When the landmark Cyberspace Solarium Commission published its first report on the state of U.S. cybersecurity five years ago, the authors detailed more than 80 recommendations to improve America’s security and counter the effects of cybercrime and nation-state attacks, which threaten the country’s critical infrastructure.
While the original bipartisan Cyberspace Solarium Commission concluded its work in 2021, its ongoing mission to improve U.S. cybersecurity continues under the CSC 2.0 project, which is managed by the Center on Cyber and Technology Innovations at the Foundation for Defense of Democracies. The CSC 2.0 project continues to publish reports detailing security improvements and concerns, as well as measuring the federal government’s response.
Over the course of those five years – under the original commission and now with CSC 2.0 – annual reports and updates consistently showed steady progress toward the original goals. Now, however, CSC 2.0 reports that the U.S. government is slipping backward.
The 2025 Annual Report on Implementation, released in October, finds that current federal agency budget cuts, shifting cyber priorities, technological advances and changes to hiring practices for technical and cybersecurity professionals are hampering the government’s ability to fight cybercrime and counter the rising threat from nation-state groups conducting espionage.
“This year’s assessment makes clear that technology is evolving faster than federal efforts to secure it,” former Cyberspace Solarium Commission co-chairman Sen. Angus King, I-Maine, and current executive director Mark Montgomery noted in the report’s foreword. “Meanwhile, cuts to cyber diplomacy and science programs and the absence of stable leadership at key agencies like the Cybersecurity and Infrastructure Security Agency (CISA), the State Department, and the Department of Commerce have further eroded momentum.”
For cybersecurity insiders and those who work with their federal counterparts, the lack of talent recruitment and shifting hiring criteria come at a time when the private sector is also struggling to fill many open positions, creating concerns about vulnerabilities and threats that are going unanswered and unaddressed.
“We see firsthand the pressing need for a stronger cybersecurity workforce. There are massive numbers of unfilled cybersecurity roles across the United States, leaving businesses and government agencies vulnerable,” Marcus Fowler, CEO of Darktrace Federal, told Dice.
Fowler noted that proposed legislation, such as the Cyber PIVOTT Act, which aims to offer scholarships for two-year degrees to recipients who commit to working for two years at federal, state, local or tribal agencies, is what’s needed to help close the cybersecurity talent gap.
“The recent Cyber PIVOTT Act is a critical step toward closing this gap by creating smarter workforce development pathways, expanding access to hands-on training and building a skills-based cybersecurity talent pipeline that meets the demands of today’s economy,” Fowler added.
Recommendations for Improving U.S. Cybersecurity
Although the 2025 CSC 2.0 report found that the federal government is starting to lag behind goals laid out by the original commission, there are areas where the White House and Congress can make cybersecurity improvements immediately. These include:
- Increasing the authority of the Office of the National Cyber Director to ensure uniform cybersecurity decisions are enforced across the U.S. government
- Restoring the budget and reversing job cuts made to CISA
- Reinstating the State Department Bureau of Cyberspace and Diplomacy
- Undoing the elimination of the Critical Infrastructure Partnership Advisory Council (CIPAC), which provided an information exchange between private business and the U.S. government
- Expanding the talent pool to bring more potential cybersecurity professionals into government work
While these recommendations might seem obvious, cybersecurity experts noted that all of these remain essential to better secure the nation’s critical infrastructure.
“Each of these ideas is critical to protecting both the nation and the organizations and businesses that rely on the nation's critical infrastructure,” Ed Covert, vice president of advisory services at Fenix24, told Dice. “Cutting the budget and federal workforce in the areas of cybersecurity and resiliency risks leaving the country and its citizens vulnerable to attacks and devastating effects.”
Staffing levels and recruiting are becoming a significant issue, as threat actors seek vulnerabilities in unpatched or neglected networks and infrastructure, said Tim Mackey, head of software supply chain risk strategy at Black Duck.
“If staffing levels are reduced, either because of long-term reductions or due to short-term actions such as business shutdowns or strikes, automation can only help for so long,” Mackey told Dice. “This is the core problem with the staffing cuts at CISA and with the failure to renew CIPAC – attackers know U.S. cyber defenses are weaker today than they were last year.”
When there are interruptions in information flows to and from the federal government and historical knowledge gaps, attackers are free to either replay a successful attack or refine an attack to limit the potential for detection, Mackey said.
“When coupled with the cyber skills gap that the US has had for some time, rebuilding staffing levels isn’t as easy as hanging a proverbial ‘now hiring’ sign,” Mackey added.
With the Trump administration changing hiring practices, including shifting away from diversity, equity and inclusion (DEI), the result is that federal agencies are missing out on finding enough talented cyber professionals to fill critical open positions, according to the CSC 2.0 report.
“The result is a growing gap in filling critical cyber positions from an already limited talent pool. While the administration has wisely called for both ‘skills-based’ and ‘merit-based’ hiring, it has yet to establish a consistent workforce model to deliver on those goals – risking what had been a rare area of bipartisan consensus around building a skills-based cyber workforce,” according to the report.
This can also work against the federal government when it comes to bringing in enough talented tech and cyber pros who understand how cutting-edge technologies such as artificial intelligence (AI) are changing cyber defenses.
“To achieve this goal, we'll also need to ensure security teams are trained on the most advanced tools, to ensure that technology fulfills its potential to augment the workforce and act as a true force multiplier,” Fowler said. “We believe that a smarter federal cyber workforce policy, when combined with greater adoption of AI-powered cybersecurity technologies, marks the best path forward toward meeting America's skills and capabilities needs and building a more resilient national cyber defense.”
States Seeking Cybersecurity Talent
With cuts to federal agencies’ cybersecurity budget and personnel, much of the burden has been shifted to the states. Since the beginning of the year, New York, New Mexico and Pennsylvania have been building up their cybersecurity capabilities and have recruited talent from agencies such as CISA.
Darren Guccione, CEO and co-founder at Keeper Security, noted that federal cybersecurity professionals, whether looking for work or concerned that further job cuts or reductions are coming, should position themselves accordingly to take advantage of state-level opportunities.
“Those looking to transition into state roles can stand out by highlighting their experience in securing critical infrastructure, managing public-sector risks and responding to complex threats – critical skills for protecting essential services and mitigating the impact of cyberattacks on public systems,” Guccione told Dice.
“Many federal agencies already collaborate closely with state governments through joint risk assessments, incident response efforts and the sharing of threat intelligence,” Guccione added. “These overlapping areas of expertise can facilitate a smooth transition, allowing federal cybersecurity professionals to build on these familiar partnerships.”