This document provides an overview of cybersecurity challenges the United States is facing, including for critical infrastructure, and priority recommendations for the government and industry.
Don’t Trust but Verify: Strengthening U.S. Leadership to Safeguard Our Cyber Defenses
While some cyber risks are well-known and understood, others are emerging with little consensus on how to protect against them and what future challenges they might pose. What’s clear is that critical infrastructure is at risk, the cost of cyber crime is rising, cyber threats are global in scope, emerging technologies present concerns, and zero trust and assurance are crucial.
With the responsibilities and authorities for cybersecurity divided among U.S. government departments, agencies, and offices—and shared with many sectors, critical infrastructure owners and operators, and state, local, tribal, and territorial (SLTT) governments—our success depends on effective U.S. leadership.
Beyond describing risks and challenges, this paper also provides four sets of specific priority recommendations, namely:
- Implement measures to protect critical infrastructure — update the National Preparedness System to account for large-scale critical infrastructure attacks, require zero trust principles for operational technology, operationalize software bills of materials (SBOMs) for critical infrastructure systems, and explore new partnership models.
- Implement zero trust and SBOMs for the federal government — migrate the federal government fully to a zero trust architecture and operationalize SBOMs across the U.S. government.
- Prepare for quantum computing to surpass current cryptographic systems — assess the government’s post-quantum cryptography (PQC) readiness based on the National Institute of Standards and Technology standards, use cryptographic bill of materials information to create a roadmap of what systems need transitioning to PQC, and leverage the expertise of the PQC Coalition.
- Clarify and strengthen roles and responsibilities of key cyber leaders and organizations — complete a comprehensive mapping and clarification of the cybersecurity authorities, roles, and responsibilities across key U.S. government leadership offices, and expand authorities at select agencies.
MITRE’s 2024 presidential transition project leverages our cross-agency insights to develop nonpartisan and evidence-informed policy recommendations to help the next administration succeed.