CISA to prioritize new hires in 2026: report

Following news in June of around 1,000 employee departures and layoffs, the Cybersecurity and Infrastructure Security Agency (CISA) has reportedly reversed course and prioritized new hiring to address cyberattacks facing the nation, including threats from China.

According to Cybersecurity Dive, a November 5 memo from acting CISA director Madhu Gottumukkala revealed plans to expand recruitment efforts and prioritize the hiring of state cybersecurity coordinators and regional cybersecurity advisers. These efforts are designed to ensure continuity of operations in the face of evolving national security risks.

“The recent reduction in personnel has limited CISA’s ability to fully support national security imperatives and administration priorities,” Gottumukkala added in the memo, as reported by Cybersecurity Dive.

Cybersecurity Dive referenced “China continuing to target US and allied critical infrastructure, and experts predicting a crisis in 2027.”

When IT Brew contacted CISA and asked the agency about the memo and its plans for new hires at the agency, CISA Director of Public Affairs Marci McCarthy wrote: “CISA is focused squarely on executing its statutory mission: serving as the national coordinator for securing and protecting the nation’s critical infrastructure and is delivering timely, actionable cyber threat intelligence, supporting federal, state, and local partners, and defending against both nation-state and criminal cyber threats. CISA does not confirm or comment on agency personnel and staffing actions.”

In addition to addressing what Gottumukkala reportedly referred to in the memo as “an approximately 40% vacancy rate across key mission areas,” Cybersecurity Dive explained that CISA also aims to expand its use of recruiting programs like the Department of Homeland Security’s Cyber Talent Management System, as well as partnerships with educational institutions to support cybersecurity expertise in “high-demand industrial control systems and other mission-critical domains.”

“CISA must hire highly qualified professionals by the end of fiscal year 2026 to strengthen the agency’s defensive posture,” the memo stated, according to Cybersecurity Dive.

They spy. Google Cloud Security forecast that “the volume of China-nexus cyber operations is expected to continue surpassing that of other nations” in 2026. The report’s writers, who also predicted cyber threats from North Korea and Iran, expect cyber espionage to continue, noting a particular area of interest in the semiconductor sector “where competition, US export restrictions, and increased demand related to AI adoption may result in espionage.”

Reports this year claimed China-based cyberattackers have targeted US critical infrastructure, including US telecom systems and the US Defense Intelligence Agency.

In May 2023, CISA alerted the public to “Volt Typhoon”—Chinese state-sponsored cyber actors focused on espionage and information gathering.

Campaigns like Volt Typhoon are not ransomware-style attacks but “quiet, patient efforts to gain long-term access inside electric utilities, water systems, transportation networks, maritime operations, telecommunications carriers, and state and local government networks,” Michael Centrella, head of public policy at cybersecurity company SecurityScorecard (and former assistant director of the US Secret Service), wrote to IT Brew in an email. “The goal is to pre-position [themselves] in US systems that could be disrupted during a geopolitical crisis.”

SecurityScorecard, in a Nov. 19 blog post, announced finding a coordinated effort to compromise routers, revealing that the campaign “appears to be a part of a growing set of campaigns from China-linked hackers looking to quietly develop a massive network of infected devices they can use to establish persistent presence and remain hidden.”

Now hiring. Cybersecurity Dive’s story says CISA is prioritizing the hiring of state cybersecurity coordinators and regional cybersecurity advisers. These roles facilitate information sharing and vulnerability assessments, according to Centrella, who, as a former law enforcement leader, saw their importance firsthand.

“We regularly coordinated with them on complex investigative matters, and their ability to connect federal capabilities with local realities consistently made the difference in both preparedness and response,” he wrote.

CISA does not have the statutory authority to compel critical infrastructure managers or states to perform cybersecurity actions. However, the agency can build relationships that foster essential cyber resilience, according to Nick Reese, adjunct professor of emerging technology at New York University in the Center for Global Affairs, who noted the importance of the roles.

“If there is a major incident against critical infrastructure, the first response is going to be at the state or regional level, and you need CISA personnel to have the relationships, to be there on the ground on day one in order to respond to that event,” Reese said.

In the fight against adversaries like China-based threat actors, Reese also stressed the importance of IT professionals having direct relationships with their local and regional CISA office, so the agency can bring its resources to bear to aid in response and recovery.

“What they are targeting is what the IT professionals are protecting.”