America is losing the cyber war, not because it lacks intellect or technology, but because the United States is trying to fight a national security conflict with a governance structure designed for fragmented consumer protection oversight. This fragmentation is not a bureaucratic inconvenience—it is a national-defense failure created by jurisdictional paralysis.
The solution requires Congressional action that matches the nation-state cyber threat. The FY2027 National Defense Authorization Act can provide that framework—not by displacing sector-specific oversight, but by establishing overarching defense authorities while preserving consumer protection roles for specialized committees of jurisdiction.
By creating enforceable principles to guide national cybersecurity policy, the NDAA can establish a framework that recognizes the advanced nature of nation-state cyber threats and modernizes our national cyber defense to defend ourselves more efficiently and effectively.
Fortunately, structural improvements to our cybersecurity process can deliver immediate and long-term enhancements to our security, without significant government expense.
In fact, installing this framework will actually save the federal government several billion dollars. The private sector will save billions more, which can be put toward enhanced innovation and defense.
BRINGING A KNIFE TO A GUN FIGHT
Nation-state adversaries—China, Russia, Iran, and North Korea—conduct unified, military-grade cyber campaigns that target water systems, hospitals, pipelines, ports, financial networks, and the defense industrial base. These nation-state operations are conducted essentially without budgetary ceilings. Meanwhile, the private sector targets in our critical infrastructure are expected to fund national security-level cyber defense within private-sector budgets.
In analog terms, we are telling them to bring a knife to a gunfight.
They cannot win that fight, which means we, as a nation, lose. The facts confirming that this has already happened, and continues, are widespread and uncontested.
The National Defense Authorization Act, overseen by the Armed Services Committees, is the only legislative vehicle capable of overcoming the jurisdictional boundaries that unnecessarily complicate and undermine our security. Unlike individual committees that oversee single sectors, the Armed Services Committees can act whenever a cyber threat affects national security—and today virtually every civilian industry is targeted for military effect.
Congress provided substantial precedent for this path when it exercised its authority by enacting 27 cross-sector cyber provisions based on the Cyberspace Solarium Commission’s recommendations in the FY2021 NDAA. Now, Congress must use the FY2027 NDAA to finish the job by enacting five reforms that, together, create the first integrated national cyber defense system. These five reforms address the core national defense failures that adversaries exploit – duplication, inefficiency, workforce shortages, outdated law, and the absence of a practical strategic plan to protect our critical infrastructure.
PRINCIPLE ONE: ELIMINATE ALL DUPLICATIVE CYBERSECURITY REGULATIONS
In the spring of 2025, the Chairs of the House Homeland Security Committee and the Oversight and Government Reform Committee, together with the Chairs of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation and the Subcommittee on Federal Law Enforcement, wrote a joint letter to OMB Director Vought detailing the major security issues created by the current duplicative cybersecurity regulatory system. The letter concluded that “eliminating the duplicative landscape of cybersecurity regulations is the fastest, most cost-effective way to improve our nation’s cybersecurity materially.”[i]
Whereas identifying duplicative regulations, especially across agencies, was once a time-consuming process, modern technology (not even AI) can now identify duplications fairly quickly and easily. Recently, six major cybersecurity trade groups also wrote to Director Vought, outlining a proposal to use technology to identify duplications. Sector-specific agencies could work collaboratively with the private sector, under OMB guidance and enforcement authority, to establish streamlined regulations by a specific date.[ii]
Eliminating the duplications in cyber regulation would functionally eliminate up to 75% of current federal cyber regulations. However, sector-specific agencies and oversight committees would retain the right and ability to create industry-specific rules, so long as, in the national interest, they embraced due diligence and did not create duplicative regulations.
Not only would eliminating duplicative cyber regulations free up to 70% of scarce current staff time to focus on functional security rather than duplicative compliance – thus enhancing material security – it would also free up nearly 40% of private-sector cybersecurity budgets, a saving of roughly $80 billion across all sectors.[iii]
This simple, common-sense reform would enhance security and cut costs simultaneously. Moreover, this reform does not create any significant federal spending obligation. In fact, since the federal government also needs to spend less on compliance, it would save an estimated $5 billion a year on regulatory administration.[iv]
PRINCIPLE TWO: COST-BENEFIT ANALYSIS FOR REMAINING CYBER REGULATION
Military doctrine demands “economy of force”—maximum effectiveness from limited resources. Yet agencies mandate cybersecurity controls without analyzing whether they actually improve security. Despite its obvious relationship to national security, current cyber regulations do not require cost-benefit analysis (CBA). In fact, the best academic research on cyber regulations indicates that none of the current regulatory models have ever been shown to materially improve security.[v]
Across most federal regulatory domains, cost-benefit analysis is a standard process.[vi] Before being confirmed as the White House National Cybersecurity Director, Sean Cairncross ran the Millennium Challenge Corporation, which routinely required cost-benefit analysis for any of its funded programs.[vii] The new DHS Cybersecurity Performance Goals (CPGs) being released on December 8 require, for the first time, a cost-benefit calculus.[viii]
However, the Cybersecurity Performance Goals are voluntary. In the interest of national defense, all the remaining cyber regulations, after being pared for duplication, ought to be placed on a cost-benefit basis. If the regulations are not meeting their stated goals, they need to be reformed or repealed. Perhaps most importantly, installing CBA will shift the focus of cyber regulation from compliance to effectiveness, which is what our national defense requires.
As with eliminating duplicative cyber regulation, installing CBA entails no significant federal spending.
PRINCIPLE THREE: CREATE AN ADEQUATELY TRAINED CYBER WORKFORCE
We currently have a shortage of over half a million cybersecurity jobs we cannot fill – 35,000 in the federal government alone, which we currently staff with high-priced independent contractors.
The PIVOTT Act, already approved by the House Homeland Security Committee, essentially established a national virtual cybersecurity academy by knitting together cybersecurity programs around the country through digital technology and stimulating recruitment the same way we recruit soldiers for the Army, Navy, and Air Force – by providing free tuition in return for national service.
There are already smaller programs that follow this model. The significant difference with the PIVOTT Act is its scale. PIVOTT is targeting 10,000 new students a year. At that rate, we would actually solve the federal government’s cyber workforce gap in less than 4 years. Moreover, after their government service, graduates would likely go into cybersecurity jobs in the private sector, where they will continue to defend our country from cyberattacks.
One of the added benefits of PIVOTT is that it is cost-neutral for the federal government. Using the current 4-year college average costs, scholarships for 10,000 recruits would cost the government about $1 billion. The savings in salary costs for PIVOTT graduates compared to the current independent contractors the government uses would be $1 billion.
PRINCIPLE FOUR: MODERNIZE INFORMATION SHARING
Arguably, the most popular and successful piece of cybersecurity legislation ever enacted was the 2015 Cybersecurity Information Sharing Act. In the decade before its enactment, the question of how to facilitate sharing threat information between the public and private sectors was the main issue in cybersecurity policy. The 2015 Act largely resolved this issue by using market incentives, rather than regulations, to promote better sharing between the federal government and a skeptical industry. Over its 10-year authorization, it became the gold standard for the critical government-industry partnership. Despite having 10 years to reauthorize and update this effective statute, which enjoyed bipartisan and virtually universal industry support, it was allowed to lapse on September 30, 2025 (with a short-term extension in the CR through January).
One person, the Chairman of the Senate Homeland Security Committee, stood in its way.
Again, the jurisdictional process for creating American cyber policy has prevented even its most basic maintenance. In truth, the 2015 Act needs modernization, as the threat picture has obviously changed in the decade since it was initially signed into law. Notwithstanding this obvious need, there is virtually no conversation about updating the statute, because almost the entire cybersecurity community – government and industry (except for Dr. Paul) – is so desperate to recapture the benefits of the 2015 Act.
It is absolutely impossible for the United States to adequately defend itself against ongoing nation-state attacks on critical infrastructure without robust information sharing. The Armed Services Committees need to take charge of this situation in the national defense interest and not only reauthorize but also modernize the 2015 Information Sharing Act.
PRINCIPLE FIVE: USE SOPHISTICATED MODELING TO MANAGE CYBER RISKS
Virtually every central area of risk – financial risk, environmental risk, geopolitical risk, and weather – is managed through the use of sophisticated macroeconomic models. Even though digital systems affect virtually every aspect of modern life, there is no macroeconomic model to assess and empirically manage cyber risk. None.
Five years ago, a proposal from Nobel laureate in Economics Oliver Hart to create the first cybersecurity macroeconomic model was offered to DHS (cost about $1 million – that’s million with an M). Internal DHS work groups recommended its funding, but DHS has done nothing to create such a model.
Meanwhile, successful cyberattacks across all critical infrastructure have escalated. Core issues, including how to practically support privately held, critical infrastructure in the face of nation-state attacks, how small businesses in essential supply chains can ensure adequate cybersecurity, and how to support adequate cybercrime efforts economically, have been left to opinion and speculation rather than empirical analysis. We are quite possibly wasting vast amounts of our – well-intentioned – multi-billion-dollar investment in cybersecurity.
The NDAA is the only mechanism capable of overcoming these jurisdictional constraints. It carries constitutional authority under Congress’s national-defense powers, establishes precedent for cross-sector cyber reform, has procedural reach under germaneness rules, and can act at the speed required to address escalating threats. America is not losing in cyberspace because of weak technology; it is losing because of a weak jurisdictional structure. Cybersecurity is national defense, and only the FY2027 NDAA has the authority to build the unified defense Congress needs to deliver.
Endnotes:
[i] House Homeland Security / Oversight & Government Reform Committees, et al. “Letter to OMB on Cyber Regulations.” April 7, 2025. U.S. House of Representatives.
[ii] Internet Security Alliance, et al. “Industry Letter to OMB on Redundant Regulations.” April 2025.
[iii] Office of the National Cyber Director, Cybersecurity Regulatory Harmonization RFI Summary (June 2024).
[iv] Trebbi, F., M. Zhang, and M. Simkovic. “The Cost of Regulatory Compliance in the United States.”
[v] Hubbard, Douglas W., and Richard Seiersen. How to Measure Anything in Cybersecurity Risk.
[vi] Congressional Research Service, Cost-Benefit Analysis in Federal Agency Rulemaking, Oct. 28, 2024.
[vii] Millennium Challenge Corporation, Cost-Benefit Analysis Guidelines (2021).
[viii] Cybersecurity and Infrastructure Security Agency. Cybersecurity Performance Goals Adoption Report.