5 cyber issues the next presidential administration needs to prioritize immediately

The United States remains highly vulnerable to the negative economic and security impacts posed by cyber threats. Despite the robust work of numerous administrations, our nation’s critical infrastructure still lacks resiliency and we have failed to secure our most systemically important entities. In order for this to change, cybersecurity must be an essential, day-one policy priority for the next administration.

Adversarial nation-states like Russia, China, Iran, and North Korea continue to successfully target the nation’s critical infrastructure, threatening disruptions to power, water, and transportation at the time of their choosing. Nonstate criminal actors regularly exploit cyber vulnerabilities to extract ransomware payments from hospitals, schools, and small businesses across the country, disrupting operations and costing the U.S. economy tens of billions of dollars annually.

In the past few weeks alone, reporting revealed that China had burrowed deep into U.S
telecommunications networks. American Water Works shut down some customer-facing systems to ensure malicious cyber activity could not disrupt services to its 14 million customers, including 18 U.S. military installations. Multiple federal agencies issued a joint warning that Iran-based cyber actors are attempting to break into multiple organizations in the health care, government, and energy sectors.

As cyber threats have grown, consecutive administrations have worked with Congress to make significant investments in cybersecurity. But it’s not enough. Cybersecurity vulnerabilities remain a huge challenge for both government and industry, and bad actors adapt despite efforts to curb threats. The next administration must hit the ground running to mitigate evolving cyber threats from day one.

That is why we convened a leading group of cybersecurity experts to publish a new report, “Securing America’s Digital Future: A Bipartisan Cybersecurity Roadmap for the Next Administration.” This cohort of cyber professionals cut across sectors, bringing together a robust network of ideas on what is working, what is not, and where we, as a nation, go from here. If the 42 recommendations outlined in the report are adopted by the next administration, we believe that the American people will be significantly more secure. While all are important, five demand immediate action in the first 100 days of the new administration:

First, the current patchwork of federal rules for cybersecurity and incident reporting are often duplicative or contradictory, leaving the private sector with burgeoning compliance costs and inadequate protection. The next administration must conduct a comprehensive review of cyber regulations, empowering an interagency task force to deconflict and clarify requirements, and making regulations adaptable to sector-specific needs. 

The current administration launched and made progress on regulatory harmonization efforts in accordance with its National Cybersecurity Strategy, but the Government Accountability Office testified before Congress that interagency coordination to reduce duplicative regulations remains inadequate. And so, a bipartisan group of lawmakers introduced legislation to require the administration to examine this challenge. Whether or not this bill becomes a law, the next administration should take up the charge.

Next, attacks are continuing because Washington has failed to establish deterrence in cyberspace. The next administration should review existing strategies and enhance our ability to impose real costs on our adversaries. This should include proactively detecting, mitigating, and attributing successful and even attempted cyberattacks, as well as establishing a process to designate state sponsors of cybercrime to disincentivize knowingly harboring and enabling bad actors. Strengthening international standards and promoting cooperation among likeminded international partners could also elevate the costs of attacks if hackers and their state-backers know that an attack on one will be punished by all.

Third, our nation cannot improve cyber resilience if we do not have a robust cyber workforce. The next administration must launch a national initiative to address the shortages by expanding training programs and creating new pathways into the cybersecurity field. The initiative should develop a national curriculum to improve cybersecurity education at the K-12 level and grow programs like CyberCorps: Scholarship for Service, so that early career professionals can be recruited to support government and industry alike. The initiative should also work with industry to create volunteer opportunities and flexible work arrangements.

Fourth, national cyber resilience requires close collaboration between government and the private sector, which owns and operates the infrastructure malicious actors are attacking. The next administration should start by convening a summit with industry leaders to develop plans to improve public-private collaboration. 

These plans should involve identifying systemically important entities — those national assets that have to be held to a higher security standard and can be prioritized for support during major events. The plan should also include developing security standards for cloud-based systems, information technology, and operational technology, which will require more cybersecurity funding for the National Institute of Standards and Technology. 

The plan should outline regular and frequent national-level exercises to help develop the relationships and lines of communication necessary between government and industry partners to shortening response time during cyber incidents, as well as steps to identify critical technologies and protect supply chains for those technologies. Ultimately, the plan will need to recognize that public-private collaboration will never reach its full potential if sector risk management agencies — those federal agencies tasked with working with the private sector — remain underfunded.

All of the efforts, however, will be for naught if our nation cannot bounce back in the face of a debilitating cyber incident. And so, as a final priority for the first 100 days, the next administration must begin the process of developing a national “Continuity of the Economy” plan to ensure our ability to maintain essential economic functions in the face of significant disruptions. Congress called for this planning nearly four years ago, but the current administration has overlooked gaps in current federal incident response capabilities, and failed to grapple with the ways the private sector must participate in the development and implementation of the plan. The next administration must do better.

The scope and severity of cyber threats facing our nation cannot be overstated. In fact, these threats represent an existential threat to our democratic way of life. From state- sponsored attacks and cyber espionage to the relentless surge of ransomware targeting our critical infrastructure, the cyber domain has become a battlefield where our adversaries seek to undermine our strengths and exploit our vulnerabilities. It is with this in mind that we implore whoever wins the upcoming presidential election to approach cyber policy with the weight that the threat demands, and we stand ready to support the next administration in securing America’s digital future.

Frank Cilluffo directs the McCrary Institute for Cyber & Critical Infrastructure Security at Auburn University and previously served as a Special Assistant to President George W. Bush for Homeland Security and on the Cyberspace Solarium Commission.

Mark Montgomery is a retired U.S. Navy Rear Admiral and the Executive Director of the Cyber Solarium 2.0 project at the Foundation for Defense of Democracies. He is also a Senior Fellow at the McCrary Institute.