Cybersecurity for the Connected Age

AI is already a critical tool for strengthening cybersecurity. It helps, among other activities, dramatically improve, expedite, and automate identification, detection, and response. By adopting AI-enhanced cybersecurity solutions, organizations can better manage a rapidly evolving risk environment and stay ahead of adversaries. Additionally, organizations should use available AI tools to identify and then secure their AI systems and enable AI adoption.

Governments have been proposing and adopting cyber regulations that do not work together in a coherent manner. Duplicative and fragmented regulations, like those often found in cyber incident reporting and cloud certification schemes, add complexity without improving security. By ensuring coordination across government agencies, building on internationally recognized standards, and pursuing mutual recognition, we can reduce burdens, foster innovation, and achieve better security outcomes.

Outdated and bespoke IT systems, especially in government, are increasingly unable to meet citizens’ needs while withstanding sophisticated threats. These legacy systems also lack the capacity to support PQC, which already renders data vulnerable to “harvest now, decrypt later” attacks. By modernizing IT environments, including migration to secure cloud platforms, we can prepare to upgrade to PQC while simultaneously improving service delivery, security, and resilience.

The best way to meet evolving threats is to foster a marketplace that prioritizes secure innovation, not just first to market. Governments should incent investments in the foundations of a resilient digital economy. These foundations include leveraging secure software development best practices and scalable cloud services, promoting the use of open standards, and avoiding trade barriers disguised as security requirements, like data localization mandates. By providing these incentives, governments can encourage the next generation of security innovations.

Laws and policies should focus on measurement that drives concrete security improvements, not on rewarding bureaucratic activity or box-checking. To ensure value, policies should use metrics like “mean time to detect” and “mean time to respond,” while developing additional consensus metrics as needed. Just as medical professionals rely on vital signs, governments and businesses should establish and adopt cyber vital signs to pinpoint challenges, such as fragmented environments and overlapping tools that create blind spots and slow incident response. These shared metrics can help organizations streamline operations, accelerate threat detection and response, enable meaningful comparison, increase returns on security investment, and drive continuous improvement.