FEDERAL MALFEASANCE
The United States has no permanent leadership at NSA/Cyber Command, CISA, or DHS. CISA — the agency responsible for defending hospitals, water systems, power grids, and election infrastructure from cyberattack — has lost its director, its nominated replacement, and one-third of its entire workforce. This happened while Iran, Russia, and China are running active cyber operations against US infrastructure. SC World called it “malfeasance.”
JPMorgan spends $700 million a year on cybersecurity. Goldman Sachs employs thousands of security engineers. They will be fine.
Your water system does not have a $700 million budget. Your rural hospital does not have a SOC. Your county election office does not have a threat intelligence team. These institutions relied on CISA for threat notifications, vulnerability alerts, and incident response. CISA is now gutted, leaderless, and dark.
How It Happened
Gen. Timothy Haugh — NSA Director / CYBERCOM Commander
Fired in February 2025. The NSA director and commander of US Cyber Command — America’s top signals intelligence and cyber warfare officer — was removed on the advice of Laura Loomer, a far-right activist with no security clearance, no military background, and no government role. Haugh had overseen operations against Russian and Chinese cyber intrusions. No permanent replacement has been named.
Srinivas Gottumukkala — Acting CISA Director
Fired after reports surfaced that he used ChatGPT on a government device. Gottumukkala had replaced Bridget Bean, who herself replaced Jen Easterly (who departed on inauguration day). The top CISA job has turned over three times in less than three months. The agency’s election security and critical infrastructure protection teams have been particularly hard-hit by staff cuts.
Sean Plankey — CISA Director (nominated)
The administration’s own nominee for permanent CISA director was escorted out of the building before his confirmation. Plankey, a former DOE cybersecurity official and combat veteran, was walked out of CISA headquarters under unclear circumstances. His nomination has not been formally withdrawn, but he has no access to the agency he was nominated to lead.
Kristi Noem — DHS Secretary
Fired while testifying before Congress in March 2025. Noem — CISA’s parent-agency secretary — had called CISA “a mess” and signaled major restructuring even before her removal. Her firing left DHS, the umbrella agency for all domestic cybersecurity and infrastructure protection, without confirmed leadership during the peak of the Iran crisis.
CISA Workforce — 33% Reduction
Approximately 500 CISA employees — roughly one-third of the agency — have been cut through a combination of firings, voluntary departures, and RIF (reduction in force). The cuts disproportionately hit election security specialists, critical infrastructure liaison officers, and the Hunt and Incident Response Team (HIRT) that deploys to help organizations during active cyberattacks.
The Laura Loomer Problem
The single most damning fact in this investigation: the firing of America’s top cyber warrior was initiated by a civilian activist with no security clearance, no military experience, and no government position.
A Social Media Influencer Directed National Security Firings
Laura Loomer, known for far-right conspiracy theories and anti-Muslim rhetoric, reportedly convinced President Trump to fire Gen. Timothy Haugh during a visit to Mar-a-Lago. Loomer has no expertise in cybersecurity, signals intelligence, or military operations. She has no security clearance. She holds no government position. Yet she successfully orchestrated the removal of the four-star general commanding America’s entire cyber defense apparatus — a dual-hatted role leading both NSA and Cyber Command — at a time when those agencies were actively engaged in operations against Russian, Chinese, and Iranian cyber threats.
What They Left Undefended
Rural Hospitals
Small and rural hospitals are among the most targeted entities in ransomware campaigns. They lack dedicated IT security staff and relied on CISA’s free vulnerability scanning, threat alerts, and incident response. In 2024, Change Healthcare’s ransomware attack disrupted claims processing for thousands of providers. With CISA gutted, the next attack will find no federal cavalry coming.
Municipal Water Systems
In late 2023, Iranian-affiliated hackers (CyberAv3ngers / IRGC) breached a water authority in Aliquippa, Pennsylvania, targeting Unitronics PLCs. CISA issued alerts, coordinated response, and helped other water utilities check for similar compromises. With CISA’s critical infrastructure teams gutted, the approximately 50,000 community water systems across America — most run by small municipalities with minimal IT staff — are on their own.
Election Infrastructure
CISA’s election security program — built after the 2016 Russian interference campaign — provided free security assessments, phishing training, and threat briefings to state and local election officials. This program has been a specific target of cuts and political hostility. With midterms approaching and nation-state adversaries actively probing, county election offices that relied on CISA’s Albert sensors and vulnerability scanning are losing their early-warning system.
Small Power Cooperatives & School Districts
Rural electric cooperatives (serving 42 million Americans) and the approximately 13,000 public school districts nationwide share the same vulnerability profile: limited IT budgets, legacy systems, and dependence on CISA for threat intelligence and incident response. The 2021 Colonial Pipeline attack showed what happens when critical infrastructure gets hit. The difference now: there’s no CISA to coordinate the response.
Active Threat Landscape
This leadership vacuum exists during the most active period of nation-state cyber operations against the United States in history.
Iran — Active Offensive Cyber Operations
Iranian APT groups (including MuddyWater, APT33/Elfin, and CyberAv3ngers) have demonstrated capability against US water systems, healthcare, and energy infrastructure. Following the US strikes on Iran in Operation Epic Fury, Iranian cyber retaliation is not a hypothetical — it is expected. Iran has already proven it can reach US operational technology. With CISA’s HIRT gutted, incident response capacity is severely degraded.
Russia — Deepening Iran Alliance + Active Campaigns
Russia continues to operate Sandworm (GRU Unit 74455) and APT29 (SVR) against US and allied networks. The Russia-Iran military alliance has deepened since Iran’s drone sales for Ukraine, raising the possibility of coordinated cyber operations. Russia’s 2020 SolarWinds breach reached the Treasury, Commerce, and Homeland Security departments. No one has replaced the leadership that detected and responded to that intrusion.
China — Salt Typhoon + Volt Typhoon: Pre-Positioned in US Infrastructure
Salt Typhoon penetrated at least nine US telecommunications companies, accessing call records and potentially wiretap systems. Volt Typhoon pre-positioned itself in US critical infrastructure — water, energy, communications — for potential disruption during a Taiwan crisis. FBI Director Wray called Volt Typhoon “the defining threat of our generation.” The teams at NSA and CISA that tracked these intrusions are now leaderless or gone.
Banks Can Defend Themselves. Your Town Cannot.
JPMorgan Chase spends over $700 million annually on cybersecurity and employs 12,000+ technology staff. Large financial institutions, defense contractors, and tech companies have in-house SOCs, threat intelligence teams, and the budgets to defend themselves. The entities that depended on CISA — small municipalities, hospitals, schools, election offices, water utilities — have none of this. The cybersecurity leadership vacuum is a class-based vulnerability: it hurts the organizations least able to defend themselves.
The Replacement Problem
Even if leadership positions were filled tomorrow, the damage is structural. Cybersecurity leadership at this level requires deep institutional knowledge, established relationships with international partners, and security clearances that take months to process.
Institutional Knowledge Cannot Be Replaced by Political Appointees
Gen. Haugh had decades of signals intelligence experience and relationships with Five Eyes partners (UK GCHQ, Australian ASD, Canadian CSE, New Zealand GCSB). Jen Easterly built CISA’s Joint Cyber Defense Collaborative from scratch, establishing information-sharing agreements with hundreds of private-sector companies. The CISA staff who were cut included specialists with years of relationships with state election officials, water utility operators, and hospital IT teams. These relationships — built over years through trust — cannot be replaced by political appointees parachuted in.
“You cannot simply hire new people and expect them to have the relationships, the institutional knowledge, the security clearances, and the operational understanding that comes from years of service. The damage is not just about vacancies — it’s about the destruction of capability that took a decade to build.”
— Former senior CISA official, via CyberScoop
iran.hexxa.dev · Updated Mar 6, 2026, 06:15 PM CST · Sources indexed: 246