The Fall of the Cyber Guardians

For twenty years, two US agencies shaped how the rest of the world thought about cybersecurity. NIST gave us a risk management framework that was logical, legible, and sensible enough that governments from Canberra to Copenhagen adopted it — or built their own in its image. CISA became the authoritative voice on critical infrastructure protection, vulnerability management, and incident response. Between them, they set the standard. Literally.

That’s over now.

What’s happened

Since January 2025, both agencies have been systematically dismantled under the banner of “government efficiency.” CISA has lost roughly a third of its workforce — around a thousand people — through layoffs, forced resignations, and the elimination of entire programmes including election security and counter-ransomware operations.¹ The proposed FY2026 budget would cut its workforce from 3,732 to 2,649 positions — a reduction of nearly 30%.²

NIST has shed more than 700 jobs, including 89 at the lab responsible for validating government encryption.³ The same lab standardising post-quantum cryptographic algorithms — arguably the most consequential cryptographic transition in decades — is now understaffed and losing institutional knowledge. The National Vulnerability Database, which the entire global security industry depends on for vulnerability intelligence, has been drowning in a processing backlog since 2024 and is now losing the people who might have fixed it.⁴

These aren’t political appointees. They’re career cryptographers, incident responders, framework authors, and vulnerability analysts. The kind of people who take decades to develop and can’t be replaced by a contractor with a Jira board.

The silence

What’s striking is who isn’t saying anything.

Jackie Singh wrote about this in her piece for Hacking, But Legal — that the cybersecurity industry, an industry that markets itself on courage and adversarial thinking, has gone completely quiet.⁵ Reuters contacted 33 of the largest US cybersecurity companies for comment on the targeting of former CISA director Chris Krebs. Thirty-two either declined or didn’t respond.⁶

Krebs — who built CISA and was fired for publicly stating that the 2020 election was secure — had his security clearance revoked by executive order in April 2025. The same order suspended clearances for every employee at SentinelOne, the company he worked for. He resigned shortly after.⁷ The message was clear: cross us and we’ll go after your employer too.

And the industry heard it. They heard it and they shut up.

Why this matters here

I run an information security programme in Australia. My frameworks, my risk registers, my control libraries — they all trace their lineage back to NIST and CISA guidance. The Essential Eight, the ISM, the VPDSF — they draw from the same well. When that well is poisoned, we feel it, even if we pretend we don’t.

But there’s a more immediate problem. We are deeply dependent on US-based service providers. Microsoft holds our email, our identity, our collaboration platforms. AWS and Azure run our infrastructure. We use American AI models, American SaaS platforms, American threat intelligence feeds. Every one of those companies operates under the CLOUD Act, which allows US law enforcement to compel disclosure of data stored anywhere in the world — including data belonging to Australian citizens and government agencies.⁸

That was a manageable risk when the US government was broadly aligned with the rule of law and its own institutional norms. It’s a different calculation entirely when the same government is using executive orders to punish private companies for the political views of their employees, when DOGE operatives are downloading sensitive personal data from across federal agencies with no legal authority and no audit trail,⁹ and when a federal judge has warned that Treasury Department data may have already been shared in violation of federal law.¹⁰

The EU has noticed. Spending on sovereign cloud infrastructure is projected to triple to US$23 billion by 2027.¹¹ France and Germany launched a joint summit on European digital sovereignty in November 2025, with a task force reporting in 2026.¹²

Australia, meanwhile, is still largely pretending this is someone else’s problem.

The uncomfortable question

Here’s where I wrestle with something professionally uncomfortable. We teach risk practitioners — I am one — to balance the cost of a mitigation against the consequence of a risk being realised. It’s rational. It’s sensible. It’s in every certification curriculum I’ve ever studied.

But what happens when the consequence of a breach is functionally zero?

Fines in Australia for data breaches remain laughable compared to the EU’s GDPR regime or even the US regulatory environment. If a US-based service provider mishandles Australian data, what exactly happens? What leverage do we have? If the provider is simultaneously being compelled by its own government to hand over that data, who do we complain to?

We spend enormous effort building risk frameworks, writing policies, conducting assessments, and maintaining controls — all predicated on the assumption that there’s a functioning ecosystem of standards bodies, enforcement mechanisms, and consequences. When NIST is gutted, when CISA is hollowed out, when the US government itself is the threat actor raiding its own databases, that ecosystem is broken.

And the question that no one in our profession wants to ask is: are we just going through the motions?

I don’t think we are. I think the work still matters, because the threats haven’t gone away — they’ve multiplied. But I think we need to be honest about the fact that the foundations we built on are shifting, and that the assumption of a stable, trustworthy US-led cybersecurity ecosystem is no longer safe.

The frameworks were always tools, not scripture. It’s time we started treating them that way — and started building the ones we actually control.