America’s enemies are growing bolder and more sophisticated in cyberspace. To fend them off, the government must stop unilaterally disarming.

Two recent reports underscore the danger. In mid-October, Seattle-based cybersecurity firm F5 Inc. acknowledged a “catastrophic” breach of its systems, which may have allowed Chinese hackers to penetrate networks used by federal agencies and Fortune 500 companies. Less than a week later, a congressionally mandated watchdog, the Cyberspace Solarium Commission, warned that US cyber readiness had for the first time regressed since the body was formed five years ago. Nearly a quarter of the group’s recommendations judged to have been “fully implemented” had lost that status.

Much of the damage has occurred at the Cybersecurity and Infrastructure Security Agency, responsible for coordinating defense of the nation’s civilian networks. Launched in 2018, the agency has generally won plaudits for helping secure election systems around the country, providing early warning of attacks, and helping companies and infrastructure managers bolster their cyberdefenses. Since January, the agency has lost nearly a third of its personnel — including most of its senior staff — to layoffs, buyouts and early resignations. About two-thirds of the remaining employees were furloughed during the government shutdown, while others have been transferred to agencies focused on deportations. At one point, fewer than 900 were still on the job.

Meanwhile, a key law offering liability protections to companies when they share information about attacks with the government and each other lapsed temporarily, slowing down potential responses. While Congress has revived it through the end of January, a long-term fix is still needed. The administration’s proposed budget for 2026 would slash nearly $500 million from CISA’s funding, further shrinking collaboration with states and companies, as well as education and training programs.

Although the White House defends the cuts as streamlining the agency’s mission, cybersecurity professionals and members of the Cyberspace Solarium Commission are alarmed. Artificial intelligence tools threaten to supercharge the capabilities of criminals and US adversaries even as, according to the commission’s new report, the “nation’s ability to protect itself and its allies from cyber threats is stalling and, in several areas, slipping.” States and infrastructure operators can’t easily replicate the resources and bird’s-eye view of the federal government, nor can they play the same coordinating role. If that delays responses to hacks of critical systems, including energy grids and hospitals, attacks could swiftly cascade.

Congress should heed the warnings of its own commission. The information-sharing law in particular has widespread support across both sides of the aisle and across industry. It should be extended beyond January, and a replacement found for the public-private council that formerly allowed industry to discuss sensitive security information with the government.

When legislators finally get around to drawing up a new budget for next year, they should also restore funding and staffing for CISA, preferably on a multiyear basis to insulate the agency against future shutdowns. While it may be difficult to restock the ranks with experienced professionals given more lucrative private-sector opportunities, the government should at least strive to retain those that are left and to restore the pipeline for new recruits.

Threats to the nation’s digital networks are not going to shrink. Neither should the agency tasked with helping to defeat them.

____

The Editorial Board publishes the views of the editors across a range of national and global affairs.

©2025 Bloomberg L.P. Visit bloomberg.com/opinion. Distributed by Tribune Content Agency, LLC.