Things Were Even Worse at CISA Than We Thought
2026-2-28 15:57:3 Author: securityboulevard.com

Just last week I wrote that CISA was on life support.

That was before we knew how bad it really was.

When Jen Easterly stepped down and the agency was left without a Senate-confirmed director, it was already troubling. The Cybersecurity and Infrastructure Security Agency — the nerve center for defending federal networks and coordinating critical infrastructure protection — drifting without permanent leadership at a time of escalating global cyber threats was not a comforting thought.

But what we are now learning about the tenure of acting director Madhu Gottumukkala suggests something far worse than drift.

It suggests dysfunction. And it couldn’t come at a worse time. Just as we are engaged in armed conflict with a cyber-savvy adversary, our front-and-center defense agency seems to be asleep at the wheel.

From Leadership Vacuum to Leadership Disaster

According to reporting in Politico, Gottumukkala’s nine-month tenure at CISA was marked by:

  • Uploading sensitive contracting documents into a public version of ChatGPT.
  • Abruptly canceling or failing to renew major contracts — including a $30 million license used to identify vulnerable internet-connected devices across government.
  • Alienating career cyber professionals.
  • Triggering a polygraph debacle that resulted in staff being placed on leave.
  • Firing or sidelining personnel amid an already depleted workforce.
  • Clashing with senior career officials.
  • Creating such turmoil that officials described the agency as “devolving every day.”

This wasn’t just personality conflict. This was operational instability inside the agency responsible for protecting U.S. civilian networks from Russia, China, Iran and whoever else is probing for weaknesses.

On top of that, he had no prior federal experience before being appointed deputy director and then acting chief of a $3 billion cyber defense agency. Well, he was Noem’s cyber guy in South Dakota; I guess that should count for something, right? Not.

Let that sink in.

This isn’t a startup. This isn’t a mid-size SaaS company. This is the front line of national cyber defense.

And the result, by multiple accounts: chaos.

The Part That Should Worry You Most

The truly disturbing part here isn’t that a misjudgment was made in appointing someone unprepared for the role.

It’s that, according to reporting, Department of Homeland Security Secretary Kristi Noem was warned months ago that Gottumukkala was not the right person to lead CISA — and chose to keep him in place.

Why?

Because removing him would have reflected poorly on her.

Because political optics mattered more than course correction and competence.

Because she and her roommate, DHS adviser Corey Lewandowski — yes, that Corey Lewandowski — reportedly feared that acknowledging the mistake would harm her political standing ahead of Senate scrutiny.

If that reporting is accurate, then we have crossed from incompetence into something more troubling.

When you keep an unqualified leader in place at a national security agency to avoid political embarrassment, you are gambling with the country’s cyber resilience.

And now we find ourselves in a moment where geopolitical tensions are rising, Iran is being pushed into a corner, and critical infrastructure threats are not theoretical.

This is when you want your best and brightest in charge.

Frick and Frack won’t do when stuff starts flying.

CISA Was Already on Life Support

I’ve written before that CISA was hollowed out — losing nearly a thousand staffers under workforce reductions and operating without stable leadership since Easterly’s departure. The current government shutdown put even more pressure on CISA.

The failure to confirm Sean Plankey has left the agency in a holding pattern. A holding pattern is survivable when nothing extraordinary is happening.

But nothing extraordinary isn’t the world we live in anymore.

The agency was already weakened.

Now we learn the interim leadership was embroiled in:

  • Damage assessments over AI usage.
  • Internal retaliation battles.
  • Contracting chaos.
  • Congressional inquiries.

That’s not reform. That’s distraction.

Meanwhile, adversaries don’t pause their operations because DHS is politically uncomfortable.

A Pattern Across the Administration

This isn’t happening in isolation.

At the same time, we are punishing an AI company — Anthropic — for taking an ethical stand in how its models are deployed. Instead of rewarding caution, the message sent was: compliance with political power matters more than guardrails.

Competence takes a back seat to loyalty.

Institutions become props.

Ethics becomes inconvenient.

And leadership becomes performative.

When you run national security agencies like political chess pieces, you hollow out the very expertise those agencies were built to protect.

The Real Cost of Political Interference

Here’s the thing about cybersecurity: you can skate by for a while. If nothing catastrophic happens, you can pretend the system is fine. But cybersecurity isn’t judged on sunny days.

It’s judged when the lights flicker, pipelines shut down, hospitals get encrypted, or foreign adversaries decide to escalate. That’s when you find out whether you invested in competence or political theater.

CISA exists precisely for those moments.

And if the reporting is accurate, we allowed an already fragile agency to drift into internal turmoil because admitting a mistake would have been politically inconvenient.

That is leadership failure.

Not just at CISA.

Up and down.

Shimmy’s Take

This is what happens when unqualified people are handed critical roles in government.

While nothing out of the ordinary pops up, you can get away with it. The machinery keeps humming. The professionals carry the weight.

But when pressure builds — when wars loom, when adversaries probe harder, when the digital battlefield heats up — competence matters.

Experience matters.

Judgment matters.

Political loyalty and optics don’t stop ransomware.

They don’t harden critical infrastructure.

They don’t defend power grids.

Institutions don’t collapse all at once. They erode. Quietly. Piece by piece. A contract here. A staffing loss there. A temporary appointment that becomes a crisis.

I wrote that CISA was on life support.

What we’re now learning suggests it may have been operating with a self-inflicted wound.

And the bigger question is this:

If this is how we are handling cyber defense in peacetime, what happens when things escalate as they appear to be right now?

And when they do, the country deserves more than political calculations and placeholder leadership.

It deserves adults in the room.

Right now, that’s not what this looks like.


Source: https://securityboulevard.com/2026/02/things-were-even-worse-at-cisa-than-we-thought/