Originally at https://www.wired.com
The winner of the 2024 US presidential election will confront complicated questions about whether the government is doing enough to protect the country from cyber threats. But one leading conservative group is sidestepping those questions and pushing to shrink the government’s main cyber agency, calling it a bastion of far-left tyranny.
Project 2025, a widely circulated playbook from the influential right-leaning Heritage Foundation, takes aim at the Cybersecurity and Infrastructure Security Agency (CISA) on several fronts, especially its efforts to reduce dangerous online misinformation. If former president Donald Trump wins the election and appoints officials who follow the playbook’s recommendations for CISA, the five-year-old agency could face an unprecedented crisis.
Trump has disavowed Project 2025—a 900-page document full of controversial proposals—but its authors have close ties to his former administration and his campaign, and many of its recommendations align with Trump’s agenda. If he wins a second term, Trump is likely to embrace Project 2025’s combative approach to CISA, whose director he fired for debunking his lies about the 2020 election. That makes the 2024 election an existential moment for CISA.
“If every recommendation in this proposal were accepted, this would significantly weaken CISA as an agency,” says Steve Kelly, a former special assistant to the president and senior director for cybersecurity and emerging technology at the National Security Council.
“It would essentially see CISA cease functioning as a principal element of cybersecurity,” says John Costello, a former chief of staff to the national cyber director at the White House. “It really takes out many of its central functions.”
Missing the Mark on Misinformation
No aspect of CISA’s work has sparked as much GOP ire as its efforts to combat online falsehoods destabilizing American society, and Project 2025’s most substantial recommendation for CISA concerns this work.
“Of the utmost urgency,” the plan says, “is immediately ending CISA’s counter-mis/disinformation efforts.”
During the 2020 election, amid conspiracy theories and hoaxes about Covid-19 and the presidential election, CISA flagged state and local officials’ concerns about online falsehoods to social media companies. This practice, dubbed “switchboarding,” outraged conservatives, who accused CISA of suppressing their speech. House Republicans produced a report on what they called “the weaponization” of the agency, two GOP-led states sued the government (the US Supreme Court dismissed the case), and CISA and its federal partners all but froze their conversations with social media firms.
“CISA has devolved into an unconstitutional censoring and election engineering apparatus of the political Left,” Project 2025 declares. After dismissing Russian interference in the 2016 election as a “dirty trick” by Hillary Clinton’s campaign (despite it being extensively documented, including in a lengthy bipartisan Senate report), Heritage’s policy proposal recommends that the military and the intelligence community take over the responsibility of combating foreign propaganda.
CISA and its defenders maintain that the agency never pressured tech companies to delete posts, but regardless, the agency’s current counterpropaganda operation is a shell of its former self. Talks with tech firms have resumed, but in the election space, the agency is now relying solely on its “Rumor vs. Reality” fact-checking page.
Cybersecurity experts say the government needs to be debunking harmful lies, especially those spread by foreign adversaries.
“There’s a role for CISA in mis- and disinformation, but they’d be wise to keep it cabined and narrow,” says Kelly, who is now the chief strategy officer at the nonprofit Institute for Security and Technology.
Costello calls Project 2025’s proposal “deeply problematic.”
The report fails to acknowledge the seriousness of adversaries’ efforts to sow chaos in the US, according to Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, a conservative-leaning think tank.
The document “appears blind to the fact that Russia, China, and Iran are weaponizing social media networks to create a false narrative that weakens US national security,” Montgomery says.
Project 2025’s leaders did not respond to inquiries for this story. Ken Cuccinelli, a top Department of Homeland Security official in the Trump administration and the author of the report’s DHS chapter, declined an interview request.
Vague and Contradictory
Most of Project 2025’s proposals for CISA are difficult to decipher and reflect what experts say is a misunderstanding of the agency’s activities.
The plan envisions CISA helping local election officials “assess whether they have good cyber hygiene,” but it warns that “CISA should not be significantly involved closer to an election” and should not engage in any “messaging” work.
“It’s unclear to me what a statement like that would mean,” says Kiersten Todt, a former chief of staff to CISA’s director, “because as the elections approach, the need to ensure the safety and security of those elections is even more urgent.”
Indeed, Costello says, the run-up to Election Day is “when misinformation [and] disinformation upticks the highest” and when it’s most important to debunk lies about things like polling places and voting times. “That’s when [we’re] most vulnerable. And we saw that in 2016.”
Muzzling CISA during this crucial period, Costello says, “runs the risk of creating a bubble where Russia or China or any other nation-state threat actor could have a safe space for a massive disinformation campaign.”
If Trump wins and adopts this approach, Todt worries that CISA’s locally deployed election security advisers will be pressured not to offer help in a campaign’s closing stage. CISA’s empowerment of its field force is “one of the great achievements and successes of the past few years,” she says.
Project 2025 also vaguely decries what it characterizes as CISA’s overlap with other agencies. The report says CISA “should refrain from duplicating cybersecurity functions done elsewhere at the Department of Defense, FBI, National Security Agency, and US Secret Service,” but no cyber experts consulted by WIRED could figure out what that means.
If the idea is that the military, not CISA, should be defending critical infrastructure operators from hackers, that’s “a fundamental misreading of US law … about who’s allowed to do what,” Costello says. “CISA helps facilitate things domestically that DoD can’t touch and NSA can’t touch.” That includes direct monitoring of intrusion-detection sensors on critical infrastructure networks.
If anything, the military has impinged on CISA’s territory—not the other way around—out of exasperation with the civilian agency’s constrained resources, says Montgomery, a retired Navy rear admiral.
“The Department of Defense would say, ‘We’re having to do things that we think CISA should be doing,’” Montgomery says, which has meant “slowly creeping outside the base fence to make sure that electrical power grids, water systems, [and] telecom systems [near bases] are properly protected in case of a crisis.”
Department of Dubious Moves
Of all the CISA proposals in Project 2025’s plan, the most ambitious one is highly unlikely to succeed: moving the agency into the Department of Transportation as part of a broader initiative to dismantle DHS.
The recommendation reflects conservatives’ desire to shrink the overall size of government, but it may also suggest a belief that moving CISA would curtail its scope and make it “a little more manageable,” says Brandon Pugh, director of the cybersecurity and emerging threats team at the center-right think tank R Street Institute. Pugh says some Republicans believe the agency “went beyond its original mandate and [has] become too bloated.”
But this idea is a virtual nonstarter because the congressional committees with oversight of CISA won’t give up their power in a rapidly growing domain. “There’s no way that would ever work,” Costello says.
Apart from being infeasible, the proposal would undermine CISA’s effectiveness.
Cybersecurity fits squarely into DHS’s homeland-security portfolio, so moving CISA into a department with a different mission “doesn’t make a lot of sense” and “would undermine some of the organizational logic,” Kelly says. “I don’t actually understand the rationale of that.”
DHS is also better-suited to facilitate the kind of cross-government collaboration that CISA relies on for its twin missions of protecting federal computer systems and helping companies and local governments defend themselves.
“Giving CISA to Department of Transportation would reduce the cybersecurity of our national critical infrastructure for some period of time,” Montgomery says, adding that Transportation is “one of the last places” he’d put CISA and calling the proposal “nonsensical.”
Still, observers say it might be worth reviewing the structure of DHS, which has steadily accumulated functions since its post-9/11 creation and is now considered something of a Frankenstein department. But that review has to be “well thought out,” Todt says. “Reorganization of government should never be taken lightly.”
Squandering a Moment
Even as Project 2025 appears to misunderstand some aspects of CISA’s mission and focus disproportionately on others, the document also misses opportunities to recommend meaningful reforms.
Congress has spent years waiting for CISA to complete a “force structure assessment” that would better define its mission and the resources and organization needed to accomplish it. But even beyond CISA, there are serious concerns that the government as a whole isn’t coordinating well on cyber issues.
Pugh says it’s worth examining whether the system is working well. “Do we need to take a harder look at who’s responsible for different leadership aspects of cyber?”
For now, though, experts agree that Project 2025 misses the mark. The document, Montgomery says, is “full of little tantrums” and “shows a lack of understanding of how federal government works.”
Costello says it’s “embarrassing” to see Project 2025 “call for essentially the hollowing out of CISA,” and he worries that its implementation could create a perilous feedback loop for the agency.
“If you were to reduce the mission scope and importance of CISA,” he says, “morale is going to drop, people are going to want to leave, and Congress is going to be less willing to fund [it].”
Read the Original Story