Light Dark
December 24, 2024 By Mark Stone 4 min read
Government

As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.

The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?

Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should we be looking out for?

To get the answers to these pressing questions, we spoke with Jake Braun, former Principal Deputy National Cyber Director under President Biden and lecturer and senior advisor at Harris School of Public Policy at the University of Chicago.

The current state of cybersecurity

According to Braun, the current state of cybersecurity in the country is showing significant progress. Still, he says, it remains a work in progress.

Recent initiatives, such as the White House’s efforts to modernize security policies, are moving the needle forward. Braun notes that the push towards using memory-safe programming languages like Rust to replace older, vulnerable languages and initiatives for improving BGP security are signs that national-level cybersecurity is receiving strategic attention.

“The focus has shifted from addressing specific vulnerabilities to eliminating entire classes of threats by enhancing infrastructure fundamentals,” he said.

Another exciting development is the government’s approach to the cybersecurity skills gap, as they move away from requiring traditional four-year degrees for cybersecurity roles. Instead, there’s a push towards skill-based training, aiming to fill gaps in cybersecurity staffing quickly and effectively.

“We need to move past the outdated notion that every cybersecurity role requires a Ph.D. or even a four-year degree,” Braun said. “Many of these roles can be filled by individuals with hands-on experience and targeted skills training, which allows us to broaden the talent pool and address critical workforce shortages more effectively.”

While challenges like over-regulation and fragmented compliance requirements still exist, there is notable progress in streamlining these areas to free up resources for actual security improvements.

What will government cybersecurity look like in 2025?

Government cybersecurity is expected to evolve into a more cohesive and strategically aligned effort. There will likely be continued work on harmonizing cybersecurity regulations, which will reduce the bureaucratic overhead for corporations and government entities alike.

“By 2025, I expect we will see a much more unified approach to cybersecurity regulations,” he said. “It will significantly reduce the burden on corporations and allow them to focus on real security measures rather than compliance paperwork.”

Another key area of focus, while not directly cybersecurity-related at first glance, is improving the resilience of critical infrastructure. The Bipartisan Infrastructure Law (BIL), the CHIPS Act and the Inflation Reduction Act have already laid the groundwork for enhancing cybersecurity in sectors like energy, transportation and telecommunications. These investments are expected to bring about significant improvements in the security posture of both public and private infrastructure — essentially ensuring that cybersecurity is built into the core of modernization efforts rather than being an afterthought.

One example Braun points to is modernizing the electrical grid and water systems, including enhanced cyber protections to prevent both physical and digital disruptions.

“Those three bills make up almost $2 trillion of investment in our infrastructure around the country,” he said. “And while cyber’s only called out explicitly in a few places, it’s kind of implicit in pretty much every single aspect of these bills. You can’t build a new wind farm and hook it up to the grid without there being cyber involved.”

Another effort that is expected to continue is the focus on public-private partnerships. While a distrust in information sharing still exists, the government recognizes that effective cybersecurity cannot be achieved in isolation. Increased collaboration with private sector companies will be critical for sharing threat intelligence, aligning security standards and responding swiftly to emerging threats.

Circling back to the skills gap issue, Braun expects there will be an increased emphasis on cybersecurity education and workforce development. Programs to re-skill workers, provide hands-on training, and promote diversity within the cybersecurity workforce will be expanded.

“While technology is inherently not secure because… just talk to any hacker at DefCon and they’ll tell you that you can hack pretty much anything… I do think that we’re being more strategic, and we’ve got more resources and more initiatives that are strategic and not just tactical going on now than we did before.”

What threats should we be aware of?

Despite the many reasons for optimism, potentially harmful threats are on the horizon. According to Braun, geopolitical tensions, particularly with Ukraine as well as China’s ambitions in Taiwan, pose significant cybersecurity challenges.

“These situations could dramatically influence the evolution of cyber threats and how we need to position ourselves defensively,” he said.

The outcome of these international developments will shape how cyber threats evolve and how the U.S. can position itself to defend against both state-sponsored and independent actors.

Braun suggests that The New Great Game over control of the internet — whether it will remain free and democratic or become fragmented and authoritarian — is another issue that governments around the world must pay attention to. The outcome can impact the future of digital freedom across the globe.

“China’s Belt and Road Initiative has put many smaller countries in a tough predicament, giving China leverage to push their authoritarian model of internet governance. This could lead to a fragmented global internet, which would have serious implications for cybersecurity and digital freedom.”

Facing cybersecurity in 2025 with proactive measures

Still, Braun is approaching 2025 with cautious optimism. He emphasized that while technology will always have inherent vulnerabilities, the strategic approach of the government — coupled with substantial investments — lays the foundation for the future of national cybersecurity to be more promising than it has been in previous years.

“The country will likely be better prepared due to the significant investments in infrastructure and security standards, as well as initiatives to enhance workforce capabilities,” he said. “The significant investments we’re making in infrastructure and cybersecurity standards are going to put us in a much better place. We’re seeing proactive measures, like bolstering cybersecurity in critical areas such as water utilities, which are crucial for both civilian and military stability.”

 |  |  |  |  |  | 
Mark Stone

More from Government
August 14, 2024

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM

3 min read - In 2022, the Cyber Incident for Reporting Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, "CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors."While the law itself is on the books, the reporting requirements for covered entities won't come into force until CISA completes its rulemaking process. As part of…

May 30, 2024

Important details about CIRCIA ransomware reporting

4 min read - In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.The CIRCIA incident reports are meant to enable CISA to:Rapidly deploy resources and render assistance to victims suffering attacksAnalyze incoming reporting across sectors to spot trendsQuickly share information with network defenders to warn other…

April 18, 2024

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature