Introduction

Nov 5, 2025 | Cyber Security, DHS & Cyber, Essay, Policy and Strategy

Jane Holl Lute

It surely is an irony of the current day that, notwithstanding the extraordinary power of the United States, it remains remarkably weak in defending its most important assets against cyber attacks. Part of the explanation for this persistent weakness lies in the nature of the challenge – the world of cyberspace is vast and complex – growing organically, instantaneously, and increasingly wealthy with every passing day. Very simply, the power to connect has vastly outpaced the power to protect, leaving governments, including the world’s most powerful government, in the unfamiliar role of market participant and not market leader in the domain of security.

But part of this sorry state of affairs can also be explained by the way the U.S. government has approached its role in cybersecurity over the past four decades – following the first documented case of a cyber breach in 1986 revealing that one Markus Hess, a German national, had hacked into the Lawrence Berkeley National Lab, selling the information he stole to the Soviets.

For a good part of the years since then, a quiet battle has raged in the bureaucracies of the U.S. federal government and among U.S. national security, law enforcement, and homeland security agencies through the better part of this Century. Which among them would ultimately be tapped to lead the federal effort? Indeed, what, exactly, was the federal government expected to do when it came to ensuring the cybersecurity of the nation?

The question was crystalized in 2010 with the publication of the first ever Quadrennial Homeland Security Review (QHSR). For the first time, the (still relatively new) Department of Homeland Security (DHS) identified “safeguarding and securing the nation’s cyberspace” as one of its five core homeland security missions. And over the past fifteen years, DHS has organized and reorganized itself to achieve this aim – while under near-constant bureaucratic opposition and assault from its sister agencies – principally the National Security Agency and FBI – that believed the mission belonged with them.

It appeared that Congress resolved the question of agency primacy with the creation of the Cybersecurity and Infrastructure Security Agency (CISA) under an act of the same name in 2018. But in many ways, the challenge was just beginning. Notwithstanding Congress’ intent and support from the White House, CISA has struggled to establish its role as the Nation’s leading cyber defender. Why this is so is no mystery, and in the pages that follow, some of the most experienced voices who lived these developments offer explanations to account for the weaknesses that persist.   

Yet, it would be wrong to say that no progress has been made. There can be no question that the owners of U.S. critical infrastructure are now more aware of the hazards in cyberspace, more engaged in active defenses, and more willing to work with the government to further strengthen those defenses than even a few short years ago.

But time is not on the side of defense. With the rapid acceleration of artificial intelligence (AI) in all its manifestations, cyber attackers now have a vastly more powerful set of tools for mischief and crime, not only in cyberspace, but in every conceivable domain. No area is safe or secure from harm: finance, education, health care, biosecurity, national defense, and more. Indeed, it is probably safe to say, again, perhaps ironically, that cyber attacks are not even their own point any more (if they ever were). Cyber intrusions are intended to have a physical world effect – theft, extortion, distortion, and even destruction.

But no single actor can do all that needs doing when it comes to cyber defense, and all that needs doing cannot be done alone. If the Federal Government will now do less in our lives than in previous decades, there remains, nevertheless, an irreducible role for it to play here. The U.S. government must orient its attention and effort on the practical steps necessary to ensure the nation’s cyber protection, and CISA has a critical role to play in the coming months and years ahead. The chapters that follow are focused on the future – which has come for us, whether we are ready or not.