China’s campaign to break into our critical infrastructure and federal government networks is persistent and growing. Beijing is stealing information while also planting tools and maintaining access in key systems, giving it the option to pressure the United States in the future. Russia also continues to test our critical infrastructure with increasingly sophisticated operations, support criminal operations, gather intelligence, and possibly prepare for future disruption of essential services. Iran and North Korea are also ramping up disruptive attacks on hospitals, schools, local governments, and global commerce. Our adversaries’ offensive cyber operations are not slowing down. But America’s cyber defenses are falling behind.
When Congress created the Cyberspace Solarium Commission in 2019, our mandate was clear: prevent a cyber catastrophe before it strikes. We remember sitting with the commissioners — Republicans, Democrats, industry leaders, and national security veterans — knowing we were attempting something no country had tried before: to build a strategy for defending a digital society at scale. We delivered that strategy, along with 116 actionable recommendations. Many of those reforms reshaped federal cyber policy, and for a time, the United States was gaining ground.
Today, we are seeing erosion across core pillars of America’s cyber posture. Cybersecurity mission capacity is strained; public-private collaboration is losing momentum; federal agencies are operating without stable leadership; and coordination with allies — once one of our greatest strategic advantages — is failing to keep pace with our adversaries who now operate globally and relentlessly. These are not routine dips in activity. They are symptoms of strategic drift.
To reverse that drift, we must recover the clarity and urgency that guided the commission. The entire architecture of layered cyber deterrence depends on stable leadership, predictable budgets, continuous cross-sector collaboration, strong norms, international partnerships, and a healthy cadence of congressional oversight.
The first, most immediate step is obvious: the Cybersecurity and Infrastructure Security Agency (CISA) needs Senate-confirmed leadership and sustained multi-year funding. The agency responsible for advising the entire nation on cybersecurity risk is operating without stable direction at a time of rising threats. CISA has lost approximately one-third of its workforce through reductions and departures while its funding is constantly in flux. The Senate must move swiftly to confirm Sean Plankey—or whomever else is nominated—so CISA can regain the momentum and continuity required to fulfill its role.
Second, the federal government’s cybersecurity workforce crisis must be treated as a national security emergency. Agencies are still bound to hiring models built for the 20th century: rigid classifications, slow timelines, and at-will structures that make it far too easy for private industry to lure talent away. The administration needs to grow, not simply maintain, the CyberCorps: Scholarship for Service — one of our most successful talent pipeline programs for the federal government — which brings highly trained students into agencies in exchange for paying for several years of their education. Even its graduates, fully funded by federal scholarships, run headfirst into hiring barriers and freezes that have nothing to do with skills and everything to do with process.
Third, we must reinstate mechanisms for public-private collaboration. The elimination of the Critical Infrastructure Partnership Advisory Council has created legal uncertainty that chills information sharing between government and industry. Congress’ failure to authorize a long-term extension of the Cybersecurity Information Sharing Act of 2015 creates even more uncertainty about private companies’ ability to share threat information with the government and each other. Most critical infrastructure is privately owned and operated, and we cannot defend it without genuine partnership. Restoring structured collaboration channels is essential to our collective defense.
Lastly, we must rebuild our cyber diplomatic capacity. At the State Department, the seat for the ambassador-at-large for cyberspace and digital policy sits vacant — a troubling signal at a moment when authoritarian regimes are aggressively exporting their vision of a controlled, surveilled internet. The administration should nominate, and the Senate should move urgently to confirm, a new ambassador who can represent American interests in shaping international cyber norms, building allied capacity, and countering digital authoritarianism. The State Department’s Bureau of Cyberspace and Digital Policy’s mission capacity has been gutted through restructuring. Congress should restore personnel and establish consistent funding for capacity-building programs with our partners.
In 2020, the Solarium Commission warned that America could not wait for catastrophe to spur action. That warning stands today. Cybersecurity has long been one of the rare domains that still invites bipartisanship. We should seize that advantage rather than squander it. Congress — on both sides of the aisle — has the capacity to act.
Jim Langevin served in U.S. Congress for 22 years, representing Rhode Island’s second congressional district. He is now the chair of the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation (CCTI) and the distinguished chair of the Institute for Cybersecurity and Emerging Technologies at Rhode Island College.
RADM (Ret.) Mark Montgomery is CCTI’s senior director and served as the executive director of the congressionally mandated Cyberspace Solarium Commission.