THE PROBLEM
Cybersecurity failures have resulted in severe consequences, including massive data theft, significant financial losses, and widespread disruption of critical services.
For example, SolarWinds supply chain attack (2020)
This highly sophisticated supply chain attack involved Russian state-sponsored hackers inserting malicious code into software updates for SolarWinds' Orion platform.
Espionage and data theft: The breach compromised at least nine U.S. federal agencies and hundreds of Fortune 500 companies, giving attackers undetected access to government and corporate networks for months.
Reputational and legal damage: SolarWinds faced significant financial losses, a class-action lawsuit, and an SEC investigation over its security failures.
The attack also exposed the fragility of the digital supply chain, impacting countless downstream customers.
National security concerns:
The attack prompted the U.S. government to issue an emergency directive for federal agencies to disconnect from SolarWinds software, highlighting the profound national security implications of a successful cyberattack on a trusted vendor.
LATEST EVALUATION
A 2025 report from the Cyberspace Solarium Commission 2.0 (CSC 2.0) has concluded that the US has gone backward on cybersecurity, citing significant funding and personnel cuts to federal cyber agencies.
The independent group, which tracks implementation of cybersecurity recommendations, noted this marks the first major regression since the original commission's inception.
The Biden White House, however, released a different assessment in May 2024, claiming that the national cybersecurity posture had improved.
Key findings from the CSC 2.0 report
Federal budget and workforce cuts: According to the report, federal cybersecurity efforts are faltering due to the elimination of key positions and a 17% budget reduction at the Cybersecurity and Infrastructure Security Agency (CISA).
Mark Montgomery, executive director of the CSC 2.0, warned that these cuts have "reduced capabilities at a time when its mission is more critical than ever".
Reduced implementation of recommendations: The CSC 2.0 tracks recommendations issued by the original commission. This year's report found that just 35% of the original recommendations are fully implemented, a drop from 48% the previous year. This reversal highlights the fragility of the nation's cyber policy progress.
Deterioration of private-public partnerships: The cuts are also eroding trust between the federal government and the private sector, particularly regarding threat intelligence sharing.
The CSC 2.0 is concerned that the reduction in federal resources will weaken these crucial information-sharing relationships.
Stalling state-level protections: States are increasingly worried about reduced federal support for their cybersecurity programs. As federal funding and threat-sharing programs decline, state leaders are banding together to coordinate their own responses.
Stagnant readiness among defense contractors: A separate 2025 report by CyberSheath found that only 1% of US defense contractors were fully prepared for the Department of Defense's Cybersecurity Maturity Model Certification program, a decline in readiness from two years prior.
Competing report from the White House
The CSC 2.0 report's conclusions contrast with the Biden administration's own 2024 Report on the Cybersecurity Posture of the United States, released in May 2024.
A "steady progress" assessment: The White House report claimed that the US cybersecurity posture had "improved" in 2023 and 2024, driven by progress toward the 2023 National Cybersecurity Strategy.
Focus on strategy implementation: This report noted that the administration had successfully begun implementing its new National Cybersecurity Strategy.
Highlighting persistent risks: Despite the positive spin, the White House report did acknowledge persistent threats, including ransomware and attacks on critical infrastructure from nation-state actors.
Wider context and other relevant reports:
Several other reports and assessments provide additional context on US cybersecurity challenges in 2024 and 2025:
Industry and AI threats: A 2024 ISACA report highlighted rising job stress among cybersecurity professionals due to an increasingly complex threat landscape.
A 2025 Accenture report noted that AI and automation were both critical security tools and new threat vectors, but found that most organizations lacked the maturity to counter AI-enabled threats.
Skills gap and talent recruitment: Industry surveys noted that the US faces a persistent cybersecurity skills gap, which is exacerbated by budget cuts and staffing attrition.
The CSC 2.0 pointed out that rolling back diversity, equity, and inclusion initiatives in the federal government has narrowed the talent pool.
Lack of public awareness: A September 2025 NordVPN report showed that while Americans have some cyber knowledge, they placed fourth globally in cybersecurity awareness. The report also noted that AI privacy risks and Wi-Fi security were significant blind spots for many users.
Source: https://share.google/aimode/3bDahKK55lTvlJzBB
PROPOSED SOLUTIONS
FOR AVERAGE CITIZENS
Voting and political engagement
Research candidates' stances on cybersecurity: Look into what elected officials and candidates are saying and doing about cybersecurity policy. Do they support increasing federal budgets for cyber agencies like CISA, or do they advocate for cuts? Are they up-to-date on the latest cyber threats?.
Support bills promoting cybersecurity: Look for policies that fund election security and mandate better cybersecurity for critical infrastructure, such as the Coast Guard's cyber authorities. Stay informed about key legislation, like the annual National Defense Authorization Act (NDAA), which often includes major cyber provisions.
Question candidates on policy specifics: Move beyond general statements to ask specific questions:
Do they support shifting liability for insecure software to manufacturers?
Do they support making manufacturers of Internet of Things (IoT) devices more accountable for vulnerabilities?
How do they propose closing the national cybersecurity skills gap?
Advocate for election infrastructure security: As a voter, you can support policies that enhance the security of local election systems. This includes promoting the use of paper ballots, post-election audits, and strong physical and cybersecurity controls.
Stay informed about election cybersecurity: Rely on official, non-partisan sources like the U.S. Election Assistance Commission (EAC) and CISA for information on election security. Be wary of misinformation campaigns, which are often used to disrupt trust in elections.
TECHNICAL AND OTHER SOLUTIONS
Here are some proposed solutions to the U.S. cybersecurity threat, listed from the generally cheapest to the most expensive approaches. This ranking is based on the resources typically required for implementation and maintenance, with exact costs varying by scope and application.
Cheapest: Policy, training, and awareness
These solutions require minimal direct financial investment, focusing instead on optimizing existing human and regulatory resources.
Strengthen internal policies and processes: The White House and CSC 2.0 recommend implementing stronger cybersecurity standards across all federal government agencies. This includes modernizing federal IT and moving to secure cloud services with a zero-trust architecture.
Mandate security best practices: Require all federal government employees to use multi-factor authentication (MFA) and strong passwords. This is a low-cost, high-impact measure that can be implemented with existing technology.
Expand free CISA services: CISA already offers free cyber hygiene and other resources to U.S. federal, state, local, tribal, and territorial governments, as well as critical infrastructure organizations. Promoting broader enrollment and use of these existing services is low-cost.
Improve information sharing: Break down barriers to threat information sharing between the government and the private sector, and between federal agencies. This includes legally protecting private companies for sharing threat data.
Conduct employee training: Mandate regular, no-cost or low-cost cybersecurity training for federal employees. Educating the workforce on phishing, malware, and secure online practices is a crucial first line of defense.
Moderately expensive: Regulatory and workforce changes
These solutions involve new regulations, targeted funding, and adjustments to market incentives to drive security improvements across the private and public sectors.
Shift liability for insecure software: To force better security practices, the White House proposes making software manufacturers more liable for insecure products. This would realign market incentives so that liability for breaches falls on the technology providers rather than end-users and small businesses.
Accelerate federal workforce development: Launch new initiatives to address the persistent cybersecurity skills gap in the U.S. This would require targeted investment in new training programs and resources to build a more robust national cyber workforce.
Mandate secure practices for critical infrastructure: The White House proposes new regulations to force owners and operators of critical infrastructure (such as water, energy, and transportation) to meet a baseline of cybersecurity standards.
Develop a software bill of materials (SBOM): Require software vendors to provide a list of all components in their products. This increases supply chain transparency and accountability.
Create a Cyber Trust Mark for IoT devices: The federal government plans to develop a security labeling program for smart devices to help consumers and agencies identify secure products.
Most expensive: Major federal initiatives and large-scale investment
These are large-scale projects and investments that demand billions of dollars and extensive interagency and public-private coordination.
Increase federal agency budgets: The CSC 2.0 report criticizes cuts to federal cybersecurity spending and personnel at CISA and other agencies. Restoring and increasing these budgets is a major financial undertaking.
Advance the Joint Collaborative Environment (JCE): The CSC 2.0 recommends codifying the JCE, an advanced platform for real-time threat intelligence sharing and analysis among government and private sector entities, which would require significant investment.
Strengthen military cyber capabilities: For fiscal year 2025, the U.S. military received approximately $30 billion in cybersecurity funding under the National Defense Authorization Act (NDAA). Maintaining and increasing this level of investment is necessary to defend against sophisticated nation-state actors.
Transition to post-quantum cryptography: This expensive, large-scale initiative involves transitioning federal agencies to new quantum-resistant algorithms to safeguard sensitive data from future threats posed by quantum computing.
Explore a federal cyber insurance backstop: Assessing and potentially creating a federal insurance program to aid recovery from catastrophic cyber events is a massive financial and policy undertaking. The White House included this as a possible solution in its strategy.
How could an average citizen contribute to help with this, including voting options?
Personal online safety and hygiene
Use strong and unique passwords: Never reuse passwords across different accounts. Use a password manager to securely store and generate complex, unique passwords.
Enable multi-factor authentication (MFA): Where possible, enable MFA on all important accounts, especially for banking and email. This adds a crucial layer of security, as an attacker would need a second form of verification to log in, even with a stolen password.
Keep software and devices updated: Regularly install updates for your operating system, web browser, and other software. Updates often contain security patches that fix vulnerabilities exploited by hackers.
Recognize and report phishing attempts: Be vigilant for suspicious emails, texts, or pop-ups. Hover over links to check their destination before clicking and report fraudulent messages to the Federal Trade Commission (FTC).
Practice safe browsing: Avoid using public Wi-Fi for sensitive transactions. Use a reputable VPN to encrypt your internet traffic and prevent others from intercepting your data.
Supporting and promoting cybersecurity in your community
Volunteer your expertise:
Organizations like the Center for Cyber Safety and Education and CISA's Cyber Volunteer Resource Center offer opportunities to share your skills. They help protect underserved communities, small businesses, and non-profits from cyber threats.
Spread awareness: CISA's Cybersecurity Awareness Program provides materials for individuals to promote good cyber hygiene practices in their organizations, schools, and communities.
Educate others: Share your cybersecurity knowledge with your family and friends. Help them implement best practices like using password managers and enabling MFA.
Engage with law
enforcement: Report cybercrimes and scams to the FTC and local law enforcement. This helps authorities track threat actors and protect others from becoming victims.
Leave Your Comment Here