On Thursday, May 29th, the Government of Japan introduced a new national cybersecurity strategy, set to take effect later this year, aimed at addressing the growing threat of cyberattacks targeting both public and private sectors. A key component of the strategy is the government's plan to shift its internal communications from the current public-key cryptography system to post-quantum cryptography, which offers enhanced protection against potential threats from quantum computing.
This new strategy will replace the existing one, which has been in place since September 2021. It was formulated following the recent enactment of a new cyber-defense law by the Japanese Parliament and outlines four key areas of action:
Restructuring the Cabinet's cybersecurity center into a central command hub for national cybersecurity policy
Strengthening collaboration between public and private sectors in cyber defense
Enhancing training for personnel and improving technological infrastructure
Expanding international cooperation in cybersecurity efforts
The following are ten (10) urgent recommendations that form the foundation of a new cybersecurity strategy for the United States—crafted in response to an increasingly volatile and complex global threat environment:
Require Software Vendors to Build Secure Software. Software vendors must be legally mandated to implement secure-by-design principles and assume liability for vulnerabilities that result from negligent coding practices, shifting the burden of cybersecurity from end users to the companies profiting from software distribution.
Secure Critical Supply Chains. Introduce rigorous cybersecurity standards and inspection protocols for software, firmware, and hardware vendors, with specific scrutiny on components sourced from adversarial nations.
Support State and Local Cybersecurity Resilience. Expand grants and technical assistance to state, local, tribal, and territorial governments, helping them protect against ransomware, espionage, and infrastructure sabotage. We're asking teachers, nurses, and city hall staff to become cybersecurity experts overnight—an unrealistic expectation that leaves critical institutions vulnerable.
Accelerate Post-Quantum Cryptography Adoption. The U.S. should mandate a phased transition to post-quantum cryptographic standards across all federal agencies and critical infrastructure, following NIST guidelines. This transition should also modernize software development practices by integrating post-quantum cryptography into CI/CD pipelines, ensuring reproducible builds, and establishing secure development frameworks that are quantum-resistant from the ground up.
Expand the National Cyber Workforce. Substantially increase investment in cybersecurity education, apprenticeship programs, and STEM outreach, especially in underrepresented communities and rural areas.
Institutionalize Public-Private Threat Intelligence Sharing. Create a binding but protective framework for continuous, two-way cyber threat sharing between the private sector and federal agencies, modeled on the success of CISA's JCDC (Joint Cyber Defense Collaborative).
Operationalize a National Cyber Command Center. Elevate CISA or a new unified body to act as the central command for civilian cyber defense, coordinating real-time detection, analysis, and response efforts across federal, state, and private entities.
Advance Global Cyber Norms and Alliances. Lead international efforts to define and enforce cyber norms, especially around critical infrastructure protection, election integrity, and state-sponsored cyber operations.
Promote Federal Cybersecurity Modernization. Replace legacy systems in federal agencies with zero-trust architectures and cloud-first, AI-assisted security models to reduce attack surfaces and improve detection speed.
Regulate AI in Cyber Offense and Defense. Establish oversight and policy guidance for AI use in cyber operations, both offensive and defensive, to prevent escalation and ensure responsible innovation.
Requiring software vendors to integrate security from the initial design phase, securing the software supply chain against vulnerabilities, strengthening cybersecurity resilience at state and local levels, and expediting the transition to post-quantum cryptographic standards must be treated as urgent, top-tier national security priorities. These are not optional steps—they are critical imperatives.
The United States must act decisively on these cybersecurity imperatives now. In an increasingly hostile, connected, and complex digital world, America cannot afford to wait for cyber threats to materialize—a reality that Japan's proactive strategy clearly illustrates.