Argues that no single decision was catastrophic in isolation, but the cumulative effect — CISA layoffs of 1,300+ employees, CSRB dissolution, leadership vacancies, and shuttered programs — creates a defensive vacuum precisely when threats like Salt Typhoon demand maximum institutional capacity. Frames the hundred-day period as potentially the most consequential in cyber history.
Emphasizes that seasoned threat analysts and incident responders were cut while actively remediating Salt Typhoon, a Chinese campaign that compromised at least nine major U.S. telecoms. The expertise walking out the door — in threat intelligence sharing, election security, and critical infrastructure coordination — cannot be rebuilt quickly enough to matter against current adversaries.
Highlights that Salt Typhoon had compromised call metadata and lawful intercept systems at AT&T, Verizon, and T-Mobile, and remediation was still ongoing when the investigating agencies began losing staff. The editorial frames the collision of escalating state-sponsored attacks with reduced defensive capacity as the central danger, not abstract policy disagreement.
The first hundred days of the second Trump administration, in 2025, have produced a cascade of changes to the U.S. federal cybersecurity apparatus. Taken individually, each might be a debatable policy choice. Taken together, they represent the most significant reduction in national cyber defense capability since the discipline was formalized.
CISA — the Cybersecurity and Infrastructure Security Agency, the central node for federal civilian cyber defense — has seen mass layoffs, with reporting indicating cuts affecting over 1,300 employees, including seasoned threat analysts and incident responders. Entire programs focused on election security, critical infrastructure coordination, and threat intelligence sharing have been scaled back or eliminated. The agency's "Shields Up" campaign, which provided actionable threat advisories to private sector defenders, has gone quiet.
Simultaneously, key cybersecurity leadership positions across government have been vacated. The Cyber Safety Review Board (CSRB), modeled on the NTSB's approach to investigating transportation disasters, was effectively dissolved in the administration's first weeks, while it was still investigating the Salt Typhoon campaign. Senior officials at NSA's Cybersecurity Directorate and across the intelligence community's cyber operations centers have departed or been reassigned. The institutional knowledge walking out the door cannot be replaced on any timeline that matters.
The core argument in the "hundred days" framing isn't that any single decision was catastrophic. It's that the compound effect creates a defensive vacuum during a period of unprecedented threat activity.
Salt Typhoon — the Chinese state-sponsored campaign that compromised at least nine major U.S. telecom providers including AT&T, Verizon, and T-Mobile — was still being remediated when the agencies investigating it began losing staff. The attackers gained access to call metadata, lawful intercept systems, and in some cases actual call content for senior government officials. This wasn't a smash-and-grab; it was a patient, multi-year intelligence operation that exploited systemic weaknesses in telecom infrastructure.
The CSRB was in the middle of its Salt Typhoon investigation when it was disbanded. No final report was issued. No recommendations were made. The telecom companies involved now face little external pressure to make the architectural changes that would actually prevent recurrence: segmenting their networks, hardening and monitoring the lawful intercept systems that were abused, and moving sensitive communications onto end-to-end encrypted channels that keep call content out of the carrier's reach.
Meanwhile, the threat landscape hasn't paused for the reorganization. Chinese and Russian state actors continue to target critical infrastructure; Volt Typhoon, another Chinese campaign, has prepositioned in water, energy, and transportation systems for disruption during a geopolitical crisis. Ransomware groups have evolved into what functionally resembles organized crime cartels, with revenue models sophisticated enough to fund zero-day acquisition programs. And the DOGE initiative's broad access to sensitive government systems, including personnel records, financial data, and potentially classified networks, has introduced an attack surface that existing federal threat models did not anticipate.
The uncomfortable reality is that adversaries treat defender posture as an input to their operational planning. When the U.S. publicly dismantles its cyber coordination capabilities, that information is consumed by every intelligence service running cyber operations against American targets. It's not just that the defense is weaker — it's that attackers know the defense is weaker, and adjust their risk calculus accordingly.
The private sector feels this immediately. Federal threat intelligence sharing, the flow of indicators, TTPs, and strategic warnings from NSA, CISA, and FBI to critical infrastructure operators, has degraded. Companies that relied on CISA's Joint Cyber Defense Collaborative (JCDC) for early warning of sector-specific threats are finding the channel quieter. Those that built incident response playbooks assuming federal coordination as a backstop are discovering that the backstop may not be there.
If you're running security for any organization that touches critical infrastructure — and in 2025, that includes cloud providers, SaaS platforms, financial services, healthcare, and energy — the operational implications are concrete.
Threat intelligence is now more DIY. The reduction in federal sharing means commercial threat intel feeds, ISACs (Information Sharing and Analysis Centers), and peer networks matter more than ever. If you're not already participating in your sector's ISAC, start. If you're relying solely on your EDR vendor's threat feed, diversify. The organizations that will navigate this period best are the ones that invested in threat intelligence relationships before they needed them.
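Diversifying feeds only helps if you can merge them: the same indicator arrives in different shapes from an ISAC export, a commercial vendor, and a peer, and the useful signal is how many independent sources corroborate it and how fresh it is. The following is an added example, not code from the original article or any ISAC or vendor tool. The CSV and JSON shapes, the field names, and every indicator value (RFC 5737 test addresses and a `.invalid` domain) are constructed for illustration; `EXAMPLE_NOW` is a fixed clock so the output is reproducible.

```python
"""Added example: normalize indicators from several independent feeds and
rank them by corroboration and freshness. Feeds and values are constructed."""
from __future__ import annotations

import csv
import io
import ipaddress
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample feeds (not real IOCs): an ISAC-style CSV and a vendor-style JSON list.
ISAC_FEED_CSV = """indicator,type,first_seen,confidence
203.0.113.10,ipv4,2025-03-01T00:00:00Z,high
example-c2.invalid,domain,2025-03-02T00:00:00Z,medium
198.51.100.7,ipv4,2024-09-15T00:00:00Z,low
"""
VENDOR_FEED_JSON = json.dumps([
    {"value": "203.0.113.10", "kind": "ip", "seen": "2025-03-03T12:00:00Z"},
    {"value": "EXAMPLE-C2.invalid.", "kind": "fqdn", "seen": "2025-03-04T00:00:00Z"},
    {"value": "192.0.2.55", "kind": "ip", "seen": "2025-03-05T00:00:00Z"},
])
EXAMPLE_NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)  # fixed clock for the example

# Different feeds name the same indicator type differently; map them to one vocabulary.
TYPE_ALIASES = {"ipv4": "ipv4", "ip": "ipv4", "domain": "domain", "fqdn": "domain"}


@dataclass
class Indicator:
    kind: str                 # "ipv4" or "domain" after normalization
    value: str                # canonical text: IP as written by ipaddress, lowercase domain, no trailing dot
    seen: datetime            # most recent sighting reported by any source (UTC)
    sources: set[str] = field(default_factory=set)


def _parse_time(s: str) -> datetime:
    # Feeds commonly use a trailing "Z"; fromisoformat accepts it only on 3.11+, so rewrite it.
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize(kind: str, value: str, seen: str, source: str) -> Indicator | None:
    """Canonicalize one indicator; return None for types we don't handle or values that fail validation."""
    k = TYPE_ALIASES.get(kind.lower())
    v = value.strip()
    if k == "ipv4":
        try:
            v = str(ipaddress.IPv4Address(v))
        except ipaddress.AddressValueError:
            return None
    elif k == "domain":
        v = v.lower().rstrip(".")
        if not v or " " in v:
            return None
    else:
        return None
    return Indicator(k, v, _parse_time(seen), {source})


def parse_isac_csv(text: str, source: str) -> list[Indicator]:
    rows = csv.DictReader(io.StringIO(text))
    parsed = (normalize(r["type"], r["indicator"], r["first_seen"], source) for r in rows)
    return [i for i in parsed if i is not None]


def parse_vendor_json(text: str, source: str) -> list[Indicator]:
    parsed = (normalize(r["kind"], r["value"], r["seen"], source) for r in json.loads(text))
    return [i for i in parsed if i is not None]


def merge(*feeds: list[Indicator]) -> dict[tuple[str, str], Indicator]:
    """Key on (kind, canonical value); union the sources and keep the latest sighting."""
    merged: dict[tuple[str, str], Indicator] = {}
    for feed in feeds:
        for ind in feed:
            key = (ind.kind, ind.value)
            if key in merged:
                merged[key].sources |= ind.sources
                merged[key].seen = max(merged[key].seen, ind.seen)
            else:
                merged[key] = Indicator(ind.kind, ind.value, ind.seen, set(ind.sources))
    return merged


def prioritize(merged: dict[tuple[str, str], Indicator], now: datetime,
               max_age_days: int = 90) -> list[tuple[str, str, int, bool]]:
    """Rank by number of independent sources, then recency.
    Returns (kind, value, source_count, stale); stale means not seen within max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    ranked = sorted(merged.values(), key=lambda i: (-len(i.sources), -i.seen.timestamp()))
    return [(i.kind, i.value, len(i.sources), i.seen < cutoff) for i in ranked]


def build_watchlist(now: datetime) -> list[tuple[str, str, int, bool]]:
    merged = merge(parse_isac_csv(ISAC_FEED_CSV, "isac"),
                   parse_vendor_json(VENDOR_FEED_JSON, "vendor"))
    return prioritize(merged, now)


if __name__ == "__main__":
    for row in build_watchlist(EXAMPLE_NOW):
        print(row)
```

The two-source indicators sort to the top regardless of which feed's confidence label they carried, because corroboration across independent collectors is a more portable signal than one vendor's score, and the single-source indicator from six months ago is flagged stale so it can be aged out rather than left blocking forever. Real feeds need per-source trust weights and more indicator types (hashes, URLs), but the normalize-then-merge structure stays the same.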
Incident response assumptions need updating. Review your IR plan's assumptions about external coordination. If it references CISA's incident response teams, FBI cyber squads, or federal coordination mechanisms, validate that those resources are still available and staffed at levels that match your plan's assumptions. For many organizations, the answer will be "no longer reliable" — which means your internal IR capability needs to fill the gap.
Supply chain risk just went up. The telecom compromise demonstrated that infrastructure you don't control, but critically depend on, can be silently owned for years. Assume your communications are monitored when discussing sensitive topics. Use end-to-end encrypted channels (Signal, not SMS) for anything you wouldn't want a foreign intelligence service to read. The caveat is what this does and doesn't cover: it protects content against a compromised carrier, and Signal keeps little metadata for its own servers to leak, but ordinary voice calls and SMS that still traverse the carrier network remain exposed to exactly the lawful intercept and call-record systems Salt Typhoon reached. This was good advice before Salt Typhoon; it's essential now.
Budget conversations have changed. If your CISO has been struggling to get board attention for security investment, the "hundred days" narrative is a forcing function. The implicit federal safety net that many organizations assumed existed is fraying. That risk has shifted to the private sector, and boards need to understand the transfer.
The cybersecurity community has weathered organizational upheaval before — DHS's creation, the stand-up of CYBERCOM, the post-Snowden reforms. But those were additive disruptions: new capabilities being built, with growing pains along the way. What's happening now is subtractive: existing capabilities being removed faster than alternatives can form. The question isn't whether incidents will increase — they will, by any actuarial measure. The question is whether the private sector, state governments, and whatever remains of federal cyber capability can coordinate effectively enough to prevent a catastrophic infrastructure failure. The first hundred days suggest the answer is far from certain. The next hundred will tell us if the damage is recoverable.