WE ARE FIGHTING THE LAST WAR – AND LOSING
For more than a decade, the United States has misdiagnosed the nature of the cyber threat. We treated cybersecurity as if it were a primarily consumer protection matter, and in the early days, perhaps it was. Our strategy was mostly geared to directing private companies to reinforce their systems to protect personal data via corporate checklists.
While we still need to be mindful of those issues, the primary cyber threat has morphed and grown. Our adversaries are not just cyber criminals but nation-states like China, Russia, Iran, and North Korea. These ultra-sophisticated adversaries are not focusing on stealing credit cards and health information. They are engaged in strategic efforts to compromise our critical infrastructure – all of it, from agriculture to water systems.
No private company is able to adequately defend itself against these nation-state attacks. It’s not just smaller companies that are fighting above their economic weight. Compared to China, Iran, Russia, etc., every company is a “smaller company.”
These nation-states have treated American networks as targets in an ongoing campaign to erode national strength. The results are unmistakable. We are getting killed out there – or more precisely – we are getting killed in here, at home.
Nation-state actors have burrowed into American critical infrastructure so thoroughly with attacks like Volt Typhoon that, after years of our being aware of them, we have not been able to eradicate them. A recent series of reports from the Internet Security Alliance has documented that foreign military and intelligence services have penetrated virtually every element of our critical infrastructure — our supply chains, our defense contractors, our hospitals, our utilities, and even our schools.
WE ARE MISSING THE FOREST FOR THE TREES
The economic damage is immense. The strategic damage is far worse: collapsing deterrence, weakened readiness, and eroding national resilience. Yet despite this reality, Congress continues to operate under a structure designed for a bygone era—one that divides cybersecurity across dozens of committees, each focused on incremental issues rather than defending the country against the broad national threat.
This fractured system is not merely inefficient; it is structurally incapable of producing a unified cyber defense. Cybersecurity does not map neatly onto congressional jurisdictions. CISA falls under Homeland Security, federal IT oversight under Oversight and Government Reform, and critical infrastructure oversight is scattered across Energy and Commerce, Agriculture, Transportation, Financial Services, Natural Resources, and Armed Services. Privacy and consumer protection fall under Commerce and Judiciary, while supply-chain security is split among Armed Services, Homeland Security, and Energy.
When responsibility is sliced this thinly, no single committee owns the whole problem, no committee is empowered to solve it comprehensively, and adversaries can exploit the seams faster than committees can resolve jurisdictional arguments. The consequences are visible everywhere. Defense contractors must report a single cyber incident to multiple agencies under conflicting rules. Water utilities face dozens of overlapping mandates from various regulators. Hospitals, electric grids, and manufacturers spend more money filling out compliance paperwork than actually defending their systems. Overall we waste about 40% of our cyber budgets.
The ISA Reports document that these same problems permeate virtually all of our critical infrastructures. This diffusion of responsibility is not just wasteful; it functionally undermines our national security. We have a massive shortage of trained cybersecurity personnel – 500,000 nationwide, 35,000 in the federal government alone. This massively overburdened workforce is diverted into doing multiple duplicative compliance forms while they should be focused on functional defense. The attackers know this and design this aspect into their attacks, making them more effective. Ironically, there is no evidence that the compliance regimes actually improve security.
THE ONE RIGHT TOOL: THE NATIONAL DEFENSE AUTHORIZATION ACT (NDAA)
This is not a failure of intent. It is a failure of structure—a structure that was never built to protect our country from cyber siege by aggressive nation-states.
The only tool Congress has that is large enough, fast enough, and authoritative enough to break this gridlock is the National Defense Authorization Act. The NDAA is not simply a defense bill; it is Congress’s most powerful mechanism for addressing threats that cut across agencies, sectors, and jurisdictions. Its use for cybersecurity has legislative precedent but needs to be expanded.
Whenever cyberattacks degrade military readiness, threaten supply chains, interfere with logistics, disrupt ports, undermine base operations, compromise communications, or endanger force health, the issue becomes inseparable from national defense. An attack on a seaport interferes with military mobility. A breach in a power grid disrupts base operations. A ransomware attack on a hospital affects the force’s health. An attack on a pipeline affects logistics. A compromised telecommunications system affects command and control. These are defense problems. They are not consumer-protection problems. That is why the NDAA should be used as the vehicle for major cyber reforms across civilian agencies: because cyber defense is national defense.
The success of the Cyberspace Solarium Commission proves this point beyond debate. Solarium understood that if it tried to push its eighty-two recommendations through traditional committee silos, nothing would pass. Instead, it anchored its reforms in the defense implications of cyber risk and routed them through the NDAA. The outcome was historic. Twenty-seven provisions were enacted in the FY2021 NDAA, including the creation of the National Cyber Director, strengthened DHS authorities, expanded diplomatic cyber capabilities, workforce development initiatives, continuity-of-the-economy planning, and enhanced intelligence coordination.
Not a single provision was rejected on germaneness grounds. Congress accepted the fundamental proposition: when cyber vulnerabilities threaten national defense, they belong in the defense bill. The Solarium model is the blueprint for the next generation of reforms.
The constitutional foundation for this approach is equally clear. Congress’s first responsibility is to provide for the common defense. Modern warfare is now inseparable from civilian infrastructure; the systems that power America’s economy also power the nation’s military. Congress has always used the NDAA to confront cross-jurisdictional threats, from CFIUS reform to space policy to supply-chain resilience. By using the NDAA to create a broad, integrated cybersecurity framework of policy principles, Congress will be employing the only instrument capable of addressing a threat that touches every sector simultaneously.
The principal framework the NDAA needs to adopt – requiring all cyber regulations to be tested for cost effectiveness, eliminating duplication in cyber regulations, modernizing the 2015 Cybersecurity Information Sharing Act, recruiting an adequately trained workforce, and using sophisticated modeling to evaluate cyber policy and spending – leaves abundant room for other committees to exercise their jurisdiction to address sector-specific issues in the cyber realm.
WE ARE ALREADY LATE TO THE PARTY. WE NEED TO ACT NOW
The timing could not be more urgent. The FY2027 NDAA cycle aligns with a decisive moment in national security: a crippling cyber workforce shortage across every critical sector, a tangle of duplicative regulations that drain resources, essential information-sharing protections on track to expire, increasingly sophisticated intrusions from foreign adversaries, and rising operational risk across the defense industrial base. Other committees will continue to provide essential oversight, but only the Armed Services Committees possess the constitutional authority, legislative reach, and procedural precedent to unify the nation’s cyber posture.
The public-policy conclusion is straightforward and unavoidable. Cybersecurity is no longer a compliance issue. It is a national-defense imperative. And the NDAA is the only legislative mechanism capable of delivering the cross-sector reforms America needs before adversaries exploit our fragmentation even further.