U.S. Cyber Defense Starts with Defining Standards and Driving Collaboration

OPINION — President Donald J. Trump has returned to office with the renewed revelations that Chinese government-affiliated hackers continue to outmatch America’s critical infrastructure cyber defenders through sabotage and espionage campaigns such as Volt Typhoon and Salt Typhoon.

The new Trump Administration must rebalance the cyber battlefield in America’s favor by raising and incentivizing cyber cybersecurity standards for the electric, oil and gas, nuclear power, water, telecommunications, financial services, public health, transportation, and other critical infrastructure sectors.

The mechanism would be the U.S. government, insurance providers, critical infrastructure operators, and technology providers collaboratively defining and maintaining data-based “good” standards for each sector, building on the greatest strengths of the public and private domains for a “common defense” of the homeland, with cyberspace being recognized and prioritized as the first line of defense.

A new national security prioritization schema is essential because, unlike our traditional, kinetic focused military components, every moment of every day, America’s public and private sector cyber warriors are battling nation-states in cyberspace. We must respond accordingly.

Raising Standards through Transparency and Accountability

The U.S. Department of Defense (DoD) currently mandates high cyber defense standards for corporate members of the Defense Industrial Base (DIB). The new Trump team should extend this standard-setting practice, partnering with the insurance industry to establish high standards for America’s private critical infrastructure operators.

The insurance industry would leverage its experience with cyber incident data from hundreds of thousands of cyber incidents to help government set these minimum standards across sectors and functions within sectors.

The government would require operators to establish Cybersecurity Information Centers (CICs) to audit organizational standards compliance, report their results to the government, and inform the management of their internal cyber security posture.

In much the same way that U.S. public companies are required to report financial results following Generally Accepted Accounting Principles (GAAP), the CIC reporting standard would provide the government and insurers important visibility into operator risk and provide operators a standardized framework for cyber risk management.

Join us in Sea Island, Georgia for The Cipher Brief’s 2025 Threat Conference from October 19-22. See how you can save your seat at tcbconference.com

Leveraging Bi-Partisan Consensus and Policy Precedents

A bi-partisan policy consensus over two administrations has laid the groundwork for this public-private CIC collaboration. The 2020 bi-partisan Congressional Cyber Solarium Commission (CSC) made recommendations for “operationalizing cybersecurity collaboration” in relevant information sharing between the government and private sector.

President Joe Biden’s 2024 National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22) built on the CSC’s Congressional consensus by establishing “the appropriate sharing of timely, actionable information” through a “robust information sharing environment” that enables actions and outcomes that reduce cyber risk.

The Joint Cyber Defense Collaborative (JCDC) established by Congress under the Cybersecurity Infrastructure Security Agency (CISA) through the 2021 National Defense Authorization Act provides the ideal structure for gathering and processing CIC data.

How CICs Would Work in Action

The government and insurance providers would leverage CIC data to monitor each operator’s progress (or lack thereof) in meeting their standards and determine action based on the risks posed to the American people.

For instance, the government and insurers would set a ground truth of “good” cybersecurity standards for a local water utility. The water utility’s CIC would continuously monitor its cyber risks against the sector’s ground truth. The water operator, the government, and insurance companies would be informed of whether the utility complies and how well it performs compared to other operators.

Through the U.S. Securities and Exchange Commission (SEC), industry regulators, and potential reinsurance vehicles, the government would work with the insurance industry to mandate compliance or the water utility would be denied cyber insurance coverage.

Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.

Driving Investment and Innovation in Private Sector Cybersecurity

The CIC data collection would enable the government to drive smarter investments in private sector cyber defenses and spark a boom in private sector cybersecurity and risk management innovation.

Infrastructure owners and operators would have quality data to inform investments in their own defenses. The federal government would use CIC insights to invest intelligently in cyber grants for cash-poor state and local entities such as water utilities. Through these smart grants, the government would assume the role of “cyber insurer of last resort”, shifting the risk of catastrophic cyber-attacks from the weakest and most vulnerable operators to the federal government.

The CIC insights would also inform and bolster CISA’s JCDC efforts to protect vulnerable operators and, where necessary, engage the unique capabilities of the National Security Agency’s Cybersecurity Collaboration Center (CCC).

Finally, the administration could unleash a private sector boom in cybersecurity and risk management innovation by enabling technology solution providers to conduct the CIC standards audits. Beyond creating a market for audits, the government could share anonymized versions of the overall pool of CIC data to enable private sector partners to develop and train better cyber solutions.

America’s Common Defense, Built on Public-Private Collaboration

Vulnerable populations in medieval times responded to existential threats by collaborating for a “common defense” through the construction of walls around their villages. From our nation’s very beginning it was the federal government that maintained a “common defense” for our citizens, consistently relying upon, amongst other things, two great oceans, and mostly friendly neighbors to the north and south to serve as 20th century defensive walls to protect us.

In 2025, the new Trump Administration has a unique opportunity to build a new public-private collaboration framework that builds cyber “walls” to fill remaining digital gaps and effectively provides for our national “common cyber defense”.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.

Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief