page image

Purpose and Scope

This agenda is designed to assist federal policymakers in prioritizing, planning, and executing actionable cybersecurity initiatives whose goals are achievable in the next four years. Its intended audience is political appointees and career officials across the executive branch, federal lawmakers and their staff teams, and professional staff on congressional committees.

Note that this is not a framework for a national cybersecurity strategy, although most of its content should figure into one. Such comprehensive strategic framework would need to describe clear roles for the private sector and civil society in addition to government—and operate at a global scale.

The next administration and Congress cannot simultaneously address the wide array of cybersecurity risks confronting modern society. Policymakers in the White House, federal agencies, and Congress should zero in on the most important and solvable problems. To that end, this report covers five priority areas where we believe cybersecurity policymakers should focus their attention and resources as they contend with a presidential transition, a new Congress, and massive staff turnover across our nation’s capital.

  • Education and Workforce Development
  • Public Core Resilience
  • Supply Chain Security
  • Measuring Cybersecurity
  • Promoting Operational Collaboration

Each section defines the problem, makes the case for prioritizing it, establishes measurable outcomes, outlines obstacles that stymied past efforts, and details tangible action steps to overcome those obstacles.

This report is designed to be modular, with each section and its subsidiary recommendations able to stand on their own. We hope this will allow champions of specific focus areas to pick and choose based on changing political and business realities.

In selecting the five categories, the Aspen Cybersecurity Group sought to highlight initiatives that:

  1. Create leverage by offering “the greatest advantage to the defender over attackers at the least cost and greatest scale”;
  2. Benefit from an established technical or organizational foundation that can facilitate rapid progress; and
  3. Are relevant to the industry stakeholders, researchers, and security thought leaders whose buy-in is essential.

While technically out-of-scope, some topics are too important to omit without mention. In the section on Additional Priorities, we briefly address other areas that demand urgent attention from federal policymakers.


Education and Workforce
Appropriate new grant funding and direct grantmaking agencies to support organizations dedicated to grow the representation of underrepresented communities in the cybersecurity field.
Change how employers recruit cybersecurity workers to diversify and expand the talent pool.
and fund a national repository of K-12 cybersecurity resources.
and scale an industry-to-school pipeline for part-time instructors.
and scale apprenticeship models.
a leadership structure for coordinating federal cybersecurity workforce activities.
Improve equitable access to broadband Internet services for all communities.
pay flexibility for all federal departments and agencies.
funding for CyberCorps: Scholarship for Service to expand its focus.

Public Core Resilience
the commercial space sector as critical infrastructure.
a national strategy to secure the public core.
a new cyberspace office within the U.S. State Department.

Supply Chain Security
security transparency.
a national industrial base strategy to maximize competition and innovation.
financial support for free and open source software.

Measuring Cybersecurity
a Bureau of Cyber Statistics.
Assess the cost-effectiveness of cybersecurity frameworks and risk analysis tools.
state and local law enforcement’s ability to report cybercrime incidents.
a cross-sector partnership on modeling cybersecurity risk.

Operational Collaboration
Establish a National Cyber Director (NCD) to enhance public-private operational collaboration for proactive disruption and cyber event response.
federal law enforcement employee incentives to reward disruption of adversary operations.
a personnel exchange program between companies and federal agencies.
and publish a review of legal barriers to deeper intelligence and operational coordination between federal agencies and private companies.
a framework to measure the outcomes of disruption and event response activities.

Title Goes Here
Close [X]