The White House recently revealed the Cyber Strategy for America. This is a meaningful first step for the administration and a positive sign for both the industry and national security more broadly. It’s encouraging to see cybersecurity broken out into its own distinct national strategy document rather than a piece of a broader defense policy, elevating it to a first-order national security issue. 

It includes six pillars of action:

  1. Shape adversary behavior
  2. Promote common sense regulation
  3. Modernize and secure federal government networks
  4. Secure critical infrastructure
  5. Sustain superiority in critical and emerging technologies
  6. Build talent and capacity

Historically, I’ve seen executive orders and strategy documents like this one drive rapid change, although without budget aligned to these pillars, they are just talking points. I have a few initial reactions and thoughts on where we go next. 

The challenge of securing the public sector

This strategy is crucial because there are still major gaps in the U.S. government’s approach to building cyber resilience. The biggest gap isn’t in strategy; it’s in the speed of operating. Adversaries operate at machine speed, while the government is limited by bureaucratic processes, limited resources, and increasingly frequent shutdowns. AI is only widening that speed gap, and the result is that the public sector as a whole is in a constant state of catch-up. 

The majority of federal cybersecurity policy is built on compliance frameworks, post-breach policy, and incident response. There is an urgent need to shift to a more preemptive approach centered on proactive vulnerability discovery, so that issues are found and fixed before attackers can exploit them. While we’ve seen bug bounty programs and vulnerability disclosure programs (e.g., the Office of the Minnesota Secretary of State, the State of Maryland, and the State of California) succeed across the public sector, they are still not standard practice or required for every agency or critical infrastructure operator. 

I’m especially concerned about less sophisticated agencies. There is a misconception that because major agencies hold the most critical data, the majority of attacks will be aimed at them. In practice, cybercriminal groups disproportionately target smaller, less sophisticated agencies. State and local governments are falling behind in capability, capacity, and funding. I’m seeing the same divide in the private sector between large and small healthcare systems, utility providers, and financial services organizations. 

How the public sector can take action

When I read the Cyber Strategy for America document, the focus on offensive deterrents, reforming the regulatory environment, modernizing critical infrastructure, and workforce development really excited me. These topics align with what I’m hearing in the industry when I speak to customers.

However, I’m concerned about the vagueness of the document. I hope to see more detail, such as timelines, the responsible agencies, and execution plans.

I believe that a meaningful action plan against cybercrime networks should focus on the following:

  • Intelligence sharing—We need to enable sharing of intelligence between the private and public sectors in as much detail, and in as near real time, as possible. This happens in pockets today, but generally not at a meaningful speed. It should also be done globally, in coordination with international partners. 
  • Proactively reducing vulnerability exposure—Cybercrime networks and groups typically exploit known vulnerabilities in core applications and infrastructure. By modernizing government systems, reducing vulnerabilities across the private sector, and securing critical infrastructure, government teams can reduce vulnerability exposure at scale before it is exploited. 
  • Increased transparency and accountability—Agencies should publish clear metrics and accept public accountability so that the effectiveness of the work being done behind the scenes can be measured. 
  • Target financial and technical infrastructure—Cybercrime networks are run as businesses and should be disrupted as businesses. The government’s power to impose sanctions and seize funds can cut off the lifeblood of these groups. 

How Bugcrowd can help

Just last week, Bugcrowd announced that we officially achieved FedRAMP Moderate Authorization. Federal agencies can now rapidly engage Bugcrowd’s offensive security testing solutions to identify and remediate vulnerabilities proactively and at scale. Historically, federal agencies have been bogged down by months of compliance paperwork just to access the world’s best researchers, but by achieving FedRAMP Moderate, we’ve removed those barriers. 

At a time when speed is the ultimate currency in cybersecurity, this is a massive step forward for resilience in the public sector. Download our Bugcrowd for Government Guide to learn why federal agencies choose Bugcrowd, the additional measures we put in place to ensure researcher trust, the solutions available via our FedRAMP-authorized platform, and how our products help teams align with cyber mandates like BOD 20-01, CISA’s binding operational directive requiring agencies to publish a vulnerability disclosure policy.