Federal funding for the election security ISACs did not just lapse. Senior leaders made a deliberate choice to cut off the Multi-State ISAC (MS-ISAC) and the Elections Infrastructure ISAC (EI-ISAC), long the main conduit for free threat intel, 24/7 monitoring, and hands-on support for state and local election offices.
Every serious adversary just logged that move as a green light.
Ground truth: what actually happened
Facts first, outrage after.
- The Department of Homeland Security and CISA cut roughly 10 million USD in funding for CIS programs that ran EI‑ISAC and MS‑ISAC early in 2025.
- CISA then let the broader cooperative agreement with the Center for Internet Security (CIS) expire on September 30, 2025, ending federal support for MS-ISAC and confirming earlier cuts to EI-ISAC.
- EI‑ISAC stopped receiving DHS funding, and CIS announced the loss of support for the election ISAC on its own site.
- DHS leadership under President Trump fired 12 CISA staff who handled election “misinformation,” paused all election security activities, and tied those steps to an executive order framed as a “free speech” purge.
- CISA messaging now claims a “new model” with direct grants, no-cost tools, and advisors replacing the ISAC structure.
Russian, Chinese, and Persian outlets immediately framed the cuts as dismantling U.S. election defenses rather than as neutral restructuring.
Internal U.S. subversion since 2016: domestic actors as force multipliers
Domestic actors started acting as amplifiers for foreign information warfare during the 2016 cycle and never really stopped. Russian services ran a broad active measures campaign that targeted election infrastructure and social media, while U.S. candidates and partisan media outlets echoed hacked material and conspiratorial narratives when those stories fit their goals.
Over the next eight years, foreign interference blended with a homegrown movement that denied any unwelcome result. Researchers describe the “Big Lie” narrative after 2020 as a nationwide internal disinformation system: political leaders, partisan media, and influencers repeated a stolen‑election story long after courts, recounts, and audits rejected those claims.
That narrative did more than shape beliefs. Stop the Steal organizers drove a wave of harassment and violence, from threats against local officials through a mob that stormed the Capitol on January 6, 2021. Election workers reported death threats, swatting, and stalking, enough to push many out of public service and to force federal prosecutors to set up an Election Threats Task Force.
Internal subversion since 2016 follows a clear pattern. Political elites repeat unfounded fraud claims; right‑wing media and activist networks harden those claims into identity markers; extremists target election officials and voting infrastructure in the name of those myths; then those same elites point to the resulting anger as justification to punish neutral security institutions.
CISA’s Rumor Control page and related partnerships with platforms started as straightforward defenses against false viral stories about ballots and machines. After 2020, partisan pressure and court fights over “censorship” pushed federal agencies to back away from that work, even as Stop the Steal narratives spread further. Lawfare and NPR reporting describe a steady retreat: fewer updates, less contact with platforms, and more legal handcuffs on information sharing.
Election denial then moved from rhetoric into direct efforts to overturn outcomes. Fake elector slates, pressure on state officials to “find votes,” and plans to seize voting machines turned a conspiracy narrative into concrete plots to nullify ballots. That escalation reached a new stage when many participants in those efforts entered the 2025 administration and started steering policy on civil rights and election integrity.
Internal subversion now links directly to the funding cuts for EI‑ISAC and MS‑ISAC. The same movement that framed CISA, DOJ, and social media trust and safety teams as enemies of “free speech” now drives budget and staffing choices that shut down EI‑ISAC, strip tens of millions from MS‑ISAC, fire CISA election staff, and place the Election Threats Task Force under a cloud. Instead of helping foreign actors from Moscow, Tehran, or Beijing smuggle sabotage into U.S. elections, domestic actors handle much of that work by eroding trust, intimidating neutral officials, and dismantling the security infrastructure that election offices built after 2016.
Old model vs “new model”: security downgrade in plain terms
What local officials lost
EI‑ISAC and MS‑ISAC provided:
- Real-time threat intel and cross-state alerts on attacks against election systems and other local networks.
- A 24/7 security operations center that actually watched logs and called small jurisdictions when something looked bad.
- Shared tools such as Albert sensors and monitoring platforms that smaller counties never could afford at market price.
- Election-specific training, tabletop exercises, and guidance on ransomware, DDoS, spoofed election sites, and vendor risk.
Officials did not receive perfect protection, but they did receive coherent, national-scale support focused on low-budget counties and towns.
New model in practice
CISA now promises:
- Grants under broader state and local cybersecurity programs.
- Direct CISA tools and services instead of a CIS-run ISAC.
- Advisor networks and regular security calls.
CIS, meanwhile, moves MS-ISAC and EI-ISAC toward a fee-based membership model with reduced free services for cash-strapped governments.
Simple comparison
| Feature | Old ISAC Model (CIS + CISA funding) | New Model (CISA direct + fee‑based ISAC) |
| --- | --- | --- |
| Cost for small counties | Mostly free or very low cost | Membership fees; grants help only jurisdictions that win the money |
| 24/7 monitoring and alerts | Central shared SOC oriented around local needs | Patchwork: some CISA tools, some state SOCs, large gaps |
| Cross‑state election intel | Dedicated EI‑ISAC channel, vendor involvement | Fragmented, depends on voluntary sharing |
| Staff familiarity | Election offices already trained into ISAC workflows | New tools, new processes, learning curve |
| Focus on election threats | Core mission for EI‑ISAC | One topic among many competing demands |
Security professionals across U.S. media and Russian‑language outlets describe the shift as a major gamble with little upside for defenders.
Security logic: the move fails basic threat math
Adversaries study structure. They love gaps.
Election infrastructure faces:
- Nation-state intrusion from Russia, China, Iran, and aligned contractors.
- Crimeware crews seeking ransom against counties and vendors.
- Domestic extremists who see local election offices as soft targets.
Every one of those actors benefits when thousands of small jurisdictions lose shared monitoring, cheap tools, and standard playbooks.
State and local governments already face ransomware and data theft at an accelerating pace; MS‑ISAC incident data and independent reporting show constant attacks against schools, counties, and utilities.
Federal leadership responded by stripping away the one structure designed to help low-resource defenders see attacks early and answer together.
That decision does not follow any serious risk-based logic. It follows politics.
Motives: what the pattern suggests
Direct evidence of intent stays murky, but patterns speak loudly.
Ideological hostility to federal election guardians
Trump and allies frequently attacked CISA and EI‑ISAC from 2020 onward, especially after CISA officials defended the integrity of that election.
Recent actions line up with a long campaign to:
- Erase or punish institutions that pushed back against “stolen election” narratives.
- Rebrand election security as “federal censorship” rather than defense against foreign and domestic interference.
Russian and Chinese commentary openly connects funding cuts with Trump’s promises to dismantle “censorship” and investigations into foreign interference.
Shifting costs downward on purpose
Axios, NACo, and trade press coverage describe a budget strategy that moves responsibility to states and localities while cutting federal outlays.
That shift hits exactly where defenses stay weakest:
- Rural counties with perhaps one overworked IT generalist.
- Small towns that share a part-time clerk as “election administrator.”
- Tribal jurisdictions and underfunded municipalities.
Adversaries do not need to break a hardened national system. They need one unpatched county that still connects to statewide voter registration systems or election-night reporting systems.
Symbolic purge of “election police.”
DHS fired the specific CISA staff who monitored election misinformation and disinformation, and paused all election security activities pending review.
Those staff did not run censorship. They tracked obvious foreign campaigns, fake election websites, and platform abuse, then passed information to platforms and state officials. That function aligned closely with standard counter-disinformation practices everywhere from NATO to Taiwan.
Federal leadership treated that work as political heresy and smashed the supporting structure.
Who benefits, who loses
Winners and losers table
| Actor group | Effect of ISAC funding cuts |
| --- | --- |
| Russian, Chinese, and Iranian services | More uncoordinated U.S. defenses, slower cross‑state detection |
| Cybercrime crews | Weaker monitoring, fewer shared indicators of compromise |
| Domestic extremists | Less unified tracking of threats to election workers and offices |
| Large, rich states | Enough budget to build alternatives, though with duplication and waste |
| Small, poor jurisdictions | Shrinking access to monitoring, tools, and expert support |
| CIS and MS‑ISAC | Forced into awkward fee model, less reach to the weakest members |
| CISA leadership | Temporary ideological win, fewer internal enemies |
| U.S. voters | More risk of disruption, confusion, and contested results |
Russian coverage already frames the move as proof that U.S. elites care more about internal power struggles than about secure elections.
A Chinese analysis notes the loss of real-time threat exchange and calls EI-ISAC and MS-ISAC “irreplaceable” for local election offices.
Arabic and Persian outlets describe EI‑ISAC in the past tense as a central hub that once helped thousands of local jurisdictions share technical threat data during elections.
Adversaries did not need to run an operation to achieve this outcome. U.S. politics did the job for them.
Effects on disinformation and cognitive warfare
Election security no longer revolves only around firewalls and patches. Attackers blend hacks, leaks, fake results, and intimidation.
Recent examples include:
- AI-generated fake election results in Utah forced the lieutenant governor to warn voters in real time.
- Longstanding foreign operations that seed doubt about U.S. elections, then amplify every domestic controversy.
EI‑ISAC and related CISA efforts gave election officials:
- Early warning when fake county or state election sites popped up.
- Shared guidance on handling hacked information and forged documents.
- Standard playbooks to talk to the public during an incident.
Federal leadership dismantled that structure, fired the staff who monitored the information space, and then framed the wreckage as a victory for “free speech.”
Adversary information operations now face a fragmented, underfunded set of local officials, many of whom lack full-time security staff. That imbalance favors attackers in every engagement.
How public officials adapt: realistic paths, ugly tradeoffs
State and local officials do not have the luxury to sulk. They must adapt right now, even under protest.
Fragmented substitutes
Likely pattern in coming cycles:
- Large states and big cities build or expand state SOCs, deploy state-funded sensors, and buy private threat‑intel feeds.
- Mid-size jurisdictions scramble for CISA grants, which flow through slow federal processes and state politics.
- Small towns quietly drop out of collaborative monitoring because membership fees and integration costs exceed their capacity.
That pattern hands adversaries a patchwork. They probe for the weakest node in each state, then pivot through vendors, third-party providers, and shared services.
State-driven ISAC clones
Some policy shops already encourage states to form regional or state-level information-sharing hubs to partially replace EI-ISAC.
Those efforts help, but they suffer from:
- Loss of economies of scale; fifty miniature ISACs burn far more staff and money.
- Gaps at state borders, where cross-state operations lose a unified view.
- Unequal quality; rich states may build strong centers, poorer states lag.
Quiet dependence on CIS tools anyway
Even without federal funding, many jurisdictions will still rely on CIS best‑practice benchmarks, shared services, and community forums.
Fee pressure will push CIS to favor paying members. That incentive structure directs more support toward already better-resourced entities.
That is precisely the opposite of the resource flow that serious national defense demands.
Adversary exploitation: Russia, China, Iran
Analysts inside Moscow, Beijing, and Tehran do not miss signals like this funding cut.
Russia
Russian outlets are already running stories with headlines such as “The U.S. switches off election protection systems- what next?” that link CISA’s pause of election activities and funding cuts to Trump’s free speech order.
The narrative lines up as:
- U.S. elections lack stability.
- The federal government fights internal enemies more than foreign interference.
- American claims about foreign meddling sound hypocritical.
That story supports Russian information operations everywhere, including in Europe and the Global South.
China
Chinese cybersecurity media spells out that DHS terminated funding for CIS, which ran EI‑ISAC and MS‑ISAC, and then notes that Trump’s government suppressed investigations into election security.
Analysts quoted there describe ISACs as providing real-time threat sharing that local election offices cannot replicate on their own. Adversary planners read that line and see opportunity.
Iran and regional audiences
Persian and Arabic content aimed at Middle Eastern audiences explains EI‑ISAC’s function in plain terms: a hub that connected thousands of local U.S. jurisdictions and vendors for 24/7 threat exchange.
Narrative for that audience:
- U.S. rhetoric about democracy rings hollow.
- U.S. leaders willingly degrade protections for their own voters.
That narrative helps Iranian information operators push the idea of U.S. decline and dysfunction.
Federal leadership just:
- Removed a proven structure that helped the weakest defenders.
- Replaced it with vague promises, grant paperwork, and scattered services.
- Fired the staff who understood election threats best.
- Gifted foreign and domestic adversaries a propaganda and operational win.
No serious defender requested that trade.
Every honest risk assessment of U.S. elections over the past decade stressed exactly the opposite: more shared monitoring, more information sharing, more stable funding, more continuity.
The cut does not represent strict prioritization. It represents ideological vandalism against national security plumbing that worked reasonably well for low-resource defenders.
Election officials will improvise, because they must. Some rich states will muddle through. Attackers only need the softest county in each network.
Adversaries are studying that map right now.
