How did the United States get so dangerously behind on cybersecurity? From China’s hack of the Office of Personnel Management to the SolarWinds attack to the shutdown of Colonial Pipeline due to ransomware, bad actors have regularly sliced through meager U.S. defenses. Should such an attack breach our power grid, the damage could be devastating.

One reason for this weakness, albeit not the only one, is the government’s inability to attract and retain top talent. The federal government’s cumbersome and misguided process for political appointees is part of the problem. The system is supposed to give Congress oversight control, but too often it leaves critical positions open, creates discontinuity and hampers the government in emergency response situations.

The Office of Cybersecurity, Energy Security and Emergency Response (CESER) might not be well-known, but it is a critical entity within the Energy Department that is in charge of responding to natural and man-made emergencies impacting our power — from the Texas electric grid disaster to the pipeline hack. Considering the fleet of weather-related disasters and the rampant cybercrimes threatening our energy security, one would think a seasoned professional with years of experience would remain at the helm, even when administrations come and go. That would be wrong.

Thanks to the previous administration, the head of the office is a political position. That administration selected Karen S. Evans for the slot, despite her slight experience and poor management skills. She was confirmed as head of CESER in 2018. She lasted less than two years. Things got so bad that the inspector general found hundreds of millions of dollars unaccounted for due to a “lack of established internal controls.” After she left in February 2020, the position remained without a confirmed replacement. Not surprisingly, resignations plagued this key office. It fell to President Biden’s energy secretary, Jennifer Granholm, to revive the office.

The Biden administration came in with a commitment to strengthen cybersecurity and protect our electric grid, requesting a 30 percent budget increase for CESER. Granholm found someone to run the office: Puesh M. Kumar, who has years of private- and public-sector experience. He is the sort of person one would want running the agency regardless of party — and to continue running it even when administrations change hands. And if he does leave, the position certainly should not remain vacant as the confirmation process drags on for months.

That is precisely what Granholm is asking Congress to consider. At a June Senate hearing, Granholm engaged in a back-and-forth with Sen. Angus King (I-Maine), who urged that pipeline security be centralized and elevated. He asked whether CESER’s leadership should be bolstered and whether it should remain an assistant secretary post. That is the last thing we should do. As Granholm explained, “Since CESER was established, about half its existence has been without leadership because it is a political position.” If you really want to elevate the position and the work CESER does, it should look like other emergency response entities where key posts are filled by career experts.

This is one small example of how critical functions of government would benefit from being removed from the political confirmation process. Max Stier, head of the Partnership for Public Service (which partners with The Post to track nominations and confirmations), has long advocated reducing the astonishing 4,000 or so political slots, more than 1,200 of which require Senate confirmation. “Simply put, the Senate is a small pipe down which we are trying to force too much material. Predictably, it is now clogged,” he wrote in a recent piece for Bloomberg. Do all these positions really need Senate confirmation? Given the discontinuity, unfilled leadership spots and cronyism that can undermine an agency or department without proper leadership, the answer is almost certainly no.

In testimony before the House Committee on Homeland Security’s subcommittee on cybersecurity, infrastructure protection, & innovation on Thursday, Stier listed a number of challenges that have hampered cybersecurity, from recruitment to retention to diversity. He also told members, “Congress also should hold political and career federal leaders accountable not only for owning policy but also for the organizational health of their agencies. In many cases, agencies and bureaus could benefit from career executives at the helm — nonpartisan, professional leaders who can provide needed stability and deep expertise.” He specifically cited CESER and urged Congress to “consider reducing the number of political appointees and creating more opportunities for career experts to lead.”

Should lawmakers ignore his plea, expect more empty slots, more reliance on “acting” officials, a loss of continuity of government and a greater risk that someone drops the ball at a critical time. The 9/11 Commission, for example, found that failure to have the requisite political positions in place contributed to the breakdown in communication and security lapse that allowed the catastrophic attack to happen.

“Cyber and emergency response should be depoliticized. The growing threats from cyberattackers and climate change mean that our energy system needs stable, professional leadership at the helm of DOE’s CESER office,” Tarak Shah, Energy Department chief of staff, told me. “It’s a matter of when, not if, our country will face the next major cyberattack on our power sector, and at that moment, it’s incumbent on all of us to ensure we have technical experts at the helm with the requisite institutional knowledge.”

Granholm has it right. Congress should not only follow her advice on CESER but also start combing through the federal government to pare down its ludicrous list of political appointees.