The cyber threats we face are not abstract or distant; they are clear, present, and growing. Every day that passes without decisive action increases our vulnerability and emboldens our adversaries. The incoming administration has a unique opportunity – and a solemn responsibility – to chart a new course in our nation’s cybersecurity journey.
As early voting begins around the country ahead of Election Day on November 5th, the United States continues to face heightened cyber threats from China. These threats manifest in an ongoing campaign to infiltrate critical infrastructure including through digital means—whether cloud services, operational technology, or software—for the purposes of espionage and preparations for escalation.
However, the cyber threat from the Chinese government is not the only reason cybersecurity is a critical issue as Americans go to the ballot box. The wars in Ukraine and the Middle East involve a significant “hybrid” element, combining cyber and traditional warfare. Criminal gangs continue to push the boundaries of illicit activity through ransomware attacks, impacting critical services across the U.S. Meanwhile, digital supply chains are becoming increasingly important, raising new security and availability concerns. At the same time, the number of unfilled cybersecurity jobs continues to grow, necessitating new approaches to education and workforce development. Cybersecurity is now key to protecting U.S. national interests and achieving global objectives.
Given these challenges, as a new president is elected and assumes office in January, it is crucial that the new administration is prepared to lead national cybersecurity efforts on Day One. With this imperative in mind, we came together as part of a Task Force sponsored by Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security (https://mccrary.auburn.edu/), which Frank leads, to offer recommendations on the direction the new administration should take in cybersecurity. The Task Force brought together former officials from across the last four presidential administrations, as well as career government executives from DHS, DOD, the FBI, and the Intelligence Community. Among the areas of consensus: there is no room for going backward in cyberspace.
Our report, published on October 22, lays out “A Bipartisan Cybersecurity Roadmap for the Next Administration.” It offers recommendations across eight categories, including enhancing regulatory harmonization, strengthening multi-stakeholder collaboration, raising deterrence against adversaries, building cyber resilience, fostering international collaboration, strengthening cyber workforce development, safeguarding critical technologies, and investing in the federal government’s cyber efforts.
The themes we highlight are consistent with efforts of the last two administrations—intentionally so, because there is much to applaud from both the Biden and Trump administrations. However, these recommendations also recognize that the nation has not yet achieved the level of cybersecurity it needs. Instead of rehashing the national strategy, it’s time to double down on core efforts, focus on smart policy implementation, bring the right talent to the table, allocate resources to strategy, and set aside partisan bickering when national security is at stake.
One of the most critical areas is ensuring the security and resilience of critical infrastructure—both today and in the future. Much of the report’s recommendations address this imperative. One of the most important areas is the need to move beyond the current outdated regulatory model, which often works against security. A comprehensive review of existing approaches is necessary, involving critical infrastructure owners to identify gaps and inconsistencies. This effort should result in a common set of standards that can be adapted to sector-specific needs. These standards must be implemented across critical infrastructure, with particular attention to Systemically Important Entities (SIEs), including cloud service providers and operational technology. Efforts to impose additional requirements on such entities have thus far failed, and there is still a lack of clarity on areas of systemic risk across critical infrastructure and supporting technologies.
As part of identifying Systemically Important Entities, there is also a need to deepen operational coordination with critical infrastructure companies and enhance resilience planning and response. The report recommends developing detailed, adaptable playbooks for responding to different types of cyber incidents and adversary actions. This will reduce response times and ensure consistency. Industry and state and local governments should have a seat at the table in this process, with the SIE approach providing a risk-based method for setting priorities—improving on the unclear criteria currently in place.
To further enhance operational collaboration, we recommend rationalizing the numerous public-private operational bodies currently in place and developing an approach that leverages the National Cyber Investigative Joint Task Force (NCIJTF) model. This would allow for improved agency-to-agency collaboration and strengthen private-sector partnerships. Such a collaboration body needs the authorities, legal protections, and processes to enable trusted joint problem-solving, free from bureaucratic delays. Revising the National Cyber Incident Response Plan to include stronger operational concepts and private-sector involvement is essential.
What has held back efforts so far is the gap between the recognized strategic imperative to enhance risk analysis, joint risk management, and operational collaboration. Multiple administrations have argued for improvements, but the new administration has an opportunity to align resources with strategy—particularly for Sector Risk Management Agencies, the Cybersecurity and Infrastructure Security Agency (CISA), and structures to support planning and exercises. Spearheading this effort must be a fully empowered Office of the National Cyber Director, capable of developing interagency processes that guide budgeting. These processes should give Congress confidence in the new administration’s resource ask, potentially being in place by the time the Fiscal Year 2026 budget is delivered to Congress in late winter.
This reinforces the need for the new administration to enter office with a robust cybersecurity agenda. Our recommendations can guide such an agenda and present an opportunity for the next president to act swiftly, building on the progress made while recognizing the need for renewed urgency and focus on follow through on implementation.
