This review is crucial for understanding the current state of our cybersecurity laws and identifying areas where they fall short. It should examine not only sector-specific regulations but also overarching laws that impact cybersecurity, such as privacy laws, data protection regulations, and national security statutes. Importantly, this review must include an examination of sector-specific laws and regulations that, while not explicitly designed for cybersecurity, are currently being leveraged or extended to address cyber issues. The review should assess the effectiveness and appropriateness of using these non-cybersecurity-specific regulations to enforce cyber rules, considering the challenges observed in recent implementation efforts.

The review should pay particular attention to definitions and concepts that may have become outdated due to technological advancements. For instance, it should reconsider how we define critical infrastructure in the digital age, taking into account not just traditional sectors but also emerging critical digital assets and services.24 This approach will help identify where existing laws are being stretched beyond their original intent.

In light of the Loper Bright decision, this review becomes even more critical as it appears that agencies can no longer rely on broad interpretations of ambiguous statutes. Therefore, the review should focus on identifying areas where statutory language needs to be more precise to withstand potential legal challenges and where new, purpose-built cybersecurity legislation may be necessary.

The United States is facing a critical challenge when it comes to the harmonization of our cybersecurity regulatory frameworks. This challenge goes beyond the desire for bureaucratic streamlining in that it plays a critical role in ensuring the nation’s cybersecurity resilience. Further, harmonization will also better promote innovation and help us maintain our global competitive edge. U.S. cybersecurity regulation is a patchwork of laws, regulations, rules, and standards that have evolved incrementally over time in response to specific crises or by addressing more narrow sector-specific needs. This fragmented approach has led to a complex, overly burdensome, and sometimes contradictory regulatory environment that can hinder our collective cybersecurity efforts.

Several factors drive the need for harmonization. First, the nature of cyber threats is inherently cross-sectoral and transnational. A vulnerability in one sector can quickly become a point of exploitation that affects multiple industries and even national security. Second, the rapid pace of technological advancement often outstrips the ability of traditional legislative and regulatory processes to keep up, leading to outdated or ineffective rules. Third, the increasing interconnectedness of our digital infrastructure means that inconsistencies in cybersecurity practices across different sectors or jurisdictions can create systemic vulnerabilities.

One of the primary challenges in the current regulatory landscape is the lack of a comprehensive, up-to-date statutory framework that addresses the full spectrum of cybersecurity issues. Many of our existing laws were written in an era when the internet was in its infancy, and the concept of widespread cyber threats was barely understood. Moreover, some regulations currently applied to cybersecurity were originally intended for other purposes, such as safety or privacy. As a result, these laws and regulations often struggle to address modern cybersecurity challenges effectively. This situation not only calls for harmonization of existing rules but also necessitates a public debate on where new, purpose-built cybersecurity regulations are needed rather than simply extending the scope of outdated laws. For instance, the definition of what constitutes a "U.S. person" in the context of IT systems and data remains ambiguous, creating difficulties in applying laws consistently in our increasingly digital world.

The challenge of harmonization is further complicated by the reality of our interconnected digital world. We live and work in blended ecosystems that combine regulated, non-regulated, and partially regulated technologies, all interacting in complex ways. This interconnectedness demands the effective integration of multiple regulations, standards, and guidelines to ensure comprehensive cybersecurity coverage without gaps. Moreover, while technology is inherently global, regulations remain largely national or regional. Global alignment is primarily achieved through international standards bodies, whose work is then implemented in national-level requirements. This disparity underscores the need to strengthen the linkage between standards and regulations in terms of strategy, focus, and resourcing. Any harmonization effort must, therefore, not only address domestic regulatory inconsistencies but also consider how U.S. regulations align with global standards and practices.

It's important to acknowledge that some agencies, like the Cybersecurity and Infrastructure Security Agency, are responsible for multiple critical infrastructure sectors without having direct regulatory authority. This creates a unique challenge for CISA, which is tasked with coordinating cybersecurity efforts across nine sectors but lacks the regulatory tools to enforce standards or requirements.

This lack of clarity extends to the authorities and responsibilities of various government agencies in cyberspace. The distinctions between military, intelligence, and law enforcement operations in the digital realm are often blurred, leading to potential gaps or overlaps in response capabilities. This situation is further complicated by the fact that cybersecurity threats often require a coordinated response from multiple agencies, each operating under different legal frameworks and constraints.

Additionally, the current regulatory environment significantly burdens organizations, particularly those operating across multiple sectors or jurisdictions. These entities often find themselves navigating a maze of different and sometimes conflicting, cybersecurity requirements. This not only increases compliance costs but can also lead to a focus on meeting specific regulatory requirements rather than addressing the most critical security risks.

The challenges extend beyond our borders. In an interconnected global economy, inconsistencies between U.S. cybersecurity regulations and those of our international partners can create barriers to collaboration and information sharing. This is particularly problematic given the transnational nature of many cyber threats and the need for coordinated international responses.

The recent Supreme Court decision in Loper Bright Enterprises v. Raimondo, which overturned Chevron's deference, has added a new layer of complexity to this harmonization effort. This ruling potentially reduces the ability of regulatory agencies to interpret and implement cybersecurity laws, making it even more crucial for Congress to provide clear, specific guidance in legislation.

In light of this new judicial landscape, there is a growing need for enhanced technical expertise within Congress to craft precise and effective cybersecurity legislation. The lack of an Office of Technology Assessment or a similar entity capable of providing non-partisan, technical analysis to lawmakers is increasingly apparent. Restoring the OTA or establishing a comparable body could significantly aid Congress in understanding complex cybersecurity issues, thereby improving the quality and specificity of cybersecurity laws. This support is crucial in an environment where regulatory agencies' interpretive authority has been curtailed, necessitating more detailed and technically sound legislation from Congress. Such an entity could bridge the gap between rapidly evolving cyber technologies and legislative understanding, ensuring that our laws keep pace with the dynamic cybersecurity landscape.

To address these challenges, we propose a series of recommendations aimed at harmonizing and modernizing our cybersecurity regulatory and statutory framework:

Based on the comprehensive review, new legislation should be proposed to modernize our cybersecurity legal framework. This could include updating key definitions, creating new categories of cyber offenses, establishing clearer jurisdictional boundaries for cyber operations, and providing new tools and authorities for cyber defense and incident response. The legislation should be forward-looking, anticipating future technological developments and creating flexible frameworks that can adapt to emerging threats. Given the new judicial environment, legislation must be more detailed and prescriptive than in the past. Lawmakers should work closely with cybersecurity experts to ensure that statutory language is both technically accurate and legally robust.

This legislative approach should consider incorporating safe harbor provisions that offer legal protections to organizations that implement prescribed cybersecurity standards or best practices. Such provisions can encourage proactive cybersecurity measures by providing clarity on compliance expectations and mitigating concerns about potential liabilities, thereby making new regulations more palatable to the business community while enhancing overall cyber resilience.

The United States is facing a critical challenge when it comes to the harmonization of our cybersecurity regulatory frameworks. This challenge goes beyond the desire for bureaucratic streamlining in that it plays a critical role in ensuring the nation’s cybersecurity resilience. Further, harmonization will also better promote innovation and help us maintain our global competitive edge. U.S. cybersecurity regulation is a patchwork of laws, regulations, rules, and standards that have evolved incrementally over time in response to specific crises or by addressing more narrow sector-specific needs. This fragmented approach has led to a complex, overly burdensome, and sometimes contradictory regulatory environment that can hinder our collective cybersecurity efforts.

Several factors drive the need for harmonization. First, the nature of cyber threats is inherently cross-sectoral and transnational. A vulnerability in one sector can quickly become a point of exploitation that affects multiple industries and even national security. Second, the rapid pace of technological advancement often outstrips the ability of traditional legislative and regulatory processes to keep up, leading to outdated or ineffective rules. Third, the increasing interconnectedness of our digital infrastructure means that inconsistencies in cybersecurity practices across different sectors or jurisdictions can create systemic vulnerabilities.

One of the primary challenges in the current regulatory landscape is the lack of a comprehensive, up-to-date statutory framework that addresses the full spectrum of cybersecurity issues. Many of our existing laws were written in an era when the internet was in its infancy, and the concept of widespread cyber threats was barely understood. Moreover, some regulations currently applied to cybersecurity were originally intended for other purposes, such as safety or privacy. As a result, these laws and regulations often struggle to address modern cybersecurity challenges effectively. This situation not only calls for harmonization of existing rules but also necessitates a public debate on where new, purpose-built cybersecurity regulations are needed rather than simply extending the scope of outdated laws. For instance, the definition of what constitutes a "U.S. person" in the context of IT systems and data remains ambiguous, creating difficulties in applying laws consistently in our increasingly digital world.

The challenge of harmonization is further complicated by the reality of our interconnected digital world. We live and work in blended ecosystems that combine regulated, non-regulated, and partially regulated technologies, all interacting in complex ways. This interconnectedness demands the effective integration of multiple regulations, standards, and guidelines to ensure comprehensive cybersecurity coverage without gaps. Moreover, while technology is inherently global, regulations remain largely national or regional. Global alignment is primarily achieved through international standards bodies, whose work is then implemented in national-level requirements. This disparity underscores the need to strengthen the linkage between standards and regulations in terms of strategy, focus, and resourcing. Any harmonization effort must, therefore, not only address domestic regulatory inconsistencies but also consider how U.S. regulations align with global standards and practices.

It's important to acknowledge that some agencies, like the Cybersecurity and Infrastructure Security Agency, are responsible for multiple critical infrastructure sectors without having direct regulatory authority. This creates a unique challenge for CISA, which is tasked with coordinating cybersecurity efforts across nine sectors but lacks the regulatory tools to enforce standards or requirements.

This lack of clarity extends to the authorities and responsibilities of various government agencies in cyberspace. The distinctions between military, intelligence, and law enforcement operations in the digital realm are often blurred, leading to potential gaps or overlaps in response capabilities. This situation is further complicated by the fact that cybersecurity threats often require a coordinated response from multiple agencies, each operating under different legal frameworks and constraints.

Additionally, the current regulatory environment significantly burdens organizations, particularly those operating across multiple sectors or jurisdictions. These entities often find themselves navigating a maze of different and sometimes conflicting, cybersecurity requirements. This not only increases compliance costs but can also lead to a focus on meeting specific regulatory requirements rather than addressing the most critical security risks.

The challenges extend beyond our borders. In an interconnected global economy, inconsistencies between U.S. cybersecurity regulations and those of our international partners can create barriers to collaboration and information sharing. This is particularly problematic given the transnational nature of many cyber threats and the need for coordinated international responses.

The recent Supreme Court decision in Loper Bright Enterprises v. Raimondo, which overturned Chevron's deference, has added a new layer of complexity to this harmonization effort. This ruling potentially reduces the ability of regulatory agencies to interpret and implement cybersecurity laws, making it even more crucial for Congress to provide clear, specific guidance in legislation.

In light of this new judicial landscape, there is a growing need for enhanced technical expertise within Congress to craft precise and effective cybersecurity legislation. The lack of an Office of Technology Assessment or a similar entity capable of providing non-partisan, technical analysis to lawmakers is increasingly apparent. Restoring the OTA or establishing a comparable body could significantly aid Congress in understanding complex cybersecurity issues, thereby improving the quality and specificity of cybersecurity laws. This support is crucial in an environment where regulatory agencies' interpretive authority has been curtailed, necessitating more detailed and technically sound legislation from Congress. Such an entity could bridge the gap between rapidly evolving cyber technologies and legislative understanding, ensuring that our laws keep pace with the dynamic cybersecurity landscape.

To address these challenges, we propose a series of recommendations aimed at harmonizing and modernizing our cybersecurity regulatory and statutory framework:

While different sectors may have unique cybersecurity needs, a common baseline of security standards can help ensure a minimum level of protection across all critical infrastructure. These standards should be risk-based and outcome-focused, allowing for implementation flexibility while ensuring key security objectives are met. The standards should be developed in close consultation with industry and should leverage existing frameworks where possible, such as NIST’s Cybersecurity Framework. In the post-Chevron environment, these standards may need to be more explicitly endorsed or mandated by Congress to ensure their enforceability. The task force should consider recommending legislative action to codify key standards.

In addition to focusing on common baselines across different sectors, focused efforts are needed to develop cross-sector mapping among different standards regimes. Cybersecurity is implicated in so many existing standards regimes it is impossible to collapse them all. Consequently, better cross-walking of standards regimes and exploration of mutual recognition agreements are needed to improve the effective implementation of cybersecurity standards.

The United States is facing a critical challenge when it comes to the harmonization of our cybersecurity regulatory frameworks. This challenge goes beyond the desire for bureaucratic streamlining in that it plays a critical role in ensuring the nation’s cybersecurity resilience. Further, harmonization will also better promote innovation and help us maintain our global competitive edge. U.S. cybersecurity regulation is a patchwork of laws, regulations, rules, and standards that have evolved incrementally over time in response to specific crises or by addressing more narrow sector-specific needs. This fragmented approach has led to a complex, overly burdensome, and sometimes contradictory regulatory environment that can hinder our collective cybersecurity efforts.

Several factors drive the need for harmonization. First, the nature of cyber threats is inherently cross-sectoral and transnational. A vulnerability in one sector can quickly become a point of exploitation that affects multiple industries and even national security. Second, the rapid pace of technological advancement often outstrips the ability of traditional legislative and regulatory processes to keep up, leading to outdated or ineffective rules. Third, the increasing interconnectedness of our digital infrastructure means that inconsistencies in cybersecurity practices across different sectors or jurisdictions can create systemic vulnerabilities.

One of the primary challenges in the current regulatory landscape is the lack of a comprehensive, up-to-date statutory framework that addresses the full spectrum of cybersecurity issues. Many of our existing laws were written in an era when the internet was in its infancy, and the concept of widespread cyber threats was barely understood. Moreover, some regulations currently applied to cybersecurity were originally intended for other purposes, such as safety or privacy. As a result, these laws and regulations often struggle to address modern cybersecurity challenges effectively. This situation not only calls for harmonization of existing rules but also necessitates a public debate on where new, purpose-built cybersecurity regulations are needed rather than simply extending the scope of outdated laws. For instance, the definition of what constitutes a "U.S. person" in the context of IT systems and data remains ambiguous, creating difficulties in applying laws consistently in our increasingly digital world.

The challenge of harmonization is further complicated by the reality of our interconnected digital world. We live and work in blended ecosystems that combine regulated, non-regulated, and partially regulated technologies, all interacting in complex ways. This interconnectedness demands the effective integration of multiple regulations, standards, and guidelines to ensure comprehensive cybersecurity coverage without gaps. Moreover, while technology is inherently global, regulations remain largely national or regional. Global alignment is primarily achieved through international standards bodies, whose work is then implemented in national-level requirements. This disparity underscores the need to strengthen the linkage between standards and regulations in terms of strategy, focus, and resourcing. Any harmonization effort must, therefore, not only address domestic regulatory inconsistencies but also consider how U.S. regulations align with global standards and practices.

It's important to acknowledge that some agencies, like the Cybersecurity and Infrastructure Security Agency, are responsible for multiple critical infrastructure sectors without having direct regulatory authority. This creates a unique challenge for CISA, which is tasked with coordinating cybersecurity efforts across nine sectors but lacks the regulatory tools to enforce standards or requirements.

This lack of clarity extends to the authorities and responsibilities of various government agencies in cyberspace. The distinctions between military, intelligence, and law enforcement operations in the digital realm are often blurred, leading to potential gaps or overlaps in response capabilities. This situation is further complicated by the fact that cybersecurity threats often require a coordinated response from multiple agencies, each operating under different legal frameworks and constraints.

Additionally, the current regulatory environment significantly burdens organizations, particularly those operating across multiple sectors or jurisdictions. These entities often find themselves navigating a maze of different and sometimes conflicting, cybersecurity requirements. This not only increases compliance costs but can also lead to a focus on meeting specific regulatory requirements rather than addressing the most critical security risks.

The challenges extend beyond our borders. In an interconnected global economy, inconsistencies between U.S. cybersecurity regulations and those of our international partners can create barriers to collaboration and information sharing. This is particularly problematic given the transnational nature of many cyber threats and the need for coordinated international responses.

The recent Supreme Court decision in Loper Bright Enterprises v. Raimondo, which overturned Chevron's deference, has added a new layer of complexity to this harmonization effort. This ruling potentially reduces the ability of regulatory agencies to interpret and implement cybersecurity laws, making it even more crucial for Congress to provide clear, specific guidance in legislation.

In light of this new judicial landscape, there is a growing need for enhanced technical expertise within Congress to craft precise and effective cybersecurity legislation. The lack of an Office of Technology Assessment or a similar entity capable of providing non-partisan, technical analysis to lawmakers is increasingly apparent. Restoring the OTA or establishing a comparable body could significantly aid Congress in understanding complex cybersecurity issues, thereby improving the quality and specificity of cybersecurity laws. This support is crucial in an environment where regulatory agencies' interpretive authority has been curtailed, necessitating more detailed and technically sound legislation from Congress. Such an entity could bridge the gap between rapidly evolving cyber technologies and legislative understanding, ensuring that our laws keep pace with the dynamic cybersecurity landscape.

To address these challenges, we propose a series of recommendations aimed at harmonizing and modernizing our cybersecurity regulatory and statutory framework:

Strengthening the roles and responsibilities of Sector Risk Management Agencies (SRMAs) is essential for improving sector-specific cybersecurity efforts. SRMAs occupy a unique position in coordinating cybersecurity within their respective sectors, but current coordination mechanisms between SRMAs and other agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), must be enhanced to avoid duplication and ensure seamless collaboration. To this end, it's crucial to rationalize the number of sectors where CISA serves as the SRMA, ensuring that its role as an SRMA is distinct from its role as the National Coordinator for critical infrastructure security and resilience.

Establishing clear lines of accountability within SRMAs is another important step. Those with decision-making authority must also have the ability to influence resource allocation and oversee the implementation of cybersecurity measures within their sectors. To measure the effectiveness of SRMAs, developing clear metrics and performance indicators is necessary. These tools will help assess whether SRMAs are making meaningful progress in enhancing the cybersecurity posture of their respective sectors.

Additionally, a comprehensive review of critical infrastructure designations and SRMA assignments is needed. This review should consider whether emerging sectors, such as the space sector, warrant independent recognition under National Security Memorandum-22 (NSM-22) due to their growing importance in national security and the economy. As new technologies and threats evolve, SRMA assignments may need to be revisited, and new SRMAs may be required to address these changes effectively. NSM-22 retained a sector structure that may no longer reflect the current cyber risk environment, missing an opportunity to better harmonize with NATO allies. Therefore, the sector structure should be reevaluated based on defined and transparent criteria that better align with today's cybersecurity landscape.

As part of this comprehensive review, expanding the definition of critical infrastructure sectors in NSM-22 to include space infrastructure should be seriously considered. Space-based assets are increasingly relied upon for communication, navigation, and other critical functions, making them an integral component of national security and economic stability. Recognizing space infrastructure as a critical sector within NSM-22 would ensure that it receives the necessary attention, resources, and protection, commensurate with its significance to national interests.

The need for robust coordination across various stakeholders in cybersecurity has never been more critical. The complex nature of cyber threats demands a cohesive and efficient approach to incident prevention and response. This section explores the imperative of enhancing multi-stakeholder coordination, addressing the intricate web of relationships between federal agencies, state, local, tribal, and territorial entities, and the private sector.

While evolving, the current cybersecurity ecosystem often suffers from fragmentation and duplication of efforts. This inefficiency hampers effective response to cyber incidents and leaves vulnerabilities that malicious actors can exploit. By strengthening coordination, we can create a more resilient and responsive cybersecurity posture for the nation.

Operational collaboration among key agencies such as the FBI, DHS/CISA, DOD, and NSA forms the backbone of our national cybersecurity efforts. These agencies bring unique capabilities and perspectives to the table. With its domestic intelligence and law enforcement mandate, the FBI plays a crucial role in cybercrime investigations and threat response. The NSA, leveraging its foreign intelligence capabilities, provides invaluable insights into international cyber threats. The DoD contributes its vast resources and expertise in defending against nation-state actors and sophisticated cyberspace operations.

However, due to coordination challenges and resource constraints, these agencies' full potential remains unmet. Scaling up the FBI's activities in cost imposition strategies and enhancing the NSA's role in bringing intelligence to bear on cyber threats are critical steps. These agencies possess collection capabilities that, when properly leveraged and coordinated, can significantly bolster our cyber defenses.

The NSA's Cybersecurity Collaboration Center, for instance, represents a significant step forward in operational collaboration. By bringing together government and industry partners, it facilitates the sharing of critical cybersecurity information and enhances our collective ability to defend against sophisticated cyber threats. The center's focus on analyzing and disseminating information about nation-state actors and their tools provides invaluable intelligence to both government and private sector entities.

Moreover, the United States Secret Service, often overlooked in cybersecurity discussions, brings unique capabilities to the table, particularly in financial crimes and critical infrastructure protection. Incorporating the USSS more prominently into our coordinated cybersecurity efforts can enhance our overall defensive posture. Their expertise in investigating complex financial crimes, coupled with their role in protecting critical infrastructure, makes them a valuable asset in the fight against cyber threats.

A key aspect of strengthening coordination lies in prioritizing the needs of critical infrastructure owners and operators. These entities form the backbone of our national security and economic well-being. Effective coordination between government agencies and critical infrastructure operators is essential for rapid threat information sharing, incident response, and resilience planning. The growing focus on operational technology in critical infrastructure sectors further highlights the need for specialized knowledge and tailored coordination mechanisms.

The role of Sector Risk Management Agencies cannot be overstated in this context. SRMAs serve as the primary federal interlocutors for their respective critical infrastructure sectors, bridging the gap between government and industry. However, their effectiveness has been hampered by resource constraints and unclear delineations of responsibility. Empowering SRMAs with adequate resources, expected baseline capabilities, and clear mandates is crucial for improving sector-specific cybersecurity coordination.

It's important to note that CISA, as the national coordinator for critical infrastructure security and resilience, plays a crucial role in drawing up and maintaining lists of critical assets and entities across multiple sectors despite lacking direct regulatory authority in many of these areas.

Another crucial element in the coordination landscape is the Office of the National Cyber Director. Established to provide strategic direction and oversight of national cybersecurity policy and strategy, ONCD's role in facilitating interagency coordination and public-private partnerships is pivotal. However, to fulfill its mandate effectively, ONCD requires enhanced authorities and resources. The office's potential to serve as a central coordinating body for national cybersecurity efforts is significant, but it needs to be fully realized through a clear delineation of responsibilities—clarifying the roles of the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) serving within the Department of Homeland Security, the federal Chief Information Security Officer now serving within the Office of Management and Budget and informally dual-hatted as the Deputy NCD for federal cyber security, and National Security Council—and robust support from other federal entities (see also recommendation 2.3).

The Cybersecurity and Infrastructure Security Agency, as the nation's risk advisor, plays a central role in coordinating cybersecurity efforts across the civilian federal government and with the private sector. Strengthening CISA's capabilities and clarifying its responsibilities vis-à-vis other agencies is crucial for a more coherent national cybersecurity strategy. CISA's role in information sharing, threat analysis, and incident response coordination positions it as a key player in the national cybersecurity ecosystem. However, challenges remain in terms of its authority to compel action from other federal agencies, its ability to streamline and/or integrate the federal government’s engagement of the private sector, and its own capacity given longstanding resource limitations and its ability to engage effectively with the private sector.

The Cyber Safety Review Board has emerged as a best practice in fostering accountability and driving improvements in cybersecurity. Their comprehensive reports have prompted significant response actions from both government and industry stakeholders. The CSRB's model of in-depth incident analysis and actionable recommendations should be highlighted and potentially expanded to cover a wider range of significant cyber incidents.

The importance of operational models that bring together government and private sector entities cannot be overstated. Initiatives like the Joint Cyber Defense Collaborative, the NSA's Cybersecurity Collaboration Center, and Project Fortress in the financial sector demonstrate the power of operationalized public-private partnerships. Expanding and replicating these models can significantly enhance our collective cyber defense capabilities. These collaborative efforts improve information sharing and foster a deeper understanding of the threat landscape while promoting the development of joint strategies to address cybersecurity challenges.

The U.S. Cyber Command's Cyber National Mission Force plays a crucial operational role in thwarting foreign malicious cyber activity threats and actions against U.S. interests. The CNMF works closely with the National Security Agency to gather intelligence and with the Federal Bureau of Investigation to take action. This collaborative approach exemplifies the kind of interagency cooperation necessary to effectively combat sophisticated cyber threats. Strengthening the CNMF's capabilities and enhancing its integration with other key cybersecurity entities should be a priority in our national cyber defense strategy.

The concept of co-managed risk and resilience organizations, drawing inspiration from models like the North American Electric Reliability Corporation, offers a promising avenue for enhancing public-private collaboration. Such organizations can provide a structured framework for sharing information, developing standards, and coordinating response efforts across critical infrastructure sectors. These organizations can help bridge the gap between public and private sector cybersecurity efforts by involving both government and private sector stakeholders in governance and decision-making processes.

The role of state, local, tribal, and territorial entities in national cybersecurity efforts is often underappreciated. These entities are often on the front lines of cyber incidents, particularly those affecting critical infrastructure and essential services at the local level. Enhancing the cybersecurity capabilities of SLTT governments and improving their coordination with federal efforts is crucial for building a comprehensive national cybersecurity posture. This includes not only providing resources and training but also ensuring that SLTT entities are integrated into national-level cybersecurity planning and exercises.

The National Guard plays a unique role in bridging the gap between federal and state-level cybersecurity efforts. With its dual state-federal mission, the National Guard can provide critical cyber capabilities to support both state and federal responses to cyber incidents. Leveraging the National Guard's cyber units more effectively in national cybersecurity efforts could significantly enhance our overall resilience and response capabilities.

Research and development in cybersecurity is another area where improved coordination can yield significant benefits. Currently, cybersecurity R&D efforts are often fragmented across various government agencies, quasi-government entities, academic institutions, and private sector entities. Establishing a national-level coordination body for cybersecurity R&D could help align research priorities with national needs, identify gaps, reduce duplication of efforts, and accelerate the transition of research findings into practical applications.

In light of these considerations, we propose the following recommendations to strengthen coordination in the cybersecurity domain:

stablish ONCD as the primary coordinator for cyber incident response, bringing together inputs from agencies like NSA, DoD, CISA, SRMAs, and FBI during major cyber incidents. Empower ONCD with additional authorities to drive interagency coordination, including the ability to influence budget allocations for cybersecurity initiatives across agencies. Implement ONCD-led integrated portfolio reviews to assess and coordinate cybersecurity investments across the federal government, ensuring the involvement of the Office of Management and Budget. Create a formal mechanism for ONCD to engage with and coordinate efforts of SRMAs, fostering a more cohesive approach to sector-specific cybersecurity challenges.

The need for robust coordination across various stakeholders in cybersecurity has never been more critical. The complex nature of cyber threats demands a cohesive and efficient approach to incident prevention and response. This section explores the imperative of enhancing multi-stakeholder coordination, addressing the intricate web of relationships between federal agencies, state, local, tribal, and territorial entities, and the private sector.

While evolving, the current cybersecurity ecosystem often suffers from fragmentation and duplication of efforts. This inefficiency hampers effective response to cyber incidents and leaves vulnerabilities that malicious actors can exploit. By strengthening coordination, we can create a more resilient and responsive cybersecurity posture for the nation.

Operational collaboration among key agencies such as the FBI, DHS/CISA, DOD, and NSA forms the backbone of our national cybersecurity efforts. These agencies bring unique capabilities and perspectives to the table. With its domestic intelligence and law enforcement mandate, the FBI plays a crucial role in cybercrime investigations and threat response. The NSA, leveraging its foreign intelligence capabilities, provides invaluable insights into international cyber threats. The DoD contributes its vast resources and expertise in defending against nation-state actors and sophisticated cyberspace operations.

However, due to coordination challenges and resource constraints, these agencies' full potential remains unmet. Scaling up the FBI's activities in cost imposition strategies and enhancing the NSA's role in bringing intelligence to bear on cyber threats are critical steps. These agencies possess collection capabilities that, when properly leveraged and coordinated, can significantly bolster our cyber defenses.

The NSA's Cybersecurity Collaboration Center, for instance, represents a significant step forward in operational collaboration. By bringing together government and industry partners, it facilitates the sharing of critical cybersecurity information and enhances our collective ability to defend against sophisticated cyber threats. The center's focus on analyzing and disseminating information about nation-state actors and their tools provides invaluable intelligence to both government and private sector entities.

Moreover, the United States Secret Service, often overlooked in cybersecurity discussions, brings unique capabilities to the table, particularly in financial crimes and critical infrastructure protection. Incorporating the USSS more prominently into our coordinated cybersecurity efforts can enhance our overall defensive posture. Their expertise in investigating complex financial crimes, coupled with their role in protecting critical infrastructure, makes them a valuable asset in the fight against cyber threats.

A key aspect of strengthening coordination lies in prioritizing the needs of critical infrastructure owners and operators. These entities form the backbone of our national security and economic well-being. Effective coordination between government agencies and critical infrastructure operators is essential for rapid threat information sharing, incident response, and resilience planning. The growing focus on operational technology in critical infrastructure sectors further highlights the need for specialized knowledge and tailored coordination mechanisms.

The role of Sector Risk Management Agencies cannot be overstated in this context. SRMAs serve as the primary federal interlocutors for their respective critical infrastructure sectors, bridging the gap between government and industry. However, their effectiveness has been hampered by resource constraints and unclear delineations of responsibility. Empowering SRMAs with adequate resources, expected baseline capabilities, and clear mandates is crucial for improving sector-specific cybersecurity coordination.

It's important to note that CISA, as the national coordinator for critical infrastructure security and resilience, plays a crucial role in drawing up and maintaining lists of critical assets and entities across multiple sectors despite lacking direct regulatory authority in many of these areas.

Another crucial element in the coordination landscape is the Office of the National Cyber Director. Established to provide strategic direction and oversight of national cybersecurity policy and strategy, ONCD's role in facilitating interagency coordination and public-private partnerships is pivotal. However, to fulfill its mandate effectively, ONCD requires enhanced authorities and resources. The office's potential to serve as a central coordinating body for national cybersecurity efforts is significant, but it needs to be fully realized through a clear delineation of responsibilities—clarifying the roles of the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) serving within the Department of Homeland Security, the federal Chief Information Security Officer now serving within the Office of Management and Budget and informally dual-hatted as the Deputy NCD for federal cyber security, and National Security Council—and robust support from other federal entities (see also recommendation 2.3).

The Cybersecurity and Infrastructure Security Agency, as the nation's risk advisor, plays a central role in coordinating cybersecurity efforts across the civilian federal government and with the private sector. Strengthening CISA's capabilities and clarifying its responsibilities vis-à-vis other agencies is crucial for a more coherent national cybersecurity strategy. CISA's role in information sharing, threat analysis, and incident response coordination positions it as a key player in the national cybersecurity ecosystem. However, challenges remain in terms of its authority to compel action from other federal agencies, its ability to streamline and/or integrate the federal government’s engagement of the private sector, and its own capacity given longstanding resource limitations and its ability to engage effectively with the private sector.

The Cyber Safety Review Board has emerged as a best practice in fostering accountability and driving improvements in cybersecurity. Their comprehensive reports have prompted significant response actions from both government and industry stakeholders. The CSRB's model of in-depth incident analysis and actionable recommendations should be highlighted and potentially expanded to cover a wider range of significant cyber incidents.

The importance of operational models that bring together government and private sector entities cannot be overstated. Initiatives like the Joint Cyber Defense Collaborative, the NSA's Cybersecurity Collaboration Center, and Project Fortress in the financial sector demonstrate the power of operationalized public-private partnerships. Expanding and replicating these models can significantly enhance our collective cyber defense capabilities. These collaborative efforts improve information sharing and foster a deeper understanding of the threat landscape while promoting the development of joint strategies to address cybersecurity challenges.

The U.S. Cyber Command's Cyber National Mission Force plays a crucial operational role in thwarting foreign malicious cyber activity threats and actions against U.S. interests. The CNMF works closely with the National Security Agency to gather intelligence and with the Federal Bureau of Investigation to take action. This collaborative approach exemplifies the kind of interagency cooperation necessary to effectively combat sophisticated cyber threats. Strengthening the CNMF's capabilities and enhancing its integration with other key cybersecurity entities should be a priority in our national cyber defense strategy.

The concept of co-managed risk and resilience organizations, drawing inspiration from models like the North American Electric Reliability Corporation, offers a promising avenue for enhancing public-private collaboration. Such organizations can provide a structured framework for sharing information, developing standards, and coordinating response efforts across critical infrastructure sectors. These organizations can help bridge the gap between public and private sector cybersecurity efforts by involving both government and private sector stakeholders in governance and decision-making processes.

The role of state, local, tribal, and territorial entities in national cybersecurity efforts is often underappreciated. These entities are often on the front lines of cyber incidents, particularly those affecting critical infrastructure and essential services at the local level. Enhancing the cybersecurity capabilities of SLTT governments and improving their coordination with federal efforts is crucial for building a comprehensive national cybersecurity posture. This includes not only providing resources and training but also ensuring that SLTT entities are integrated into national-level cybersecurity planning and exercises.

The National Guard plays a unique role in bridging the gap between federal and state-level cybersecurity efforts. With its dual state-federal mission, the National Guard can provide critical cyber capabilities to support both state and federal responses to cyber incidents. Leveraging the National Guard's cyber units more effectively in national cybersecurity efforts could significantly enhance our overall resilience and response capabilities.

Research and development in cybersecurity is another area where improved coordination can yield significant benefits. Currently, cybersecurity R&D efforts are often fragmented across various government agencies, quasi-government entities, academic institutions, and private sector entities. Establishing a national-level coordination body for cybersecurity R&D could help align research priorities with national needs, identify gaps, reduce duplication of efforts, and accelerate the transition of research findings into practical applications.

In light of these considerations, we propose the following recommendations to strengthen coordination in the cybersecurity domain:

Establish co-managed risk and resilience organizations, drawing inspiration from the NERC model of the 1960s, to enhance public-private collaboration. Develop a secure, real-time information-sharing platform to rapidly disseminate actionable threat intelligence between government and critical infrastructure operators. Integrate private sector companies more effectively into coordinated cyber incident response efforts. Establish, expand, and improve the operational models similar to JCDC, ETAC, Project Fortress, Europol, NCIJTF, JTTF, and NSA's Cybersecurity Collaboration Center that bring together government and private sector entities for joint cyberspace operations and threat response. Consider creating a private sector analogue to the NCIJTF for coordinating disruption activities against cyber threats. Additionally, it should be considered that NCIJTF currently lacks resources to accomplish its role comanaging cyber incident response. If the goal is to continue leveraging NCIJTF going forward, it will likely require additional resources to be effective.

The need for robust coordination across various stakeholders in cybersecurity has never been more critical. The complex nature of cyber threats demands a cohesive and efficient approach to incident prevention and response. This section explores the imperative of enhancing multi-stakeholder coordination, addressing the intricate web of relationships between federal agencies, state, local, tribal, and territorial entities, and the private sector.

While evolving, the current cybersecurity ecosystem often suffers from fragmentation and duplication of efforts. This inefficiency hampers effective response to cyber incidents and leaves vulnerabilities that malicious actors can exploit. By strengthening coordination, we can create a more resilient and responsive cybersecurity posture for the nation.

Operational collaboration among key agencies such as the FBI, DHS/CISA, DOD, and NSA forms the backbone of our national cybersecurity efforts. These agencies bring unique capabilities and perspectives to the table. With its domestic intelligence and law enforcement mandate, the FBI plays a crucial role in cybercrime investigations and threat response. The NSA, leveraging its foreign intelligence capabilities, provides invaluable insights into international cyber threats. The DoD contributes its vast resources and expertise in defending against nation-state actors and sophisticated cyberspace operations.

However, due to coordination challenges and resource constraints, these agencies' full potential remains unmet. Scaling up the FBI's activities in cost imposition strategies and enhancing the NSA's role in bringing intelligence to bear on cyber threats are critical steps. These agencies possess collection capabilities that, when properly leveraged and coordinated, can significantly bolster our cyber defenses.

The NSA's Cybersecurity Collaboration Center, for instance, represents a significant step forward in operational collaboration. By bringing together government and industry partners, it facilitates the sharing of critical cybersecurity information and enhances our collective ability to defend against sophisticated cyber threats. The center's focus on analyzing and disseminating information about nation-state actors and their tools provides invaluable intelligence to both government and private sector entities.

Moreover, the United States Secret Service, often overlooked in cybersecurity discussions, brings unique capabilities to the table, particularly in financial crimes and critical infrastructure protection. Incorporating the USSS more prominently into our coordinated cybersecurity efforts can enhance our overall defensive posture. Their expertise in investigating complex financial crimes, coupled with their role in protecting critical infrastructure, makes them a valuable asset in the fight against cyber threats.

A key aspect of strengthening coordination lies in prioritizing the needs of critical infrastructure owners and operators. These entities form the backbone of our national security and economic well-being. Effective coordination between government agencies and critical infrastructure operators is essential for rapid threat information sharing, incident response, and resilience planning. The growing focus on operational technology in critical infrastructure sectors further highlights the need for specialized knowledge and tailored coordination mechanisms.

The role of Sector Risk Management Agencies cannot be overstated in this context. SRMAs serve as the primary federal interlocutors for their respective critical infrastructure sectors, bridging the gap between government and industry. However, their effectiveness has been hampered by resource constraints and unclear delineations of responsibility. Empowering SRMAs with adequate resources, expected baseline capabilities, and clear mandates is crucial for improving sector-specific cybersecurity coordination.

It's important to note that CISA, as the national coordinator for critical infrastructure security and resilience, plays a crucial role in drawing up and maintaining lists of critical assets and entities across multiple sectors despite lacking direct regulatory authority in many of these areas.

Another crucial element in the coordination landscape is the Office of the National Cyber Director. Established to provide strategic direction and oversight of national cybersecurity policy and strategy, ONCD's role in facilitating interagency coordination and public-private partnerships is pivotal. However, to fulfill its mandate effectively, ONCD requires enhanced authorities and resources. The office's potential to serve as a central coordinating body for national cybersecurity efforts is significant, but it needs to be fully realized through a clear delineation of responsibilities—clarifying the roles of the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) serving within the Department of Homeland Security, the federal Chief Information Security Officer now serving within the Office of Management and Budget and informally dual-hatted as the Deputy NCD for federal cyber security, and National Security Council—and robust support from other federal entities (see also recommendation 2.3).

The Cybersecurity and Infrastructure Security Agency, as the nation's risk advisor, plays a central role in coordinating cybersecurity efforts across the civilian federal government and with the private sector. Strengthening CISA's capabilities and clarifying its responsibilities vis-à-vis other agencies is crucial for a more coherent national cybersecurity strategy. CISA's role in information sharing, threat analysis, and incident response coordination positions it as a key player in the national cybersecurity ecosystem. However, challenges remain in terms of its authority to compel action from other federal agencies, its ability to streamline and/or integrate the federal government’s engagement of the private sector, and its own capacity given longstanding resource limitations and its ability to engage effectively with the private sector.

The Cyber Safety Review Board has emerged as a best practice in fostering accountability and driving improvements in cybersecurity. Their comprehensive reports have prompted significant response actions from both government and industry stakeholders. The CSRB's model of in-depth incident analysis and actionable recommendations should be highlighted and potentially expanded to cover a wider range of significant cyber incidents.

The importance of operational models that bring together government and private sector entities cannot be overstated. Initiatives like the Joint Cyber Defense Collaborative, the NSA's Cybersecurity Collaboration Center, and Project Fortress in the financial sector demonstrate the power of operationalized public-private partnerships. Expanding and replicating these models can significantly enhance our collective cyber defense capabilities. These collaborative efforts improve information sharing and foster a deeper understanding of the threat landscape while promoting the development of joint strategies to address cybersecurity challenges.

The U.S. Cyber Command's Cyber National Mission Force plays a crucial operational role in thwarting foreign malicious cyber activity threats and actions against U.S. interests. The CNMF works closely with the National Security Agency to gather intelligence and with the Federal Bureau of Investigation to take action. This collaborative approach exemplifies the kind of interagency cooperation necessary to effectively combat sophisticated cyber threats. Strengthening the CNMF's capabilities and enhancing its integration with other key cybersecurity entities should be a priority in our national cyber defense strategy.

The concept of co-managed risk and resilience organizations, drawing inspiration from models like the North American Electric Reliability Corporation, offers a promising avenue for enhancing public-private collaboration. Such organizations can provide a structured framework for sharing information, developing standards, and coordinating response efforts across critical infrastructure sectors. These organizations can help bridge the gap between public and private sector cybersecurity efforts by involving both government and private sector stakeholders in governance and decision-making processes.

The role of state, local, tribal, and territorial entities in national cybersecurity efforts is often underappreciated. These entities are often on the front lines of cyber incidents, particularly those affecting critical infrastructure and essential services at the local level. Enhancing the cybersecurity capabilities of SLTT governments and improving their coordination with federal efforts is crucial for building a comprehensive national cybersecurity posture. This includes not only providing resources and training but also ensuring that SLTT entities are integrated into national-level cybersecurity planning and exercises.

The National Guard plays a unique role in bridging the gap between federal and state-level cybersecurity efforts. With its dual state-federal mission, the National Guard can provide critical cyber capabilities to support both state and federal responses to cyber incidents. Leveraging the National Guard's cyber units more effectively in national cybersecurity efforts could significantly enhance our overall resilience and response capabilities.

Research and development in cybersecurity is another area where improved coordination can yield significant benefits. Currently, cybersecurity R&D efforts are often fragmented across various government agencies, quasi-government entities, academic institutions, and private sector entities. Establishing a national-level coordination body for cybersecurity R&D could help align research priorities with national needs, identify gaps, reduce duplication of efforts, and accelerate the transition of research findings into practical applications.

In light of these considerations, we propose the following recommendations to strengthen coordination in the cybersecurity domain:

Enhance mechanisms for sharing classified threat intelligence with cleared private sector leaders, particularly those in critical infrastructure sectors. Implement a reform for cyber positions across the government, requiring interagency experience for career advancement in cybersecurity roles akin to the Goldwater-Nichols Act. This will foster a more integrated and coordinated approach to cybersecurity across different agencies. Develop clear processes and focused resourcing for rapid downgrading, declassification, and sharing of actionable threat intelligence during cyber incidents. This should include mechanisms for downgrading classified intelligence to the For Official Use Only level for controlled sharing with pertinent entities, as well as full declassification when appropriate. It's crucial to establish efficient procedures for both processes, recognizing that downgraded information remains controlled while declassified information has all controls removed. Any review should determine if legislative changes are required to facilitate improved intelligence sharing and operational collaboration. This nuanced approach will enable more timely and appropriate sharing of critical threat intelligence with relevant stakeholders while maintaining necessary protections for sensitive information.

The need for robust coordination across various stakeholders in cybersecurity has never been more critical. The complex nature of cyber threats demands a cohesive and efficient approach to incident prevention and response. This section explores the imperative of enhancing multi-stakeholder coordination, addressing the intricate web of relationships between federal agencies, state, local, tribal, and territorial entities, and the private sector.

While evolving, the current cybersecurity ecosystem often suffers from fragmentation and duplication of efforts. This inefficiency hampers effective response to cyber incidents and leaves vulnerabilities that malicious actors can exploit. By strengthening coordination, we can create a more resilient and responsive cybersecurity posture for the nation.

Operational collaboration among key agencies such as the FBI, DHS/CISA, DOD, and NSA forms the backbone of our national cybersecurity efforts. These agencies bring unique capabilities and perspectives to the table. With its domestic intelligence and law enforcement mandate, the FBI plays a crucial role in cybercrime investigations and threat response. The NSA, leveraging its foreign intelligence capabilities, provides invaluable insights into international cyber threats. The DoD contributes its vast resources and expertise in defending against nation-state actors and sophisticated cyberspace operations.

However, due to coordination challenges and resource constraints, these agencies' full potential remains unmet. Scaling up the FBI's activities in cost imposition strategies and enhancing the NSA's role in bringing intelligence to bear on cyber threats are critical steps. These agencies possess collection capabilities that, when properly leveraged and coordinated, can significantly bolster our cyber defenses.

The NSA's Cybersecurity Collaboration Center, for instance, represents a significant step forward in operational collaboration. By bringing together government and industry partners, it facilitates the sharing of critical cybersecurity information and enhances our collective ability to defend against sophisticated cyber threats. The center's focus on analyzing and disseminating information about nation-state actors and their tools provides invaluable intelligence to both government and private sector entities.

Moreover, the United States Secret Service, often overlooked in cybersecurity discussions, brings unique capabilities to the table, particularly in financial crimes and critical infrastructure protection. Incorporating the USSS more prominently into our coordinated cybersecurity efforts can enhance our overall defensive posture. Their expertise in investigating complex financial crimes, coupled with their role in protecting critical infrastructure, makes them a valuable asset in the fight against cyber threats.

A key aspect of strengthening coordination lies in prioritizing the needs of critical infrastructure owners and operators. These entities form the backbone of our national security and economic well-being. Effective coordination between government agencies and critical infrastructure operators is essential for rapid threat information sharing, incident response, and resilience planning. The growing focus on operational technology in critical infrastructure sectors further highlights the need for specialized knowledge and tailored coordination mechanisms.

The role of Sector Risk Management Agencies cannot be overstated in this context. SRMAs serve as the primary federal interlocutors for their respective critical infrastructure sectors, bridging the gap between government and industry. However, their effectiveness has been hampered by resource constraints and unclear delineations of responsibility. Empowering SRMAs with adequate resources, expected baseline capabilities, and clear mandates is crucial for improving sector-specific cybersecurity coordination.

It's important to note that CISA, as the national coordinator for critical infrastructure security and resilience, plays a crucial role in drawing up and maintaining lists of critical assets and entities across multiple sectors despite lacking direct regulatory authority in many of these areas.

Another crucial element in the coordination landscape is the Office of the National Cyber Director. Established to provide strategic direction and oversight of national cybersecurity policy and strategy, ONCD's role in facilitating interagency coordination and public-private partnerships is pivotal. However, to fulfill its mandate effectively, ONCD requires enhanced authorities and resources. The office's potential to serve as a central coordinating body for national cybersecurity efforts is significant, but it needs to be fully realized through a clear delineation of responsibilities—clarifying the roles of the National Cyber Director, the Director of the Cybersecurity and Infrastructure Security Agency (CISA) serving within the Department of Homeland Security, the federal Chief Information Security Officer now serving within the Office of Management and Budget and informally dual-hatted as the Deputy NCD for federal cyber security, and National Security Council—and robust support from other federal entities (see also recommendation 2.3).

The Cybersecurity and Infrastructure Security Agency, as the nation's risk advisor, plays a central role in coordinating cybersecurity efforts across the civilian federal government and with the private sector. Strengthening CISA's capabilities and clarifying its responsibilities vis-à-vis other agencies is crucial for a more coherent national cybersecurity strategy. CISA's role in information sharing, threat analysis, and incident response coordination positions it as a key player in the national cybersecurity ecosystem. However, challenges remain in terms of its authority to compel action from other federal agencies, its ability to streamline and/or integrate the federal government’s engagement of the private sector, and its own capacity given longstanding resource limitations and its ability to engage effectively with the private sector.

The Cyber Safety Review Board has emerged as a best practice in fostering accountability and driving improvements in cybersecurity. Their comprehensive reports have prompted significant response actions from both government and industry stakeholders. The CSRB's model of in-depth incident analysis and actionable recommendations should be highlighted and potentially expanded to cover a wider range of significant cyber incidents.

The importance of operational models that bring together government and private sector entities cannot be overstated. Initiatives like the Joint Cyber Defense Collaborative, the NSA's Cybersecurity Collaboration Center, and Project Fortress in the financial sector demonstrate the power of operationalized public-private partnerships. Expanding and replicating these models can significantly enhance our collective cyber defense capabilities. These collaborative efforts improve information sharing and foster a deeper understanding of the threat landscape while promoting the development of joint strategies to address cybersecurity challenges.

The U.S. Cyber Command's Cyber National Mission Force plays a crucial operational role in thwarting foreign malicious cyber activity threats and actions against U.S. interests. The CNMF works closely with the National Security Agency to gather intelligence and with the Federal Bureau of Investigation to take action. This collaborative approach exemplifies the kind of interagency cooperation necessary to effectively combat sophisticated cyber threats. Strengthening the CNMF's capabilities and enhancing its integration with other key cybersecurity entities should be a priority in our national cyber defense strategy.

The concept of co-managed risk and resilience organizations, drawing inspiration from models like the North American Electric Reliability Corporation, offers a promising avenue for enhancing public-private collaboration. Such organizations can provide a structured framework for sharing information, developing standards, and coordinating response efforts across critical infrastructure sectors. These organizations can help bridge the gap between public and private sector cybersecurity efforts by involving both government and private sector stakeholders in governance and decision-making processes.

The role of state, local, tribal, and territorial entities in national cybersecurity efforts is often underappreciated. These entities are often on the front lines of cyber incidents, particularly those affecting critical infrastructure and essential services at the local level. Enhancing the cybersecurity capabilities of SLTT governments and improving their coordination with federal efforts is crucial for building a comprehensive national cybersecurity posture. This includes not only providing resources and training but also ensuring that SLTT entities are integrated into national-level cybersecurity planning and exercises.

The National Guard plays a unique role in bridging the gap between federal and state-level cybersecurity efforts. With its dual state-federal mission, the National Guard can provide critical cyber capabilities to support both state and federal responses to cyber incidents. Leveraging the National Guard's cyber units more effectively in national cybersecurity efforts could significantly enhance our overall resilience and response capabilities.

Research and development in cybersecurity is another area where improved coordination can yield significant benefits. Currently, cybersecurity R&D efforts are often fragmented across various government agencies, quasi-government entities, academic institutions, and private sector entities. Establishing a national-level coordination body for cybersecurity R&D could help align research priorities with national needs, identify gaps, reduce duplication of efforts, and accelerate the transition of research findings into practical applications.

In light of these considerations, we propose the following recommendations to strengthen coordination in the cybersecurity domain:

Maintain and accelerate the legal framework established by National Security Presidential Memorandum 13 for conducting offensive cyber operations while developing a streamlined process for approving time-sensitive cyber operations.41 This recommendation fully supports the intent of NSPM-13 while seeking to build upon and enhance its framework to meet evolving cyber threats. This recommendation aims to clarify roles, authorities, and processes without delving into classified specifics of NSPM-13. By enabling more effective and timely cyber responses while maintaining appropriate oversight, this approach will enhance the U.S. government's ability to respond to emerging threats.

Furthermore, develop and implement a comprehensive offensive strategy that proactively disrupts and degrades adversary cyber capabilities before they can be used against U.S. interests. This strategy should emphasize a whole-of-government approach, ensuring that all relevant agencies and departments are aligned in their efforts to impose costs on adversaries in cyberspace. This strategy should outline long-term approaches for imposing costs and shaping adversary behavior, while also establishing clear guidelines for escalation management and international cooperation.

The United States faces an unprecedented challenge in the cyber domain: how to effectively deter and impose costs on adversaries who operate with relative impunity in the digital domain. The traditional models of deterrence, rooted in Cold War-era strategies, require significant adaptation to address the unique characteristics of cyberspace. This section builds upon and extends the framing of deterrence in the cyber environment as established by the Cyberspace Solarium Commission, emphasizing the need for a more proactive and assertive approach.

The "dissuade, deter, compel" model provides a useful framework for understanding cyber deterrence. In this context, dissuasion aims to prevent adversaries from developing or expanding their cyber threat capabilities. Deterrence seeks to convince potential attackers that the costs of their actions will outweigh any perceived benefits. Compellence, the most assertive stance, involves forcing an adversary to change their behavior through the threat or use of punitive measures.

The challenges of attribution and escalation management in cyberspace significantly influence the development and implementation of effective deterrence strategies. Unlike conventional warfare, cyber attacks often occur below the threshold of armed conflict, making it difficult to justify traditional military responses. Moreover, the ability to definitively attribute attacks to specific actors remains a persistent challenge, complicating efforts to hold adversaries accountable.

The exponential rise of cybercrime demands an escalated international response.39 Ransomware attacks alone are projected to cost the world more than $40 billion in 2024,40 affecting nation-states, major corporations, critical infrastructure providers, schools, hospitals, and ordinary citizens. This challenge is exacerbated by the proliferation of cybercrime safe havens – nations that allow cybercriminal syndicates to operate within their borders without fear of extradition or prosecution. These safe havens provide cybercriminals with the stability and infrastructure to plan complex attacks and safely store illicit proceeds, further complicating efforts to attribute and respond to cyber threats.

To address these challenges, the United States must recalibrate its escalation-risk calculus, demonstrating a willingness to take more offensive deterrent actions against cyber threats. This shift requires a delicate balance – maintaining a robust defensive posture while developing and deploying offensive capabilities that can precisely target adversary systems with minimal collateral damage.

The concept of "defend forward" represents a strategic approach that aligns with this more assertive stance. This approach must be balanced with robust defensive measures and enhanced international cooperation to ensure a comprehensive and effective cyber deterrence strategy. By proactively disrupting and degrading adversary cyber capabilities before they can be used against U.S. interests, this strategy aims to shape the behavior of potential attackers and raise the costs of malicious cyber activities.

However, the implementation of such strategies must be carefully calibrated. The evolving nature of cyber threats necessitates flexible, adaptable deterrence mechanisms that can respond to a range of potential scenarios. Furthermore, any offensive actions must be weighed against the risk of escalation and potential impacts on international relations.

These additional costs span multiple domains, each designed to increase the financial, operational, and reputational burdens on malicious actors. Financial costs can be imposed through targeted sanctions on individuals, organizations, and state-sponsored entities involved in cybercrime, including asset freezes and restrictions on access to international financial systems. Operational costs can be inflicted by disrupting the infrastructure used by cybercriminals, such as command and control servers and communication channels, forcing adversaries to expend more resources to maintain their operations. Technical costs can be increased through the development and deployment of advanced defensive technologies, making attacks more difficult and time-consuming to execute.

Intelligence costs can be raised by enhancing information sharing among allies and partners, increasing the risk of exposure for adversaries. Reputational costs can be imposed through strategic communication campaigns that publicly attribute attacks to specific actors, damaging their credibility and hampering their ability to recruit talent or form alliances. Diplomatic costs can be leveraged by isolating bad actors in international forums, restricting their engagement in legitimate international commerce and diplomacy. Legal costs can be pursued through civil litigation against cyber criminals and their enablers, potentially seizing assets and disrupting their business models. Finally, market costs can be imposed by working with private sector partners to make certain types of attacks economically unviable, such as coordinating ransom payment policies to reduce the profitability of ransomware attacks.

Implementing this broader approach requires a whole-of-government effort, leveraging diplomatic, economic, and intelligence tools in addition to law enforcement and military capabilities. The development of a clear, consistent strategy for imposing costs on adversaries in cyberspace is essential to shape their behavior and protect U.S. interests in the digital domain. This multifaceted approach recognizes that adversaries in the interconnected digital landscape must simultaneously be confronted on multiple fronts to effectively deter malicious activities and safeguard national security.

A critical aspect of effective deterrence and cost imposition in cyberspace is the ability to trace and disrupt the financial flows that sustain cybercriminal operations. However, today's efforts to 'follow the money' as a key component of ransomware actor attribution and cost imposition are significantly hindered by robust obfuscation capabilities employed by malicious actors. This challenge affects intelligence gathering, law enforcement actions, and other cost-imposition operations. Enhancing our capabilities to illuminate these obfuscated finance flows is crucial for undermining the economic incentives driving cybercrime and for improving our ability to attribute attacks to specific actors or groups. Investment in advanced technologies and methodologies to track complex financial trails will be essential in strengthening our overall deterrence and cost imposition strategies.

With these considerations in mind, we propose the following recommendations to enhance the United States' ability to impose costs and deter malicious cyber activities:

Create a formal process for designating nations as state sponsors of cyber attacks, similar to the existing state sponsors of terrorism list. This designation process should explicitly address the issue of nations providing safe haven to cybercriminal groups, recognizing that allowing cybercriminals to operate freely within a nation's borders is tantamount to state sponsorship of cyber attacks. This process should address both direct cyber attacks and the provision of safe haven to cybercriminal groups, recognizing the symbiotic relationships that often exist between state actors and cybercriminal organizations. This approach aligns with recent legislative efforts, such as Sen. Mark Warner's proposal to treat ransomware threats with the same level of priority as terrorism, highlighting the growing recognition of cyber threats as national security issues.42

Russia and North Korea exemplify the model of state cyber sanctuaries. Despite public condemnations, these nations quietly support hacking groups, with cybercriminals sharing stolen data with state intelligence agencies in exchange for refuge from U.S. law and access to money laundering services. North Korea has even institutionalized cybercrime to circumvent international sanctions and fund its nuclear program.

Establish clear criteria for such designations, including evidence standards and the types of cyber activities that would qualify. Develop a range of diplomatic, economic, and cyber-specific sanctions that can be applied to designated state sponsors of cyber attacks, ensuring that there are real consequences for nations that engage in or support malicious cyber activities.

This approach should build upon established precedents in combating global threats, such as the State Department's annual reports on global terrorism. Similar annual reports on state-sponsored cybercrime could prove equally effective in identifying major cybercriminal syndicates and documenting their most significant attacks.

Implement a regular review process to assess designated nations and provide a clear path for removal from the list based on changed behavior. This approach incentivizes positive changes in state behavior while maintaining pressure on persistent bad actors.

While some may argue that such designations could escalate tensions between cyber superpowers or that proving explicit state sponsorship sets an unnecessarily high legal bar, these risks pale in comparison to the existential threat that cyber safe havens pose to the rules-based international order. The United States has both the justification and capabilities to productively initiate an international cyber designation regime now, particularly as the constant barrage of cyber attacks collectively poses a significant threat to our security.

The United States faces an unprecedented challenge in the cyber domain: how to effectively deter and impose costs on adversaries who operate with relative impunity in the digital domain. The traditional models of deterrence, rooted in Cold War-era strategies, require significant adaptation to address the unique characteristics of cyberspace. This section builds upon and extends the framing of deterrence in the cyber environment as established by the Cyberspace Solarium Commission, emphasizing the need for a more proactive and assertive approach.

The "dissuade, deter, compel" model provides a useful framework for understanding cyber deterrence. In this context, dissuasion aims to prevent adversaries from developing or expanding their cyber threat capabilities. Deterrence seeks to convince potential attackers that the costs of their actions will outweigh any perceived benefits. Compellence, the most assertive stance, involves forcing an adversary to change their behavior through the threat or use of punitive measures.

The challenges of attribution and escalation management in cyberspace significantly influence the development and implementation of effective deterrence strategies. Unlike conventional warfare, cyber attacks often occur below the threshold of armed conflict, making it difficult to justify traditional military responses. Moreover, the ability to definitively attribute attacks to specific actors remains a persistent challenge, complicating efforts to hold adversaries accountable.

The exponential rise of cybercrime demands an escalated international response.39 Ransomware attacks alone are projected to cost the world more than $40 billion in 2024,40 affecting nation-states, major corporations, critical infrastructure providers, schools, hospitals, and ordinary citizens. This challenge is exacerbated by the proliferation of cybercrime safe havens – nations that allow cybercriminal syndicates to operate within their borders without fear of extradition or prosecution. These safe havens provide cybercriminals with the stability and infrastructure to plan complex attacks and safely store illicit proceeds, further complicating efforts to attribute and respond to cyber threats.

To address these challenges, the United States must recalibrate its escalation-risk calculus, demonstrating a willingness to take more offensive deterrent actions against cyber threats. This shift requires a delicate balance – maintaining a robust defensive posture while developing and deploying offensive capabilities that can precisely target adversary systems with minimal collateral damage.

The concept of "defend forward" represents a strategic approach that aligns with this more assertive stance. This approach must be balanced with robust defensive measures and enhanced international cooperation to ensure a comprehensive and effective cyber deterrence strategy. By proactively disrupting and degrading adversary cyber capabilities before they can be used against U.S. interests, this strategy aims to shape the behavior of potential attackers and raise the costs of malicious cyber activities.

However, the implementation of such strategies must be carefully calibrated. The evolving nature of cyber threats necessitates flexible, adaptable deterrence mechanisms that can respond to a range of potential scenarios. Furthermore, any offensive actions must be weighed against the risk of escalation and potential impacts on international relations.

These additional costs span multiple domains, each designed to increase the financial, operational, and reputational burdens on malicious actors. Financial costs can be imposed through targeted sanctions on individuals, organizations, and state-sponsored entities involved in cybercrime, including asset freezes and restrictions on access to international financial systems. Operational costs can be inflicted by disrupting the infrastructure used by cybercriminals, such as command and control servers and communication channels, forcing adversaries to expend more resources to maintain their operations. Technical costs can be increased through the development and deployment of advanced defensive technologies, making attacks more difficult and time-consuming to execute.

Intelligence costs can be raised by enhancing information sharing among allies and partners, increasing the risk of exposure for adversaries. Reputational costs can be imposed through strategic communication campaigns that publicly attribute attacks to specific actors, damaging their credibility and hampering their ability to recruit talent or form alliances. Diplomatic costs can be leveraged by isolating bad actors in international forums, restricting their engagement in legitimate international commerce and diplomacy. Legal costs can be pursued through civil litigation against cyber criminals and their enablers, potentially seizing assets and disrupting their business models. Finally, market costs can be imposed by working with private sector partners to make certain types of attacks economically unviable, such as coordinating ransom payment policies to reduce the profitability of ransomware attacks.

Implementing this broader approach requires a whole-of-government effort, leveraging diplomatic, economic, and intelligence tools in addition to law enforcement and military capabilities. The development of a clear, consistent strategy for imposing costs on adversaries in cyberspace is essential to shape their behavior and protect U.S. interests in the digital domain. This multifaceted approach recognizes that adversaries in the interconnected digital landscape must simultaneously be confronted on multiple fronts to effectively deter malicious activities and safeguard national security.

A critical aspect of effective deterrence and cost imposition in cyberspace is the ability to trace and disrupt the financial flows that sustain cybercriminal operations. However, today's efforts to 'follow the money' as a key component of ransomware actor attribution and cost imposition are significantly hindered by robust obfuscation capabilities employed by malicious actors. This challenge affects intelligence gathering, law enforcement actions, and other cost-imposition operations. Enhancing our capabilities to illuminate these obfuscated finance flows is crucial for undermining the economic incentives driving cybercrime and for improving our ability to attribute attacks to specific actors or groups. Investment in advanced technologies and methodologies to track complex financial trails will be essential in strengthening our overall deterrence and cost imposition strategies.

With these considerations in mind, we propose the following recommendations to enhance the United States' ability to impose costs and deter malicious cyber activities:

This recommendation calls for the establishment of a robust system to identify and prioritize critical entities, with a particular focus on Systemically Important Entities. This system, to be developed and maintained by CISA, should define clear rules, benefits, and burdens for designated entities. The system should define clear rules, benefits, and burdens for designated entities. Benefits might include enhanced government support, access to threat intelligence, and participation in specialized cybersecurity programs. Conversely, SIEs may be required to meet more stringent security standards and reporting requirements.

Implementing this system will provide a clear framework for allocating resources and prioritizing cybersecurity efforts across various sectors. It will also facilitate more targeted and effective collaboration.

In the ever-evolving landscape of cyber threats, the concept of resilience has become paramount. No longer is it sufficient to merely withstand attacks; organizations must be prepared to maintain operational continuity and rapidly recover from disruptive cyber incidents.43 This shift requires a fundamental change in our approach to cybersecurity, moving from a reactive stance to a proactive risk reduction posture.

One of the most pressing issues in this evolving landscape is the identification and protection of our most critical assets. The concept of Systemically Important Entities has emerged as a crucial framework for prioritizing cybersecurity efforts. These are organizations whose compromise could have significant cascading effects on national security, economic stability, or public health and safety. By focusing on SIEs, we can ensure that our most vital assets receive the highest level of protection and support.

However, the challenges extend beyond just identifying critical entities. The increasing reliance on cloud services introduces new vulnerabilities that must be addressed. Cloud environments present unique security challenges, including multi-tenancy risks and supply chain vulnerabilities. Establishing comprehensive standards and certification processes for cloud security and resilience, particularly for critical infrastructure and SIEs, is essential to mitigate these risks.44

While cloud environments present unique security challenges, they also offer significant security advantages. Cloud service providers often have more robust security measures, regular updates, and dedicated security teams that can enhance an organization's overall security posture. The scalability and flexibility of cloud services also allow for more rapid response to emerging threats.

The convergence of information technology and operational technology systems presents both opportunities and challenges. Physical systems are increasingly digitized, censored, and interconnected. As the lines between these domains blur, organizations face unprecedented complexity in safeguarding their digital assets, an increasing volume of data, and critical infrastructure. This convergence necessitates a comprehensive strategy that addresses both the technological and operational aspects of cybersecurity.

The distinct nature of OT systems requires special consideration and recognition of the specialized needs for securing these systems. Traditional IT security approaches may not be sufficient or appropriate for OT environments, which often involve legacy systems and have different operational requirements. Developing sector-specific security standards aligned to other non-cyber standards prevalent in OT system requirements, and that address both IT and OT systems is crucial to ensure comprehensive protection across all critical infrastructure sectors.

The cybersecurity landscape is further complicated by the rapid growth of technology startups, which often develop critical components or services used across various sectors. Recent incidents, such as the SolarWinds breach, highlight the potential for supply chain vulnerabilities originating from these younger companies.45 Startups, while driving innovation, may lack the resources or experience to implement robust cybersecurity measures, especially in their early stages. This gap presents a twofold challenge: ensuring that startups adhere to appropriate cybersecurity standards and safeguarding the investment processes in these companies to prevent potential exploitation by foreign adversaries seeking access to emerging technologies. Addressing these challenges requires a delicate balance between fostering innovation and maintaining security, potentially through tailored cybersecurity guidelines for startups and enhanced scrutiny of early-stage investments in critical technology areas.

As we strengthen our technological defenses, we must not overlook the human element of cybersecurity. Malign cyber influence operations pose a significant threat to societal resilience, if not to the foundational elements of Democracy. These operations, often orchestrated by foreign actors, aim to manipulate public opinion, sow discord, and undermine trust in institutions. Countering these threats requires a multifaceted approach that combines law enforcement efforts, proactive engagement strategies, and public awareness initiatives.

Finally, as the scale and sophistication of cyber threats continue to grow, we must consider innovative approaches to risk management. The concept of the federal government serving as an "insurer of last resort" for catastrophic cyber events merits serious examination. Such a model, similar to the TRIA (Terrorism Risk Insurance Act),46 could provide a crucial backstop for the cyber insurance market while incentivizing organizations to improve their cybersecurity posture while strengthening economic and societal resilience.

To address these multifaceted challenges and enhance our national cybersecurity resilience, we propose the following recommendations:

Recognizing the distinct nature of IT and OT environments, this recommendation calls for the development of sector-specific security standards that address both domains. These standards should take into account the unique operational requirements and constraints of each sector, from energy and healthcare to manufacturing and transportation, and recognize that these sectors typically have a mix of regulatory requirements, guidelines, and standards – and gaps where none of these are present. Many OT sectors are regulated for safety and not explicitly for security and data privacy. To be effective in advancing cybersecurity, a holistic understanding of how these guidelines intersect is needed, as well as a shared view among stakeholders of what the end state goal is for a policy architecture to achieve improved cybersecurity.

To drive adoption, we propose creating incentives for critical infrastructure owners and operators to invest in cybersecurity improvements. These could include tax breaks, preferential contracting for entities meeting enhanced standards, or access to specialized government resources and support. The standards should also address both the growing importance of the Industrial Internet of Things in OT environments and requirements that are distinct from IIoT, ensuring that security measures can scale with technological advancements.

In the ever-evolving landscape of cyber threats, the concept of resilience has become paramount. No longer is it sufficient to merely withstand attacks; organizations must be prepared to maintain operational continuity and rapidly recover from disruptive cyber incidents.43 This shift requires a fundamental change in our approach to cybersecurity, moving from a reactive stance to a proactive risk reduction posture.

One of the most pressing issues in this evolving landscape is the identification and protection of our most critical assets. The concept of Systemically Important Entities has emerged as a crucial framework for prioritizing cybersecurity efforts. These are organizations whose compromise could have significant cascading effects on national security, economic stability, or public health and safety. By focusing on SIEs, we can ensure that our most vital assets receive the highest level of protection and support.

However, the challenges extend beyond just identifying critical entities. The increasing reliance on cloud services introduces new vulnerabilities that must be addressed. Cloud environments present unique security challenges, including multi-tenancy risks and supply chain vulnerabilities. Establishing comprehensive standards and certification processes for cloud security and resilience, particularly for critical infrastructure and SIEs, is essential to mitigate these risks.44

While cloud environments present unique security challenges, they also offer significant security advantages. Cloud service providers often have more robust security measures, regular updates, and dedicated security teams that can enhance an organization's overall security posture. The scalability and flexibility of cloud services also allow for more rapid response to emerging threats.

The convergence of information technology and operational technology systems presents both opportunities and challenges. Physical systems are increasingly digitized, censored, and interconnected. As the lines between these domains blur, organizations face unprecedented complexity in safeguarding their digital assets, an increasing volume of data, and critical infrastructure. This convergence necessitates a comprehensive strategy that addresses both the technological and operational aspects of cybersecurity.

The distinct nature of OT systems requires special consideration and recognition of the specialized needs for securing these systems. Traditional IT security approaches may not be sufficient or appropriate for OT environments, which often involve legacy systems and have different operational requirements. Developing sector-specific security standards aligned to other non-cyber standards prevalent in OT system requirements, and that address both IT and OT systems is crucial to ensure comprehensive protection across all critical infrastructure sectors.

The cybersecurity landscape is further complicated by the rapid growth of technology startups, which often develop critical components or services used across various sectors. Recent incidents, such as the SolarWinds breach, highlight the potential for supply chain vulnerabilities originating from these younger companies.45 Startups, while driving innovation, may lack the resources or experience to implement robust cybersecurity measures, especially in their early stages. This gap presents a twofold challenge: ensuring that startups adhere to appropriate cybersecurity standards and safeguarding the investment processes in these companies to prevent potential exploitation by foreign adversaries seeking access to emerging technologies. Addressing these challenges requires a delicate balance between fostering innovation and maintaining security, potentially through tailored cybersecurity guidelines for startups and enhanced scrutiny of early-stage investments in critical technology areas.

As we strengthen our technological defenses, we must not overlook the human element of cybersecurity. Malign cyber influence operations pose a significant threat to societal resilience, if not to the foundational elements of Democracy. These operations, often orchestrated by foreign actors, aim to manipulate public opinion, sow discord, and undermine trust in institutions. Countering these threats requires a multifaceted approach that combines law enforcement efforts, proactive engagement strategies, and public awareness initiatives.

Finally, as the scale and sophistication of cyber threats continue to grow, we must consider innovative approaches to risk management. The concept of the federal government serving as an "insurer of last resort" for catastrophic cyber events merits serious examination. Such a model, similar to the TRIA (Terrorism Risk Insurance Act),46 could provide a crucial backstop for the cyber insurance market while incentivizing organizations to improve their cybersecurity posture while strengthening economic and societal resilience.

To address these multifaceted challenges and enhance our national cybersecurity resilience, we propose the following recommendations:

This recommendation proposes examining models that position the federal government as an "insurer of last resort" for catastrophic cyber events. Similar to the TRIA model, this approach could provide a crucial backstop for the cyber insurance market, which is facing significant challenges that may lead to a reduction in available coverage.

Key elements of this model should include clearly defined activation thresholds, requirements for insurers to cover a percentage of losses before government assistance activates, a loss-sharing structure, liability caps on governmental exposure, and mechanisms for the government to recoup payments over time. The model should aim to support and stabilize the existing cyber insurance market, not replace it. It should also incorporate a common framework for assessing cyber risks and standards of care for different operational technology verticals. Importantly, entities seeking to benefit from this backstop must first take substantial risk reduction steps, incentivizing improved cybersecurity practices across the board while mitigating moral hazard concerns.

In the ever-evolving landscape of cyber threats, the concept of resilience has become paramount. No longer is it sufficient to merely withstand attacks; organizations must be prepared to maintain operational continuity and rapidly recover from disruptive cyber incidents.43 This shift requires a fundamental change in our approach to cybersecurity, moving from a reactive stance to a proactive risk reduction posture.

One of the most pressing issues in this evolving landscape is the identification and protection of our most critical assets. The concept of Systemically Important Entities has emerged as a crucial framework for prioritizing cybersecurity efforts. These are organizations whose compromise could have significant cascading effects on national security, economic stability, or public health and safety. By focusing on SIEs, we can ensure that our most vital assets receive the highest level of protection and support.

However, the challenges extend beyond just identifying critical entities. The increasing reliance on cloud services introduces new vulnerabilities that must be addressed. Cloud environments present unique security challenges, including multi-tenancy risks and supply chain vulnerabilities. Establishing comprehensive standards and certification processes for cloud security and resilience, particularly for critical infrastructure and SIEs, is essential to mitigate these risks.44

While cloud environments present unique security challenges, they also offer significant security advantages. Cloud service providers often have more robust security measures, regular updates, and dedicated security teams that can enhance an organization's overall security posture. The scalability and flexibility of cloud services also allow for more rapid response to emerging threats.

The convergence of information technology and operational technology systems presents both opportunities and challenges. Physical systems are increasingly digitized, censored, and interconnected. As the lines between these domains blur, organizations face unprecedented complexity in safeguarding their digital assets, an increasing volume of data, and critical infrastructure. This convergence necessitates a comprehensive strategy that addresses both the technological and operational aspects of cybersecurity.

The distinct nature of OT systems requires special consideration and recognition of the specialized needs for securing these systems. Traditional IT security approaches may not be sufficient or appropriate for OT environments, which often involve legacy systems and have different operational requirements. Developing sector-specific security standards aligned to other non-cyber standards prevalent in OT system requirements, and that address both IT and OT systems is crucial to ensure comprehensive protection across all critical infrastructure sectors.

The cybersecurity landscape is further complicated by the rapid growth of technology startups, which often develop critical components or services used across various sectors. Recent incidents, such as the SolarWinds breach, highlight the potential for supply chain vulnerabilities originating from these younger companies.45 Startups, while driving innovation, may lack the resources or experience to implement robust cybersecurity measures, especially in their early stages. This gap presents a twofold challenge: ensuring that startups adhere to appropriate cybersecurity standards and safeguarding the investment processes in these companies to prevent potential exploitation by foreign adversaries seeking access to emerging technologies. Addressing these challenges requires a delicate balance between fostering innovation and maintaining security, potentially through tailored cybersecurity guidelines for startups and enhanced scrutiny of early-stage investments in critical technology areas.

As we strengthen our technological defenses, we must not overlook the human element of cybersecurity. Malign cyber influence operations pose a significant threat to societal resilience, if not to the foundational elements of Democracy. These operations, often orchestrated by foreign actors, aim to manipulate public opinion, sow discord, and undermine trust in institutions. Countering these threats requires a multifaceted approach that combines law enforcement efforts, proactive engagement strategies, and public awareness initiatives.

Finally, as the scale and sophistication of cyber threats continue to grow, we must consider innovative approaches to risk management. The concept of the federal government serving as an "insurer of last resort" for catastrophic cyber events merits serious examination. Such a model, similar to the TRIA (Terrorism Risk Insurance Act),46 could provide a crucial backstop for the cyber insurance market while incentivizing organizations to improve their cybersecurity posture while strengthening economic and societal resilience.

To address these multifaceted challenges and enhance our national cybersecurity resilience, we propose the following recommendations:

The Department of State should significantly enhance its cyber diplomacy capabilities to effectively lead U.S. efforts in shaping the international cyber environment. This comprehensive strengthening should begin with the development of a robust international cybersecurity engagement strategy that aligns diplomatic efforts with national security and economic objectives. Such a strategy would provide a cohesive framework for the United States' global cyber engagements, ensuring that diplomatic initiatives are coordinated and mutually reinforcing across different regions and issue areas.

Central to this effort should be an expansion of the role and resources of the Bureau of Cyberspace and Digital Policy. This bureau should be empowered to serve as the focal point for coordinating cyber diplomacy efforts across the U.S. government, as well as engaging with international partners. To support this expanded role, the State Department should increase the number and capacity of cyber attachés at key U.S. embassies. These attachés would play a crucial role in enhancing international cooperation and information sharing on cyber threats and best practices, serving as on-the-ground experts who can build relationships with host country counterparts and facilitate rapid response to emerging cyber issues.

While strengthening the State Department's capabilities, it's essential to foster closer coordination with other agencies that have international cyber programs. For instance, the FBI's cyber attaché program provides valuable law enforcement expertise and connections, while the Department of Defense's cyber capacity-building initiatives offer important military and strategic perspectives. By coordinating these efforts under a unified diplomatic strategy, the United States can leverage the unique capabilities of each agency while presenting a coherent and comprehensive approach to international partners. This coordinated approach would enhance the U.S.'s ability to shape global cyber norms, respond to threats, and build the capacity of allies and partners to secure themselves against cyber threats.

In an increasingly interconnected digital world, the United States faces both unprecedented opportunities and challenges in shaping the international cyber landscape. As cyber threats evolve and transcend national borders, the importance of robust international partnerships and cooperation in cybersecurity has never been more critical. The 2023 Cyber Strategy of The Department of Defense aptly recognizes allies and partners as America's "foundational advantage in the cyber domain," highlighting the need for a comprehensive and coordinated approach to international cyber engagement.

The global cyber environment is characterized by a complex interplay of state and non-state actors, rapidly advancing technologies, and competing visions for the future of the internet. In this context, the United States must leverage its diplomatic, economic, and technological strengths to promote an open, secure, and interoperable global internet while countering authoritarian models that seek to restrict freedom and stifle innovation. This effort requires a multifaceted strategy that encompasses robust cyber diplomacy, active participation in international standards-setting bodies, and close collaboration with like-minded nations and private sector partners.

Central to this endeavor is the role of the U.S. Department of State in spearheading cyber diplomacy efforts. As the primary agency responsible for conducting U.S. foreign policy, the State Department is uniquely positioned to lead in shaping the international cyber environment. However, to fully realize this potential, there is a pressing need to strengthen and expand the department's cyber diplomacy capabilities, ensuring they are commensurate with the growing importance of cyber issues in international relations.

Simultaneously, the United States must redouble its efforts to promote and protect a free, open, and secure internet globally. This vision stands in stark contrast to authoritarian models, exemplified by China's approach, which seeks to exert strict control over information flows and digital infrastructure. By developing and advocating for an affirmative vision of an open internet, the U.S. can help safeguard fundamental freedoms, foster innovation, and promote economic growth on a global scale.

Enhancing international cooperation on cybersecurity standards represents another critical avenue for shaping the global cyber environment. As digital technologies become increasingly integrated into critical infrastructure and everyday life, the importance of robust, widely adopted cybersecurity standards cannot be overstated. The United States must take a leadership role in international standards-setting bodies, leveraging both government expertise and private sector innovation to ensure that emerging standards align with values of openness, security, and interoperability.

It is crucial to recognize that shaping the international cyber environment is not solely the purview of government agencies. Private sector entities, civil society organizations, and individual experts all play vital roles in this ecosystem. Encouraging and facilitating their participation in international forums and standards development processes can significantly amplify the U.S.'s influence and ensure that diverse perspectives are represented.

The interconnected nature of cybersecurity, digital infrastructure policy, and economic development presents both challenges and opportunities. As nations around the world seek to modernize their digital infrastructure, the United States has a strategic interest in promoting secure and reliable solutions. This not only helps allies and partners avoid potentially compromised equipment but also creates economic opportunities for U.S. companies and strengthens global cyber resilience.

Addressing the challenge of attribution in cyberspace requires enhanced international cooperation. Developing mechanisms for sharing intelligence and technical analysis related to cyber incidents with allies and partners can improve collective defense capabilities and serve as a deterrent to malicious actors. Similarly, expanding bilateral and multilateral research and development initiatives on cybersecurity can foster innovation and strengthen ties with key allies.

As we navigate this complex landscape, it is essential to maintain flexibility and adaptability in our approach. The rapid pace of technological change and the evolving nature of cyber threats demand that international cooperation mechanisms be agile and responsive. By fostering a culture of continuous learning and adaptation, the United States can stay at the forefront of global cybersecurity efforts.

In light of these considerations, we propose the following recommendations to enhance the United States' ability to shape the international cyber environment:

The United States should increase its leadership, participation, consistency, and quality in international standards-setting bodies related to cybersecurity and emerging technologies. To effectively coordinate these efforts across the approximately 19 different agencies involved in international cyber initiatives, a clear "quarterback" role should be established within the U.S. government. This quarterback, potentially positioned within the Office of the National Cyber Director or the National Security Council, would be responsible for aligning and directing U.S. efforts in international cybersecurity cooperation and standards development.

This effort should start with a concerted push to increase both U.S. government and private sector participation in international standards development processes, particularly in areas related to critical and emerging technologies. By having a strong presence in these forums, the U.S. can ensure that developing standards align with its values of openness, security, and interoperability. This increased participation is crucial, as other nations have been aggressively promoting their technical standards in these bodies, often outnumbering U.S. representatives by significant margins.

To facilitate this increased participation, the U.S. should create incentives for private sector experts to engage in international standards development processes. These incentives could include grants, tax benefits, or recognition programs that highlight the importance of this work to national security and economic competitiveness. The government should also work to streamline the process for private sector experts to participate in these forums, reducing bureaucratic barriers that might otherwise discourage involvement.

A national program office should be established to identify incentives and remove barriers to participation. This office should develop approaches to incentivize consistent, long-term participation by technical experts from National Labs, universities, and other research institutions, focusing particularly on emerging technologies prior to commercialization.

The CHIPS Act provides a valuable opportunity to support U.S. leadership in international standards and cybersecurity cooperation. Funds and programs established under this act should be leveraged to bolster U.S. expertise in key technology areas and support participation in international standards forums. This approach can help ensure that U.S. technological leadership translates into influence over the global standards that will shape the future of cybersecurity and emerging technologies.

In line with the National Standards Strategy for Critical and Emerging Technology, efforts should be made to enhance U.S. and like-minded nations' representation and influence in international standards governance and leadership. This could involve coordinated campaigns to secure key positions in standards organizations, as well as efforts to build coalitions around shared interests and values in the standards-setting process.

Finally, the U.S. should expand bilateral and multilateral research and development initiatives on cybersecurity with key allies. Programs like the Israel-U.S. Binational Industrial Research and Development Cyber program provide a model for collaborative innovation in cybersecurity. By replicating and expanding such programs with other allies, the U.S. can accelerate the development of cutting-edge cybersecurity technologies while strengthening diplomatic ties and promoting a shared vision of cybersecurity.

The designated quarterback would be responsible for overseeing these various initiatives, ensuring coherent strategy implementation, and serving as the primary point of contact for both interagency coordination and private-sector engagement on international cybersecurity matters. This coordinated approach will help eliminate redundancies, ensure consistent messaging across agencies, and maximize the impact of U.S. efforts in shaping the international cybersecurity landscape.

In an increasingly interconnected digital world, the United States faces both unprecedented opportunities and challenges in shaping the international cyber landscape. As cyber threats evolve and transcend national borders, the importance of robust international partnerships and cooperation in cybersecurity has never been more critical. The 2023 Cyber Strategy of The Department of Defense aptly recognizes allies and partners as America's "foundational advantage in the cyber domain," highlighting the need for a comprehensive and coordinated approach to international cyber engagement.

The global cyber environment is characterized by a complex interplay of state and non-state actors, rapidly advancing technologies, and competing visions for the future of the internet. In this context, the United States must leverage its diplomatic, economic, and technological strengths to promote an open, secure, and interoperable global internet while countering authoritarian models that seek to restrict freedom and stifle innovation. This effort requires a multifaceted strategy that encompasses robust cyber diplomacy, active participation in international standards-setting bodies, and close collaboration with like-minded nations and private sector partners.

Central to this endeavor is the role of the U.S. Department of State in spearheading cyber diplomacy efforts. As the primary agency responsible for conducting U.S. foreign policy, the State Department is uniquely positioned to lead in shaping the international cyber environment. However, to fully realize this potential, there is a pressing need to strengthen and expand the department's cyber diplomacy capabilities, ensuring they are commensurate with the growing importance of cyber issues in international relations.

Simultaneously, the United States must redouble its efforts to promote and protect a free, open, and secure internet globally. This vision stands in stark contrast to authoritarian models, exemplified by China's approach, which seeks to exert strict control over information flows and digital infrastructure. By developing and advocating for an affirmative vision of an open internet, the U.S. can help safeguard fundamental freedoms, foster innovation, and promote economic growth on a global scale.

Enhancing international cooperation on cybersecurity standards represents another critical avenue for shaping the global cyber environment. As digital technologies become increasingly integrated into critical infrastructure and everyday life, the importance of robust, widely adopted cybersecurity standards cannot be overstated. The United States must take a leadership role in international standards-setting bodies, leveraging both government expertise and private sector innovation to ensure that emerging standards align with values of openness, security, and interoperability.

It is crucial to recognize that shaping the international cyber environment is not solely the purview of government agencies. Private sector entities, civil society organizations, and individual experts all play vital roles in this ecosystem. Encouraging and facilitating their participation in international forums and standards development processes can significantly amplify the U.S.'s influence and ensure that diverse perspectives are represented.

The interconnected nature of cybersecurity, digital infrastructure policy, and economic development presents both challenges and opportunities. As nations around the world seek to modernize their digital infrastructure, the United States has a strategic interest in promoting secure and reliable solutions. This not only helps allies and partners avoid potentially compromised equipment but also creates economic opportunities for U.S. companies and strengthens global cyber resilience.

Addressing the challenge of attribution in cyberspace requires enhanced international cooperation. Developing mechanisms for sharing intelligence and technical analysis related to cyber incidents with allies and partners can improve collective defense capabilities and serve as a deterrent to malicious actors. Similarly, expanding bilateral and multilateral research and development initiatives on cybersecurity can foster innovation and strengthen ties with key allies.

As we navigate this complex landscape, it is essential to maintain flexibility and adaptability in our approach. The rapid pace of technological change and the evolving nature of cyber threats demand that international cooperation mechanisms be agile and responsive. By fostering a culture of continuous learning and adaptation, the United States can stay at the forefront of global cybersecurity efforts.

In light of these considerations, we propose the following recommendations to enhance the United States' ability to shape the international cyber environment:

Virtual CISO organizations can provide on-demand cybersecurity leadership and guidance to organizations that cannot afford full-time security executives. This model allows for the sharing of expertise across multiple entities, ensuring that even smaller organizations can benefit from high-level cybersecurity guidance and strategy. Through a mix of public-private collaboration involving NGOs, private sector organizations, and government entities where appropriate, these virtual CISO organizations can be established to meet the varied needs of different sectors. Pooling resources and expertise can help level the playing field for smaller entities while also enhancing the nation's overall cybersecurity posture.

Developing, expanding, and maintaining a skilled cybersecurity workforce is a critical national security imperative. The United States faces a severe shortage of cybersecurity professionals, with hundreds of thousands of positions unfilled across both the public and private sectors. This shortage poses significant risks to our national security, economic prosperity, and ability to innovate in an increasingly digital world. Addressing this challenge requires a comprehensive and multi-faceted approach that focuses on removing barriers to workforce mobility, improving education and training programs, enhancing scholarship initiatives, and promoting diversity in the field. This approach aligns with and builds upon the Office of the National Cyber Director's National Cyber Workforce and Education Strategy, which emphasizes the importance of developing a skilled and diverse cybersecurity workforce.

The cybersecurity workforce shortage is not merely a matter of numbers; it's also about having the right mix of skills and expertise to address the complex and evolving nature of cyber threats. From defending critical infrastructure to protecting sensitive data and responding to sophisticated cyber attacks, the demands on cybersecurity professionals are constantly adapting. Additionally, all professions, from engineering to accounting to nursing, need professionals who understand how cybersecurity applies to the digital systems that are now an inherent part of their professions. Programs like the implementation of the National Cyber-Informed Engineering Strategy and its focus on inculcating cybersecurity principles in engineering design represent an exemplar of best practices for driving cyber into the practices and requirements of disciplines. This reality necessitates a workforce that is not only larger but also more flexible, diverse, and continuously learning.

The severe shortage of qualified professionals disproportionately affects smaller and rural organizations. This shortage is twofold: these entities often lack the financial resources to compete for scarce cybersecurity talent, and the limited pool of available professionals tends to gravitate toward larger, more urban organizations offering competitive salaries and career advancement opportunities. As a result, smaller and more rural organizations frequently find themselves without adequate cybersecurity expertise, leaving them arguably more vulnerable to attacks. This vulnerability extends beyond the individual organizations by creating potential weak links in larger supply chain networks. The ripple effects of these vulnerabilities can cascade through sectors and the economy.

Another obstacle is the lack of mobility between public and private sector roles. Currently, there are substantial barriers that prevent cybersecurity professionals from easily transitioning between government and industry positions. This lack of mobility limits the cross-pollination of ideas and experiences that could greatly benefit both sectors. It also restricts the ability of the government to tap into the expertise of private sector professionals during times of crisis or for specific high-priority projects.

The education and training pipeline for cybersecurity professionals also needs attention. Currently, a lack of standardized cybersecurity education at the K-12 level limits the pipeline of future cyber professionals. At the higher-education level, programs like the CyberCorps, the National Centers of Academic Excellence in Cybersecurity (NCAE-C) program, and Scholarships for Service have been effective and are continuing to evolve, but they are also limited in scale and scope and are challenged to keep pace with the emerging range of cybersecurity specialties needed in today's workforce.

Furthermore, rapidly evolving cyber threats mean that cybersecurity education cannot stop at formal schooling. There's a critical need for continuous learning and upskilling throughout a cybersecurity professional's career. This need for lifelong learning poses challenges for both individuals and organizations in terms of time, resources, and access to cutting-edge training.

Diversity in the cybersecurity workforce is another crucial area that requires attention. The field currently suffers from a lack of diversity in terms of gender, race, and background. This lack of diversity not only limits the pool of available talent but also narrows the range of perspectives and ideas brought to bear on cybersecurity challenges. A more diverse workforce can lead to more innovative solutions and a better understanding of the wide range of users and systems that need protection.

To address these challenges, we propose a...

These flexible arrangements would enable cybersecurity professionals to contribute their skills and knowledge to government projects without requiring a full-time commitment, thereby increasing the pool of available talent for critical public sector initiatives. This could include policies for sabbaticals, job rotations, or project-based assignments that allow professionals to move between sectors more easily. Such flexibility could also help in retaining talent by offering diverse career experiences and opportunities for growth.

Developing, expanding, and maintaining a skilled cybersecurity workforce is a critical national security imperative. The United States faces a severe shortage of cybersecurity professionals, with hundreds of thousands of positions unfilled across both the public and private sectors. This shortage poses significant risks to our national security, economic prosperity, and ability to innovate in an increasingly digital world. Addressing this challenge requires a comprehensive and multi-faceted approach that focuses on removing barriers to workforce mobility, improving education and training programs, enhancing scholarship initiatives, and promoting diversity in the field. This approach aligns with and builds upon the Office of the National Cyber Director's National Cyber Workforce and Education Strategy, which emphasizes the importance of developing a skilled and diverse cybersecurity workforce.

The cybersecurity workforce shortage is not merely a matter of numbers; it's also about having the right mix of skills and expertise to address the complex and evolving nature of cyber threats. From defending critical infrastructure to protecting sensitive data and responding to sophisticated cyber attacks, the demands on cybersecurity professionals are constantly adapting. Additionally, all professions, from engineering to accounting to nursing, need professionals who understand how cybersecurity applies to the digital systems that are now an inherent part of their professions. Programs like the implementation of the National Cyber-Informed Engineering Strategy and its focus on inculcating cybersecurity principles in engineering design represent an exemplar of best practices for driving cyber into the practices and requirements of disciplines. This reality necessitates a workforce that is not only larger but also more flexible, diverse, and continuously learning.

The severe shortage of qualified professionals disproportionately affects smaller and rural organizations. This shortage is twofold: these entities often lack the financial resources to compete for scarce cybersecurity talent, and the limited pool of available professionals tends to gravitate toward larger, more urban organizations offering competitive salaries and career advancement opportunities. As a result, smaller and more rural organizations frequently find themselves without adequate cybersecurity expertise, leaving them arguably more vulnerable to attacks. This vulnerability extends beyond the individual organizations by creating potential weak links in larger supply chain networks. The ripple effects of these vulnerabilities can cascade through sectors and the economy.

Another obstacle is the lack of mobility between public and private sector roles. Currently, there are substantial barriers that prevent cybersecurity professionals from easily transitioning between government and industry positions. This lack of mobility limits the cross-pollination of ideas and experiences that could greatly benefit both sectors. It also restricts the ability of the government to tap into the expertise of private sector professionals during times of crisis or for specific high-priority projects.

The education and training pipeline for cybersecurity professionals also needs attention. Currently, a lack of standardized cybersecurity education at the K-12 level limits the pipeline of future cyber professionals. At the higher-education level, programs like the CyberCorps, the National Centers of Academic Excellence in Cybersecurity (NCAE-C) program, and Scholarships for Service have been effective and are continuing to evolve, but they are also limited in scale and scope and are challenged to keep pace with the emerging range of cybersecurity specialties needed in today's workforce.

Furthermore, rapidly evolving cyber threats mean that cybersecurity education cannot stop at formal schooling. There's a critical need for continuous learning and upskilling throughout a cybersecurity professional's career. This need for lifelong learning poses challenges for both individuals and organizations in terms of time, resources, and access to cutting-edge training.

Diversity in the cybersecurity workforce is another crucial area that requires attention. The field currently suffers from a lack of diversity in terms of gender, race, and background. This lack of diversity not only limits the pool of available talent but also narrows the range of perspectives and ideas brought to bear on cybersecurity challenges. A more diverse workforce can lead to more innovative solutions and a better understanding of the wide range of users and systems that need protection.

To address these challenges, we propose a...

By broadening the scope of these scholarship and academic excellence programs, we can attract a more diverse pool of candidates and address the need for specialized skills in emerging areas of cybersecurity. This expansion should include support for associate's degrees, certifications, and other non-traditional educational paths, recognizing that valuable cybersecurity skills can be developed through various routes. The expanded programs should also focus on areas of critical need, such as industrial control systems security, engineering, artificial intelligence in cybersecurity, and secure software development.

Developing, expanding, and maintaining a skilled cybersecurity workforce is a critical national security imperative. The United States faces a severe shortage of cybersecurity professionals, with hundreds of thousands of positions unfilled across both the public and private sectors. This shortage poses significant risks to our national security, economic prosperity, and ability to innovate in an increasingly digital world. Addressing this challenge requires a comprehensive and multi-faceted approach that focuses on removing barriers to workforce mobility, improving education and training programs, enhancing scholarship initiatives, and promoting diversity in the field. This approach aligns with and builds upon the Office of the National Cyber Director's National Cyber Workforce and Education Strategy, which emphasizes the importance of developing a skilled and diverse cybersecurity workforce.

The cybersecurity workforce shortage is not merely a matter of numbers; it's also about having the right mix of skills and expertise to address the complex and evolving nature of cyber threats. From defending critical infrastructure to protecting sensitive data and responding to sophisticated cyber attacks, the demands on cybersecurity professionals are constantly adapting. Additionally, all professions, from engineering to accounting to nursing, need professionals who understand how cybersecurity applies to the digital systems that are now an inherent part of their professions. Programs like the implementation of the National Cyber-Informed Engineering Strategy and its focus on inculcating cybersecurity principles in engineering design represent an exemplar of best practices for driving cyber into the practices and requirements of disciplines. This reality necessitates a workforce that is not only larger but also more flexible, diverse, and continuously learning.

The severe shortage of qualified professionals disproportionately affects smaller and rural organizations. This shortage is twofold: these entities often lack the financial resources to compete for scarce cybersecurity talent, and the limited pool of available professionals tends to gravitate toward larger, more urban organizations offering competitive salaries and career advancement opportunities. As a result, smaller and more rural organizations frequently find themselves without adequate cybersecurity expertise, leaving them arguably more vulnerable to attacks. This vulnerability extends beyond the individual organizations by creating potential weak links in larger supply chain networks. The ripple effects of these vulnerabilities can cascade through sectors and the economy.

Another obstacle is the lack of mobility between public and private sector roles. Currently, there are substantial barriers that prevent cybersecurity professionals from easily transitioning between government and industry positions. This lack of mobility limits the cross-pollination of ideas and experiences that could greatly benefit both sectors. It also restricts the ability of the government to tap into the expertise of private sector professionals during times of crisis or for specific high-priority projects.

The education and training pipeline for cybersecurity professionals also needs attention. Currently, a lack of standardized cybersecurity education at the K-12 level limits the pipeline of future cyber professionals. At the higher-education level, programs like the CyberCorps, the National Centers of Academic Excellence in Cybersecurity (NCAE-C) program, and Scholarships for Service have been effective and are continuing to evolve, but they are also limited in scale and scope and are challenged to keep pace with the emerging range of cybersecurity specialties needed in today's workforce.

Furthermore, rapidly evolving cyber threats mean that cybersecurity education cannot stop at formal schooling. There's a critical need for continuous learning and upskilling throughout a cybersecurity professional's career. This need for lifelong learning poses challenges for both individuals and organizations in terms of time, resources, and access to cutting-edge training.

Diversity in the cybersecurity workforce is another crucial area that requires attention. The field currently suffers from a lack of diversity in terms of gender, race, and background. This lack of diversity not only limits the pool of available talent but also narrows the range of perspectives and ideas brought to bear on cybersecurity challenges. A more diverse workforce can lead to more innovative solutions and a better understanding of the wide range of users and systems that need protection.

To address these challenges, we propose a...

Critical and Emerging Technologies List

The Office of Science and Technology Policy, in collaboration with the Department of Commerce and other relevant agencies, should evolve and maintain a unified list of critical and emerging technologies. This effort should incorporate insights from existing initiatives, such as the National Academies of Sciences, Engineering, and Medicine's study to refresh the "Cyber Hard Problem List." This consolidated list will serve as a crucial tool for identifying and prioritizing technologies that are vital to U.S. national security, economic resilience, and economic competitiveness. A cross-agency task force should be created to continuously assess and update this list, evaluating new technologies and their potential implications. Clear criteria and processes for adding to and removing technologies from the list must be established, striking a balance between protection needs and innovation concerns.

Prohibited Entities List

Separately, the Department of Commerce should consolidate existing lists of prohibited entities into a single, authoritative list. This list will identify companies, organizations, and individuals that pose security risks or are subject to restrictions due to national security concerns. The consolidation will enhance coordination across government agencies and simplify industry compliance.

To ensure the ongoing relevance and effectiveness of both lists, regular updates will be essential to reflect the rapidly evolving technological and geopolitical landscape. These lists should be considered holistically in developing national priorities and enhancing supply chain security efforts. This approach will ensure that the United States remains proactive in identifying and protecting critical technologies while also maintaining clear guidelines on restricted entities.

The United States faces both great opportunities and significant challenges in maintaining its global leadership in critical and emerging technologies. These technologies, including artificial intelligence, quantum computing, and advanced semiconductors, have profound implications for national security. As such, it is imperative that the United States adopt a comprehensive, strategic, and proactive approach to identifying, protecting, and promoting its leadership in these key areas while simultaneously addressing the associated cybersecurity risks.

The U.S. government has already taken important steps in this direction, such as the issuance of National Security Memorandum 10, which mandates the implementation of quantum-resistant cryptography across government systems. Additionally, National Security Memorandum 33 has addressed the critical issue of research security, aiming to protect America's research enterprise from foreign interference and exploitation while maintaining an open and collaborative scientific environment.

The landscape of critical and emerging technologies is constantly evolving, necessitating a dynamic and adaptable strategy. Currently, the U.S. government's approach to managing these technologies is fragmented, with multiple agencies maintaining separate lists and oversight mechanisms. Also, government budget cycles also slow down agility in meeting emerging challenges. This disjointed approach hinders effective coordination and can lead to gaps in protection or, conversely, unnecessary duplication of efforts. To address this, a unified and comprehensive approach is essential.

One of the primary challenges in this domain is the identification and protection of critical technologies. The current system, where multiple agencies such as the Departments of Commerce and State, as well as the Intelligence Community, maintain separate lists, is inefficient and potentially leaves vulnerabilities. A consolidated, authoritative list managed by a single entity would significantly enhance the government's ability to protect these crucial technologies and ensure a coordinated response across all relevant agencies.

An emerging concern in this landscape is the potential exploitation of early-stage investment processes in critical technology startups. While mechanisms like the Committee on Foreign Investment in the United States provide oversight for many foreign investments, there may be loopholes in early-stage funding that could allow adversarial nations to gain access to critical technologies. This issue is particularly pertinent for cybersecurity and other advanced technology startups, where even minority investments in venture capital funds could have significant national security implications. Addressing these vulnerabilities requires a delicate balance between maintaining an open investment environment that fosters innovation and ensuring that critical technologies are adequately protected from potential exploitation by foreign adversaries.

Moreover, the rapid pace of technological innovation requires a continuous assessment of emerging technologies and their potential national security implications. This ongoing evaluation is crucial not only for updating protection lists but also for informing policy decisions and research priorities. It's also equally important to establish clear criteria for removing technologies from protection lists when appropriate to avoid stifling innovation and economic growth.

The security of technology supply chains is another critical aspect that demands immediate attention. Recent global events, including the COVID-19 pandemic and geopolitical tensions, have highlighted the vulnerabilities in our current supply chain systems, particularly for critical components and technologies. Supply chain security is not a future problem; we are operating in a compromised environment today. Consequently, a national strategy for securing technology supply chains and making sure critical elements are available is essential, focusing not only on critical components but also on reducing dependence on potentially adversarial nations through reshoring or friend-shoring initiatives.

Emerging technologies, particularly in the realm of quantum computing, pose unique challenges to our current cybersecurity paradigms. The potential of quantum computers to break many of our current encryption methods necessitates a proactive approach to developing and implementing quantum-safe cryptography. This transition is not a simple task and requires a comprehensive evaluation at the programmatic level across government systems and critical infrastructure.

To maintain its technological edge, the United States must also focus on promoting leadership in key technology areas. The CHIPS and Science Act and other recent legislation represent a crucial, strategic reversal in the decades-long erosion of U.S. national research and development spending. We need to not only continue rebuilding our national investment in R&D and developing our nation’s R&D infrastructure but also ensure that technology investments include requirements for security and resilience. This involves not just increased funding for research and development but strategic investment in areas that will secure America's competitive advantage. However, this investment must be balanced and coordinated to avoid duplication of efforts and ensure maximum impact.

In light of these challenges and opportunities, we propose the following recommendations:

A comprehensive plan for transitioning government systems and critical infrastructure to quantum-safe cryptography is essential. This plan should begin with a thorough assessment of current systems and infrastructure to identify vulnerabilities to quantum computing attacks. Based on this assessment, agency-specific plans for transitioning to post-quantum encryption should be developed, addressing unique challenges and timelines for each agency. The plan should establish clear milestones and deadlines for the implementation of quantum-safe cryptography across different sectors and systems, ensuring a coordinated and timely transition. Adequate resources must be allocated for research, development, and implementation of quantum-safe cryptographic solutions, recognizing that this transition is a significant undertaking that requires substantial investment in both technology and expertise.

The United States faces both great opportunities and significant challenges in maintaining its global leadership in critical and emerging technologies. These technologies, including artificial intelligence, quantum computing, and advanced semiconductors, have profound implications for national security. As such, it is imperative that the United States adopt a comprehensive, strategic, and proactive approach to identifying, protecting, and promoting its leadership in these key areas while simultaneously addressing the associated cybersecurity risks.

The U.S. government has already taken important steps in this direction, such as the issuance of National Security Memorandum 10, which mandates the implementation of quantum-resistant cryptography across government systems. Additionally, National Security Memorandum 33 has addressed the critical issue of research security, aiming to protect America's research enterprise from foreign interference and exploitation while maintaining an open and collaborative scientific environment.

The landscape of critical and emerging technologies is constantly evolving, necessitating a dynamic and adaptable strategy. Currently, the U.S. government's approach to managing these technologies is fragmented, with multiple agencies maintaining separate lists and oversight mechanisms. Also, government budget cycles also slow down agility in meeting emerging challenges. This disjointed approach hinders effective coordination and can lead to gaps in protection or, conversely, unnecessary duplication of efforts. To address this, a unified and comprehensive approach is essential.

One of the primary challenges in this domain is the identification and protection of critical technologies. The current system, where multiple agencies such as the Departments of Commerce and State, as well as the Intelligence Community, maintain separate lists, is inefficient and potentially leaves vulnerabilities. A consolidated, authoritative list managed by a single entity would significantly enhance the government's ability to protect these crucial technologies and ensure a coordinated response across all relevant agencies.

An emerging concern in this landscape is the potential exploitation of early-stage investment processes in critical technology startups. While mechanisms like the Committee on Foreign Investment in the United States provide oversight for many foreign investments, there may be loopholes in early-stage funding that could allow adversarial nations to gain access to critical technologies. This issue is particularly pertinent for cybersecurity and other advanced technology startups, where even minority investments in venture capital funds could have significant national security implications. Addressing these vulnerabilities requires a delicate balance between maintaining an open investment environment that fosters innovation and ensuring that critical technologies are adequately protected from potential exploitation by foreign adversaries.

Moreover, the rapid pace of technological innovation requires a continuous assessment of emerging technologies and their potential national security implications. This ongoing evaluation is crucial not only for updating protection lists but also for informing policy decisions and research priorities. It's also equally important to establish clear criteria for removing technologies from protection lists when appropriate to avoid stifling innovation and economic growth.

The security of technology supply chains is another critical aspect that demands immediate attention. Recent global events, including the COVID-19 pandemic and geopolitical tensions, have highlighted the vulnerabilities in our current supply chain systems, particularly for critical components and technologies. Supply chain security is not a future problem; we are operating in a compromised environment today. Consequently, a national strategy for securing technology supply chains and making sure critical elements are available is essential, focusing not only on critical components but also on reducing dependence on potentially adversarial nations through reshoring or friend-shoring initiatives.

Emerging technologies, particularly in the realm of quantum computing, pose unique challenges to our current cybersecurity paradigms. The potential of quantum computers to break many of our current encryption methods necessitates a proactive approach to developing and implementing quantum-safe cryptography. This transition is not a simple task and requires a comprehensive evaluation at the programmatic level across government systems and critical infrastructure.

To maintain its technological edge, the United States must also focus on promoting leadership in key technology areas. The CHIPS and Science Act and other recent legislation represent a crucial, strategic reversal in the decades-long erosion of U.S. national research and development spending. We need to not only continue rebuilding our national investment in R&D and developing our nation’s R&D infrastructure but also ensure that technology investments include requirements for security and resilience. This involves not just increased funding for research and development but strategic investment in areas that will secure America's competitive advantage. However, this investment must be balanced and coordinated to avoid duplication of efforts and ensure maximum impact.

In light of these challenges and opportunities, we propose the following recommendations:

SRMAs are crucial in coordinating and managing cybersecurity risks across the U.S. critical infrastructure sectors. However, inadequate funding often limits their ability to provide necessary guidance, share threat intelligence, conduct exercises, and support critical infrastructure owners and operators. To enhance the operational effectiveness of SRMAs, it is essential to substantially increase their budgeting and resourcing across the federal government. This increased funding should be specifically targeted towards enhancing SRMA capabilities in threat analysis, information sharing, exercises, and sector-specific support services. Properly resourcing SRMAs to conduct defined baseline capabilities will empower them to fulfill their expanded duties, implement more robust policies, and bolster national resilience against increasingly sophisticated cyber threats. This financial commitment will ensure SRMAs can lead proactive and coordinated efforts to safeguard critical infrastructure, significantly strengthening the overall cybersecurity posture of the United States.

This increase in funding and resources should explicitly address the unique challenges faced by CISA in its role as SRMA for multiple sectors. The allocation should support a comprehensive review of CISA's SRMA assignments, potentially rationalizing the number of sectors under its purview and ensuring that CISA has the specific resources needed to effectively fulfill its SRMA duties across all assigned sectors. This targeted approach will help address the strain on CISA's resources and improve its effectiveness in coordinating cybersecurity efforts across its designated critical infrastructure sectors.

The rapidly evolving cyber threat landscape has underscored the need for the U.S. government to be properly organized and adequately resourced to safeguard America’s national security and economic stability. Cybersecurity policies are of strategic importance and are foundational to the safe functioning of government, critical infrastructure, and the private sector; they should also ensure the continuity of the economy during significant cyber disruptions. Sector Risk Management Agencies responsible for coordinating critical infrastructure cybersecurity often struggle to provide necessary guidance and support to critical infrastructure owners and operators due to insufficient funding. Without proper resourcing and defined baseline capabilities, SRMAs are unable to fulfill their duties effectively, undermining the nation's overall cybersecurity posture.

There is a need to review and potentially rationalize the number of sectors where CISA serves as SRMA. Currently, CISA is responsible for multiple critical infrastructure sectors, which may strain its resources and dilute its effectiveness. A comprehensive review of critical infrastructure designations and SRMA assignments should be conducted to ensure that each sector receives adequate attention and that CISA's roles as National Coordinator and SRMA are clearly delineated and properly resourced.

Effective cybersecurity management hinges on a critical triad: authority, accountability, and resources. Agencies and agency leaders must have the authority to implement necessary measures, be held accountable for outcomes, and be provided with sufficient resources to execute their responsibilities.

The misalignment between policy objectives and funding is a recurring issue that compromises the effectiveness of national cybersecurity efforts. While the Biden administration has announced a $13 billion investment in cybersecurity for federal civilian agencies in Fiscal Year (FY) 2025, this funding is undermined by critical gaps in allocation.72 Recent appropriations have included notable investments like $2.8 billion for the Cybersecurity and Infrastructure Security Agency,73 but funding for SRMAs remains uneven, often failing to support interagency efforts and collaboration with critical infrastructure owners and operators. These budgetary shortfalls reflect a broader failure among federal agencies to fully recognize their responsibilities.

Several agencies face significant budgetary shortfalls. The office within the U.S. Department of Health and Human Services, which helps hospitals address risks from cyber and physical threats, has requested only a $12-million increase in the FY25 president's budget over the previous year despite a doubling of the number of ransomware attacks against the healthcare and public health sector. The U.S. Department of Agriculture has requested only an additional $500,000 in FY2025 and one full-time employee to support its sector risk management responsibilities.

The Environmental Protection Agency also faces a similar fate. Four years ago, the Cyberspace Solarium Commission recommended $45 million budget as the SRMA for water and wastewater sector cybersecurity support,74 but EPA only provided $11.8 million in funding for FY23, and this is to support 52,000 drinking water and 16,000 wastewater systems, most of which service small- to medium-sized communities of less than 50,000 residents.

Most concerning of all is that the current budget proposal contains no dedicated funding for the U.S. Coast Guard to safeguard the maritime transportation systems subsector despite the fact that the recent Executive Order 1017375 expanded and clarified the Coast Guard’s roles and responsibilities in protecting vessels, harbors, ports, and waterfront facilities from cyber threats. The Coast Guard needs proper resources and personnel to implement the increased requirements.

Despite these problems, there is some good news for critical infrastructure resourcing. The SRMA for the energy sector, the Office of Cybersecurity, Energy Security, and Emergency Response at the Department of Energy, saw a steady funding of $200 million in FY25. With these funds, they are able to offer grant programs, provide training, and conduct exercises and research that support the sector's cybersecurity.

These funding inconsistencies overlook essential programs that aim to strengthen the cyber resilience of U.S. critical infrastructure, which remains vulnerable to cyber threats by adversaries. The failure to define baseline capabilities and adequately resource SRMAs and other key cybersecurity programs not only affects their immediate operational capabilities but also has long-term implications for national security. Without robust funding, these agencies cannot provide the proactive guidance, threat intelligence, exercises, and support necessary to protect critical infrastructure sectors from increasingly sophisticated cyber threats.

CISA has been designated as the national coordinator for critical infrastructure security and resilience under the National Security Memorandum-22. In this role, CISA will ensure SRMAs are fulfilling their responsibilities and identify cross-sector risks. In addition, CISA provides federal civilian government agencies with cybersecurity guidance, technical support, and coordination in working with the private sector. However, for CISA to expand its services effectively and improve its operational capabilities to respond swiftly to emerging threats, enhanced and sustained investment is required.

Furthermore, underfunding of essential programs, such as those supporting foundational research and standards setting, threatens the success of broader cybersecurity efforts. For example, the National Institute of Standards and Technology, tasked with critical roles in developing cybersecurity guidelines and standards, has seen its budget requests consistently fall short. NIST's FY25 budget request proposes only $96.8 million for its cybersecurity and privacy program, below funding levels the Cyberspace Solarium Commission recommended four years ago.76 This chronic underfunding forces NIST to make difficult choices between maintaining its core responsibilities and addressing new high-priority tasks, ultimately jeopardizing its ability to provide the necessary support to both the public and private sectors. Additionally, efforts to modernize federal IT infrastructure should consider findings from the CSIS Commission on Federal Cloud Policy77 to optimize resource allocation and improve efficiency in cloud adoption across agencies.

As cyber threats continue to evolve, so too must the strategies that defend against them. There must be a parallel commitment to addressing funding and capability disparities across SRMAs and a renewed focus on strategic planning to enhance coordination among agencies as a core component of national resilience.

One such area for government-led planning is a national Continuity of the Economy plan, which is essential for restoring critical economic functions in the event of a significant cyber disruption or other natural or manmade disaster. Developing a COTE plan requires gaining comprehensive insights through cyber threat intelligence, national-level tabletop exercises, and stakeholder engagements with the private sector and critical infrastructure owners. Although the FY21 NDAA authorized the development of a COTE plan, the report that the administration belatedly delivered to Congress in August 2023 dismissed the need for additional COTE planning. The report brushed aside gaps in current federal incident response capabilities and failed to grapple with the ways the private sector must participate in the development and implementation of the plan. Fortunately, the next administration will have a chance to reassess the prior report since the legislation mandating the original COTE plan requires updates every three years.

It is crucial to align cybersecurity efforts with the congressional calendar to maximize impact and ensure timely action. Key dates in the 119th Congress that will affect cybersecurity policy and funding include committee assignments in January, posture hearings from February to May, the release of the President's Budget in February or March, NDAA member requests due in April, NDAA markups in May/June, and appropriations markups in June/July. The final passage of the NDAA is likely to occur in December. By proactively planning around these dates, the administration can more effectively advocate for and secure the necessary resources for critical cybersecurity initiatives. This approach will help ensure that cybersecurity priorities are properly addressed in both policy discussions and budget allocations throughout the congressional cycle.

To address these crosscutting resource and policy challenges, we propose a series of recommendations aimed at adequately resourcing federal agencies.

CISA plays a critical role in defending federal civilian networks against increasingly complex cyber threats.80 To effectively fulfill its mission as the national coordinator and lead civilian cybersecurity agency, CISA must be adequately funded and equipped with the necessary resources. This includes not only direct funding for CISA's operations but also continued investments in technology modernization efforts across the federal government. These investments should address both Information Technology and Operational Technology systems, recognizing the critical importance of OT in many sectors of critical infrastructure. Legacy systems across government agencies pose significant security risks, and without proper funding, efforts to secure these systems will continue to fall short. Consider establishing dedicated funding or specific criteria for OT modernization projects within the Technology Modernization Fund to ensure they receive appropriate attention and resources alongside IT initiatives. Robust resourcing for CISA, combined with targeted investments in both IT and OT modernization, will enhance the agency's capacity to detect, mitigate, and respond to cyber incidents across the full spectrum of federal and critical infrastructure systems.

The rapidly evolving cyber threat landscape has underscored the need for the U.S. government to be properly organized and adequately resourced to safeguard America’s national security and economic stability. Cybersecurity policies are of strategic importance and are foundational to the safe functioning of government, critical infrastructure, and the private sector; they should also ensure the continuity of the economy during significant cyber disruptions. Sector Risk Management Agencies responsible for coordinating critical infrastructure cybersecurity often struggle to provide necessary guidance and support to critical infrastructure owners and operators due to insufficient funding. Without proper resourcing and defined baseline capabilities, SRMAs are unable to fulfill their duties effectively, undermining the nation's overall cybersecurity posture.

There is a need to review and potentially rationalize the number of sectors where CISA serves as SRMA. Currently, CISA is responsible for multiple critical infrastructure sectors, which may strain its resources and dilute its effectiveness. A comprehensive review of critical infrastructure designations and SRMA assignments should be conducted to ensure that each sector receives adequate attention and that CISA's roles as National Coordinator and SRMA are clearly delineated and properly resourced.

Effective cybersecurity management hinges on a critical triad: authority, accountability, and resources. Agencies and agency leaders must have the authority to implement necessary measures, be held accountable for outcomes, and be provided with sufficient resources to execute their responsibilities.

The misalignment between policy objectives and funding is a recurring issue that compromises the effectiveness of national cybersecurity efforts. While the Biden administration has announced a $13 billion investment in cybersecurity for federal civilian agencies in Fiscal Year (FY) 2025, this funding is undermined by critical gaps in allocation.72 Recent appropriations have included notable investments like $2.8 billion for the Cybersecurity and Infrastructure Security Agency,73 but funding for SRMAs remains uneven, often failing to support interagency efforts and collaboration with critical infrastructure owners and operators. These budgetary shortfalls reflect a broader failure among federal agencies to fully recognize their responsibilities.

Several agencies face significant budgetary shortfalls. The office within the U.S. Department of Health and Human Services, which helps hospitals address risks from cyber and physical threats, has requested only a $12-million increase in the FY25 president's budget over the previous year despite a doubling of the number of ransomware attacks against the healthcare and public health sector. The U.S. Department of Agriculture has requested only an additional $500,000 in FY2025 and one full-time employee to support its sector risk management responsibilities.

The Environmental Protection Agency also faces a similar fate. Four years ago, the Cyberspace Solarium Commission recommended $45 million budget as the SRMA for water and wastewater sector cybersecurity support,74 but EPA only provided $11.8 million in funding for FY23, and this is to support 52,000 drinking water and 16,000 wastewater systems, most of which service small- to medium-sized communities of less than 50,000 residents.

Most concerning of all is that the current budget proposal contains no dedicated funding for the U.S. Coast Guard to safeguard the maritime transportation systems subsector despite the fact that the recent Executive Order 1017375 expanded and clarified the Coast Guard’s roles and responsibilities in protecting vessels, harbors, ports, and waterfront facilities from cyber threats. The Coast Guard needs proper resources and personnel to implement the increased requirements.

Despite these problems, there is some good news for critical infrastructure resourcing. The SRMA for the energy sector, the Office of Cybersecurity, Energy Security, and Emergency Response at the Department of Energy, saw a steady funding of $200 million in FY25. With these funds, they are able to offer grant programs, provide training, and conduct exercises and research that support the sector's cybersecurity.

These funding inconsistencies overlook essential programs that aim to strengthen the cyber resilience of U.S. critical infrastructure, which remains vulnerable to cyber threats by adversaries. The failure to define baseline capabilities and adequately resource SRMAs and other key cybersecurity programs not only affects their immediate operational capabilities but also has long-term implications for national security. Without robust funding, these agencies cannot provide the proactive guidance, threat intelligence, exercises, and support necessary to protect critical infrastructure sectors from increasingly sophisticated cyber threats.

CISA has been designated as the national coordinator for critical infrastructure security and resilience under the National Security Memorandum-22. In this role, CISA will ensure SRMAs are fulfilling their responsibilities and identify cross-sector risks. In addition, CISA provides federal civilian government agencies with cybersecurity guidance, technical support, and coordination in working with the private sector. However, for CISA to expand its services effectively and improve its operational capabilities to respond swiftly to emerging threats, enhanced and sustained investment is required.

Furthermore, underfunding of essential programs, such as those supporting foundational research and standards setting, threatens the success of broader cybersecurity efforts. For example, the National Institute of Standards and Technology, tasked with critical roles in developing cybersecurity guidelines and standards, has seen its budget requests consistently fall short. NIST's FY25 budget request proposes only $96.8 million for its cybersecurity and privacy program, below funding levels the Cyberspace Solarium Commission recommended four years ago.76 This chronic underfunding forces NIST to make difficult choices between maintaining its core responsibilities and addressing new high-priority tasks, ultimately jeopardizing its ability to provide the necessary support to both the public and private sectors. Additionally, efforts to modernize federal IT infrastructure should consider findings from the CSIS Commission on Federal Cloud Policy77 to optimize resource allocation and improve efficiency in cloud adoption across agencies.

As cyber threats continue to evolve, so too must the strategies that defend against them. There must be a parallel commitment to addressing funding and capability disparities across SRMAs and a renewed focus on strategic planning to enhance coordination among agencies as a core component of national resilience.

One such area for government-led planning is a national Continuity of the Economy plan, which is essential for restoring critical economic functions in the event of a significant cyber disruption or other natural or manmade disaster. Developing a COTE plan requires gaining comprehensive insights through cyber threat intelligence, national-level tabletop exercises, and stakeholder engagements with the private sector and critical infrastructure owners. Although the FY21 NDAA authorized the development of a COTE plan, the report that the administration belatedly delivered to Congress in August 2023 dismissed the need for additional COTE planning. The report brushed aside gaps in current federal incident response capabilities and failed to grapple with the ways the private sector must participate in the development and implementation of the plan. Fortunately, the next administration will have a chance to reassess the prior report since the legislation mandating the original COTE plan requires updates every three years.

It is crucial to align cybersecurity efforts with the congressional calendar to maximize impact and ensure timely action. Key dates in the 119th Congress that will affect cybersecurity policy and funding include committee assignments in January, posture hearings from February to May, the release of the President's Budget in February or March, NDAA member requests due in April, NDAA markups in May/June, and appropriations markups in June/July. The final passage of the NDAA is likely to occur in December. By proactively planning around these dates, the administration can more effectively advocate for and secure the necessary resources for critical cybersecurity initiatives. This approach will help ensure that cybersecurity priorities are properly addressed in both policy discussions and budget allocations throughout the congressional cycle.

To address these crosscutting resource and policy challenges, we propose a series of recommendations aimed at adequately resourcing federal agencies.