Ex-CISA Official Warns: We’ve Gutted Cybersecurity—A Gift to Iran, China and Russia


Dr. David Mussington, cybersecurity expert with two decades of experience, reveals why the clock is ticking on U.S. vulnerabilities under Trump.

As international tensions increase, cyberwarfare and ransomware attacks loom—and America’s digital defenses face a perfect storm of foreign attacks, criminal behavior, and self-inflicted damage.

Few understand the stakes better than Dr. David Mussington, former head of Infrastructure Security at CISA, who’s spent decades crafting strategies at RAND, the Pentagon, and DHS. In this eye-opening conversation with the Institute for New Economic Thinking, Mussington warns that while countries like Iran, China, and Russia grow more aggressive, the Trump administration has gutted the very agency designed to protect America’s most critical systems—cutting CISA’s budget by nearly half, eliminating nearly a third of its staff, and driving out decades of cybersecurity expertise.

With experienced defenders gone, vital federal structures disbanded, and state and private actors left to pick up the slack, Mussington raises a chilling question: are we really ready for what’s coming — or are we falling dangerously behind? He discusses our vulnerabilities as consumers, citizens, and as a country.


Lynn Parramore: Can you say a bit about your background in cybersecurity?

David Mussington: I have over two decades of experience in different aspects of the cybersecurity risk challenge. My career began at the RAND Corporation, where I participated in and led research teams evaluating U.S. critical infrastructure security. This included exercises, assessments, and policy analysis. Later on I worked at the Department of Defense – writing cyber strategies and advising the Office of the Secretary on USCYBERCOM’s standup, and on supply chain and other challenges posed by U.S. adversaries in the cyber domain.

Most recently, I led the Infrastructure Security Division for CISA (Cybersecurity and Infrastructure Security Agency – a part of the Department of Homeland Security) for four years during the Biden/Harris administration, overseeing physical security, Internet of Things (IoT), operational tech, and critical infrastructure risk assessments and remediation programs. That role gave me a front-row seat to threat levels, vulnerabilities, private sector responses, and global collaboration—especially around nation-state threats, our top concern.

LP: Let’s talk about CISA. How has the agency changed under the current administration, especially with the recent cuts and firings?

DM: First, I think it’s fair to say the changes have been dramatic—but it’s still early to know where they’ll lead. CISA doesn’t have a permanent director yet—Sean Plankey’s been nominated, but not confirmed. We do have a national cyber director, Sean Cairncross, and some key roles at DHS and the Sector Risk Management Agencies are finally taking shape. But the team hasn’t fully come together yet. It takes time when we change administrations to reestablish new priorities.

My biggest concern is losing experienced people. Fewer staff means a heavier burden on those that remain, weaker national critical infrastructure security, and lessened resilience. These public servants are dedicated, but constant attacks on their patriotism are unfair and hurt morale. I deeply respect the CISA staff and others facing sudden changes after decades of service. Leaving a mission they believed in—defending the country—is hard.

We must support those still serving—they’re fighting for all of us. I loved this work, and moments like representing the U.S. at Australia’s National War Memorial reminded me why it matters. That mission and honor must never be forgotten.

LP: One of CISA’s past priorities has been securing our elections. But under the current administration, there’s talk of that mission shifting. What can you tell us about the changing focus?

DM: You mentioned the election mission. It’s clear from recent decisions that CISA’s role in that area has been deliberately targeted for reduction—if not outright removal. That’s a decision made by this administration. Obviously, the administration I was in didn’t agree with that. We were focused on a specific cluster of activities – mostly foreign malign threats. Russia was a key concern, among others, given their efforts to manipulate American opinion using tactics we discussed in our last conversation.

On the other hand, nation-state threats still exist. This administration’s rhetoric remains focused on them — particularly China’s campaigns like Salt Typhoon, Volt Typhoon, and Silk Typhoon. Their persistent access to U.S. critical infrastructure and the potential to weaponize those vulnerabilities remains, I believe, a top national priority.

There’s clearly a shift toward greater reliance on states and the private sector to handle cybersecurity on their own. That’s how I interpret the shrinking federal role in critical infrastructure protection—both in size and scope.

LP: In moving from federal to state responsibility, what security vulnerabilities at the state level concern you?

DM: It’s less about where the vulnerabilities are and more about who controls them—and what capabilities they have. In Texas, for instance, some private infrastructure operators are technically strong, but they may now bear more responsibility than they’re used to. That puts greater weight on their security plans. As the federal role recedes, the effectiveness of those plans—against everything from insider threats and ransomware to nation-state actors—matters more than ever.

A state will be only as good as the big private sector infrastructure operators are. States don’t typically have a lot of autonomous critical infrastructure protection or resilience capacity of their own. They’re very dependent on the private sector.

LP: Do you see any states modeling effective planning?

DM: Difficult to tell, because this shift toward the states also represents a move away from federal Sector Risk Management Agencies (SRMAs). Under the traditional model, CISA coordinated at the top, followed by SRMAs, then state and local governments, and finally the private-sector operators of critical infrastructure. That hierarchy now seems to be changing.

To the extent that states have technological capabilities under their control—take California, for example: a wealthy state with significant critical infrastructure and advanced industries—the state can leverage its own partnerships, fiscal tools, and regulatory mechanisms. That combination of technical expertise, preexisting capacity, and the presence of a strong technological and educational ecosystem is probably the best predictor of how well a state will perform. And across the U.S., states vary widely in how well they’re positioned to take on more of this responsibility themselves.

I think generally that richer states are going to be in a better position to do this than poorer states. But is the federal government still able to step in and pick up the slack?

LP: We saw it during the pandemic—states can act independently, but for certain challenges, coordination is essential. How do you see that playing out when it comes to cybersecurity?

DM: CISA remains the national coordinator for critical infrastructure security and resilience. Regardless of resources, it’s essential for public-private coordination and helping states leverage each other’s strengths. That’s where my concerns lie—I worry about the loss of expertise and whether CISA, especially after the Chevron deference decision (curtailing the power of agencies), will keep the authority and capacity to coordinate effectively. I’m also concerned if Sector Risk Management Agencies have the authority to do their part.

Some don’t, and some won’t. I don’t expect Congress to grant federal agencies broad cyber-regulatory power anytime soon. So, regulatory approaches to cyber-risk won’t be as prominent, even though regulation has long been seen as key to federal cyber-risk management.

States do have the authority to regulate critical infrastructure within their borders. The big question is how each state will approach it. I don’t know most states well enough to predict, but generally, regulations aren’t popular—and cybersecurity rules likely won’t be either.

LP: Let’s talk about the politicization of cybersecurity and the shifting approaches of different administrations. How do you view that issue, especially in light of evolving threats arising from global conflicts?

DM: I think it makes us less coherent as a nation, since we won’t be able to articulate a single strategy or strategic approach to critical infrastructure security and resilience.

My former director, Jen Easterly, used to say that cybersecurity isn’t political—it’s a set of risks we have to address regardless of ideology. I agree. That perspective points you toward a particular approach: federal coordination of a largely private-sector-oriented, voluntary framework built around best practices carried out for the public good.

In areas like defense and nuclear power generation and distribution, there are strong mandates for infrastructure protection—and I think that’s rightly seen as nonpartisan. Whether we return to that view remains to be seen. Given current threat conditions, I’m not sure it’s sustainable to treat this as a partisan issue. We have real vulnerabilities in our critical infrastructure.

CISA continues to publish the Known Exploited Vulnerabilities (KEV) list, which was already voluminous when I was there—and it hasn’t gotten any shorter. These are vulnerabilities that have been actively exploited, sometimes for years, and they pose serious risks both individually and when chained together. These are the same vulnerabilities that adversaries from China, Iran, and Russia continue to target—and that remains true regardless of ideology. The best practice recommendations to counter them haven’t changed either.

Right now, there’s real potential for Iranian cyber countermeasures against the U.S., given the current conflict involving Israel. In the recent past, Iranian cyber actors linked to the Islamic Revolutionary Guard Corps (IRGC) have targeted U.S. critical infrastructure and even election systems. They’ve also shown interest in water systems and dams.

Iran’s cyber capabilities are serious. They’ve actively targeted regional rivals like the UAE and Saudi Arabia. If conflict escalates, could they go after U.S. infrastructure again—and would our defenses hold up? Those are key questions as we consider possible actions related to Iran’s nuclear and military capabilities.

LP: Let’s talk economics and budgets. DOGE was sold as a way to cut costs and boost efficiency. But when agencies like CISA face cuts and lose expertise, could we be risking higher costs later?

DM: We could. But I’d frame it a bit differently: the real question is whether the private sector and the states can mitigate risk at scale to meet the threat as it exists—and whether we have systems in place to actually measure that.

LP: Do we?

DM: We don’t. There’s no metrics-based framework to assess how well we’re doing on cybersecurity or critical infrastructure resilience at the national level. When we were running risk management and infrastructure assessments through CISA, we struggled—our metrics were weak, and the data was often stale.

Knowing things are fragile—and understanding how risk and vulnerability have changed between 2022 and 2025—makes responding effectively a major challenge.

On the economics, I think the key is focusing on incentives for remediation. Are the asset owners—where the risks actually exist—truly incentivized to take the necessary steps to reduce risk to their assets, their operations, and the public? It’s clear there’s an incentive misalignment—asset owners often shift the cost of risk onto others, like customers or other jurisdictions, because they rarely face accountability for breaches or for passing risks along.

Our insurance markets don’t align those incentives, and we don’t regulate to prevent companies from inadvertently imposing risks on their customers. This is especially clear with consumer technologies, which people buy and are then expected to protect on their own.

I do a lot with my computers. But at a certain level, I can’t fix hardware vulnerabilities. I can’t really do a lot about the software vulnerabilities either. If I hear about a piece of software that’s breached or something, I guess I can look for an update. But that’s about it.

What about hardware and software manufacturers? What about the secure-by-design principles we discussed during our administration? How do we measure if something truly meets those standards—and how do we make that information available to consumers so they can make informed choices?

All of that undermines market-based incentives from favoring security over insecurity, because the market isn’t properly structured for it. And since regulation is so often off the table, we don’t have enough security to protect cyberspace—whether at the national critical infrastructure level against nation-states, or at the individual level inside people’s homes.

LP: With massive password breaches hitting companies like Google, Apple, and Facebook, what security challenges are everyday people facing—and how are they changing?

DM: Problems like identity theft, ecommerce fraud, and ransomware have actually worsened over the last decade. The actors conducting these activities are sometimes criminals, and sometimes proxy groups – acting on behalf of others for ideological or foreign intelligence reasons. It is often difficult to differentiate the causes of activity. We just know we are seeing more of it, and more consequential critical infrastructure impacts. The best defense for consumers is to use best practices such as multi-factor authentication—ideally with authenticator apps, not SMS—and using strong, unique passwords or passkeys. Having a playbook for incident response is a good practice as well, as it enables practice and preparation for difficult circumstances.

LP: We rely on businesses to keep us safe. Are they doing enough?

DM: Awareness is much better now, especially around ransomware. Most medium-sized companies follow basic security practices or hire experts. Small businesses still struggle but often use built-in protections from Apple, Microsoft, etc. The real issue is the mindset—some still think “it won’t happen to us,” which is dangerous. Your security depends on your weakest link—like contractors without protections.

CISA and others do a lot to share best practices, but the bigger problem is vulnerable hardware and software—like IoT devices with default passwords anyone can find. Consumers depend on companies to build secure products, but often they don’t.

LP: What risks do devices like smart speakers pose?

DM: The major risk that IoT devices — of which smart speakers are just one example — pose is that their provenance — the security procedures built into their hardware and software — may be entirely unknown to the consumer and possibly architected to prevent user modifications of their functionality. This means that consumers may be unable to rectify flaws in shipped hardware (or software) — meaning that risk is shifted from technology producers to consumers from the standpoint of accountability and cost.

LP: With so many breaches in 2025, which worries you most?

DM: Honestly, I’m not surprised by new or repackaged breach data anymore. After a decade of massive breaches affecting hundreds of millions, how much more can be stolen? We live in a “breached” environment, which fuels cybercrime. The core issue is that we still haven’t nailed the basics.

Overall, my major concerns were and remain nation-state cyber operations targeting US critical infrastructure, and the velocity of change that new technologies – such as AI – bring to the risk challenge.

LP: What are the things that keep you up at night?

DM: Given my last job, I’m especially worried about vulnerabilities that linger unpatched for years. I use the CISA Known Exploited Vulnerabilities (KEV) list as a strategic litmus test—is it shrinking? Is the average time vulnerabilities stay on it going down? The answer is no. Campaigns like Salt Typhoon and Volt Typhoon show ongoing intrusions. Are we pushing those actors out? No. These persistent weaknesses let adversaries hold a foothold in critical infrastructure—a serious strategic threat.

We didn’t always face widespread, persistent vulnerabilities exploited by China across most critical infrastructure. Now we do. Russia’s tactics in Ukraine—using crimeware and criminal groups tied to nation-states—weren’t always seen here, but they are now. Plus, IoT is embedded everywhere in our lives, vastly expanding the attack surface and risks. I worry about identity theft too—I’ve had my data breached like many, relying on lifetime monitoring because that’s the reality today.

Nation-state techniques used to be elite and rare; now they’ve trickled down to criminals, making anyone a target. That cluster of risks is what keeps me up at night.

LP: Every administration presumably wants to keep Americans safe and avoid being blamed for a major incident. That’s a strong incentive. But are there disincentives working against our cybersecurity?

DM: Everything requires a solid plan. The best incentives and intentions don’t stop risks being actively exploited. We’re still in the early stages of this administration’s cybersecurity plans.

We have numerous top-level executive orders and presidential directives, but CISA still doesn’t have a director. The fate of NSM-22, the successor to PPD-21, remains uncertain. Sector Risk Management Agencies are still finding their footing without new strategic guidance.

That guidance hasn’t formally arrived yet. Meanwhile, the Critical Infrastructure Partnership Advisory Council (CIPAC), which connects the federal government with private-sector leaders in critical sectors, was suspended. Its successor has yet to emerge.

So we have structures that aren’t functioning as they used to, nor have they been redesigned to fit the new administration’s priorities. Five or six months in, much hasn’t yet gelled around a new approach. What remains is the leftover framework from before, alongside a lot of disbanded structures. For example—where is the National Infrastructure Advisory Council? Where is the Cyber Safety Review Board (CSRB)? These bodies, created to tackle cyber risks, have been sidelined, supposedly awaiting better replacements.

So in these early days, even though the threat remains, we’ve effectively taken a five- or six-month hiatus from framing a renewed and fully strategic response.

LP: If you had to give one piece of advice to the current administration, what would it be?

DM: It’s easy for someone no longer in the administration to advise their successors. So I won’t do that—just share a couple of thoughts instead.

If we agree that nation-state risks are real—and I believe they are—and that CISA’s known exploited vulnerabilities and interagency concerns are valid, then we need to act with much greater urgency. Our ability to collaborate with the private sector and states, now with more responsibility, must become a higher priority.

LP: What happens if we don’t?

DM: Well, attackers hold huge advantages in this environment, and that’s largely because these exploited vulnerabilities remain unmitigated. That’s the first, and biggest, concern.

Second, if we take the China threat seriously—Salt Typhoon and Volt Typhoon—their ability to freely access and remain inside our critical infrastructure hostage has to be a huge concern. When I was in, we worried about 2027 and threats to Taiwan, fearing China might miscalculate and disrupt our infrastructure to keep us out of ‘their business.’ That concern remains, because 2027 will still come.

Are we positioned to protect our critical infrastructure from being held hostage—so China can’t use those vulnerabilities to deter U.S. policy choices? The idea that the U.S. could be blackmailed into backing down from defending its Pacific interests is a major concern—one I had then and still have now. How well we’ll manage this remains to be seen, but if we have fewer capabilities in 2027 than if better plans had been made, we’ll be more vulnerable.
