February 4, 2025
As the intensity and frequency of cyberattacks targeting the U.S. increase, with adversaries like the People’s Republic of China (PRC) leading the charge, the new Administration and Congress need to seize the opportunity to deepen their partnership with our nation’s private sector to retool, reimagine, and recalibrate our cyber defenses – and the policies which shape them – for a new era.
America’s broadband providers stand ready to work shoulder-to-shoulder with policy leaders to pursue a series of concrete actions and strategies as we together advance this critical work.
Current Reality
Today’s attackers enjoy an asymmetric advantage, spending far less to execute cyberattacks than the cost required to defend against them. Consider the economics of ransomware: a small investment in malware development or purchase on the dark web can yield millions of dollars in ransom payments, not to mention the cascading costs to businesses in downtime, recovery, and reputational harm. The attackers remain singularly focused on their objectives: infiltrating critical systems, exfiltrating sensitive data, conducting espionage, and demanding ransom. Nation-state adversaries like the PRC, Russia, and North Korea pursue their cyber strategies with patience, precision, and persistence. Meanwhile, defenders must contend with an overwhelming array of challenges, from safeguarding increasingly complex supply chains to addressing zero-day vulnerabilities. These defenders are responsible for protecting critical networks while regulatory and compliance burdens often siphon time and resources away from the fight. Prescriptive mandates and overly complex regulations demand exhaustive reporting and documentation from cybersecurity teams, diverting attention from the measures needed to thwart adversaries. This imbalance of priorities tips the scales in favor of bad actors.
To change this dynamic, we must embrace a new “whole-of-society” paradigm rooted in active defense, collaboration, and innovation. It is only by focusing intensely on five fundamental pillars—breaking down silos, promoting prioritization, reframing public-private partnerships, allocating risk-based resources and advancing long-term strategic planning—that we can construct the cybersecurity scaffolding that will withstand the cyber storms ahead.
Stop Operating in Silos
Cyber incidents often require immediate, coordinated responses across multiple sectors and government entities. Silos slow down communication and decision-making during critical events, allowing adversaries to exploit gaps in defenses. Adversaries like China, Russia, and other nation-states operate with centralized, strategic approaches to cyber warfare. U.S. silos create an asymmetry, leaving the country fragmented in its defenses.
Additionally, without effective centralized coordination, agencies risk focusing on overlapping priorities instead of addressing broader systemic vulnerabilities. This creates confusion for public and private stakeholders, complicates compliance and creates opportunities for our adversaries to exploit. The Administration must empower a singular White House office to oversee collaboration and lead a dedicated inter-agency group to serve as the central hub for cybersecurity policy and operational coordination. Such a unified approach makes it possible for the private sector to align with national security priorities and for government agencies to operate with the requisite unity-of-purpose that can drive maximum efficiency.
Promote Prioritization
Because cybersecurity is not centered in a single agency, there is extensive mission creep, with multiple agencies launching cybersecurity initiatives, in many cases on the same topic. Given the complexity and volume of cyber threats, private sector resources are constrained. The 2022 analysis by the Cyber Incident Reporting Council identified over fifty different federal cyber incident reporting requirements, many of which addressed the same issues but with varying standards and timelines. In far too many instances, front-line practitioners are diverted from their daily operational responsibilities to work on government-initiated projects that lack clear objectives and early engagement with industry.
Promoting prioritization ensures that the most critical and impactful cybersecurity initiatives receive the attention, funding, and coordination they require. Prioritization demonstrates a commitment to tackling pressing issues, fostering stronger public-private collaboration. By zeroing in on what matters most, agencies can achieve measurable results in areas like thwarting nation-state attacks, take-down operations, and supply chain security. Requiring agencies to clearly articulate key priorities will help gain buy-in from stakeholders, including private sector partners and Congress.
Strengthen Public-Private Collaboration
Enhancing collaboration between the public and private sectors is essential in today’s cybersecurity landscape, where interconnected systems shared by governments and private enterprises prevail. In an era of increasingly complex cyber risks, no single entity can protect cyberspace alone. With the majority of critical infrastructure owned and operated by private companies, these assets remain prime targets for nation-state actors, cybercriminals, and hacktivists. One notable failure involved the 2022 Colonial Pipeline attack, in which ransomware disrupted fuel supply across the Eastern United States. Colonial Pipeline initially managed the incident independently, delaying its engagement with federal agencies. There was no established protocol for public-private coordination, creating confusion over the roles of federal agencies like the FBI, CISA, and Department of Energy. This delayed federal involvement, particularly in intelligence-sharing and mitigation planning, underscoring the need for stronger industry-government partnerships in critical infrastructure protection.
The government provides strategic and operational intelligence, national defense resources, and policy oversight, while the private sector contributes operational expertise, technological advancements, and real-time insights into emerging threats. Such robust collaboration among public and private stakeholders can rapidly identify and mitigate systemic risks, coordinate incident responses, and design compelling strategies to secure the cyber ecosystem. Furthermore, a genuine partnership ensures that cybersecurity efforts are not only effective but also sustainable, enabling the private sector to play its critical role in driving innovation and economic growth while maintaining national security.
Prioritize Risk-Based Resource Allocation
Not all risks are created equal, and neither are all assets. In the current cyber threat environment, where nation-state adversaries and sophisticated threat actors increasingly target critical infrastructure, the government must recognize the operational and economic constraints on the private sector. Cybersecurity investments in the private sector, especially in critical infrastructure, must be actionable, efficient and impactful.
A risk-based framework allows an organization to allocate its limited resources based on the likelihood and severity of potential attacks. Asking these organizations to over-invest in low-priority areas risks leaving high-value targets exposed. A risk-based approach aligns cybersecurity efforts with the most pressing vulnerabilities, ensuring that finite resources are directed toward protecting high-value assets and mitigating threats with the greatest potential for harm. This approach not only maximizes the return on cybersecurity investment but also strengthens the overall resilience of the broader digital ecosystem. Moreover, when the government adopts and promotes a risk-based framework, it fosters collaboration with the private sector by aligning its expectations with real-world operational realities.
Shift to a Long-Term Strategy
Cyber threats from nations like China, Russia, Iran, and North Korea are increasingly sophisticated, targeting critical infrastructure, supply chains, and sensitive data. The ongoing cybersecurity workforce shortage, estimated at 660,000 open cybersecurity positions in the U.S., is a clear example of the national imperative to invest strategically in long-term workforce development, particularly to ensure our critical industries have the talent needed to defend against evolving threats. This skills gap exacerbates vulnerabilities and hinders the ability to implement advanced cybersecurity measures. Recent nation-state attacks on our most critical infrastructure underscore the need for deepening public-private coordination in advancing a long-term cybersecurity strategy for the U.S. to maintain global leadership and address these evolving threats. Additionally, rapid developments in AI, quantum computing, and 5G/6G create new attack vectors and amplify risks, especially to our nation’s critical infrastructure. Cybercriminals and nation-state adversaries continuously share and adapt new tactics, techniques, and procedures that necessitate forward-looking defense mechanisms. A short-term, reactive approach leads to inefficiencies and increased risks. Long-term planning allows for better allocation of resources and strategic investments.
Conclusion
The five principles outlined here are not merely recommendations; they are a roadmap for transforming our cybersecurity posture. By breaking down silos, promoting prioritization, reframing public-private partnerships, allocating risk-based resources and advancing long-term strategic planning, we can build a robust defense that keeps pace with evolving technologies and the shifting threat landscape. Investments in such areas as workforce development, advanced technologies, and international standards will ensure that the U.S. not only meets current challenges but also leads the world in shaping the future of cybersecurity.
This transformation requires bold leadership, sustained commitment, and coordinated action across all levels of government, industry, and society. Strengthening our whole-of-society cybersecurity partnership and shifting away from a top-down regulatory mindset is essential to safeguarding our national interests, maintaining economic stability, and securing trust in the digital ecosystem.
It is time for a reset—one that prioritizes resilience, anticipates threats, and embraces the long-term strategies needed to maintain global leadership and protect the nation from harm. The stakes are too high, and the adversaries too determined, for anything less. Let us seize this moment to chart a new course for cybersecurity, ensuring a safer, more secure future for generations to come.