March 4, 2026
Iran's hackers surge as CISA runs on 800 furloughed-down staff
Congress's funding lapse leaves CISA at 31% staff as Iran targets U.S. infrastructure

When the DHS funding lapse began in mid-February 2026, CISA furloughed roughly two-thirds of its 2,540-person workforce — leaving the agency that guards federal civilian networks and critical infrastructure with about 800 active employees. Of CISA's 2,341 employees, only 888 were designated as "excepted" staff who continue working through the shutdown, while the remaining 1,453 work without pay.

Madhu Gottumukkala, who had been serving as acting director since May 2025, warned House appropriators the week before the shutdown: "I want to be clear — when the government shuts down, cyber threats do not." His testimony proved prophetic as Iran launched cyberattacks precisely when CISA was at its weakest.

Gottumukkala's warning proved prophetic in the worst possible way. On February 28, the same night Operation Epic Fury launched in Iran, CISA's website displayed a notice that it had not been updated since February 17 "due to a lapse in federal funding" and was "not being actively managed."

The agency responsible for publishing threat advisories, vulnerability alerts, and critical infrastructure warnings had gone dark at the exact moment the United States entered active conflict with one of the world's most capable state-sponsored cyber powers. The shutdown also halted implementation of CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, which was already delayed beyond its May 2026 deadline.

The leadership void compounded the operational crisis. Gottumukkala — who had come to CISA from a South Dakota state IT role, with close ties to Kristi Noem, and no cybersecurity background — was reassigned to a DHS cost-cutting review division the week before the shutdown.

Politico had already reported that during his nine months as acting director he had uploaded sensitive contracting documents to the public version of ChatGPT and failed the polygraph test required to access sensitive cyber intelligence shared with CISA by partner agencies. His lack of cybersecurity experience raised serious questions about his qualifications to lead America's primary cyber defense agency.

Nick Andersen, the agency's executive assistant director for cybersecurity and a career professional, stepped into the acting director role — CISA's third acting director in a matter of weeks.

Sean Plankey, Trump's nominee to permanently lead CISA, a retired Coast Guard officer with genuine cybersecurity credentials, was meanwhile escorted out of DHS headquarters by security after clashing internally with Gottumukkala over contracts. Plankey had his access badge removed and was physically removed from the Coast Guard headquarters in an unprecedented move for a presidential nominee.

Plankey's Senate confirmation remained blocked — initially by Sen. Rick Scott (R-FL) over a Florida shipbuilding contract dispute, then by Sen. Thom Tillis (R-NC) over the Noem DHS obstruction imbroglio.

The leadership chaos created a dangerous vacuum at the precise moment when U.S. cyber defenses needed stable, experienced leadership most. Three Republican senators refused to move forward with Plankey's confirmation for unrelated reasons, leaving CISA without permanent leadership as Iran prepared cyberattacks.

Into this vacuum, Iranian state-sponsored hacking groups surged. Cybersecurity experts and intelligence firms told NBC and Nextgov that Iran's IRGC-linked units — APT33 (Refined Kitten) and APT34 (OilRig) — were increasing targeting of U.S. businesses and critical infrastructure sectors including energy grids, water utilities, and financial services.

Pavel Gurvich, founder of cybersecurity startup Tenzai, told CNBC: "From a timing perspective, it's now or never. In that sense, the danger is meaningfully higher." Iran was explicitly exploiting the American government shutdown to launch cyber operations when U.S. defenses were weakest.

DHS issued a Critical Incident Report to law enforcement partners warning that the Cyber Islamic Resistance had called for cyberattacks against the United States and Israel.

The timing was not coincidental — Iran was explicitly exploiting the American government shutdown to launch cyber operations when U.S. defenses were weakest. Iranian hackers had been probing U.S. critical infrastructure for months but waited for the CISA shutdown to escalate their attacks.

On March 3, Iran struck three Amazon Web Services data centers — one in Bahrain, two in the UAE — knocking all three offline and marking the first time a major U.S. tech company's physical cloud infrastructure was explicitly targeted by a foreign power during a U.S. military operation.

Iran's state news agency attributed the attacks to AWS's support for U.S. military and intelligence operations. AWS holds classified contracts with the CIA and DoD through GovCloud. The attacks paralyzed banking, government offices, and key industries across the Middle East, with one minute of downtime costing millions in economic damage.

The structural lesson exposed by all of this is that CISA's operational capacity is directly tethered to congressional appropriations politics — meaning foreign adversaries can time cyberattacks to coincide with domestic budget fights.

Rep. Andrew Garbarino (R-NY), chair of the House Homeland Security Subcommittee on Cybersecurity, said: "Iranian regime-backed cyber actors continue to pose a serious threat to the United States and our allies, from probing our water utilities to running influence operations that undermine our democracy." The attacks demonstrated how domestic political disputes directly create national security vulnerabilities.

Garbarino emphasized: "CISA and its skilled personnel need to remain fully operational — and paid — to ensure our nation is ready to deter and respond to cyber threats against critical infrastructure."

His warning highlighted how domestic political disputes directly create national security vulnerabilities. Neither the Republican shutdown blame strategy nor the Democratic demands for immigration enforcement reforms included any emergency carve-out to keep CISA fully funded during the DHS lapse.

House Appropriations chair Tom Cole had written a month earlier that CISA's personnel were already "stretched thin" and that a shutdown would "hinder the country's ability to protect critical infrastructure and hospitals."

Neither the Republican shutdown blame strategy nor the Democratic demands for immigration enforcement reforms included any emergency carve-out to keep CISA fully funded during the DHS lapse. The failure to protect CISA funding represented a catastrophic breakdown in congressional oversight of national security functions.

CISA Acting Director (May 2025 – late February 2026); reassigned to DHS cost-cutting review
CISA Acting Director (from late February 2026); Executive Assistant Director for Cybersecurity
Trump's CISA Director-nominee; retired Coast Guard officer; removed from DHS senior adviser role

U.S. Senator (R-FL)
U.S. Representative (R-NY), Chair, House Homeland Security Subcommittee on Cybersecurity

U.S. Representative (R-OK), Chair, House Appropriations Committee
Founder and CEO, Tenzai (cybersecurity startup)
Iranian Revolutionary Guard Corps state-sponsored hacking groups
Amazon cloud computing division (AWS)
Former CISA Director (2021–January 2025)
Former DHS Assistant Secretary for Public Affairs; wife of Strategy Group CEO Ben Yoho