The Eroding Advantage: Systematic Gaps in Nation-State Cyber Deconfliction and a Framework for Strategic Restoration (2019–2025)

Jacob Wohl & other unnamed contributors

Jacob@IRISC2.com


Abstract

Building on Juan Andrés Guerrero-Saade’s seminal 2019 “King of the Hill” analysis of adversarial deconfliction, this paper examines the evolution and failure of nation-state cyber deconfliction mechanisms from 2019–2025. Through empirical analysis of major incidents – including the SolarWinds supply chain compromise, the Colonial Pipeline ransomware attack, the Clop ransomware campaign exploiting MOVEit file-transfer software, the 3CX double supply chain intrusion, and China’s i-Soon leaks of state hacking contractors – we demonstrate how adversarial innovations have systematically exploited Western coordination gaps. We expand the theoretical framework beyond the traditional bureaucratic vs. technical deconfliction dichotomy to encompass temporal deconfliction, attribution deconfliction, and incentive deconfliction as critical dimensions. Our findings reveal that while Western nations achieved partial successes through hunt-forward cyber operations and enhanced public-private partnerships, these improvements have failed to match the blistering pace of adversarial innovation. For example, China’s Volt Typhoon campaign demonstrates advanced pre-positioning within U.S. critical infrastructure, exploiting gaps between IT and OT security. Russia’s Sandworm unit has integrated cyber attacks with conventional military strikes – as seen in the October 2022 Ukraine grid attack timed with missile barrages. North Korea has industrialized cryptocurrency theft at an unprecedented scale, stealing over $1.3 billion in 2024 alone to fund its state operations. These developments, combined with systemic coordination failures documented by government oversight reports, reveal a fundamental misalignment between Western defensive architectures and the evolving threat landscape. 
We conclude with recommendations for structural reforms – addressing classification barriers, trust deficits, technological fragmentation, and incentive misalignments that perpetuate the current crisis in cyber deconfliction – and outline a framework to restore strategic competence.

1. Introduction

Five years after Guerrero-Saade identified the core challenges of nation-state cyber deconfliction, the digital domain has witnessed an unprecedented escalation in both the sophistication of attacks and the strain on defensive coordination mechanisms. The “magnet of threats” phenomenon he described – whereby high-value targets attract multiple nation-state intruders simultaneously – has evolved into a systematic exploitation of Western coordination gaps by adversaries who have mastered operating in the seams between agencies, nations, and sectors. The result is a crisis of capability rot, where billions are spent on cyber tools that are often obsolete upon arrival, leak faster than they can be deployed, and face increasingly sophisticated adversaries.

From 2019 to 2025, cyber operations transformed from discrete intelligence-gathering efforts into integrated campaigns of strategic pre-positioning, economic warfare, and coordinated disruption. Detailed analyses of major incidents and systemic failures demonstrate that while Western nations developed new coordination mechanisms, these efforts have struggled to match the speed and complexity of adversary innovations. The strategic advantage in cyberspace is eroding, requiring urgent action to restore Western leadership in the digital domain.

2. The Evolution of Adversarial Deconfliction

2.1 From Technical Deconfliction to Strategic Coordination

Where Guerrero-Saade highlighted how advanced threat actors embedded “anti-virus-like” techniques into their malware to avoid overlapping with peers, the 2019–2025 period saw a fundamental shift toward strategic coordination designed to exploit Western deconfliction failures. This evolution is evident in three key dimensions:

Temporal Deconfliction: Adversaries now carefully time their operations to maximize impact before detection. The SolarWinds SUNBURST compromise exemplified this, with Russian SVR operatives injecting a backdoor in February 2020 and removing it by June – months before the intrusion was discovered. This temporal precision exploited the significant lag between compromise and detection, effectively weaponizing the West’s own slow incident response cycle. Recent metrics underscore this asymmetry: threat actors’ average “breakout” time (time from initial access to lateral movement) has accelerated to just 62 minutes, while defenders’ average breach identification time remains about 207 days. In other words, attackers operate on the order of hours, while defenders lag by many months – an imbalance of roughly 1:5,400 in favor of the offense.

Attribution Deconfliction: State-sponsored hackers have grown adept at obscuring their identities and piggybacking on others’ operations to hinder attribution. In 2023, the 3CX software supply-chain incident revealed North Korea’s Lazarus Group compromising a company via a prior supply-chain backdoor planted by another nation, creating a multi-layered attack that confounded initial responders. Similarly, Russia’s Sandworm unit has perfected false-flag tactics – as seen in the 2018 Olympic Destroyer attack, where they planted bogus clues implicating Lazarus Group to mislead investigators. These techniques deliberately create attribution confusion, delaying or paralyzing coordinated response as agencies debate who is behind an attack.

Incentive Deconfliction: Perhaps the most insidious evolution, adversaries now exploit misaligned incentives between stakeholders in target countries. For instance, Iran’s cyber saboteurs targeted water utility control systems (using compromised programmable logic controllers made by a third-party supplier) to exploit the gap between private infrastructure ownership and public-sector security responsibility. Likewise, North Korea’s brazen cryptocurrency theft – which reached an estimated $1.34 billion in 2024 alone – took advantage of the unclear division of regulatory authority between financial oversight and cybersecurity enforcement. By operating in gray areas where no single entity feels accountable, these actors avoid a swift and unified response.

2.2 The Professionalization of Cyber Operations

During 2019–2025, nation-state cyber operations evolved from ad hoc espionage into professionalized, industrialized campaigns. Nowhere is this more apparent than in China’s recently exposed “i-Soon” leaks, which revealed a mature marketplace of private contractors competing for state hacking contracts – essentially an APT-as-a-Service ecosystem complete with pricing schedules and service-level agreements. This professionalization extends beyond technical prowess; adversaries are demonstrating a sophisticated understanding of Western coordination failures and bureaucratic sluggishness.

In sharp contrast, the U.S. and its allies have struggled to adapt their own practices. A striking example is the persistent cybersecurity deficiencies among defense contractors. An estimated 87% of U.S. defense contractors fail to meet basic cybersecurity requirements despite billions spent on compliance regimes. This gap means that while adversaries innovate and integrate rapidly, many frontline suppliers to Western governments remain dangerously vulnerable. In effect, Western cyber defenses are often fragmented and outdated, whereas adversaries operate with agility and unity of purpose.

3. Empirical Evidence: Major Incidents and Coordination Failures

3.1 SolarWinds: The Anatomy of Coordination Collapse

The 2020 SolarWinds Orion compromise epitomized modern deconfliction failure in the West. Although Presidential Policy Directive 41 (PPD-41) had established clear frameworks for interagency coordination in significant cyber incidents, the real-world response to SolarWinds exposed fundamental breakdowns. For months in 2020, Russian intelligence actors secretly piggybacked on SolarWinds software updates, ultimately infiltrating at least nine U.S. federal agencies and 100 companies. When the intrusion came to light in December 2020, the ensuing investigation revealed disjointed lines of effort and information silos. A Cyber Unified Coordination Group was formed under PPD-41, but by then the damage was done: each agency had been “monitoring” its own network with varying effectiveness, and there was no single authority to quickly unify the forensic picture.

A Senate review later noted inadequate data logging and sharing between agencies during SolarWinds, describing “uneven levels of data preservation,” with some organizations lacking even basic forensic capabilities. This technical deficit created cascading failures: agencies cannot share what they don’t collect. The lack of a common operating picture allowed the attackers to remain undetected for over half a year. By the time a private security firm uncovered the breach, the adversaries had long exfiltrated sensitive data. The SolarWinds incident underscored that even well-designed coordination policies mean little if not operationalized with robust information-sharing and incident response capacity on the ground.

3.2 Colonial Pipeline: Private Sector Coordination Gaps

The May 2021 ransomware attack on Colonial Pipeline highlighted the dangerous gap between private critical infrastructure operators and government response mechanisms. Colonial Pipeline, which supplies 45% of the U.S. East Coast’s fuel, suffered a ransomware intrusion that forced a six-day shutdown of operations. The immediate response revealed fundamental confusion about reporting and authority: rather than contacting the Cybersecurity and Infrastructure Security Agency (CISA) – the lead federal agency for asset response – the pipeline company reached out only to the FBI. This choice stemmed in part from unclear guidance on whom to call first, and it delayed the involvement of other key agencies. During the crisis, federal and state authorities scrambled to coordinate emergency fuel transport and address public panic, all while lacking direct channels to the victim company.

In post-mortems, the Colonial incident made plain that voluntary, trust-based partnerships are insufficient when a private company’s decisions can have national security implications. The economic impact was significant – drivers faced fuel shortages and price spikes along the East Coast – illustrating how a single cyber-induced outage can cascade into a national security concern. This case galvanized efforts to mandate incident reporting for critical infrastructure. Indeed, by 2022 the U.S. enacted a law requiring such companies to report major cyber incidents to CISA within 72 hours. The Colonial Pipeline episode thus serves as a cautionary tale: without clear mandates and integrated response plans bridging the public-private divide, adversaries will continue to exploit the seams in our defense.

3.3 MOVEit: Mass Exploitation and Notification Chaos

In mid-2023, the Clop ransomware group launched a mass exploitation of a zero-day vulnerability in MOVEit Transfer, a widely used file-transfer application. Over a few weeks, Clop illicitly accessed data from more than 2,700 organizations, affecting approximately 93.3 million individuals worldwide. The sheer scale of this supply-chain breach created a notification and remediation crisis that overwhelmed existing coordination mechanisms. Companies and government agencies using MOVEit were suddenly forced to determine if they were affected, what data was stolen, and how to alert millions of people – all under the threat that Clop would leak the data if ransoms were not paid.

The MOVEit episode revealed the inadequacy of current victim notification protocols and the reactive nature of cyber coordination. CISA and the FBI issued joint advisories about the MOVEit vulnerability and the ongoing exploitation, but these came after Clop had already compromised scores of targets. Many victim organizations learned of their breach not from government warning, but from Clop’s own extortion site or belated internal audits. The incident became a chaotic scramble: law enforcement and incident responders had to triage thousands of cases, and many affected individuals were notified of their data exposure only weeks or months later. This highlights a dire need for real-time information sharing and automated notification processes when a mass exploitation is underway. In an era of rapid, widespread cyberattacks, purely reactive coordination leaves defenders perpetually behind the curve.

3.4 3CX and i-Soon: Adversarial Coordination Superiority

Two stark events in 2023–2024 demonstrated that our adversaries are coordinating better than we are. First, the 3CX incident in early 2023 involved North Korea’s Lazarus Group inserting malware into the software supply chain of 3CX (a VoIP software provider) after that company had already been compromised via another supplier. This “double supply chain” attack created immense attribution confusion – the overlap of North Korean and possibly other nations’ footprints delayed a coordinated response for weeks. While investigators untangled the source of the breach, valuable time was lost in which the malware spread to 3CX customers. The 3CX case showed how skillfully an attacker can exploit bureaucratic hesitation; responders were unsure at first whether they were dealing with a North Korean operation or a false flag, which stalled decisive action.

Contrast that with the i-Soon leaks that emerged from China in February 2024. These leaked files exposed a highly structured Chinese cyber contractor ecosystem: private companies and institutes working at the behest of the state, with clearly defined reporting lines, performance metrics, and division of labor. In effect, China has achieved a unity of effort between government and industry in cyber operations – a unified offensive coordination that outstrips the West’s patchwork of public-private partnerships. Where Western cyber defense often relies on voluntary information sharing and unclear authorities across agencies and sectors, the Chinese model demonstrated clear command-and-control and strategic integration of capabilities. This asymmetry was evident when comparing responses: Western defenders struggled to piece together clues across 3CX’s incident, whereas Chinese operations (as revealed by i-Soon) proceed with an almost corporate efficiency. These examples underscore an uncomfortable reality: adversarial nation-states are out-coordinating the defenders, leveraging unity of effort and strategic clarity that we have yet to attain.

4. Adversarial Innovation in Counter-Deconfliction

Adversaries have not only adapted to Western cyber defenses – they are innovating specifically to counter our deconfliction efforts. Several notable developments from 2019–2025 illustrate how threat actors are exploiting our systemic weaknesses:

4.1 China’s Volt Typhoon – Strategic Pre-Positioning

China’s Volt Typhoon campaign represents a paradigm shift from traditional cyber espionage to long-term pre-positioning for potential conflict. As revealed in early 2024 by a joint CISA–NSA–FBI advisory (Alert AA24-038A), Volt Typhoon operators – a state-sponsored group – had maintained persistent access inside the networks of U.S. critical infrastructure for at least five years. Even more striking, these intruders practiced “living off the land” by using valid credentials and built-in network tools to avoid detection, and they periodically refreshed their access. For example, in one case Volt Typhoon actors quietly extracted password hashes (by stealing Active Directory database files) from multiple domain controllers over a span of four years, returning at intervals to ensure they always had current credentials. This patient, methodical approach – essentially cyber persistence – exploits the gap between episodic defensive scans and the attackers’ continuous presence. Volt Typhoon’s operations also blurred the line between cyber and physical domains: by embedding deep in the IT networks of utilities and communication providers, the group was preparing to disrupt critical services (like power or water) in the event of future crises. Such strategic pre-positioning is difficult to counter under the West’s current incident-focused paradigm; it requires a continuous hunting and monitoring effort that our fragmented system struggles to sustain.

4.2 Russia’s Sandworm – Military-Cyber Integration

Russia’s Sandworm group (also known as Unit 74455 of the GRU) has evolved from conducting isolated cyberattacks (like the 2017 NotPetya malware) to integrating cyber operations directly into military campaigns. The coordinated attack on Ukraine’s power grid in October 2022 exemplified this convergence. On the same day that Russian missiles bombarded Ukrainian energy facilities, Sandworm hackers launched a parallel cyber attack on a regional electricity provider, temporarily taking down its substations. Mandiant analysts noted this was the first known instance of a cyber-induced blackout coinciding with kinetic strikes in the war. The operation used a new variant of Industroyer malware to open breakers and disrupt power, demonstrating a rare cyber-physical one-two punch. Ukrainian officials had warned of possible combined cyber/missile operations, but until this event the concept remained largely theoretical. Western defenders, who typically treat cyber and kinetic threats in separate channels, were ill-prepared to face both at once. The Sandworm case highlights how an authoritarian adversary can tightly synchronize military and cyber units under one strategic objective – something Western democracies have been cautious to do due to legal and organizational boundaries. A U.S. government advisory in 2022 warned that Russian state actors pose an elevated threat to critical infrastructure, but even with warning, the challenge of defending against simultaneous kinetic and cyber assaults is immense. Sandworm’s integration of digital attacks with battlefield operations underscores an uncomfortable truth: our adversaries will not fight in silos, and neither can we.

4.3 Iran’s Cyber-Physical Escalation

Iran has increasingly pivoted to cyber-physical attacks that exploit Western hesitance to respond below the threshold of traditional warfare. Notably, Iranian operators have repeatedly targeted water infrastructure. In 2021, Iranian-linked hackers penetrated control systems of regional water utilities (including systems using Israeli-made PLC controllers) with the apparent intent to alter chemical treatments. These attempts were thwarted, but they signaled a new strategy: blending cyber means to achieve physical effects in ways that stay just under the level that would trigger a military response. By causing public safety scares (e.g. threatening a city’s drinking water) without direct casualties, Iran creates political pressure and fear, yet leaves the victim government grappling with attribution and proportional retaliation dilemmas. Western decision-makers, constrained by the need for clear evidence and mindful of escalation, often respond only with indictments or sanctions – measures that do little to deter future attacks. Iran’s calculated cyber provocation exploits our adherence to law and norms. Moreover, these incidents revealed gaps between agencies: those responsible for water sector safety were not always plugged into real-time cyber threat intelligence. Iran has essentially found a soft spot – critical civilian infrastructure that can be hit via cyber means, where Western coordination and response are weakest. This calls for a reevaluation of what constitutes an “attack” and how we organize cross-sector defenses for threats that deliberately straddle the cyber and physical realms.

4.4 North Korea’s Cryptocurrency Innovation

Under heavy economic sanctions, North Korea has turned to cyber theft to bankroll its regime – pioneering techniques that many others are now emulating. Pyongyang’s hacking units, particularly the Lazarus Group, have stolen staggering sums from cryptocurrency exchanges, decentralized finance platforms, and individual wallets. In 2022 alone, U.S. authorities attributed over $1 billion in crypto theft to North Korean actors, a figure that climbed to $1.34 billion in 2024, the highest annual total on record. This is not smash-and-grab crime; it is a strategic, state-run revenue stream. North Korea has shown mastery of regulatory arbitrage – targeting exchanges in jurisdictions with weak anti-money-laundering enforcement and rapidly laundering funds through mixers, bridges, and shadowy brokers. According to blockchain analysis firms, North Korean hackers were responsible for over 60% of the cryptocurrency value stolen globally in 2024. Their operations overwhelm the capacity of law enforcement: by the time authorities trace one batch of stolen coins, the regime has already converted them or shifted tactics. U.S. Treasury sanctions and FBI seizures have had some success (e.g. sanctioning crypto mixer services used by DPRK), but North Korea’s nimble adaptation – from exploiting DeFi protocols to targeting NFT platforms – keeps it a step ahead. The broader implication is that cyber financial theft is becoming a nation-state tool that can underwrite other malicious activities (like WMD development) without the need for direct confrontation. Western coordination against this threat remains siloed among financial regulators, law enforcement, and intelligence, providing ample cracks for North Korea to slip through. As one U.N. report noted, Pyongyang’s cyber heists have directly financed its advancing missile programs. Countering this demands an unprecedented fusion of finance, cyber, and intelligence efforts – something that has only begun in recent years.

5. The Eroding Advantage: Structural Contradictions in Western Cyber Defense

Despite the systemic challenges outlined above, Western nations have scored some defensive successes in recent years – proving that progress is possible when coordination and will are mustered. U.S. Cyber Command’s hunt-forward operations, for example, have been deployed 55+ times across 20+ countries since 2018, resulting in the exposure and public release of over 90 novel malware samples. These proactive missions, where cyber teams assist partner nations to find and flush out adversary malware, have preempted numerous attacks and, by some estimates, protected hundreds of thousands of would-be victims. Another bright spot is CISA’s Joint Cyber Defense Collaborative (JCDC), launched in 2021 to foster operational collaboration with industry. JCDC has grown from an initial 4 major companies to over 340 participating organizations in a few years, enabling faster sharing of threats and collective response to incidents like the Log4j vulnerability. International cooperation also saw breakthroughs: in 2023 the FBI led Operation Duck Hunt, a multinational takedown of the Qakbot botnet that remotely neutralized Qakbot malware on over 700,000 infected computers worldwide – an action that likely prevented countless ransomware attacks. Similarly, the 2021 disruption of the Emotet botnet by a global task force removed one of the most dangerous malware platforms; Europol estimated Emotet had caused $2 billion in damages over its lifespan, damages that will now be averted by its elimination. These examples show that when the West aligns its resources and expertise, it can impose real costs on adversaries and even temporarily regain the upper hand.

However, these tactical victories have yet to fully resolve the deeper structural asymmetries that favor attackers. Several fundamental contradictions in Western cyber defense remain:

The Paradox of Openness. The West’s greatest strengths – openness, interconnectedness, and a vibrant private sector – also create exploitable attack surfaces. Authoritarian adversaries operate through unified state direction, tightly controlling information and orchestrating cyber campaigns with military precision. By contrast, Western defense must navigate a maze of stakeholders: federal agencies, local governments, critical infrastructure owners, vendors, threat intel companies, ISPs, and more. Aligning all these players is painfully slow, allowing adversaries to divide and conquer. Our open societies also mean we publicize our cyber shortcomings in audits and hearings, which agile foes study and exploit. As one U.S. Intelligence Community watchdog report noted in 2024, problems like over-classification and interagency frictions continue to hinder rapid cyber threat sharing. Meanwhile, adversaries face no such constraints – their hackers share information within a single chain of command and are free from public scrutiny. This structural asymmetry means offense will keep outpacing defense unless we find ways to streamline coordination without sacrificing our values.

The Classification Trap. While classification of intelligence is vital to protect sources and methods, it has inadvertently become a barricade to collective cyber defense. The most actionable threat intelligence – such as adversary tools or indicators of compromise – often originates from classified programs and thus remains locked behind clearances. Even when agencies attempt to “declassify” technical indicators for industry use, the process is too slow for the speed of cyber attacks. Although frameworks exist (e.g. the Traffic Light Protocol (TLP) 2.0 adopted in over 70 countries to standardize sharing permissions), many organizations still err on the side of secrecy. An Intelligence Community Inspector General review in late 2023 found that over-classification and slow cross-domain declassification processes were recurring barriers to sharing cyber threat data quickly with those who need it. The result: valuable warnings and forensic clues stay siloed in classified channels until it’s too late. Technological solutions could mitigate this – for instance, CISA’s Automated Indicator Sharing (AIS) platform enables machine-speed exchange of threat indicators in standardized formats. AIS has shown that with the right system, a malware signature seen by one agency can be pushed to others (and to companies) in near real time. Yet adoption of such platforms has been sluggish, and many private firms still complain that government intel reaches them only after they’ve been hit. We must move beyond the paradigm of one-way, after-the-fact intelligence release. Techniques like “tear-line” reporting (whereby sensitive sources are stripped out but tactical details are shared) and time-bound classification (automatic downgrade of purely technical data after days or weeks) need to be embraced. Unless we can free critical threat information from bureaucratic shackles – without compromising genuine secrets – we will continue to fight at a disadvantage.
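As an added illustration (not part of the original paper), the two release techniques named above modelled as a gate on a single indicator: the tear-line copy strips source fields, a time-bound rule downgrades purely technical data after an assumed 14 days, and TLP 2.0 labels decide which audience may receive it. The sample indicator, the audience names and the 14-day window are constructed assumptions, not published policy.

```python
"""Tear-line release and time-bound downgrade of a single threat indicator.

Constructed example: the indicator, the audience names and the 14-day
downgrade window are this example's assumptions, not a published policy.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# TLP 2.0 labels (FIRST), least to most restrictive.
TLP_LEVELS = ("CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED")

# Which audiences may receive text carrying each TLP 2.0 label. Audience names
# are this example's own shorthand: "named" = explicitly addressed recipients,
# "org" = the recipient's organisation, "clients" = its customers,
# "community" = the wider defender community, "public" = anyone.
TLP_AUDIENCE: Dict[str, frozenset] = {
    "RED": frozenset({"named"}),
    "AMBER+STRICT": frozenset({"named", "org"}),
    "AMBER": frozenset({"named", "org", "clients"}),
    "GREEN": frozenset({"named", "org", "clients", "community"}),
    "CLEAR": frozenset({"named", "org", "clients", "community", "public"}),
}

# Fields describing sources and methods; the tear-line copy never carries them.
SOURCE_FIELDS = ("source_handle", "collection_method", "reporting_officer")


@dataclass(frozen=True)
class Indicator:
    ioc_type: str                       # e.g. "ipv4", "sha256"
    value: str                          # the tactical detail a defender blocks or hunts for
    first_seen: datetime
    classification: str                 # simplified: "SECRET" or "UNCLASSIFIED"
    tlp: str                            # TLP 2.0 label of the releasable text
    technical_only: bool = True         # value reveals nothing about how it was obtained
    source_handle: Optional[str] = None
    collection_method: Optional[str] = None
    reporting_officer: Optional[str] = None


def tear_line(ind: Indicator) -> Indicator:
    """Below-the-line copy: keep the tactical detail, drop every source field."""
    return replace(ind, **{name: None for name in SOURCE_FIELDS})


def time_bound_downgrade(ind: Indicator, now: datetime,
                         max_age: timedelta = timedelta(days=14)) -> Indicator:
    """Automatically downgrade purely technical data once it is older than max_age."""
    if (ind.classification != "UNCLASSIFIED" and ind.technical_only
            and now - ind.first_seen >= max_age):
        return replace(ind, classification="UNCLASSIFIED")
    return ind


def prepare_release(ind: Indicator, now: datetime) -> Indicator:
    """Run both steps a producer would apply before pushing to an AIS-style feed."""
    return time_bound_downgrade(tear_line(ind), now)


def releasable_to(ind: Indicator, audience: str, now: datetime) -> bool:
    """Gate one indicator: no source fields, unclassified, and audience within its TLP."""
    if ind.tlp not in TLP_LEVELS:
        raise ValueError(f"unknown TLP label: {ind.tlp}")
    if any(getattr(ind, name) is not None for name in SOURCE_FIELDS):
        return False                    # sources and methods never leave the classified channel
    if time_bound_downgrade(ind, now).classification != "UNCLASSIFIED":
        return False                    # still classified and not yet old enough to downgrade
    return audience in TLP_AUDIENCE[ind.tlp]


# Constructed sample: a C2 address from the RFC 5737 documentation range,
# first seen 20 days ago, sitting in a SECRET report with its source attached.
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_RAW = Indicator("ipv4", "192.0.2.10", SAMPLE_NOW - timedelta(days=20),
                       "SECRET", "AMBER", source_handle="SRC-PLACEHOLDER",
                       collection_method="method-placeholder")
SAMPLE_FRESH = replace(SAMPLE_RAW, first_seen=SAMPLE_NOW - timedelta(days=2))


def demo() -> Dict[str, bool]:
    """Walk the sample through the gate; returns the release decisions."""
    released = prepare_release(SAMPLE_RAW, SAMPLE_NOW)
    return {
        "raw_to_org": releasable_to(SAMPLE_RAW, "org", SAMPLE_NOW),                  # source still attached
        "released_to_clients": releasable_to(released, "clients", SAMPLE_NOW),       # AMBER permits clients
        "released_to_community": releasable_to(released, "community", SAMPLE_NOW),   # would need GREEN
        "fresh_to_org": releasable_to(tear_line(SAMPLE_FRESH), "org", SAMPLE_NOW),   # only 2 days old
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'release' if allowed else 'hold'}")
```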

The Accountability Dilemma. In Western democracies, transparency and accountability are foundational – but in the cyber arena they can introduce operational friction. Any major cyber response or offensive countermeasure may be subject to legal review, oversight inquiries, or public disclosure requirements. These safeguards are important to prevent overreach and protect civil liberties, yet adversaries exploit them by operating in the shadows and denying involvement. Western cyber operators thus often find themselves constrained by “what if this becomes public” concerns, needing extensive interagency consultations and sign-offs, whereas an adversary unit has no such compunction – they simply act on orders from the top. For example, a military cyber unit in a democracy might hesitate to disrupt an enemy server if it’s co-located in a friendly country’s network, fearing diplomatic fallout if exposed. Meanwhile, an authoritarian actor would hack recklessly in third countries, indifferent to collateral damage or sovereignty issues. The result is that Western responses can be slower and more measured, giving the initiative to the attacker. Moreover, after a cyber incident, Western institutions tend toward blame-seeking (Who missed the warning? Which contractor leaked the tool?) rather than blameless analysis. A culture of punitive inquiry can make agencies risk-averse – nobody wants to be the next headline for a cyber operation gone wrong. To restore agility, we may need to borrow from safety engineering disciplines: conduct post-incident reviews that focus on learning, not blaming. The goal should be to rapidly absorb lessons and adapt defenses, rather than to publicly shame institutions for cyber mishaps. If we treat every cyber incident primarily as a potential scandal, defenders will remain risk-averse and reactive. Balancing democratic oversight with effective cyber operations is delicate, but essential to deny adversaries the advantage of our self-imposed restraint.

In sum, Western nations confront a paradox: our open, rule-of-law societies have built the most connected and digitally dependent economies on earth – but those very attributes are being used against us in cyberspace. We can neither abandon our values nor ignore the tactical reality that they create complexities adversaries do not face. The following section outlines a path forward through this strategic thicket, recommending structural reforms to turn these contradictions into strengths.

6. Recommendations for Structural Reform

The strategic position of Western cyber defense in 2025 stands at a critical inflection point: either undertake comprehensive reform or witness a continued erosion of advantage. The evidence from 2019–2025 makes clear that business-as-usual is leading to gradual strategic decline. Restoring Western leadership and deterrence will require reforms commensurate with the scope of the challenge. Half-measures and incremental fixes will not suffice. We must fundamentally realign our structures and incentives to outpace adversaries. The following reforms are essential steps toward that end:

6.1 Immediate Operational Reforms

Establish a Unified Cyber Defense Command and Real-Time Intelligence Sharing. As a first step, the U.S. should create a singular national authority for coordinating major cyber incident response – effectively a “joint cyber command center” empowered not merely to coordinate but to direct defensive actions across civilian agencies, military commands, and private-sector utilities during significant incidents. This unified command structure would eliminate the confusion of “who’s in charge” that has plagued incidents like SolarWinds and Colonial Pipeline. It should operate on a 24/7 basis and include liaisons from key sectors. In parallel, we must deploy standardized technical platforms for machine-speed threat intelligence sharing that bypass human bottlenecks. Every relevant stakeholder – from a small county government to a Fortune 500 company – should be able to receive and contribute to a common threat picture in real time. This means greatly expanding automated indicator sharing networks (building on CISA’s AIS) and possibly using classified-to-unclassified dissemination technology so that critical alerts (e.g. a specific malware signature or IP address) reach defenders within minutes of discovery. Additionally, Congress and regulators should mandate timely incident reporting for all operators of critical infrastructure. The Cyber Incident Reporting for Critical Infrastructure Act (enacted in 2022) needs robust implementation: companies must report substantial cyber incidents to CISA within 72 hours, with penalties for non-compliance. This will ensure the unified command center and all partners have prompt awareness of emerging crises. By instituting these measures – clear authority, mandatory reporting, and automated intel sharing – we can dramatically shorten response times and present a coordinated front to fast-moving threats.

6.2 Institutional Transformation

Remake Organizations for IT-OT-Converged Security and Embedded Partnerships. Our defense institutions must be retooled for the modern threat environment, particularly the convergence of IT (information technology) and OT (operational technology) systems. Adversaries like Volt Typhoon and Sandworm target the seams between enterprise IT networks and industrial control systems, knowing that organizationally we separate those domains. We should establish cross-domain cyber units or task forces explicitly tasked with securing critical infrastructure holistically – for example, combining energy sector engineers, industrial control security experts, and traditional IT cybersecurity personnel under one roof. Whether this means expanding DHS’s industrial control security initiative or creating new joint units, the goal is the same: no more gaps between corporate IT security and control system security.

Furthermore, we must move beyond information sharing toward true public-private operational integration. This could involve embedding private sector cyber experts directly in government cyber operations centers (and vice versa) on a rotating basis. For instance, during a major incident affecting cloud services, having cloud provider engineers on-site at CISA or Cyber Command’s watch floor could significantly speed up mitigation and attribution. We have precedents in the counterterrorism realm (with analysts from telecom companies embedded at NSA, for example) – it’s time to do the equivalent for cyber defense.

At the international level, Western allies and partners should establish standing cyber coordination bodies with pre-negotiated protocols for mutual assistance. NATO’s cyber defense arrangements and the bilateral cyber partnerships (like U.S.–UK Joint Cyber Cell) are steps in this direction, but remain largely ad hoc. We need something akin to a “Cyber UCG” on the international stage for major transnational incidents – so that if, say, a global malware outbreak occurs, trusted nations can immediately pool information and resources without weeks of diplomatic wrangling. Regular joint exercises among these nations’ cyber emergency teams would cement habits of cooperation. Adversaries operate continuously across borders; our defensive alliances must be just as seamless and persistent.

6.3 Technical Innovation Priorities

Pivot from Static Defense to Proactive, Adaptive Security. The prevailing “prevent and detect” approach must be augmented with a philosophy of resilience and agility. First, we need defensive automation at machine speed – systems that use artificial intelligence to hunt threats, respond to incidents, and fortify systems in seconds, not days. For example, deploying self-healing networks that automatically isolate a compromised node, or AI-driven security agents that can scan and patch thousands of endpoints immediately when a new critical vulnerability is disclosed. Given that over 28% of new vulnerabilities are exploited by adversaries within 24 hours of public disclosure, our defense tools must react in hours or less. This will require significant investment in AI and machine learning for cybersecurity applications (and careful validation to avoid false moves by automated systems).

Second, we must strategically shift from an over-emphasis on perimeter prevention to a focus on resilience – assuming breach and engineering systems to degrade gracefully under attack. This might include wider use of zero trust architectures, redundancies in critical functions, and manual fallbacks for core services (so that, for instance, an electrical grid can be operated in limited fashion even if its network is penetrated). The goal is to deny adversaries a high-impact payoff even if they get in.

Third, we should develop attribution-independent defenses – security mechanisms that do not rely on knowing exactly which actor is behind an intrusion to be effective. Currently, debates over attribution can delay responses and policy actions. Instead, consider defenses like behavior-based anomaly disruption: if any credential starts behaving suspiciously (whether it’s a Russian hacker or an insider or automated malware), the system automatically suspends it and requires re-validation. Such responses don’t care who the attacker is, only what they are doing, thus sidestepping the attribution trap and stopping damage faster.
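To make the behavior-based disruption described above concrete, here is an added illustration (not code from the paper or any named program): a small rule-based detector that watches what each credential is doing over a sliding window and returns a suspend-for-re-validation decision whenever a rule trips, without ever asking who is behind the activity. The authentication events, thresholds, credential names and rule names are all constructed for the example.

```python
"""Behavior-based credential anomaly disruption (constructed example).

The detector never asks who is behind the activity; it watches what a
credential is doing and flags it for suspension and re-validation when its
behaviour crosses a threshold. All events and thresholds below are constructed
sample data, not real logs or production tuning values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (timestamp, credential, source_country, host, result)
SAMPLE_EVENTS = [
    ("2025-03-01T08:00:00", "alice", "US", "fileserver-01", "success"),
    ("2025-03-01T08:05:00", "alice", "US", "fileserver-01", "success"),
    ("2025-03-01T08:07:00", "alice", "RO", "fileserver-01", "success"),  # second country within minutes
    ("2025-03-01T09:00:00", "bob", "US", "hr-app", "success"),
    ("2025-03-01T09:01:00", "svc-backup", "US", "db-01", "success"),
    ("2025-03-01T09:01:10", "svc-backup", "US", "db-02", "success"),
    ("2025-03-01T09:01:20", "svc-backup", "US", "web-01", "success"),
    ("2025-03-01T09:01:30", "svc-backup", "US", "web-02", "success"),
    ("2025-03-01T09:01:40", "svc-backup", "US", "dc-01", "success"),    # fan-out to five hosts
    ("2025-03-01T10:00:00", "carol", "US", "vpn", "failure"),
    ("2025-03-01T10:00:05", "carol", "US", "vpn", "failure"),
    ("2025-03-01T10:00:10", "carol", "US", "vpn", "failure"),
    ("2025-03-01T10:00:15", "carol", "US", "vpn", "failure"),
    ("2025-03-01T10:00:20", "carol", "US", "vpn", "failure"),
    ("2025-03-01T10:00:25", "carol", "US", "vpn", "success"),    # burst of failures, then success
]

WINDOW = timedelta(minutes=10)   # sliding window for every rule (assumed value)
MAX_COUNTRIES = 1                # more than one source country in a window
MAX_HOSTS = 4                    # more than four distinct hosts in a window
MAX_FAILURES = 4                 # more than four failures preceding a success


def _parse(events):
    """Group raw tuples by credential and sort each history by time."""
    parsed = defaultdict(list)
    for ts, cred, country, host, result in events:
        parsed[cred].append((datetime.fromisoformat(ts), country, host, result))
    for cred in parsed:
        parsed[cred].sort()
    return parsed


def evaluate_credential(history):
    """Return the sorted list of rule names a single credential trips, or []."""
    reasons = set()
    for i, (t_end, _, _, result) in enumerate(history):
        # Everything that happened within WINDOW before (and including) this event.
        window = [e for e in history[: i + 1] if t_end - e[0] <= WINDOW]
        countries = {e[1] for e in window}
        hosts = {e[2] for e in window}
        failures = sum(1 for e in window if e[3] == "failure")
        if len(countries) > MAX_COUNTRIES:
            reasons.add("multi-geo")
        if len(hosts) > MAX_HOSTS:
            reasons.add("host-fanout")
        if result == "success" and failures > MAX_FAILURES:
            reasons.add("failure-burst")
    return sorted(reasons)


def decide(events):
    """Map each credential to ('suspend', reasons) or ('allow', []).

    The decision depends only on observed behaviour; the caller would wire
    'suspend' to a session kill plus a re-validation (e.g. MFA) prompt.
    """
    decisions = {}
    for cred, history in _parse(events).items():
        reasons = evaluate_credential(history)
        decisions[cred] = ("suspend", reasons) if reasons else ("allow", [])
    return decisions


if __name__ == "__main__":
    for cred, (action, reasons) in decide(SAMPLE_EVENTS).items():
        print(f"{cred:12s} {action:8s} {', '.join(reasons)}")
```

In this sample, `alice` trips the multi-country rule, `svc-backup` the host fan-out rule and `carol` the failure-burst rule, while `bob` is left alone; the same logic would fire identically whether the underlying cause were an external actor, an insider or automated malware, which is the point of attribution-independent defense.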

Finally, breaking free from the traditional government technology acquisition cycle is imperative. In the Pentagon, for example, the procurement of a new cyber tool or capability can take years – by which time the tool may only have a useful life measured in weeks once deployed. A 2018 RAND analysis found that the average lifespan of certain offensive cyber capabilities was on the order of one month. We need agile development and acquisition processes that deliver tools in months or days, not years. This might expand on initiatives like the Pentagon’s Software Fast Track (SWFT) programs that aim to bypass lengthy certification in favor of continuous integration and deployment. In practice, this could mean provisional authorities to operate new defensive software within 72 hours of need, subject to testing in parallel. Where current rules demand exhaustive vetting, we might use AI-driven modeling to assess risk on the fly. If we continue with business-as-usual procurement, we’ll keep arming our cyber defenders with yesterday’s technology against today’s threats.

6.4 Cultural and Talent Transformation

Foster a Cyber Defense Culture of Agility and Attract the Best Talent. Technology and structure alone won’t save us if our people and culture remain stuck in legacy modes. A deep cultural shift is required, starting with an “assume compromise” mindset at all levels. This means training leadership and staff to operate under the expectation that systems are breached (or could be at any moment), thereby encouraging proactive threat hunting and zero-trust behaviors by default. We should reward organizations for admitting and fixing vulnerabilities, not stigmatize them – so that there is less incentive to sweep issues under the rug. Blameless post-incident reviews, as mentioned, should become standard, reinforcing continuous learning.

Crucially, we must overhaul how we recruit and retain cyber talent. The current model often fails to attract or keep elite talent, and in some cases actively excludes it. Arbitrary requirements – such as rigid education credentials or years of menial “butts-in-seats” contract experience – have disqualified prodigious young hackers who lack a traditional resume but possess world-class skills. A new approach is needed to identify and cultivate talent early, and to bring it into government service through innovative pathways.

One recommendation is to establish a National Cyber Talent Discovery Program, a systematic pipeline to find high-potential cyber operators (as teenagers or even younger) and guide them through progressively advanced training and challenges. This could be modeled on elite sports development programs. For example, Australia’s Olympian development follows a Foundation–Talent–Elite–Mastery (FTEM) progression over 8–12 years, with only a small fraction of initial talent reaching the elite level – a model that could apply to developing cyber virtuosos. A U.S. cyber talent program might start with nationwide competitions (expanding on initiatives like CyberPatriot) to scout youths with exceptional aptitude. Those identified would enter specialized camps and mentoring programs, much as promising athletes go to training centers. The program would emphasize not just technical prowess but also attributes like creativity, problem-solving under stress, and teamwork – using tests analogous to special forces selection for resilience and cognitive flexibility. By the time participants reach early adulthood, they would have a decade of tailored development, positioning them as world-class cyber defenders or tool developers.

Simultaneously, we should remove unnecessary barriers for bringing fresh talent into government work. Direct government-to-talent contracting pathways would allow agencies to hire brilliant individuals straight out of school (or straight off the street, in the case of self-taught phenoms) without requiring them to go work for an established contractor first. Congress could create an “Individual Cyber Operator” hiring authority with competitive salaries and flexible terms, so that a 19-year-old coding wizard isn’t automatically passed over because he or she lacks a 5-year corporate track record. To prevent abuse, these individuals could be vetted via practical exams and limited-scope background checks. The key is to prioritize demonstrated skill over pedigree. If someone can prove in a live test that they can, say, reverse-engineer malware or secure a cloud architecture as well as a veteran, then age or formal degree should not matter.

The Defense Department has already recognized the need for faster clearance processes for cyber specialists. The Trusted Workforce 2.0 initiative aims to speed up security clearance vetting to as short as 25–75 days for certain roles. But current clearance processing for DoD contractor personnel still averages around 138 days for Secret clearances – far too long when trying to onboard a hot prospect. We should implement risk-based clearance adjudications that accept some calculated risk for faster hiring, perhaps granting interim clearances to high-skill hires with clean records so they can start work immediately while full vetting continues.

Another cultural change is needed in the contracting incentives for cybersecurity services. Too often, government contracts pay by the “seat” or by credentials of staff, which motivates vendors to supply bodies rather than outcomes. We need to flip this to an outcomes-based model. For example, contracts could tie payment to measurable improvements in an agency’s security (such as reducing incident response times or demonstrably closing certain vulnerabilities), rather than to having X number of staff present for Y hours. Contractors should also be encouraged or required to use live technical skill assessments when hiring for these contracts, rather than relying on paper certifications. A talented 20-year-old without a CISSP should be able to beat a mediocre 40-year-old with multiple certifications in a fair skills competition – and if so, that younger talent should be working on our nation’s problems. By mandating performance outcomes and skill proofs in contracts, agencies can incentivize their vendors to seek out the truly capable individuals and not just those who check bureaucratic boxes.

In essence, the West needs to revive its “competitive spirit” in cyber defense. We still have many of the world’s best minds and innovators; the task is to harness that talent to public purpose. During the Cold War, programs like the Astronaut Corps or DARPA’s researcher community drew top talent to tackle national challenges. We need an equivalent prestige and sense of mission around cyber defense. National Cyber Scholarships, elite cyber units with public recognition, and clear, exciting career paths can help. If we create an environment where a gifted hacker sees government service as the highest calling – rather than jumping to a tech giant or, worse, being lured by criminal or foreign operators – we will have turned the talent tide. It is a long-term play, but absolutely vital.

7. Conclusion: The Strategic Imperative

Five years after Guerrero-Saade’s influential analysis, the competitive landscape in cyberspace has shifted dramatically. Adversarial innovation continues to accelerate, challenging Western defensive adaptation at every turn. The hard truth is that our current coordination mechanisms – many of them designed for a bygone era of isolated intrusions – must evolve to counter the continuous, multi-domain campaigns we face today. The period from 2019 to 2025 has shown that nation-state opponents can achieve a form of “victim deconfliction” and unified strategy, while we remain fragmented. Western democracies must find a way to achieve equivalent unity of effort in cyber defense while preserving democratic values. This is not merely a technical puzzle; it is a fundamental test of whether open societies can effectively defend themselves in a domain where openness can be a liability.

The encouraging news is that strategic advantage can be restored. The West still possesses immense strengths: world-leading technology companies, alliances spanning the globe, and a tradition of innovation and resilience. By implementing the structural reforms detailed above – from unifying command and speeding intelligence flow to recruiting the brightest talent and aligning incentives – we can demonstrate a renewed commitment to cyber leadership. The question is not whether Western nations can afford such sweeping changes, but whether we can afford to delay them any longer. The adversary is moving at network speed. Our response must be bold and decisive.

The time for decisive action is now. Just as prior generations mobilized to meet the challenges of nuclear proliferation or terrorism, we must mobilize to meet the cyber challenge. This will require sustained focus from both intelligence professionals and policymakers. It will require investing in capabilities and people in new ways, and perhaps relinquishing some old bureaucratic comforts. But the cost of inaction is clear: a future in which we are constantly on the back foot, our prosperity and security persistently eroded by unseen digital hands.

We cannot allow the erosion of our cyber advantage to continue. By recognizing the scope of the threat and rising to meet it with equal scope of vision, Western nations can reclaim strategic dominance in the cyber domain. The reforms outlined are ambitious, but they are grounded in the painful lessons of the past five years. We know what must be done; what remains is the will to do it. History will not wait for us – the restoration of strategic competence in cyberspace must begin today.

The specific, actionable policies required to implement this transformation are detailed in the appendix that follows.

Appendix: Enhanced Formal Policy Recommendations – Accelerating U.S. Cyber Capabilities Beyond Current Reforms

Executive Summary

The United States government has initiated cyber reforms in recent years, but more aggressive action is needed to overcome the adversary’s momentum. The incoming administration’s early 2025 efforts under President Trump have addressed some systemic issues – for example, launching the Software Fast Track Initiative (SWFT) to accelerate secure software deployment, and terminating $5.1 billion in wasteful IT consulting contracts to refocus resources on operational cyber needs. Yet a fundamental mismatch persists between the realities of cyber warfare and the government’s ability to acquire and field capabilities. Over 28% of known exploited software vulnerabilities are now weaponized by attackers within 24 hours of their disclosure, while the Department of Defense’s 16 most critical IT programs (worth over $50 billion) continue to suffer cybersecurity shortfalls and delays. The recommendations below build upon current reforms to close the remaining gaps and to accelerate America’s transition to continuous cyber capability development and deployment. They are organized by timeframe – immediate (0–6 months), mid-term (6–18 months), and longer-term (12–36+ months) – reflecting both urgency and the practical sequencing of implementation.

A.1 Enhancing Current Software Fast Track Initiatives (0–6 months)

Recommendation 1: Expand AI-Powered Authorization Beyond SWFT. (Policy Action: Broaden the Pentagon’s SWFT program – originally focused on expediting general software acquisition – to cover all cyber-specific tools and offensive capabilities.) Under the expanded SWFT, any cyber defense or offense tool should go through a streamlined “72-hour to deploy” authorization process, using automated risk assessments. The current gap is that while SWFT has improved supply chain security checks for new software, it has not yet delivered true rapid deployment for cyber tools – traditional Authority to Operate (ATO) processes still drag on for months for malware analysis sandboxes or hunt team kits. We must integrate AI-powered threat modeling and testing into the authorization pipeline for cyber capabilities. For instance, whenever a new network sensor or exploit toolkit is developed, AI models can simulate its behavior in a controlled environment to evaluate risks, producing an automated risk report in hours. This would replace weeks of paperwork and human review. Implementation: The DoD Chief Information Officer should create a “Cyber Capabilities Fast Track” within SWFT, with the directive that any cyber tool meeting mission-critical needs gets fast-tracked. The target is to grant provisional ATO for new cyber tools within 72 hours of request, pending further refinement. The process would mandate automated red-team testing pipelines – essentially continuous integration but for security, where new code is relentlessly tested by scripts and AI for vulnerabilities – and include auto-generated rollback and kill-switch features. Every tool should also have a built-in telemetry and kill mechanism so that if a problem emerges (e.g., the tool is compromised or misbehaving), it can be instantly revoked from all endpoints. This aggressive expansion of SWFT will ensure our cyber warriors aren’t waiting on bureaucratic approvals while adversaries act.

Recommendation 2: Leverage AI for Continuous Vulnerability Analysis and Patch Deployment. (Policy Action: Task the intelligence community and DHS to deploy AI systems that scan government and defense networks for newly disclosed vulnerabilities and autonomously implement virtual patches or mitigations.) The volume of software vulnerabilities (“CVEs”) disclosed each year is overwhelming, and many agencies struggle to patch within safe timeframes. We need AI assistants monitoring feeds like CISA’s Known Exploited Vulnerabilities catalog and immediately cross-referencing against asset inventories. If a new critical flaw is announced (say in a widely used VPN), the AI should be able to flag all instances on .gov or .mil networks within minutes. Further, using machine learning, it can often suggest or apply a temporary mitigation (such as reconfiguring a firewall, disabling a service, or applying a vendor patch if available). The goal is to shrink the window between vulnerability disclosure and defender action, ideally ahead of adversaries exploiting it. Implementation: The National Security Agency (NSA) could expand its existing endpoint security platform (the “GHOST” program, hypothetically) with AI modules that simulate how an exploit of a new CVE would behave in our environment, then push out a blocking rule enterprise-wide. CISA’s National Cybersecurity Protection System (“Einstein”) can similarly be upgraded to use AI for pattern recognition of emerging exploits. These AI agents should operate under human supervision but with latitude to act quickly – a “test, then apply broadly” approach. In effect, this creates an automated immune system for government networks, buying time until permanent patches are applied. This recommendation requires ensuring the AI systems themselves are secure and have fail-safes to avoid false positives disrupting operations.
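The deterministic core of this recommendation, cross-referencing a newly published exploited-vulnerability entry against an asset inventory and ranking what to mitigate first, needs no machine learning at all, and the added example below (not code from the paper, CISA or any agency program) shows that part. The feed mimics the field names of the public KEV JSON (cveID, vendorProject, product, dueDate, requiredAction), but the real catalog does not carry affected version ranges, so the `affectedVersions` key is an assumed enrichment step; the CVE identifiers, hostnames, vendors and interim-mitigation wording are all constructed placeholders.

```python
"""Cross-reference a KEV-style feed against an asset inventory (constructed example).

Both inputs are constructed. The feed copies the field names of CISA's Known
Exploited Vulnerabilities JSON, but 'affectedVersions' is an assumed enrichment
(the real catalog lists no version ranges). CVE identifiers are placeholders.
"""
from datetime import date

# Constructed feed entries; affectedVersions is [min, max) as (major, minor) tuples.
KEV_FEED = [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVPN", "product": "GatewayOS",
     "affectedVersions": [(0, 0), (9, 2)],
     "dueDate": "2025-03-10", "requiredAction": "Apply vendor update 9.2 or later"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleDB", "product": "Server",
     "affectedVersions": [(14, 0), (14, 6)],
     "dueDate": "2025-03-20", "requiredAction": "Apply vendor patch"},
]

# Constructed asset inventory (hostnames are placeholders).
ASSETS = [
    {"host": "vpn-edge-01.agency.example", "vendor": "ExampleVPN", "product": "GatewayOS",
     "version": "9.1", "internet_facing": True},
    {"host": "vpn-edge-02.agency.example", "vendor": "ExampleVPN", "product": "GatewayOS",
     "version": "9.3", "internet_facing": True},
    {"host": "db-core-01.agency.example", "vendor": "ExampleDB", "product": "Server",
     "version": "14.2", "internet_facing": False},
    {"host": "hr-web-01.agency.example", "vendor": "ExampleWeb", "product": "Portal",
     "version": "3.0", "internet_facing": True},
]


def parse_version(v):
    """Turn '9.1' into (9, 1); a bare major like '9' becomes (9, 0)."""
    major, minor = (v.split(".") + ["0"])[:2]
    return int(major), int(minor)


def is_affected(entry, asset):
    """Vendor/product must match (case-insensitive) and version must fall in [lo, hi)."""
    if (entry["vendorProject"].lower(), entry["product"].lower()) != \
            (asset["vendor"].lower(), asset["product"].lower()):
        return False
    lo, hi = entry["affectedVersions"]
    return tuple(lo) <= parse_version(asset["version"]) < tuple(hi)


def find_exposed_assets(feed, assets, today):
    """Return one record per (asset, entry) hit, internet-facing and soonest-due first."""
    hits = []
    for entry in feed:
        due = date.fromisoformat(entry["dueDate"])
        for asset in assets:
            if not is_affected(entry, asset):
                continue
            hits.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "days_until_due": (due - today).days,
                "internet_facing": asset["internet_facing"],
                "action": entry["requiredAction"],
                # Interim step while the permanent patch is scheduled; wording is assumed.
                "interim": ("restrict ingress at the edge firewall"
                            if asset["internet_facing"] else "monitor and schedule patch"),
            })
    hits.sort(key=lambda h: (not h["internet_facing"], h["days_until_due"]))
    return hits


def demo():
    """Run the cross-reference against the constructed data for a fixed 'today'."""
    return find_exposed_assets(KEV_FEED, ASSETS, date(2025, 3, 2))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Against the constructed data the VPN edge device on 9.1 is flagged first (internet-facing, due soonest), the database server on 14.2 second, and the 9.3 gateway and the unrelated web portal are not flagged. A production version would replace the inline lists with the live feed and a CMDB query, and would hand the interim mitigation to a human-approved change process rather than applying it unattended, in line with the recommendation's "test, then apply broadly" caveat.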

Recommendation 3: Mandatory Incident Reporting and Assistive Response for Critical Infrastructure. (Policy Action: Fully implement and enforce the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 with clear rules, and establish a federal rapid reaction team to assist reported incidents.) In the immediate term, DHS should publish the final rule for mandatory reporting (covering what constitutes a significant incident, timelines, and the form of reports) and widely communicate it to industry. Simultaneously, stand up a Cyber Incident Surge Team – a joint unit drawing from CISA, FBI cyber task forces, and National Guard cyber units – that can deploy onsite or remotely to aid any critical infrastructure entity that reports a major incident. The mindset must shift so that a company hit by ransomware or a nation-state attack promptly calls this team for help, akin to calling 911, without fear of regulatory punishment. This team can provide instant advice (e.g., whether to isolate systems, how to preserve logs, etc.), connect the victim with federal intel (such as indicators to look for), and if needed send “boots on the ground” within hours. Implementation: The Administration should direct that any critical infrastructure operator that fails to report a covered cyber incident within 72 hours faces penalties (as per CIRCIA), to ensure compliance. At the same time, incentives (like liability protections or technical aid) should encourage reporting. The Surge Team can be exercised in table-tops in the first 6 months to iron out processes. By quickly operationalizing mandatory reporting along with immediate federal assistance, we close the gap that adversaries have exploited – the current hesitation and delay in engaging government during the most crucial early hours of an attack.

Recommendation 4: Launch a “Cyber National Guard” Pilot for Surge Personnel. (Policy Action: Create a pilot program to recruit a reserve of civilian cyber experts who can be called up during national cyber emergencies.) The idea is analogous to the National Guard or volunteer fire departments: talented cybersecurity professionals in the private sector or academia would commit to serve, if needed, a certain number of days per year in a federal cyber response capacity. In return, they could receive training, security clearances, and perhaps a stipend or student loan benefits. In the first six months, DHS and DoD could jointly stand up a pilot “Cyber Guard” unit of, say, 100 experts. These individuals would drill periodically (e.g., one weekend a quarter for training exercises) and be reachable for activation. During a major incident (like a big supply-chain compromise or critical infrastructure hack), the Cyber Guard could augment government teams, bringing in fresh expertise in malware analysis, cloud forensics, industrial control systems, etc. Implementation: Congress may need to authorize this structure and appropriate funds. The pilot can start with volunteers identified through existing programs like the Civil Air Patrol’s CyberPatriot alumni network or NSA’s Centers of Academic Excellence. Over time, this reserve could grow and possibly integrate with state-level efforts. The key benefit is surge capacity – adversaries often time attacks for maximum disruption (e.g., holidays), and a Cyber National Guard ensures we have skilled responders beyond the full-time federal cadre. This also builds civilian-military ties and cross-pollinates best practices. If successful, within a year the pilot could be expanded nationally.

A.2 Addressing Leadership and Organizational Gaps (6–18 months)

Recommendation 5: Create a Cyber Capabilities Innovation Corps (CCIC) within Existing Structures. (Policy Action: Establish a specialized unit – the CCIC – inside the Department of Defense or DHS to rapidly develop and field cyber tools, without adding new bureaucracy.) Instead of standing up an entirely new agency, the CCIC would be co-located with an existing innovation hub such as the Defense Innovation Unit (DIU) in Silicon Valley, leveraging their facilities and contracting agility. The CCIC’s mission: accelerate the development of niche cyber capabilities (both defensive and offensive) that have very short life cycles. This team would essentially be an in-house skunkworks for cyber. To staff it, we envisage about 150 technical experts – drawn 75% from rotating military cyber operators and 25% from industry fellowships – to ensure a mix of operational experience and cutting-edge skill. The CCIC would have flexible authority, utilizing existing rapid procurement mechanisms like Other Transaction Authorities (OTAs) to contract with small tech firms or academic labs quickly. For example, if a sudden need arises for a tool to scan for a new type of firmware malware, the CCIC could contract a startup and deliver a prototype in weeks.

To integrate with current efforts, the CCIC should align with the Software Fast Track processes and feed outputs directly to Cyber Command and CISA. In effect, CCIC becomes the “special forces” of cyber capability development, focusing on tools that might only be useful for a few months but can offer a decisive edge. Implementation: DoD can initiate CCIC as a pilot program under DIU’s umbrella. Identify a small facility and redirect some existing cyber R&D funds. This unit should report to a high-level steering group (perhaps co-chaired by U.S. Cyber Command and DHS Cyber Directorate leadership) to ensure it addresses joint priorities rather than service-specific ones. Success can be measured by CCIC’s output – e.g., how many new tools deployed per quarter, and feedback from operators on their effectiveness. By 18 months, CCIC should be fully operational and showing results, at which point Congress could consider formalizing it if needed.

Recommendation 6: Modernize Cyber Personnel Security Clearance Processes. (Policy Action: Implement risk-based and expedited clearance processes tailored for cyber roles, while maintaining security standards.) One of the leadership challenges has been the slow and inflexible vetting of cyber talent. Trusted Workforce 2.0, the ongoing reform, aspires to clearance processing goals of 25–75 days, but reality is still far from that, with DoD contractor Secret clearances averaging ~138 days as of recent data. We recommend creating cyber-specific clearance categories that recognize different risk profiles. For example, an 18-year-old prodigy with no work history might be deemed low risk for espionage (if carefully supervised) but high risk for impulsive behavior – manageable through mentorship rather than outright disqualification. We could establish an “Interim Cyber Clearance” allowing access to certain ranges of systems after an initial check (say 30 days of checks) so new hires can start contributing while a deeper investigation continues. Also, clearance reciprocity must be improved – talent moving between government and industry or between agencies should not have to restart the clock each time.

To pilot these ideas, the clearance authorities (DCSA for DoD, and NBIB/OPM for civilians) should set up a fast-track clearance unit for critical cyber recruitments. Use polygraph and automated background checks as appropriate, but prioritize speed – even accepting some risk by granting conditional access with extra monitoring. For instance, a new cyber hire could be allowed on unclassified threat intel systems immediately and on classified systems in read-only mode pending full clearance. Implementation: Within 6–12 months, update directives to allow conditional access for mission-critical cyber roles. Engage Congress if needed to adjust legal requirements (they did so for Trusted Workforce reforms already). Track the outcomes: if interim cleared individuals perform well and no incidents occur, expand the practice. Additionally, invest in technologies to assist clearance processing (like continuous evaluation tools that use automated record checks). This recommendation aligns with the cultural shift to trust in demonstrated ability and integrity, and it will help leadership fill vacancies faster with top talent. By 18 months, the goal should be an average of under 90 days to fully clear a new cyber hire and under 30 days for interim approval – metrics that can be reported to oversight bodies to demonstrate progress.

Recommendation 7: Incentivize Interagency Cyber Rotations and Cross-Pollination. (Policy Action: Mandate and facilitate short-term rotations of cyber personnel across key federal agencies and establish a unified cyber career framework.) One organizational gap is the siloing of expertise; NSA’s cyber operators, DHS’s cyber responders, FBI’s cyber investigators, etc., each have different cultures and methods. We need to grow a generation of leaders and practitioners who are fluent across these domains. Therefore, institute a program where mid-career cyber professionals (GS-13 to GS-15 or military O-3 to O-5 equivalents) must do a 3–6 month rotation in a different agency’s cyber unit to broaden perspective. A DHS analyst might work at Cyber Command’s Cyber National Mission Force for a tour, or a DoD cyber planner might spend time at the FBI’s National Cyber Investigative Task Force. These rotations should be credited towards promotion, not seen as a detour.

At a higher level, create a Cyber Joint Duty Program similar to the joint duty requirement for military officers – meaning to reach senior ranks, one must have experience in at least two different “communities” (e.g., intel, law enforcement, homeland security, diplomacy) in the cyber field. Implementation: The Office of the National Cyber Director (ONCD) in the White House can coordinate with OPM and agency HR to set this up within a year. Identify initial billets for exchange and remove bureaucratic hurdles (like differences in pay or clearance) to make it seamless. Perhaps use the model of the Intelligence Community Joint Duty Program as a template, expanding it to more agencies. In addition, design a unified Cyber Career Pathways Framework so that skills and training in one agency carry over equivalently to another (facilitating lateral hires and transfers). Over 18 months, we should see dozens of personnel rotating, and the insights gained will feed back into improving coordination. This effort builds the “one team” ethos we desperately need – so that in a crisis, leaders have personal relationships and understanding across agency lines.

A.3 Building on Current AI and Technology Integration (12–24 months)

Recommendation 8: Expand AI Integration Mandates Specifically for Cyber Operations. (Policy Action: Take the administration’s broad directives on AI adoption in government and carve out cyber-specific applications to be fast-tracked, under oversight of the DoD’s Chief Digital and AI Office (CDAO) and DHS.) We have national strategies calling for more AI use – we must ensure cybersecurity is a primary beneficiary. Concretely, this means setting requirements and funding for the development of AI tools in four cyber mission areas: Autonomous Threat Hunting, Real-Time Vulnerability Exploitation, Adaptive Cyber Defense, and Predictive Security Analytics. For instance, mandate that within two years, every federal SOC (Security Operations Center) shall deploy an AI system capable of autonomously scanning logs and network traffic to identify new threat patterns without human cue. Similarly, for offense (under proper legal authority), develop machine learning models that can generate or suggest exploit code within hours of a new vulnerability being revealed – essentially automating parts of what nation-state hackers do manually. On defense, require AI-driven systems that can automatically adjust network security policies as an attack unfolds (like dynamically reconfiguring firewall rules, trust relationships, or authentication requirements when an intrusion is detected). And for strategic planning, invest in predictive models that analyze current threat telemetry to forecast what kind of cyber operations adversaries might attempt next. These may sound ambitious, but prototypes of each exist in industry or academia. The policy step is to prioritize and resource them government-wide.

Implementation: The CDAO, in coordination with NSA’s Cybersecurity Directorate and DHS’s Science & Technology, should issue an AI Cyber roadmap in the next year. Select pilot projects – for example, an AI Threat Hunter deployed at a major federal agency SOC, an AI Red Team Agent at USCYBERCOM to assist cyber offense planning, etc. Work closely with U.S. tech companies and research labs – perhaps via challenge problems or prize competitions – to accelerate development. Ensure proper testing and verification (AI can be error-prone or fooled, so human oversight is key). By the 24-month mark, aim to have at least one AI capability in each of the four mission areas deployed in operational settings for evaluation. This will keep us on the cutting edge as adversaries are certainly pursuing AI for their own cyber operations.

Recommendation 9: Enhance Cyber Capability Sharing Mechanisms Among Allies and Agencies. (Policy Action: Evolve existing info-sharing frameworks into real-time capability sharing systems, using automation and cloud distribution.) It is no longer enough to share threat data; we should strive to share actual defensive tools and code modules instantly across coalition lines. Building on arrangements like the Five Eyes intelligence partnership and NATO’s malware information sharing platform, we propose creating a real-time cyber arsenal distribution system. For example, if the CIA’s Directorate of Digital Innovation (DDI) develops a script to disable a new strain of malware, that tool (appropriately sanitized) could be pushed to all partner endpoints via a secure cloud within minutes. Or if a UK agency creates a fix for a SCADA vulnerability, it’s immediately available to US, Canadian, Australian, etc. teams through a shared repository. This requires technical integration – likely an automated DevSecOps pipeline between trusted parties – as well as policy integration (legal agreements that such code sharing is pre-authorized under certain conditions). Domestically, we need the same between agencies: a platform where, say, FBI or NSA can drop a newly discovered detection signature and all other agencies’ sensors pick it up in real time.

Implementation: The ONCD can convene a working group with key intelligence community, defense, and foreign partners to design this system. Building on CIA DDI’s model (they have rapid prototyping for tools), we can adapt their protocols to a multi-entity environment. Use modern package management and containerization (e.g., Docker containers with defensive tools) distributed over classified and unclassified clouds depending on tool sensitivity. The system should incorporate automated trust and safety checks – perhaps AI that scans a shared tool for backdoors or errors before deployment to others. Within 18 months, pilot this with a small group (maybe US-UK-Australia in a specific mission area like critical infrastructure protection). Once proven, expand to other close allies and across U.S. agencies. The vision is that when one defender creates a countermeasure, all defenders benefit almost immediately. This turns our diversity from a weakness into a strength – a vast distributed network of innovators whose outputs are pooled.
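As an added illustration of the automated trust checks such a pipeline would apply before a shared artifact reaches other parties’ sensors, the following Python gate (written for this page; not code from the paper, CIA DDI or any agency) vets a shared artifact’s manifest on four points: the publisher is known, the signature verifies, the payload digest matches, and the artifact is of an allowed kind and within a freshness window so a withdrawn tool cannot be replayed later. Publisher names, keys, the manifest layout and the sample rule text are constructed assumptions. HMAC with a per-publisher shared key stands in for the per-publisher asymmetric signatures a real multi-party pipeline would use, so that the example runs on the standard library alone; scanning the payload content itself (the paper’s backdoor scan) would be a separate stage after this gate.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed pilot keys (assumption): one shared key per publisher so the
# example runs offline. A real pipeline would hold per-publisher public keys.
PUBLISHER_KEYS = {
    "uk-pilot-team": b"constructed-demo-key-uk",
    "us-pilot-team": b"constructed-demo-key-us",
}
REQUIRED_FIELDS = {"publisher", "artifact_id", "kind", "payload",
                   "payload_sha256", "published_at"}
ALLOWED_KINDS = {"detection-signature", "mitigation-script"}
MAX_AGE = timedelta(hours=24)  # older artifacts may have been withdrawn; re-publish instead


def _canonical(manifest):
    """Deterministic bytes over every field except the signature itself."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def publish(publisher, artifact_id, kind, payload, published_at):
    """Publisher side: build a manifest, attach payload digest and signature."""
    manifest = {
        "publisher": publisher,
        "artifact_id": artifact_id,
        "kind": kind,
        "payload": payload,
        "payload_sha256": hashlib.sha256(payload.encode()).hexdigest(),
        "published_at": published_at.isoformat(),
    }
    tag = hmac.new(PUBLISHER_KEYS[publisher], _canonical(manifest), hashlib.sha256)
    manifest["signature"] = tag.hexdigest()
    return manifest


def vet(manifest, now):
    """Receiver side gate. Returns (accepted, reasons); reasons is empty on accept.
    Identity failures return early; other checks are all reported so the
    publisher can see everything that was wrong with the artifact."""
    missing = REQUIRED_FIELDS - manifest.keys()
    if missing:
        return False, [f"missing fields: {sorted(missing)}"]
    key = PUBLISHER_KEYS.get(manifest["publisher"])
    if key is None:
        return False, ["unknown publisher"]

    reasons = []
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("signature", ""))):
        reasons.append("signature mismatch")
    if hashlib.sha256(manifest["payload"].encode()).hexdigest() != manifest["payload_sha256"]:
        reasons.append("payload digest mismatch")
    if manifest["kind"] not in ALLOWED_KINDS:
        reasons.append(f"disallowed artifact kind: {manifest['kind']}")
    published = datetime.fromisoformat(manifest["published_at"])
    if published > now or now - published > MAX_AGE:
        reasons.append("artifact outside freshness window")
    return (not reasons), reasons


# Constructed sample data: a detection rule shared one hour ago, plus three
# manifests that should be rejected.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
RULE_TEXT = 'alert tcp any any -> any any (msg:"constructed demo rule"; sid:1000001;)'
GOOD = publish("uk-pilot-team", "sig-0001", "detection-signature", RULE_TEXT, NOW - timedelta(hours=1))
TAMPERED = {**GOOD, "payload": RULE_TEXT + "  # altered in transit"}
FORGED = {**GOOD, "publisher": "unknown-team"}
STALE = publish("us-pilot-team", "fix-0042", "mitigation-script", "echo constructed", NOW - timedelta(days=3))

if __name__ == "__main__":
    for label, manifest in (("good", GOOD), ("tampered", TAMPERED),
                            ("forged", FORGED), ("stale", STALE)):
        print(f"{label:9s} -> {vet(manifest, NOW)}")
```

Note that a change to any signed field, not only the payload, invalidates the signature, which is what stops a relay node from re-labelling a mitigation script as a detection signature or redating it to pass the freshness check.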

Recommendation 10: Automate Deconfliction of Offensive Cyber Operations. (Policy Action: Develop and deploy an AI-driven deconfliction system that helps identify and avoid conflicts between simultaneous cyber operations or between operations and defense activities.) One of the challenges identified in 2019 was the risk of multiple Western actors unknowingly targeting the same system (or each other) – the classic “victim deconfliction” problem Guerrero-Saade outlined. To mitigate this, an automated system could act as a real-time coordinator. For example, before a U.S. agency executes a disruptive cyber operation, they could query a deconfliction AI which checks if any allied operation or sensitive intelligence collection is ongoing on that target. This system would need a database (shared securely among coalition partners) of active operations tagged by some metadata (target sector, region, maybe a pseudonymous identifier for the target). The AI could then alert operators if a potential clash exists – e.g., “Operation X may disrupt an asset currently used by Ally Y for collection” – allowing leadership to adjust timing or approach. Similarly, for defensive deconfliction: if an intelligence agency is running a honeypot on an adversary server but a defensive team is about to block traffic to it, the system would flag that.

Implementation: This is sensitive, as it touches on some of the most classified planning. Likely it would be run out of U.S. Cyber Command or ODNI’s Cyber Threat Intelligence Integration Center (CTIIC). Begin by automating deconfliction within the U.S. government first – an internal system where NSA, Cyber Command, FBI, etc., log basic parameters of their operations. Use AI matching to detect overlaps (AI can consider various factors like IP ranges, malware family, timing, etc.). Once internal efficacy is shown, expand to Five Eyes partners who already share a level of operational deconfliction through informal channels. Ultimately, such a system reduces the chance we inadvertently disrupt each other’s efforts. Adversaries are adept at exploiting coordination lapses – this tool makes those lapses less likely by giving us a sort of “traffic control” for cyber operations. By 24 months, we should have an initial operating capability, and although final decision-making will always rest with humans, they will be far better informed.
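The query-before-execute check described in Recommendation 10 and its implementation note, as an added Python example (not code from the paper or any agency): a registry of pseudonymised operations is matched against a proposed activity on the factors the text names (timing, address ranges, malware family, sector and region), and each potential clash is returned as an alert with a severity so that the human decision on timing or approach is better informed. Operation identifiers, agency labels, the address ranges (RFC 5737 documentation blocks) and the table of which activity kinds conflict are constructed assumptions; the example also covers the defensive case from the text, a block that would disable a honeypot.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Operation:
    """One registry entry. Targets appear only as pseudonyms and CIDR blocks
    (assumption: the shared registry never carries real target names)."""
    op_id: str
    owner: str
    kind: str            # disruptive | collection | honeypot | defensive-block
    sector: str
    region: str
    start: datetime
    end: datetime
    networks: list = field(default_factory=list)          # CIDR strings
    target_pseudonyms: set = field(default_factory=set)
    malware_families: set = field(default_factory=set)


# Constructed pairings of activity kinds that clash when they touch the same
# asset at the same time. Two collections on one asset are not a clash here.
CONFLICTING = {
    frozenset({"disruptive", "collection"}),     # disruption burns a collection source
    frozenset({"disruptive"}),                   # two actors hitting the same system
    frozenset({"defensive-block", "honeypot"}),  # blocking traffic kills the honeypot
}


def time_overlap(a: Operation, b: Operation) -> bool:
    return a.start < b.end and b.start < a.end


def network_overlap(a: Operation, b: Operation) -> bool:
    nets_a = [ipaddress.ip_network(n, strict=False) for n in a.networks]
    nets_b = [ipaddress.ip_network(n, strict=False) for n in b.networks]
    return any(x.overlaps(y) for x in nets_a for y in nets_b)


def check_conflicts(proposed: Operation, registry: list) -> list:
    """Return one alert per registered activity the proposal may clash with.
    'high'   = same asset (shared pseudonym or overlapping address space);
    'review' = same sector, region and malware family, exact asset unknown."""
    alerts = []
    for other in registry:
        if other.op_id == proposed.op_id:
            continue
        if frozenset({proposed.kind, other.kind}) not in CONFLICTING:
            continue
        if not time_overlap(proposed, other):
            continue
        if proposed.target_pseudonyms & other.target_pseudonyms or network_overlap(proposed, other):
            severity, reason = "high", "same asset"
        elif (proposed.sector == other.sector and proposed.region == other.region
              and proposed.malware_families & other.malware_families):
            severity, reason = "review", "same sector, region and malware family"
        else:
            continue
        alerts.append({"against": other.op_id, "owner": other.owner,
                       "severity": severity, "reason": reason})
    return alerts


def _utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)


# Constructed registry and proposals using RFC 5737 documentation ranges.
REGISTRY = [
    Operation("ALLY-COLLECT-01", "ally-y", "collection", "energy", "region-1",
              _utc(2025, 1, 10), _utc(2025, 1, 20),
              networks=["203.0.113.0/24"], target_pseudonyms={"T-4471"}),
    Operation("US-HONEYPOT-07", "us-intel", "honeypot", "finance", "region-2",
              _utc(2025, 1, 1), _utc(2025, 2, 1),
              networks=["198.51.100.7/32"]),
    Operation("ALLY-TRACK-09", "ally-z", "collection", "energy", "region-1",
              _utc(2025, 1, 1), _utc(2025, 1, 31),
              malware_families={"family-alpha"}),
]
PROPOSED_DISRUPT = Operation("US-OP-X", "us-agency-a", "disruptive", "energy", "region-1",
                             _utc(2025, 1, 14), _utc(2025, 1, 15),
                             networks=["203.0.113.40/29"], malware_families={"family-alpha"})
PROPOSED_BLOCK = Operation("US-BLOCK-3", "us-defense", "defensive-block", "finance", "region-2",
                           _utc(2025, 1, 14), _utc(2025, 1, 15),
                           networks=["198.51.100.0/24"])
PROPOSED_LATER = Operation("US-OP-X2", "us-agency-a", "disruptive", "energy", "region-1",
                           _utc(2025, 2, 5), _utc(2025, 2, 6),
                           networks=["203.0.113.40/29"], malware_families={"family-alpha"})

if __name__ == "__main__":
    for proposal in (PROPOSED_DISRUPT, PROPOSED_BLOCK, PROPOSED_LATER):
        print(proposal.op_id, check_conflicts(proposal, REGISTRY))
```

The split into "high" and "review" mirrors the text’s point that the system informs rather than decides: an address-space overlap is a concrete clash for leadership to act on, while a match only on sector, region and malware family is a prompt to ask the other party before proceeding.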

A.4 Elite Cyber Talent Discovery and Cultivation (18–36 months)

Recommendation 11: Establish a National Cyber Talent Discovery Program. (Policy Action: Launch a systematic program to identify young individuals with exceptional cyber talent and nurture them through a long-term development pipeline.) As discussed, elite cyber operators are often “born, not made” – traditional training can’t easily produce the intuitive genius-level skills that some individuals possess. We need to find those people early (high school or even middle school) and guide them towards national service. The program would be modeled on proven talent cultivation frameworks such as the FTEM model (Foundation, Talent, Elite, Mastery) used in sports like Olympic development.

  • Foundation stage: Expand the cybersecurity content in general STEM education and competitions. For example, sponsor national coding challenges, cyber leagues, or problem-solving games accessible to all teenagers. Track participants and use standardized tests or AI evaluators to spot those who naturally excel (the top few percent).
  • Talent stage: For those identified, provide scholarships to attend cyber camps, advanced training courses, or university programs. Perhaps create Cyber Centers of Excellence at select universities where these students can get mentorship from experts (similar to sports academies). During this stage (late high school to college), emphasize both technical breadth and creative hacking challenges to further gauge who has the potential to reach elite status.
  • Elite stage: Offer the best performers exclusive opportunities – internships at NSA’s Cybersecurity Directorate, working in a tech company’s security research division, or special military cyber units – to give real-world experience and hook their interest in national service. They should be paired with mentors (senior cyber operators) who groom their skills and also inculcate ethics and mission focus.
  • Mastery stage: The very few who emerge at the top (perhaps 4–5% of the talent pool) would be given fast-track pathways into critical roles – whether in government agencies, top defense tech companies, or research labs – with a career plan that challenges and rewards them. They might rotate through elite teams to broaden experience. The goal is that by their late 20s these individuals are world-class “cyber warriors” or innovators, with a decade of targeted development already behind them.

A crucial component is psychological and resilience training. High-end cyber operations can be stressful; operators face burnout or even temptations (like lucrative offers from industry or abroad). Borrowing from special forces selection, include assessments for grit, adaptability, and integrity. Provide support systems (wellness, community building among participants) to keep them engaged and healthy.

Implementation: Within 18 months, stand up a task force (perhaps under the Office of Science and Technology Policy with DHS and DoD participation) to design the program. Secure funding for scholarships and competitions. By the 2-year mark, pilot the identification phase via a national competition open to all 16-year-olds (for example) to create buzz and establish baseline metrics. Within 3 years, the first cohort of high-potential youths should be entering the talent development pipeline (cyber bootcamps, etc.). This is a longer-term investment, but one that pays compounding dividends. Over a decade, it could produce hundreds of elite practitioners to lead the defense, and thousands of highly skilled others to populate the broader cybersecurity workforce. In an environment where a single brilliant innovator can create a tool that thwarts an entire class of threats, cultivating even a handful of such people can change the game.

Recommendation 12: Prohibit Age and Credential Discrimination in Cyber Hiring and Contracting. (Policy Action: Enact regulations (or legislation if necessary) that forbid federal cyber contracts from imposing unjustified minimum experience or degree requirements, and require hiring to be based on demonstrated skill proficiency.) Too often, federal solicitations for cybersecurity roles include boilerplate language like “10 years of experience, CISSP required” which automatically filters out young talent who may be equally or more capable. We should mandate a shift to performance-based qualification. For example, instead of requiring 10 years’ experience, require the candidate to pass a rigorous practical exam or have a track record of relevant project achievement. If a 19-year-old can outperform a 35-year-old on a network penetration test, the government should be allowed (indeed encouraged) to hire the 19-year-old. Current contracting rules, influenced by risk aversion and bureaucratic tradition, often prevent that.

The DoD has already acknowledged that rigid requirements have kept out some of its best potential hackers. We propose an explicit prohibition on what we might call “paper ceiling” practices for cyber roles. Age should not be a factor at all (aside from legal minor status issues which can be handled case by case with guardianship consent, etc.). Educational degrees similarly – many top technologists are self-taught or learned outside formal academia. Security clearances are necessary but as we covered, those can be expedited or granted interim.

Implementation: The Office of Personnel Management (OPM) can issue guidance to agencies to reform hiring standards for cyber positions, emphasizing skills-based assessments. The Federal Acquisition Regulation (FAR) could be amended to instruct that for cyber services contracts, vendors must not exclude candidates based on age or lack of degree if they can prove competence. Oversight might be needed to ensure compliance – agencies should report on how many younger professionals or non-traditional hires they are bringing in. Additionally, create more pathways for direct hire authority in cyber fields (several such authorities exist but could be expanded in usage). The message needs to be sent clearly: capability trumps credentials. Within 12–18 months, we should see pilot hiring exercises where candidates of any background can come and take a “capture-the-flag” style test for a job – with the highest scorers getting the offers. This not only finds talent but sends a signal that the government is serious about embracing fresh blood.

Recommendation 13: Create Direct Government-to-Talent Contracting Pathways. (Policy Action: Establish a legal mechanism for agencies to contract directly with individual experts for cyber work, outside the traditional contracting firm model.) Many of the best cybersecurity practitioners prefer to work as independents, consultants, or within small elite teams – not for large government contractors. Yet currently, it is very difficult for an agency to pay an individual for their expertise without going through a company intermediary (due to contract rules, liability concerns, etc.). We should create a framework analogous to how special artists or scientists are sometimes commissioned directly. For example, a registry of vetted cyber experts (could be U.S. citizens who pass background checks and agree to certain terms) who can be hired on short-term contracts to perform specific tasks – such as audit a system, develop an exploit for a red-team exercise, or train a cyber unit – and be compensated at competitive market rates without all the overhead. This bypasses the scenario where a top hacker is only accessible to the government if they join a big contractor that takes a 50% cut of their labor cost and potentially bogs them down.

Key considerations include ensuring legal and security vetting for these individuals (solvable via clearance as discussed) and perhaps limiting their roles to non-inherently-governmental functions (though in cyber the line can blur – for instance, they might advise or build tools, while actual use of the tools in operations stays with federal employees).

A complementary idea is a Cyber Auxiliary program (somewhat like what the FBI has piloted, and similar to how police have auxiliary officers) where private experts volunteer some time to advise or assist government missions in exchange for perhaps training or just patriotic satisfaction.

Implementation: ONCD along with OMB’s Office of Federal Procurement Policy can propose a pilot authority for, say, DHS and DoD, to directly engage up to a certain number of individual experts per year. Alternatively, leverage existing excepted service hiring but on term appointments – basically hiring someone for 6 months at a time as a highly paid expert, then releasing them. But contracting might be cleaner since many will prefer to remain independent. Work out issues like intellectual property (the government should get needed rights to anything developed), and conflict of interest (someone working for agency A one week and agency B the next – manageable with proper ethics agreements). Within 2 years, aim to have at least a handful of cases where an individual was brought in directly to solve a critical cyber problem and delivered results more efficiently than a traditional contract.

This recommendation, along with the others in the talent space, aims to dramatically widen and accelerate the intake of top skills into government missions. By removing middlemen and barriers, we can tap expertise that currently either sits on the sidelines or is only serving indirectly. Given the pace of cyber conflict, we must use all talent at our disposal, in as agile a manner as possible.

Collectively, the above formal recommendations chart a course to rebuild and enhance our cyber defense and offense posture. They address urgent gaps in technology, process, and human capital. Some require significant departures from status quo, but all are grounded in practical experiences of recent years and leverage successful models from other domains (like aviation safety, special operations, and sports). Implementing these will demand high-level sponsorship, resources, and perhaps most challenging, cultural change. Yet each recommendation is a step toward a more secure, resilient, and agile cyber ecosystem for the nation.

We must recognize that adversaries will not stand still. They will adapt to our moves, and thus this framework for strategic restoration is not a one-time fix but the beginning of an enduring campaign of continuous improvement. The United States and its allies have surmounted strategic threats in the past by combining innovation with the strength of our values and alliances. Cyberspace should be no different. By systematically closing the gaps and misalignments that have plagued us, we can ensure that the coming years (2025 and beyond) mark the restoration of a robust cyber deterrence and defense advantage for the free world.

References

  • Guerrero-Saade, J. A. (2019). King of the Hill: Nation-State Counterintelligence for Victim Deconfliction. Virus Bulletin Conference Proceedings.
  • Cybersecurity and Infrastructure Security Agency (CISA). (2020). Alert AA20-352A: Supply Chain Compromise Affecting SolarWinds Orion Platform. [PDF].
  • U.S. Government Accountability Office (GAO). (2022). Critical Infrastructure Protection: Colonial Pipeline Cyberattack Highlights Need to Better Secure Cross-Sector Systems. GAO-22-104746.
  • CISA. (2023). #StopRansomware: CL0P Ransomware Gang Exploits MOVEit Vulnerability. CISA Cybersecurity Advisory (AA23-158A).
  • Mandiant. (2023). Cutting Edge: A Novel Cyber Espionage Campaign (3CX Software Supply Chain Compromise). Mandiant Threat Research Blog.
  • Recorded Future. (2024). China-Linked “i-Soon” Leak Exposes PRC Hacking Operations. Insikt Group Report.
  • CISA, NSA, FBI. (2024). Joint Cybersecurity Advisory (AA24-038A): PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (Volt Typhoon).
  • Mandiant. (2023). Sandworm’s Oct 2022 Attack on Ukraine – Integrated Cyber and Kinetic Operations. (Referenced in Recorded Future News report)
  • U.S. Department of Justice. (2023). Qakbot Malware Disrupted in International Cyber Takedown. Press Release, August 29, 2023.
  • The Guardian. (2025). “North Korea behind $1.5bn hack of crypto exchange ByBit, says FBI”. (Chainalysis: $1.34B stolen in 2024).
  • Office of the Director of National Intelligence (ODNI). (2021). Trusted Workforce 2.0 – Transforming the Security Clearance Process. (Goals for clearance timeliness).
  • Nextgov/FCW – Riotta, C. (2022). “Majority of Defense Contractors Fail to Implement Critical Cybersecurity Requirements, Report Says.” (87% of contractors below compliance standards).
  • Security Magazine. (2024). “Report: Average breakout time for intrusive activity is 62 minutes.” (CrowdStrike 2023 threat report data).
  • Treacle Tech Blog. (2025). “207 Days to Spot a Hack? IBM 2023 Cost of a Breach Report Highlights Detection Delays.” (207-day average breach identification).
  • CyberScoop – Vasquez, C. (2024). “Age-old problems to sharing cyber threat info remain, IG report finds.” (Over-classification and sharing barriers).
  • Wired – Greenberg, A. (2021). “Cops Disrupt Emotet...Most Dangerous Malware.” (Emotet caused $2.5B in damages per Ukrainian police).
  • Krebs on Security – Krebs, B. (2021). “International Action Targets Emotet Crimeware.” (Ukrainian police: $2B+ losses from Emotet).
  • Breaking Defense – Welch, C. (2025). “Hegseth slashes $5.1B in Pentagon contracts for IT consulting…” (SecDef memo terminating $5.1B in contracts).
  • BankInfoSecurity – Riotta, C. (2024). “US Cyber Command Expanded 'Hunt Forward' Operations in 2023.” (55 deployments since 2018; 90 malware samples released).
  • FBI News. (2021). “FBI, Partners Disarm Emotet Malware.” (45,000 U.S. machines cleaned; costs up to $1M per incident).
  • U.S. Department of Defense. (2022). “DOD Announces Establishment of Chief Digital and AI Office (CDAO).” (Leverage CDAO for AI integration in cyber).
  • Federal News Network – Ciralsky, A. (2023). “Hegseth cracks down on Pentagon use of IT consulting contracts.” (Background on consulting cuts and insourcing plans).
  • ClearanceJobs News – Kuranda, K. (2023). “How Long Does It Take to Get a Clearance? Q4 2022 Timelines.” (Secret clearance fastest 90%: 138 days).
  • Europol. (2021). “World’s most dangerous malware EMOTET disrupted through global action.” (International coalition Operation Ladybird).
  • U.S. Senate Intelligence Committee. (2020). “Russian Active Measures Campaigns and Interference in the 2016 U.S. Election, Volume 1.” (NotPetya and Sandworm context for integrated attacks).