COMMENTARY: The release of the new Cyber Strategy for America by the Trump administration marks an important moment for public and private sector leaders. With persistent nation-state threats, an evolving war in the Middle East, expanding digital dependencies, and the rapid adoption of generative AI, we need a policy that treats cybersecurity as foundational to economic strength, national security, and public trust.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

The strategy reinforces six priority areas that reflect today’s realities. While strategy documents set direction, progress ultimately depends on execution. It’s an opportunity for agencies, technology providers, and critical infrastructure operators to align around practical steps that meaningfully raise our collective level of defense.

Here are six tangible ways to translate the strategy’s priorities into real-world impact:

- Shape adversary behavior: The software industry must do its part to raise adversarial costs. First, we need to eliminate passwords altogether. Those of us in the industry have known for more than 30 years that passwords are a rotten way to secure anything. In 2000, The SANS Institute identified weak passwords as a Top 10 threat. Sadly, little has changed. In 2024, Akamai claimed that four out of five breaches were because of weak passwords. The reason: the costs are trivial for adversaries to automate credential-theft attacks. Software and cloud vendors should default to stronger methods and design mechanisms that make multi-factor authentication (MFA) and other strong authentication practices simple for agencies, companies, and consumers alike. While eliminating passwords won’t eliminate breaches outright, it does raise adversarial cost.
- Promote common sense regulation: When industry uses one set of standards and government uses multiple different sets, complexity reigns and both costs and time-to-market increase. For instance, the FedRAMP program has moved toward total automation using the Open Security Controls Assessment Language (OSCAL), while the Department of War (DOW) has created more separation between FedRAMP High and DOW Impact Level 5 to better protect its Non-classified Internet Protocol Router Network (NIPRNet). Is NIPRNet protection truly a worthy regulatory goal? Faster acceleration of automated cloud security compliance through OSCAL would benefit DOW as well by quickening the pace at which warfighters could get GenAI and access to other SaaS apps.
- Modernize and secure federal government networks: Between DOW and the Government Services Administration (GSA), the government has been enforcing the Cybersecurity Maturity Model Certification (CMMC) for its contractors and suppliers. One tangible benefit hasn’t received enough attention: if the government enforces contractor accountability, then it never has to buy a contractor or supplier a piece of government-furnished equipment (GFE) again. In 2024, the federal government spent roughly $750 billion with contractors and suppliers. Even if GFE equaled 0.5% of the total, that estimated $3.75 billion could be aimed at zero-trust and other modernization efforts for departments and agencies rather than contractors. Agencies would simply need to offer controlled access to government workflows, a much lower barrier to entry. The government could shrink its focus to its own employees and systems, which, while sizable, represent a substantially smaller and more achievable footprint.
- Secure critical infrastructure: Securing critical infrastructure (CI) remains challenging because it’s nebulous and vague. While CI isn’t traditionally measured through hierarchies of need, there are clear similarities. Financial and telecommunication system companies are already either federally legislated or industry self-policed, and are already more likely to have a higher floor of security and privacy. To borrow from Maslow’s hierarchy, the physiological needs of CI are water utilities and hospitals first, followed closely by the energy grid. We can sharpen our focus by increasing investment in the CI segments that are not only the most critical to the populace, but also in many cases the most vulnerable to adversaries.
- Sustain superiority in critical and emerging technologies: Throughout the recent drive for AI-led productivity increases, both the private and public sector want to know how to say “yes” safely without slowing down innovation. Organizations need modern IT infrastructure that creates both soft and hard guardrails, training, and enablement, giving users what they need: access, tailored workflows, protection of personal and organizational data, and the ability to publish and interact with generated code. Platforms built to accelerate the future of work will help organizations gain productivity faster without incurring undue new risks.
- Build talent and capacity: Workforce gaps, retraining, and expansion have been an issue for the better part of a decade, and the familiar framing is likely no longer accurate as it’s currently written. However, there’s probably an intersection of a few items at once:
  - First, the “half a million unfilled cyber roles” rhetoric needs a refresh, especially in light of how AI will both increase threats and aid defenders.
  - Second, with return-to-office mandates, tech layoffs ensued en masse during 2025.
  - Finally, GenAI tools and automation will require academia, industry, and government to invest in modernizing workers as well.

The industry also needs to bring more military veterans into its ranks. Veterans inherently come with a mission focus, the skills to adapt and overcome, the ability to participate in and lead teams, and a strong sense of responsibility. They need leading-edge training to create industry and agency mission success.

Although it’s easy to criticize the administration’s new cyber strategy, leaders should instead focus on the tangible improvements they can make to address the biggest cybersecurity challenges. With strong public-private sector coordination, the United States can significantly enhance its cybersecurity posture and build an IT infrastructure ready for the modern era.

Scott Montgomery, vice president, Federal, Island

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.