If anything, it is the military that has encroached on CISA’s turf — not the other way around — out of exasperation at the civilian agency’s limited resources, says Montgomery, a retired Navy rear admiral.
“The Department of Defense was saying, ‘We need to do things that we think CISA should be doing,’” Montgomery says, which has meant “slowly edging out from behind the base fence to make sure that power grids, water systems (and) telecommunications systems (near bases) are adequately protected in the event of a crisis.”
Department of Doubtful Movements
Of all the CISA proposals in the Project 2025 plan, the most ambitious one is unlikely to succeed: moving the agency into the Department of Transportation as part of a broader effort to dismantle DHS.
The recommendation reflects conservatives’ desire to reduce the overall size of government, but may also suggest a belief that moving CISA would reduce its scope and make it “a little bit more manageable,” says Brandon Pugh, director of the cybersecurity and emerging threats team at the center-right think tank R Street Institute. Pugh says some Republicans believe the agency “has overstepped its original mandate and become too bloated.”
But that idea is virtually unworkable because the congressional committees that oversee CISA are unwilling to give up their power in a rapidly growing area. “There’s no way that could work,” Costello says.
In addition to being unworkable, the proposal would undermine CISA’s effectiveness.
Cybersecurity fits squarely within DHS’s national security portfolio, so moving CISA to a department with a different mission “doesn’t make a lot of sense” and “would undermine some of the organizational logic,” Kelly says. “I don’t really understand the rationale for that.”
DHS is also better prepared to facilitate the kind of intergovernmental collaboration that CISA relies on for its dual mission of protecting federal computer systems and helping businesses and local governments defend themselves.
“Giving CISA to the Department of Transportation would reduce the cybersecurity of our national critical infrastructure for a while,” Montgomery says, adding that Transportation is “one of the last places” he would put CISA and calling the proposal “absurd.”
Still, observers say it may be worth reviewing the structure of DHS, which has steadily accumulated functions since its creation after 9/11 and is Now considered A kind of Frankenstein department. But such a review has to be “very well thought out,” says Todt. “The reorganization of the government should never be taken lightly.”
Wasting a moment
While Project 2025 appears to misinterpret some aspects of CISA’s mission and disproportionately focus on others, the document also misses opportunities to recommend meaningful reforms.
Congress has spent years waiting for CISA to complete a “force structure assessment” That would better define its mission and the resources and organization needed to accomplish it. But even beyond CISA, there are serious concerns that the government as a whole is not coordinating well on cyber issues.
Pugh says it is worth examining whether the system is working well. “Do we need to look more deeply at who is responsible for different aspects of cyberspace leadership?”
For now, however, experts agree that Project 2025 misses the mark. The document, Montgomery says, is “full of petty tantrums” and “shows a lack of understanding of how the federal government works.”
Costello says it’s “embarrassing” to see Project 2025 “essentially call for the hollowing out of CISA,” and worries that implementing it could create a dangerous vicious cycle for the agency.
“If you were to reduce the scope of CISA’s mission and its importance,” he says, “morale would drop, people would want to leave, and Congress would be less willing to fund it.”