Cyberspace Solarium Commission: First Regression in US National Cyber Defense Since 2019

The most recent version of the Cyberspace Solarium Commission’s annual report on cyber defense finds that US federal efforts are backsliding for the first time since the commission was formed in 2019. The report cites cuts to budgets, the workforce and cyber diplomacy efforts as the primary reasons.

The commission was formed under the first Trump administration as a bipartisan effort to develop policy for cyber defense against the most significant threats to the nation. It was closed out as a government entity under the Biden administration in late 2021 but continued on as a non-profit with a smaller staff funded primarily by the neoconservative think tank Foundation for Defense of Democracies (FDD). It has continued to issue annual reports since its founding, with this most recent version breaking from previous general support for Trump administration policies.

Report warns cyber defense checklist is falling behind on key items

The report warns that national cyber defense is “stalling” in most areas and “slipping” in some. Its central point of criticism is that only 35% of 82 recommendations that the commission made in 2020 have been fully implemented, with about 13% still facing barriers to progress and another 18% making progress but still distant from actual implementation. This is the first year in which the number of implemented policies has moved backward, falling from about 48% in place in 2024.

The report notes that the first year of a new presidential administration is generally expected to see some downturn in cyber defense developments as what are usually substantial policy and personnel changes take place. However, it warns that the threat landscape has only become more dangerous and that the federal government appears to be in real danger of losing the technological arms race to threat actors, with little room for “unfinished tasks” to continue piling up.

The report divides its 82 ongoing recommendations into six “thematic pillars.” The first of these, reform of government structure and organization for cyberspace, is mostly fully implemented but has a couple of serious “pain points”: the complete collapse of efforts to restore the Office of Technology Assessment (OTA) in 2025, and the ongoing failure to establish House Permanent Select and Senate Select Committees on cybersecurity. The OTA was defunded in 1995 amidst criticism of waste and duplicate work by the Republican-controlled Congress of the time, and the Science, Technology Assessment, and Analytics (STAA) has since been founded to take up some of its former directives. The primary argument for a revived OTA would be as an intermediary for Congress in understanding complex evolving tech issues such as AI and privacy.

Better progress is seen with the second pillar, which addresses strengthening of cyber norms and military tools. In this area only one policy recommendation, improving cyber capacity and consolidating funding for foreign ally assistance, has stalled out as the Trump administration cancelled more than $175 million in cyber assistance as part of its sweeping budget cuts.

The straightforward third pillar, “promote national resilience,” also sees good overall ratings with the main point of criticism being the recent termination of the $2.75 billion in Digital Equity Act programs. More “stalled” ratings are seen in the “reshape cyber ecosystem security” pillar with the report pointing primarily to NIST funding shortfalls, the Trump administration’s freeze of $2.2 billion in research funds for universities, and ongoing failure to pass a federal-level breach notification law.

The final two pillars have strong overall ratings. In the area of “operationalizing cybersecurity collaboration with the private sector,” the one significant pain point is the failure of Congress to act on an amendment to the Pen Register Trap and Trace Devices Statute that would allow qualifying companies to conduct defensive activities on behalf of themselves and their customers. And the pillar related to military cyber only strongly criticizes insufficient funding for the “Under Advisement” program that has federal entities share threat data with private partners.

Trump budget approach is central factor in driving cyber defense concerns

As these examples illustrate, most of the cyber defense report’s assessment of backsliding can be tied back to fairly recent Trump budget cuts. But John Carberry, CMO of Xcape, notes that concerns about agency leadership also contribute: “The report highlights leadership inadequacies, pointing out that, as momentum wanes, the CISA director nominee is still unconfirmed. When combined, the message is clear: recent progress will keep eroding in the absence of fresh funding, power, and skill. If Washington doesn’t reboot its cyber game now, our adversaries will keep dictating the terms.”

The report offers five direct recommendations to the current administration: enhance the authorities of the Office of the National Cyber Director (particularly in allocating budgets), restore CISA’s prior levels of funding and staffing, beef up resources devoted to cyber diplomacy at the State Department, restore the Critical Infrastructure Partnership Advisory Council (CIPAC) in the interest of information sharing with private partners, and improve hiring and retention procedures in the federal cyber workforce.