CAIRNCROSS TAKES FIRST STEPS ON PATHWAY TO AMERICAN CYBERSECURITY

In his first extended policy statement, the new National Cybersecurity Director Sean Cairncross described the state of US cybersecurity in economic terms, saying we need to “thwart our adversaries in cyberspace… shift the burden of risk in cyberspace from Americans to them,” and vowing that the United States would “impose costs” for their behavior.

Critically, Mr. Cairncross went beyond economic metaphor and proposed a series of specific policies that would actually alter the economic balance in cybersecurity policy. Principal among his specific policy goals was to eliminate the redundancy in cybersecurity regulation. “Government must streamline cyber regulations and the compliance burden to ensure that the private sector can focus resources on meaningful actions and assets, rather than on a compliance checklist.”

In so saying, Cairncross, representing the Trump Administration, is echoing the congressional leaders who have called on the Administration to do just that. In a letter to OMB Director Vought in April, the Chairs of five congressional Committees and Subcommittees with oversight responsibility for cybersecurity, including Homeland Security and Oversight & Government Affairs, stated that “eliminating the duplicative landscape of cybersecurity regulation is the fastest, most cost-effective way to materially improve our nation’s cybersecurity.”

Cost-effectiveness is a concept that Cairncross is familiar with. Prior to becoming the nation’s leading cybersecurity official, Cairncross led the Millennium Challenge Corporation (MCC), which only approved projects with rigorous cost-benefit analysis, requiring demonstrable returns on investment and measurable outcomes.

Even if current cybersecurity regulations were scrubbed of their duplicative elements, there would still be a remaining core regulatory structure. In the recently released “Zero Cost Plan for American Cybersecurity,” the Internet Security Alliance reported an AI-driven analysis indicating that eliminating duplication in cybersecurity regulations would reduce the number of cybersecurity regulations from the current several hundred down to about 75 core regulations.

Across most federal regulatory domains, cost-benefit analysis is standard practice, ensuring that the benefits of a rule justify its costs. In cybersecurity, however, agencies often impose requirements costing billions without calculating whether those rules actually improve security. If Cairncross follows the precedent he established at the Millennium Challenge Corporation, it would go a long way toward achieving his stated goal of making the cyber regulatory process less focused on compliance and more targeted on its effectiveness in achieving sustainable cybersecurity.

Cairncross also prioritized building the cybersecurity workforce. “We also need the workforce to do it.” He said the cybersecurity workforce is “an asset worthy of great investment.” He noted that strengthening the cyber workforce will continue to be a priority in President Donald Trump’s second term, but he also called it “a critical team effort.”

“Industry, academia, governments, and military must eliminate roadblocks and align incentives to build a patriotic workforce. We need a pipeline that develops and shares talent,” he said.

“It should be pragmatic and accessible, reconciling and taking advantage of existing avenues within academia, vocational schools, corporations, and venture capital opportunities – to not only educate and train our existing cyber workforce, but to also recruit new talent, preparing the next generation to design and deploy exquisite emerging technologies in cyber,” he said.

This again echoes the steps his congressional colleagues are taking on cybersecurity workforce development. The House Homeland Security Committee has already approved the PIVOTT Act, which is by far the most aggressive cyber workforce legislation ever introduced, with a target of adding 10,000 new cyber professionals a year. There is a bipartisan companion bill in the Senate.

PIVOTT provides a substantial incentive to promote new entrants into the cybersecurity field. It essentially creates a national, virtual cybersecurity “academy” by knitting together the existing 4-year, community college, and certification programs and providing free tuition for individuals who get trained in cybersecurity. Much like West Point and Annapolis, graduates of the PIVOTT program would be required to provide government service for a period of time equivalent to that for which the government paid their tuition.

After PIVOTT graduates fulfill their government service obligation, most would go into private-sector cybersecurity jobs, where they would continue to defend the country from cyber-attack, this time paid by the private sector.

Cairncross’s initial presentation moves the country further down the pathway to enhancing American cybersecurity, in rhythm with key cyber leaders in the Congress, providing some hope that we will finally see material, effective cybersecurity legislation enacted.