When the next president and their administration take office in January, they will confront perennial problems and a long list of unfinished cyber business.
A group of 40 cybersecurity experts from the McCrary Institute for Cyber and Critical Infrastructure at Auburn University and the Cyberspace Solarium Commission 2.0 released 39 recommendations last week to provide a roadmap for how the incoming administration can address gaps in cyber defense.
The most pressing recommendations — priorities for the first 100 days of the next administration — include regulatory harmonization and a review of the national cybersecurity strategy the Biden administration released in March 2023. The recommendations also call on the administration to prioritize efforts to address the cyber workforce shortage and strengthen public-private partnerships.
The task force insists the time for bold, decisive action is now. While the recommendations in the report don’t break new ground, they do emphasize and reinforce goals long sought by the current and previous administrations.
“There is no obvious course correction here,” Katell Thielemann, distinguished VP analyst at Gartner, said via email.
There are some outliers in the 36-page report, according to Thielemann. The task force had particularly forceful language around the need to “move beyond a purely defensive posture to one that imposes real costs on those who would do us harm in cyberspace.”
This stance is bolder than the “defend forward” strategy the Defense Department introduced for cybersecurity in 2018, Thielemann said.
The report’s push to use “all elements of national power — diplomatic, economic, and when necessary, military” is a signal that the current state of cybersecurity demands broader and more vigorous efforts, experts told Cybersecurity Dive.
“A lot of these issues, unfortunately, have been long-standing issues, and there's been incremental improvements, but perhaps not as quickly as some would like,” said Brandon Pugh, director and resident senior fellow of cybersecurity and emerging threats at R Street Institute.
Chance to reassess, adjust priorities
The change in leadership presents an opportunity for the next president and lawmakers to assess what the outgoing administration accomplished, where adjustments could be made and areas that are in most need of prioritization.
“I don't think we should see that as cynical or critical of the past. It just perhaps is a different belief in how we get to the same outcome,” Pugh said.
The details cannot be overlooked, and the next administration, regardless of who wins the election, is going to wrestle with sometimes competing visions in Congress over how to bolster the nation’s defense.
In addition to the priorities the task force set for the first 100 days of the next administration, the report calls for a mobilization of national resources to build resilience into digital infrastructure and ensure the supply chain of critical and emerging technologies.
The report also encourages the next administration to lead the shaping of global standards and increase investment in the National Institute of Standards and Technology and sector-risk management agencies, which took on a growing role in the Biden administration’s implementation plan for the national cybersecurity strategy.
Already, the task force's goals have all been addressed in incremental ways by different stakeholders, Thielemann said.
“They are all sound in principle because the ‘why’ has broad support,” Thielemann said. “But things get very complicated very fast the moment you start thinking about the ‘how,’ the ‘who,’ the ‘when’ and the ‘how much.’”
The recommendations, which largely repeat altered versions of efforts already underway, are a tacit acknowledgment that the work of cybersecurity is never done.
“From a security standpoint, that's actually a good thing to see. The job is never done, because we will never have 100% security,” Pugh said. “This should be an iterative process and ongoing.”
The industry and stakeholders across sectors have the roadmaps and guidance they need to mitigate risk and lower the volume of malicious activity. Reaching consensus on how to execute and adhere to those plans is a long-term problem.
“As long as humans use technology, cybersecurity will be a concern,” Thielemann said. “The work will never be done, because attackers and defenders alike will continue to innovate and try to outsmart each other.”