Let’s cut funding to what’s working and then demand more programs??
In April 2025, Erik Nost and team discussed how planned cuts to CISA would have crippled MITRE’s CVE cataloging and recent news shows that even the instability caused by these actions of DOGE have negatively impacted the US CyberSentry program. For a short explanation, CISA’s CyberSentry deploys monitoring modes to voluntarily participating critical infrastructure partners which provides threat intelligence on both IT and OT infrastructure. This intelligence enhances the information shared by organizations like MITRE to improve defensive cybersecurity as well as identify vulnerabilities across all industries. While DHS reviewed CyberSentry related contracts this year, the contract with Lawrence Livermore National Laboratory expired meaning the lab cannot legally analyze the data collected by CyberSentry, introducing new risks into their threat detection and response processes for their infrastructure, but this also means any other companies with contracts for CyberSentry could have the same issues.
While these cuts to CISA are sowing their own levels of chaos, new White House directives on AI security run counter to this reduction as they would necessarily require additional resources to ensure CISA is able to meet the detailed directives. A lot of the AI security guidance is tied to protecting critical infrastructure industries which are rife with Operational Technology (OT) environments including energy generation and transmission, oil & gas production, healthcare, and transportation. This point is important because of how much uncertainty we’re dealing with.
OT requires stable threat detection & response to maintain safe operations
In 2024 we saw what happens when detect & respond offerings go awry in IT infrastructure, but when placed within OT, the risks of unstable threat detection or AI utilization, especially within cybersecurity, can go from loss of business to loss of life. In 2021, Colonial Pipeline shut down operations because malicious actors had compromised components of the IT network and the operators didn’t know if the attackers had the ability to attack the OT environment, so to reduce the risk of something catastrophic, they ceased operations until they could confirm it was safe to come back online.
Any cybersecurity platform used within OT infrastructure must always be accessible to the operators of that environment to maintain safe operations. Operators have to trust the information they’re viewing is accurate and precise, and they need a complete understanding of the risks in their environment before making a decision on their cybersecurity posture. Uncertainty can force the business to take the wrong action which can be as safe as ceasing operations based on false positive alerts, which negatively impacts customers who rely on that service, or maintaining operations based on false negative alerts and this allows an attacker to further compromise that infrastructure. This applies to threat intelligence as well as the use of AI to assist in cybersecurity operations.
Government sponsored cyber risk
A major issue with relying solely on CyberSentry for threat detection is it breaks the model of cybersecurity defense in depth. The same could be said if your only avenue of threat detection was from your network firewalls or your EDR; you’ve concentrated your risk into one program that if unavailable, will leave you vulnerable to attack until you can restore operations or, in a parallel incident, the contract with your security vendor expired and you can no longer access their platform. This isn’t to say that the CyberSentry program is bad, but like any threat detection tool it should be one part of a comprehensive threat detection and response program within your organization and not a sole source.
For AI in cybersecurity, there is certainly a desire to utilize the various AI approaches such as generative, agentic, or explainable within security solutions to replace menial human tasks and provide autonomous functions. While there have already been some genAI adoptions, for critical infrastructure the AI models must be augmented by analyst oversight to weed out hallucinations and incomplete assessments or else operations like patient care or railway service can grind to a halt.
You also need to account for the uncertainty that is inherent in any government-sponsored program because these programs are subject to the whims and demands of the governing bodies, which means it can change after every election cycle which injects programmatic instability and can reduce the trust level of the solution. You should be viewing the actions of the federal government with regards to programs like CyberSentry or guidance on AI as augmenting your primary, secondary, and tertiary methods of threat detection and response and security operations.
Planning the way forward
Our earlier blog discussed the other global initiatives that are working on alternatives to the CISA sponsored vulnerability information and that’s a good thing. While the MITRE CVE cataloging has been immensely beneficial at identifying the endless list of cyberthreats, businesses around the world benefit from multiple parties validating those CVE’s to reduce the risks brought on by consolidation and ensure that disruptions within one program don’t break the whole system. There will be requirements for those who use these sources to validate the intelligence feeds and reduce duplication, but in the long run it adds a level of stability into the risky world of geopolitics.
Connect With Us
If you’re a Forrester client and need assistance in navigating these changes and their implications, we’d love to help. Please reach out and schedule an inquiry or guidance session.
If you want to learn more about be sure to check out my session “Protecting The Global Workforce In A Geopolitically Risky World” at our upcoming Security & Risk Summit in Austin November 5-7. This session is part of the Prevention, Detection, And Response track at the event. Check out the agenda here.
