Recently, a prominent think tank offered up its recommendations for the next U.S. president to shore up the cybersecurity posture of the United States.  Titled, “Securing America’s Digital Future: A Bipartisan Cybersecurity Roadmap for the Next Administration”, the report provides nearly 40 recommendations to better position the country to address current and future cyber threats.  The underlying message driving the publication of this report is clear:  cybersecurity must be a priority for the next president regardless of which part of the aisle they represent.  This is important given that cybersecurity is party agnostic, and while targeting a particular party may influence on how some threat actors go about their operations (e.g., nation states, hacktivist proxies), there is little question that the nation’s cybersecurity should be paramount given the general acknowledgement that cyber technologies will only play an increasing role in the operations of both the public and private sectors effecting regular citizens worldwide.

The recommendations seem logical and practical and have largely been recurrent themes in the discourse of cybersecurity, playing out in cybersecurity strategies, executive orders, and public official talking points.  The report may be new, but the considerations expressed therein are not.  The recommendations are folded under eight guiding principles: 1) Unifying the Regulatory Landscape; 2) Strengthening the Government’s Role in Cybersecurity Coordination; 3) Deterrence and Cost Imposition in Cyberspace; 4) Increased Cybersecurity Resilience; 5) Navigating International Cyber Challenges; 6) Building the Cyber Work Force; 7) Protecting Critical and Emerging Technologies; and 8) Increasing Cybersecurity Resources. 

Indeed, the list of contributors is a who’s who of senior government officials previously linked to government efforts and strategies, and many of which are now in the private sector in leadership positions.  The emphasis that the report’s recommendations are bipartisan in nature is a curious distinction to make, as if cybersecurity in and of itself has been a partisan issue that has been progressed or hindered based on party, and not a topic that has demanded government attention for a substantial period of time.  Regardless, many of the recommendations are reflective of what’s been expressed, correctly indicating that such goals need to be consistently pursued and cannot be satisfied in a “one and done” approach of fixing a problem.

Most of the guiding principles are familiar having been frequently socialized in public and private circles as necessary initiatives to increase cyber resiliency.  For example, there has been increased attention placed on the U.S. cybersecurity workforce, not just for the government but the public sector as well.  This has been recently outlined in a June 2024 hearing on the United States’ Cyber Workforce Shortage, as well as an April 2024 World Economic Forum white paper “Strategic Cybersecurity Framework,” which stated that there was currently four million cybersecurity professionals needed to “plug the gap” in the global cybersecurity industry.  While this has been an ongoing issue for a couple of years, during the same span of time there have been instances where companies were actually laying off cyber professionals rather than hiring them in an effort to reduce costs.  This seemingly contradictory messaging no doubt requires a more comprehensive study to determine why such a discrepancy exists.

Another common theme has been increased cooperation between the public and private sectors, which always seems to culminate in the need for the government to become more involved in what industries are doing, even though criticismspersist that the government isn’t doing its fair share in this regard.  One of the key recommendations under this principle is to enhance mechanisms for the sharing of classified information with the private sector.  This has long been a concern among private sector stakeholders and seems a frequent critique from year to year, with minimal progress made to reduce enough bureaucratic red tape to finally address this shortcoming once and for all.

One that bears more notice is the recommendation of developing a more formal offensive cyber policy, which would further solidify and codify the United States intent to engage in hunt-forward operations.  And while this certainly imposes punishment on cyber threat actors for their malfeasance, there is little literature correlating these activities to actually improving the nation’s cybersecurity readiness.  The voluminous number of attacks from myriad cyber threat actors ae still enduring regardless of how much infrastructure is taken down, or operations temporarily disrupted.  And while it would appear that the United States has met operational objectives with these active defense cyber activities, it does beg the question of how other countries will respond to them in the future, and if they will seek to replicate them and use them in kind.  Hopefully, the new administration will take into account that the world is as dynamic as cyberspace and expect that adversaries will react the same way tomorrow as they did yesterday.  This recommendation seems less about cybersecurity and more about embracing offensive activities under the moniker of “active defense.”

Overall, the recommendations are sound, if not a bit predictable.  Most of them need to be done because they always need to be done, and the more advanced and integrated cyber technologies become, the longer they are not instituted exacerbates our cybersecurity posture.  Though the nearly 40 recommendations are comprehensive, they are also cumbersome.  There are so many targets to hit that efforts may be spread thin to address them.  Additionally, it might be a mistake if the next President repeat the same steps as previous administrations, especially when it comes to trying to prioritize such an extensive list.  If presidents keep starting at the top of the list, there is little hope that other areas will ever be addressed satisfactorily.  Therefore, the next administration may want to focus on three areas of cybersecurity that would have a more direct impact on shaping the cybersecurity landscape of the United States.

• Data Privacy Must Be Paramount.  Many different cybersecurity bills have been circulating around Congress, most with limited success so far.  The new Administration may want to work with a bipartisan committee to enact a national Data Privacy Law.  While some initiatives have been underway via an Executive Order and now with CISA proposing a set of requirements directed by that E.O., it is not enough.  If cybersecurity is to be a priority, it must be done by the whole of government – backed by the Executive Office, drafted and implemented by the Legislature, and protected by the Judiciary.  Microsoft recently reported that its customers faced on average 600 million cyber attacks a day, ranging from phishing to more complex ransomware and cyber espionage campaigns.  And while the overwhelming majority of these would likely not be considered potentially catastrophic or even grave, the fact remains that the sheer escalation in volume of attacks are being directed at people moreso than organizations.

• Empower and Incentivize Industries to Develop Standards.  Despite the efforts of organizations like NIST to provide guidelines for better cybersecurity standards and practices, they remain largely voluntarily.  It’s time for the government to incentivize industries to develop their own standards for those stakeholders falling under their umbrellas.  They can certainly work with NIST and CISA, but the onus of responsibility needs to be set firmly on the shoulders of the industries themselves.  Incentivizing them should encourage industries to adopt the practices set forth by their own industry, and a coalition of industry-specific leaders should be positioned to not only make sure standards are being adopted by their respective stakeholders, but also hold those that fail to meet metric milestones accountable in a way that makes sense to that particular industry.

• Embrace Cyber Sovereignty – and Hold Governments Responsible.  Despite United Nations agreements recognizing that existing international law applies to cyber operations, no significant headway has been made with respect to codifying cyber norms of state behavior in cyberspace.  The status quo benefits states to continue to use and abuse cyberspace that suits their interests.  Backing cyber sovereignty puts full responsibility on the governments for what cyber activities occur from within or traverse through their borders whether they be state operations (e.g., disruptive attacks against critical infrastructures), hacktivist proxies (e.g., what’s been seen in the Ukraine conflict), or cybercriminal activity (e.g., ransomware gangs).  Governments providing havens for these nonstate actors would be held accountable for their activities, and the global community as a whole exerting influence and pressure via sanctions or other diplomatic means for not policing their borders at the expense of the global community.

As with risk management, the way forward for the next Administration is to selectively prioritize cybersecurity initiatives based not only on vulnerability and consequence, but a realistic capability to complete a project.  Everything can’t be held with the same importance lest it lowers the threshold of what importance means.  Many of the recommendations in the report are things we have heard expressed before in the past.  That is not to say they are not needed; they clearly are.  But perhaps the new Administration should consider a new angle to start tackling these areas. Instead of running the same playbook, a more advantageous approach would be choosing the most essential issues to focus on first that would deliver the biggest bang for the buck, and whose results could be measured to gauge their effectiveness.  And when it comes to cybersecurity, that starts with putting people’s needs first instead of kicking them down the road for someone else to figure out.