US Federal Cyber Defense is Slipping, Warns Cyberspace Solarium Commission

The non-profit Cyberspace Solarium Commission (CSC) has issued an annual opinion report on the state of US federal cyber defense since 2020, and this year’s edition is noteworthy for being the first in which preparedness is seen as having regressed from prior years.

A number of factors are named, but the recurring theme is the sweeping Trump-era budget cuts. The report judges the state of cyber defense by implementation of a set of 82 recommendations first made in 2020, with this being the first year in which policies that were considered “fully implemented” have backslid in total.

CSC: National cyber defense in concerning state after extensive budget cuts

The report finds several factors contributing to what appears to be a general erosion of cyber defense: failures in agency leadership (chiefly ongoing failure to get a new CISA director in place), problems with hiring and retention practices, and public-private communication among them. But the central theme that the report keeps coming back to is recent budget cuts.

Among its biggest concerns, articulated as its top five recommendations to the Trump administration going forward, is the slashing of funding and staffing at CISA and the State Department’s cyber divisions. The report also sees restoration of the Critical Infrastructure Partnership Advisory Council (CIPAC) as critical to bolstering public-private threat information sharing, and giving the Office of the National Cyber Director more leeway to independently set budgets.

The report is centered on 82 ongoing recommendations. Of these, almost half (48%) were considered fully implemented in 2024. This is the first year in which that number dropped rather than climbed, now down to 35% mostly due to programs and budgets being cut at some point this year.

“Pillars” of cyber defense weakening?

It is not unusual for some amount of weakening of cyber defense to be seen as a new presidential administration steps in, given this usually involves big staff and priority changes that unfold over a period of months. The unique factor for 2025 seems to be the Trump administration’s immediate slash-and-burn approach to government spending. The report sees this as increasing the number of unfinished tasks that ultimately undermine the government’s ability to respond to the increasingly dangerous threat landscape.

The 82 recommendations are divided into six groups called “pillars,” and the pillar that seems to be suffering the most is “reshap(ing) cyber ecosystem security” on the basis of cuts to research funding for universities ($2.2 billion in total thus far) and regular funding for NIST. Another cited failure in this area is the continuing issue of Congress failing to come up with a national breach notification standard, with a patchwork of state laws continuing to cover industries outside of critical infrastructure.

The other pillar that seems to have the most serious problems is “reform of government structure and organization for cyberspace,” with the continuing absence of House Permanent Select and Senate Select Committees on cybersecurity and the restoration of the Office of Technology Assessment (OTA) as the central complaints. The report sees both of these elements as necessary to keep Congress, not always the most technically-inclined people on Earth, apprised of rapidly changing threats in the area of AI and privacy developments.