Rebuilding America’s Cybersecurity Defenses at a Time of Growing Peril

The security of our nation’s cyber assets is increasingly at risk of theft and attack, yet America’s cyber defenses fall far short of the ideal. There are steps to be taken – and soon.

Published: June 2021

For more than two decades, the ideal design for a solid and sustainable U.S. cybersecurity strategy has been predicated on the need for government and private enterprise to work together in order to counter threats and protect the integrity of the nation’s cyber assets, public and private. Yet over that time, despite much talk and in the face of increasingly persistent and dangerous threats, this nation has failed to build the structures or capabilities needed to implement an effective strategy.

Instead, every four to eight years, the president or Congress has assembled a new group of experts to hash out its own proposed strategy. Recent years have witnessed a succession of such attempts: the Center for Strategic and International Studies’ Commission on Cybersecurity in 2008, the White House Commission on Enhancing National Cybersecurity in 2016 and the U.S. Cyberspace Solarium Commission (CSC) in 2020.

Yet none of their work products, nor those of their predecessors, have been implemented in ways that approached the much-needed ideal. Meanwhile the number and magnitude of dangerous cybersecurity threats – and actual attacks – continue to grow.

Given these recurring and ultimately disappointing attempts to agree on and then implement the ideal cyber defense, Two Paths America feels strongly that the United States needs to get serious about building a lasting, effective and forward-looking cybersecurity system. This must be a system developed in tandem by government and private-sector partners with cooperative buy-in from America’s world allies. And it must be built to stand up to all forms of cyber intrusion, foreign and domestic, performing in ways that safeguard our current interests and deter attacks in the future.


The Current State of Affairs: A Pattern of Vulnerability
Russia uses cyberspace for espionage and theft, most alarmingly to disrupt U.S. infrastructure while attempting to erode confidence in our nation’s democratic processes. Iran undertakes online influence campaigns, espionage efforts and outright attacks against American government and industrial sectors. North Korea flouts sanctions by hacking international financial networks and cryptocurrency exchanges in order to generate revenue to fund the regime’s weapons-development activities. Violent extremist organizations have used the Internet to recruit terrorists, raise funds, direct violent attacks and disseminate repugnant propaganda. The U.S. and its allies are ill prepared to adequately address these and many other threats that the future is certain to bring.

  • In 2014, North Korean hackers attacked the U.S. film studio Sony Pictures in order to block the release of a movie depicting the attempted assassination of North Korean leader Kim Jong Un. This cyberattack erased the content of thousands of computers, released embarrassing internal Sony e-mails and intimidated the company into canceling the movie’s theatrical release.

  • In 2016, the U.S. became a victim of one of the most sophisticated and far-reaching hostile social-manipulation campaigns initiated by a foreign actor to generate disinformation designed to influence elections and threaten the foundation of American democracy. All the intelligence agencies concluded that the Russian government directed a wide-ranging misinformation campaign and other cyber assaults against U.S. election infrastructure at the state and local levels.

  • In 2020, the FBI and the U.S. Department of Homeland Security warned of efforts by the People’s Republic of China (PRC) to compromise U.S. medical research into COVID-19 and related vaccine development. The PRC has supplemented its cyberspace operations with covert influence campaigns to obscure international narratives about its own activities.

  • In 2021, it was revealed that SolarWinds, a major U.S. information technology firm, was the subject of a cyberattack that spread to its clients and went undetected for months. Foreign hackers, who some top U.S. officials believe were from Russia, were able to spy on private companies and the upper echelons of the U.S. government. At least nine federal agencies were targeted, including the Department of Homeland Security and the Department of State. Experts believe it will be well into 2022 before officials have fully secured the compromised networks. Even fully understanding the extent of the damage will take months. From this, it appears that the U.S. has failed to persuade Russia that an attack aimed at our government and corporate networks will lead to costly retaliation.

  • Most recently, the Microsoft Exchange Server has suffered attacks from a Chinese state-sponsored group known as Hafnium. This ongoing assault has left American businesses and government entities exposed to devastating ransomware attacks. Rather than being launched solely for information-gathering purposes, the Microsoft Exchange Server attack has already resulted in several attempts to ransom stolen data. It is estimated that the attack has affected 250,000 Exchange servers to date, of which at least 30,000 servers appear to have been compromised.

  • In early May 2021, just weeks prior to the release of this paper, Colonial Pipeline – which transports 45 percent of the gasoline and diesel fuel consumed on the U.S. East Coast – was hacked by a professional cybercriminal group known as DarkSide. This caused pipeline operations to be completely shut down, disrupting fuel supplies across southern and eastern parts of the country. This is the largest attack on a major piece of U.S.-based infrastructure, but it is far from being an isolated incident. According to data compiled by Temple University, there were 396 ransomware attacks on critical infrastructure systems in 2020. These escalating threats prompted the Biden administration to respond in April 2021 with a plan to increase security at utilities and their suppliers. This has been a positive step, but it is not enough, and the U.S. needs to do more to improve our cyber capabilities in detection and prevention of such attacks, especially when it comes to networks inside the most critical sectors of our economy such as infrastructure. If the U.S. government does not get this problem under control and we do not provide the necessary resources to private and public entities to secure their networks, we could certainly see things like mass energy outages or worse.

Expensive and far-reaching attacks such as these prove that no organization, public or private, large or small, can be sure of finding and fully eliminating the presence of bad actors in their networks. The success of these recent attacks undoubtedly will embolden the perpetrators and other foreign actors to continue developing new and more sophisticated techniques that will have even greater impact on targeted societies. China will continue leveraging its dominant position in the world to accelerate its economic growth, undermine America’s role on the world stage, and continue silencing and suppressing the Beijing regime’s political opponents. Russia will continue capitalizing on its recent successes in Ukraine and Georgia by spreading misinformation and disrupting critical infrastructure of energy companies. Its successful meddling in U.S. and European elections reveals only a glimpse of capabilities the Russians are developing.

Cybercriminals will continue hacking and holding hostage the most critical sectors of our economy, putting our nation’s security at risk. If Russia, China and other adversaries, including non-state actors, succeed at degrading U.S. security alliances such as NATO, we will find ourselves in a world dominated by our nation’s adversaries, not only in the cyber world but also economically, socially and militarily.

Recent hacks demonstrate the need for much greater collaboration between the federal government, state and local governments, and the private sector, not only to protect critical infrastructure but also to act proactively in anticipating what adversaries are planning. To do that the United States needs a more deliberate offensive strategy, one allowing us to get an early look at adversarial networks and counteract them inside those networks before determined foes can attack us.

We live at a time when most of the free world’s major entities have already been breached in one way or another, but with two very different outcomes: 1) they know of the breaches and are taking active steps to mitigate them or 2) they haven’t yet realized that they have been breached at all. Some experts believe – and Two Paths America agrees – that we need to stop focusing our attention on prevention and instead concentrate on detection, containment and remediation. This means a lot of work and innovation is needed to help us figure out the extent of the threats currently facing us and to limit damage by reducing the time it takes us to detect those breaches.


Our Most Urgent Need: A Centralized and Coordinated Authority
The United States lacks the coordinated and centralized authority it sorely needs to effectively deal with cyber threats. Each U.S. government agency is largely responsible for its own data security, while each of the 50 states holds individual responsibility for its own data and IT systems. Even when federal and state governments coordinate their efforts, which doesn’t happen often enough, they are still not able to keep up with the rapidly changing technological environment.

In 2020, in response to threats posed by foreign actors and in preparation for the next ten years, Congress established the Cyberspace Solarium Commission (CSC). The commission was tasked with developing a new cyber strategy and providing recommendations for action across private and public sectors. A detailed overview of the commission’s report – which Two Paths America endorses – can be found here, but a summary of key points includes:

  • The executive branch should issue a new national cyber strategy bringing coherence to the federal government’s efforts. This strategy should be based on cyber deterrence, emphasize resilience and public-private collaboration, and build on the Department of Defense’s concept of Defend Forward. The strategy should be proactive in maneuvering outside of U.S. cyberspace to observe and understand evolving adversary organizations and conduct operations to disrupt their capabilities before they come knocking on our doors.

  • Congress should reorganize and centralize its committee structure and jurisdictions. Cybersecurity matters currently fall under several different congressional committees and subcommittees, which limits legislative authority and prevents the federal government from being able to respond quickly. Similar to a recommendation from the House Permanent Committee on Intelligence, the CSC report advocates for creating a Permanent Select Committee on Cybersecurity in the House and a Select Committee on Intelligence in the Senate. These committees would have legislative jurisdiction over the broad integration of systemic cybersecurity strategy and policy both within government and between government and the private sector. They would also have oversight responsibilities over the executive branch’s responses. It is of course vital that these committees be structured in a bipartisan manner and prioritize the expertise of their appointed members.

  • Until recently, the executive branch lacked a single voice charged and empowered with harmonizing administration policies, budgets and responsibilities in cyberspace. Instead, several departments and agencies with widely varied responsibilities for (and interest in) cybersecurity have been competing for already slim resources. The CSC report had recommended establishing a National Cyber Director Office within the Executive Office of the President, a position to serve as the president’s principal advisor for cybersecurity and associated emerging technology issues while also acting as the nation’s chief representative and spokesperson on cybersecurity issues. Indeed, President Biden recently announced the appointment of a national cyber director, in line with the CSC recommendation.  He also appointed a deputy national security adviser for cyber and emerging technologies on the National Security Council. At this writing, it is not yet clear how these two new positions will fit within the federal government and the ecosystem of public and private partnerships.

    Update December 2021: After publication of this white paper – and in line with recommendations by Two Paths America – the bipartisan Infrastructure Investment and Jobs Act, signed by President Biden on November 15, 2021, formally established the Office of the National Cyber Director to address the federal government’s response to cybersecurity issues and resiliency matters. The act appropriated $21 million as initial funding for office operations. Chris Inglis, a retired brigadier general and former deputy director of the National Security Agency, now serves as the nation’s first National Cyber Director.

  • Furthermore, Congress should strengthen the Cybersecurity and Infrastructure Security Agency (CISA) in its mission to provide technical assistance to operators and partners with stakeholders across the executive branch, state and local communities, and the private sector. For CISA to serve as the nation’s central civilian cybersecurity authority, it needs to be adequately resourced to hire the best talent, expand its capabilities, and command respect within the government and the private sector.

  • The federal government must reform and put more resources into the ways it recruits, trains and educates its workforce to ensure it has the necessary cybersecurity talent in place. Shortages in qualified talent are widespread in government as well as in private business, and both sectors must work together to build the talent pipelines and career paths that put the right people in the right places for confronting threats from cyberspace. Policymakers need to promote and enable cyber-oriented education, because future careers will require both a basic and ongoing education in cyber. The government needs to work together with the private sector to provide resources, tools and incentives to encourage implementation of robust cyber education in schools (K-12), technical and community colleges, universities and other institutions of higher learning.


Other Roadblocks to the Cybersecurity Ideal
Based on candid input from respected cybersecurity experts, Two Paths America can expand on the Cyber Solarium Commission’s recommendations with observations and additional recommendations of our own:

  • Lack of Organization:  The federal government has parceled out single components of the nation’s vast cyber-defense responsibilities to a disparate and unequally proficient array of agencies:

    • National Security Agency – NSA:  the one agency responsible for foreign intelligence and counterintelligence, including reconnaissance and cybersecurity.

    • Cybersecurity and Infrastructure Security Agency – CISA:  the one organization responsible for helping domestic entities with cyber defense.

    • Federal Bureau of Investigation – FBI:  the one organization responsible for law enforcement and an agency acknowledged as having a very good cyber unit.

    • U.S. Cyber Command in the Department of Defense:  the one organization responsible for offense against adversaries and unifying the direction of the department’s cyberspace operations.

    • Office of the National Cyber Director within the Executive Office of the President – Office of the NCD:  the new office created for the purposes of leading and implementing national cyber strategy across government agencies, as well as advising the president and federal agencies.

    • National Security Council – NSC:  part of the Executive Office of the President and composed of senior administration and military officials, the National Security Council coordinates national security and foreign policy decisions across federal agencies. The newly created position of the deputy national security adviser for cyber and emerging technologies on the NSC will be responsible for coordinating cybersecurity operations across the federal government and all its agencies and departments.

    • Defense Innovation Advisory Board:  an independent advisory board set up to bring the private sector’s technological innovation and best practices to the Department of Defense and provide independent recommendations to the Secretary of Defense.

  • The resources and talents of these organizations are by no means on an equal footing, which means their ability to act quickly and proficiently varies widely. As a result, whenever there is a breach of SolarWinds magnitude, this unclear and divided organizational structure raises the question:  whose responsibility is it both to detect this and to defend the U.S. from it?

  • Lack of an Effective Authority:  The NSA is widely considered to employ this country's best cyber talent, but by law the agency may not operate on U.S. soil. As a result, bad actors from other nations need only use servers hosted in the U.S. – a task made simple by today’s cloud-computing environment – in order to evade detection by even the best of our best. The CISA is supposed to act as the nation's premier domestic cyber defender. Yet in reality that agency acts in an advisory role to the private sector as well as all government organizations. In this dual position, it has no operational power to actually ensure effective defense at each of the government's many branches and departments. The newly established Office of the National Cyber Director and its head, the national cyber director (NCD), are responsible for preparing plans for the federal government’s response to cyberattacks, while the deputy national security adviser for cyber at the National Security Council is responsible for coordinating offensive and defensive operations by the federal government. It is our hope that these newly created positions within the Executive Office of the President will act as intended and assist the CISA in ensuring the agency’s central role in cybersecurity.

  • Lack of Effective Onshore Tracking of Offshore Cybercriminals:  We need either to reorganize or to change authorities, permitting the NSA to track what it believes to be foreign entities on U.S. soil. That would be using an organization’s best operators to go after cybercriminals, which is what the leaders of a well-organized private company would do. But given the controversial prospect of domestically expanded NSA authority, an alternative would be to make the CISA as good as or better than the NSA and give the CISA the proper authorities to achieve that level of protection. In other words, make it not just a consulting group, but a very well-equipped operational group in this battle.

  • Lack of Coherent Policy Making:  Within the Senate and the House there are numerous groups laying claim to a role in U.S. cybersecurity policy and decision making. This profusion of groups and responsibilities makes it impossible to educate all participants and keep them abreast of events and technologies. In the end this makes it difficult to receive anything coherent in return. One of the stronger choices for policy responsibility is the deputy national security adviser for cyber and emerging technologies at the NSC, who is exceptionally positioned to have worked with the private and public sectors, who understands all the intricacies needed to educate Congress and the administration on what rules of engagement we are going to need and why we need them, and who will be responsible for coordinating the government’s overall response to cyber threats. The national cyber director will play a key role in supporting the deputy national security adviser, but it is not yet clear who is responsible for what within the nation’s cybersecurity policymaking space. Clearly defined rules of engagement and equally well-understood consequences for breaking those rules are sorely needed. Working together on this with our allies as a united front will be more impactful. Aggressors need to know:  if you breach us, that is one thing. If you do something harmful with that breach, then you will suffer consequences.

  • Lack of Capabilities:  If this country's number-one domestic cyber defense is the Cybersecurity and Infrastructure Security Agency, then it should be equipped to be a rival to the NSA for talent and ability. It needs to be feared by others and respected by all. Today the CISA is still a very young organization, which some would argue is poorly staffed and lacking any authority to act effectively. We need to elevate and empower the CISA, assigning it new focus areas for coordinating cybersecurity in the executive branch and Congress. For example, at present the CISA doesn’t have control over the government’s networks. A private company would never be run this way, and the United States of America is the largest and most complicated company in the world. Despite this, we have designed a bureaucratic, decentralized infrastructure because that’s what the federal government has always been best at. But this slow and deliberate core competency has been applied in cyberspace, where breaches take place in milliseconds. In this realm, our old bureaucratic ways don’t work. The key is to build a technically excellent CISA, which needs to be empowered as the federal government’s lead agency for cybersecurity and the private sector’s preferred partner. If this ideal is achieved, a Fortune 500 firm that’s been breached might go with confidence to the CISA for help and then actually want U.S. Cyber Command to take action – a level of confidence that is lacking today. We must now give these organizations the tools they need to defend our networks and impose costs on adversaries who work to breach them.

Recommendations for Building a Better Cybersecurity System
Alarmed by the growth and increasing sophistication of cyberattacks against the United States – especially those directed at us by our most dangerous adversaries – Two Paths America has identified key structural vulnerabilities and policy failings that keep the U.S. open to more and even greater threats. Based on our study and in consultation with experts in the field, we have identified three primary areas of focus for improvement – with recommendations for action on each – that we feel require the most urgent attention from government and private-sector authorities at the highest level.

  • Develop an Expanded Approach to Cyber Deterrence

    • Systems of cyber deterrence are designed to change the calculations of adversaries by persuading them that the risks of an attack outweigh any potential rewards or that they will be blocked from the outset from reaping any benefits. But cyber deterrence by that definition alone does not ensure a sufficient defense. With its present emphasis on merely deterring cyber enemies, the United States constantly finds itself on the back foot when it should instead be pursuing a more active cyber policy that is aimed not only at deterring enemies, but also at disrupting their capabilities. For such deterrence to work, the U.S. needs to have concrete rules of engagement in place, rules that have buy-in from our allies.

    • The United States needs to develop a system of norms, built through international engagement and cooperation, to delineate behaviors that are internationally recognized as unacceptable. These norms would promote responsible behavior and, over time, dissuade adversaries from using cyber operations to undermine any allied nation’s interests. While, in fact, the United States and others have agreed to certain norms of responsible behavior for cyberspace, these rules go largely unenforced today. The United States can strengthen the current system of cyber norms by using non-military tools, including law enforcement actions, sanctions, diplomacy and information sharing, to more effectively persuade states to conform to these norms and punish those in violation. Building a coalition of like-minded allies who are willing to collectively use these tools to support a rules-based international order in cyberspace will more effectively hold bad actors accountable.

    • Today’s cyberspace conflict occurs in the gray zone between war and peace. If the United States hopes to win these battles, it should implement a two-pronged approach:  1) deterring adversaries from hacking our systems by implementing tools that allow us to secure our systems and quickly respond (i.e., strong private-public partnerships, empowering a single, capable government entity such as the CISA, and taking critical infrastructure pinpoints and election security very seriously) and 2) proactively preempting adversaries and degrading their ability to disrupt U.S. systems and sow discord by spreading misinformation.

    • The United States must proactively observe, pursue and counter adversarial operations and impose costs on the culprits short of armed conflict. This posture signals to adversaries that the U.S. and its allies will respond to cyberattacks and that we’ll do this with all the tools at our disposal and consistent with international law.

    • If an attack were to pose a significant disruption of critical U.S. infrastructure, our government must be able to retaliate. If there are no adequate international agreements in place to permit such action, the U.S. must work with its allies to develop stronger agreements.

    • As part of the process of diplomacy and norm building, the United States needs to get to a position where certain kinds of behaviors are internationally recognized as unacceptable. Since there is little confidence that adversaries like Russia or China would cooperate in this way, there must be measures and agreements in place that would allow the U.S. or its allies to penalize, even retaliate against, such actors.

    • The federal government needs to continue appropriations to fund modernization of election infrastructure at the state and local levels. At the same time, states and localities need to pay their fair share to ensure secure elections, a process best driven from the bottom up rather than by waiting for top-down direction and funding.

    • The United States needs to develop the capacity to withstand and quickly recover from attacks that could cause harm or coerce, deter, restrain or otherwise shape U.S. behavior. This is key to denying adversaries the benefits of their operations and reducing self-confidence in their ability to achieve their strategic ends. National resilience efforts rely on this country’s ability, in both the public and private sectors, to accurately identify, assess and mitigate risk across all elements of critical infrastructure.

    • Whenever a breach in an area of critical infrastructure is determined, there should be a multiagency rapid-response team ready to research and respond to the incursion.  Such a team should include members from the CISA, NSA and FBI as well as the private sector. Including the NSA in these types of conversations has traditionally been avoided due to the agency’s foreign intelligence focus, but the NSA can bring to the table some of the best information and expertise to understand and act on any given breach.

    • We need to rethink the role of the Pentagon and either direct or re-direct resources to make it the world’s largest software company. Wars in the future will be largely fought in cyberspace, where the weapons of choice are software and data. That’s what the Chinese have focused on. If someone is going to go to war with the U.S., they are less likely to concentrate on sinking our aircraft carriers and much more likely to find ways to make sure our aircraft carriers can’t communicate with our planes and that our planes can’t communicate with our satellites.

  • Forge Stronger Government Partnerships with the Private Sector

    • There must be greater collaboration between government and the private sector. Given that many of the most innovative cybersecurity ideas and technologies come from the private sector, the federal government needs to pursue stronger partnerships with American companies. To strengthen these efforts, a centralized government entity needs to be assigned responsibility for working with the private sector to harness emerging technologies that will prepare us for threats and attacks going forward.

    • Deterrence will require private-sector entities to step up and strengthen their security posture. Most of America’s critical infrastructure is owned by the private sector. While government should not saddle private entities with onerous and counterproductive regulations, nor force companies to hand over their data to the federal government, there is a pressing need for the private sector to take cyber threats to national security seriously, since they stand with us on the front lines. With support from the federal government, private-sector entities must be able to act with speed and agility to stop cyberattacks on their own networks as well as the larger array of networks on which the nation’s defense and economic security rely.

    • In order to ensure the full cooperation of private-sector enterprises and persuade them to secure themselves at an optimal level, the government should offer a liability waiver to the private sector. Private enterprises should employ whatever standards the federal government deems necessary to protect themselves from a breach. In return, they should be granted a waiver should their systems be breached, with a clear expectation that they will notify and cooperate with the proper federal authorities immediately.

    • Not all systems in a public- or private-sector enterprise are created equal. Some systems are mission critical and if they get hacked the entire organization will be compromised. Cybersecurity strategists need to start thinking of how to segment and prioritize those systems so that the most critical ones have significantly higher levels of security. This process can be aided with some truly innovative technology being developed. 

    • Two Paths America calls for a national emergency conference with experts from the public and private sectors to come together to identify the existing pitfalls in our cybersecurity system and come up with collaborative solutions.

  • Agree to International Norms of Responsible State Behavior in Cyberspace

    • In 2013, the United Nations Group of Government Experts (GGE) – assembled to advance responsible state behavior in cyberspace in the context of international security – agreed to the idea that international law, and the United Nations Charter in particular, are applicable and essential to maintaining international stability and promoting an open, secure, peaceful and accessible cyberspace environment. This conclusion was reiterated in a subsequent GGE meeting in 2015. Both reports have been endorsed by U.N. member states.

    • At the 2015 GGE meeting, the group’s member states agreed not to conduct or to knowingly support cyber activity that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure. The U.N. General Assembly has by consensus called on all states to be guided by these norms. Despite that agreement, actors such as Russia and China have recently begun walking back their commitment to this principle. The United States and other members must join in not only condemning but also holding a clear line against this concerning trend.

    • The United States needs to expand its efforts by engaging and assembling a coalition of allies and other like-minded partners to collectively incentivize responsible state behavior in cyberspace and hold noncompliant states accountable for their bad behavior.

    • The U.S. also needs to work with its allies to reassess and strengthen agreed-upon norms and rules of engagement. Because cyberspace extends beyond geographical borders, it is even more critically important to ensure widespread international support. To achieve this level of buy-in, the U.S. needs to direct considerably more resources toward its diplomatic efforts.

    • This can be achieved by concentrating on one sector at a time and prioritizing the sectors that are not only most vulnerable and critical to the U.S. but are also shared by like-minded nations in today’s interconnected world.

    • Any group that perpetrates a ransomware attack against the U.S. government or a U.S.-based private-sector enterprise should be labeled as a terrorist organization and treated as such. Just as important, any nation harboring such groups or individuals should be sanctioned by the international community.

  • Establish Priorities for the Future of Cybersecurity

    • Too often the U.S. government and the private sector find themselves playing defense when it comes to cybersecurity and managing cyber threats. Proactive defensive measures put in place on U.S. networks in recent years have provided an essential boost to cybersecurity, but they are insufficient to address evolving threats. An ideal level of security will require a stronger focus on the changing nature of the threats to be faced in the future, such as the rapidly evolving and advanced use of social media platforms, artificial intelligence systems, voice-activated personal assistants and virtual reality. All will be used as tools of hostile social manipulation on a scale not seen before.

    • We need to prioritize our understanding of the characteristics of virtual societal warfare and the risks this presents to the U.S. and its allies. What emerging techniques and tools, such as deep fakes and virtual and augmented reality, are America’s adversaries using, and what are the ultimate goals these adversaries are trying to achieve through state-sponsored and state-directed social media manipulation and propaganda?

    • We must focus on the emerging “internet of things,” where information security is too often a minimal priority for manufacturers. Private companies hold the largest share of our country’s critical infrastructure and consequently the majority of the American people’s data. They need to take responsibility for protecting those assets.

    • We must increase our focus on what happens inside all government networks, not just on the walls around them, and adopt a different way of thinking about networks, treating every host, server and connection as potentially hostile.

    • We must cultivate a mindset of accountability in which government and the private sector treat the defense of computer networks as an essential requirement, not an afterthought to be dealt with only after something goes wrong.

    • Digital literacy must be a priority. For that, we can learn from Estonia, which in response to a 2007 Russian cyberattack made cybersecurity education a national priority. The Estonian government considers data ownership a civic responsibility and has made free computer education and computer literacy programs widely available for adults and required for youth. Students learn how to code from age seven onward, while secondary school students take media and manipulation courses. Citizens compete in civic “hack-a-thons,” and every Estonian has access to the tools to use information technology systems effectively. Estonians believe that they should rely on an informed and skilled public, rather than on cyber weapons, to deter cyber threats. This collective approach to cybersecurity is something the United States needs to encourage and strive toward through smart policymaking, public-private partnerships and a robust incentives structure.

    • The U.S. government should take several immediate steps, including developing a more formal and concrete framework for understanding the full range of cyber issues and funding additional research to understand the scope of the challenge. Congress and the administration need to empower a bipartisan group of experts to develop recommendations that they would then pledge to implement.

    • The U.S. State Department needs a bureau assigned full-time responsibility for cyberspace, cybersecurity and emerging-technology issues. In 2021, the Bureau of Cyberspace Security and Emerging Technologies (CSET) was formed with responsibility for ensuring that the State Department was fully staffed and prepared for the ongoing challenges of cyberspace security diplomacy. This calls for the presence of full-time specialists with diplomatic expertise within the Department of State to address the security challenges presented by new developments in emerging-technology areas, including artificial intelligence and machine learning, quantum information science, nanotechnology, biological sciences, hypersonic systems and space technologies. Perhaps the newly appointed national cyber director can play this role on behalf of the U.S. government. Or, in seeking to further its efforts toward cyber engagement, the U.S. could designate its first ambassador-at-large for cyber diplomacy to help improve bilateral relationships by consulting with other countries on tech projects.


The Bottom Line
Each of us in today’s world depends heavily on our data being reliable, secure and readily available to serve our daily needs. Data security is an even greater concern for governments and private businesses of every size, which know that adversaries see their data and information technology systems as open to exploitation for economic, diplomatic or military gain. Foreign and state-sponsored actors that aim to hurt the U.S., its businesses and its allies are well aware of our growing reliance on data, just as they understand the interconnected nature of the world and the vulnerabilities of our cybersecurity systems. This creates tremendous incentives for the world’s bad actors to develop systems that can disrupt our way of life, access and steal our most personal information, disable our critical infrastructure, and threaten our government and military operations.

Two Paths America is convinced that the United States cannot achieve an effective, sustainable and internationally respected cybersecurity defense with half measures, decentralized defenses and a reliance solely on hindsight. To achieve the cybersecurity ideal, government and the private sector must build a strong new system of cyber deterrence, centralize federal policy and decision making, reach allied agreement on responsible norms for cyberspace, strengthen public/private and international partnerships, and maintain a prioritized focus on the future of cybersecurity.