federal support for US election infrastructure security, leading to reduced monitoring of nation-state threats and the cessation of vital services such as assessments and threat briefings for state and local election officials. Response actions center on internal redirection of funds and communication with stakeholders, though experts express concern over future vulnerability to foreign interference.
## Incident Details
- Discovery Date: March 2024 (Initial reports of contract terminations and funding cuts)
- Incident Date: March 2024 (Confirmation of suspension/dismantling of federal support)
- Affected Organization: Cybersecurity and Infrastructure Security Agency (CISA), Center for Internet Security (CIS), Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), Multi-State Information Sharing and Analysis Center (MS-ISAC)
- Sector: Government/Critical Infrastructure (Election Security)
- Geography: United States
## Timeline of Events
### Initial Access
- Date/Time: Prior to March 2024 (Budgetary and personnel decisions leading to cuts)
- Vector: Administrative/Resource Allocation (Internal organizational decision)
- Details: Approximately 300 personnel contracts terminated; significant funding cuts implemented across cybersecurity projects affecting election security.
### Lateral Movement
- N/A (This incident describes administrative/policy shifts impacting security posture, not a traditional cyber intrusion.)
### Data Exfiltration/Impact
- Impact: Suspension or dismantling of federal support for election security work, including physical security assessments, security training, classified threat briefings, and the termination of $10M in funding to CIS, which subsequently led to the shuttering of the EI-ISAC. Foreign interference monitoring efforts reportedly ceased.
### Detection & Response
- Detection: Reported in March 2024 via internal leaks and expert briefings (Keep Our Republic webinar) confirming programmatic changes.
- Response actions taken: CISA spokesperson confirmed resource reallocation, stating $25M remains allocated to CIS (70% of the original plan) and that other CISA support remains available to election infrastructure owners under general critical infrastructure guidance.
## Attack Methodology
*Note: As this is an administrative/budgetary incident, the MITRE ATT&CK mapping applies to the **security posture degradation** rather than a cyber attack.*
- Initial Access: Policy/Budgetary Action
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: N/A
- Discovery: N/A
- Lateral Movement: N/A
- Collection: N/A
- Exfiltration: N/A
- Impact: Degradation of defensive posture against foreign election interference operations.
## Impact Assessment
- Financial: $10 million in funding terminated for specific CIS activities.
- Data Breach: Potentially increased risk of exposure to foreign election interference and disinformation campaigns targeting voter databases, tabulation systems, and results reporting.
- Operational: Significant decrease in specialized support (assessments, dedicated regional advisors, classified briefings) provided directly to state and local election officials.
- Reputational: Erosion of confidence in election security systems due to public reporting of reduced federal support.
## Indicators of Compromise
- Network indicators: N/A (No active compromise identified)
- File indicators: N/A
- Behavioral indicators: Disruption/cessation of established federal support mechanisms (e.g., EI-ISAC operations).
## Response Actions
- Containment measures: CISA publicly reaffirmed that election infrastructure owners still have access to general CISA support as critical infrastructure entities.
- Eradication steps: N/A (The incident was an internal resource reallocation, not a malware infection requiring eradication.)
- Recovery actions: State officials (like PA Secretary Al Schmidt) expressed hope that the new administration would resume full support once the impact is understood.
## Lessons Learned
- Federal support, built on non-partisan trust, is vital for state and local election security due to the federal government's unique access to national intelligence concerning nation-state threats.
- Specialized mechanisms like the EI-ISAC, though potentially duplicative under new mandates, provided focused incident response capability that has now been lost.
- Adversaries (primarily Russia, Iran, China) continue to execute robust influence and cyber operations targeting elections, making sustained federal monitoring essential.
## Recommendations
- Re-evaluate and restore dedicated funding and personnel specifically tasked with securing election infrastructure, recognizing that state/local resources cannot replicate the federal intelligence advantage.
- Ensure established lines of communication for sharing classified threat intelligence regarding foreign interference campaigns remain open and robust between federal agencies and state/local election authorities.
- CIS should be encouraged or incentivized to maintain specialized ISAC capabilities necessary for the election sector, even if direct federal funding for legacy agreements is terminated.