Eric Cole Is A Tough Grader

Eric Cole recently posted on Substack his review of the new US cybersecurity strategy. The review is deliberately brief: it touches on four parts of the strategy that move us toward better practices and processes, and it enumerates three ways in which the strategy comes up short. We're amplifying it here because both the strategy and the review have implications for behavioral cybersecurity.

1. The strategy "correctly frames cybersecurity as an element of national power rather than simply an IT hygiene issue. Cyber now intersects directly with economic growth, military capability, supply chain resilience, artificial intelligence, and national infrastructure."

2. It "recognizes that modern cyber adversaries are no longer focused solely on data theft. Increasingly, they are targeting operational continuity and daily life, including healthcare systems, energy infrastructure, telecommunications, and financial networks."

3. "The strategy acknowledges an important reality: passive defense alone is insufficient. Effective cyber deterrence requires the ability to impose costs on adversaries and disrupt their operations."

4. "The document correctly identifies emerging domains that will shape the next phase of cyber conflict, including AI security, post-quantum cryptography, supply chain resilience, and the architecture of modern digital infrastructure. Understanding the threat landscape is an important starting point for any national cyber strategy. However, understanding the problem is not the same as solving it."

And now, the parts that are less rosy.

5. Lack of operational clarity. "The document outlines broad goals for securing infrastructure, strengthening federal systems, addressing emerging technologies, and coordinating public-private efforts. Those are all worthwhile objectives. However, the strategy often stops at describing what should happen rather than explaining how it will actually be implemented."

6. Protection does not equal resilience. "Cybersecurity discussions often focus on preventing attacks. In reality, prevention alone is not enough. Even the most secure systems can eventually be compromised. The real question is whether the nation can continue to function when that happens. True resilience means designing systems that can withstand disruption and recover quickly. It means ensuring that hospitals can still operate during network outages, that power systems can be restored rapidly after cyber incidents, and that financial systems can continue processing transactions even during major disruptions. Without explicit resilience standards, organizations may focus on compliance rather than operational continuity."

7. We have met the people who need protection, and they are us. "Protecting citizens from digital exploitation requires stronger collaboration between financial institutions, telecommunications providers, technology platforms, and law enforcement agencies. It also requires widespread public awareness of cyber risks. Many cyber attacks succeed not because of technical vulnerabilities but because they exploit human trust. Helping people understand those risks is a critical part of national cyber defense."

Bravo Eric!

Point 3 is probably not in your domain*, but points 1, 2, and 4 squarely implicate your team's capacity to operate effectively in the new cybersecurity threat environment. The new cybersecurity strategy is also helpful in creating 'top-cover' for what you need to accomplish as a cybersecurity leader. Your perimeter is now any supplier, unpatched port, wearable, and so on. You don't get a pass because they 'wouldn't dream of taking down a hospital.' The target is not only money; it's any way to inflict vengeance (maybe in exchange for money).

If you're an investor, you may want to redouble your review of the prospect's capacity to strategize its cybersecurity processes systemically (points 5, 6, and 7). Is it all planning for planning's sake? What are the contingencies? How have the company's systems been made resilient, and how have its employees (and customers) been made trust-partners?

If you're a leader trying to figure out what to do now, give us a call. Ask us how you can strategize effectively.

*We are aware that some private-sector organizations are planning on adapting adversarial AI approaches in a red-team model...
