Shortly after the 2024 election, Senator Rand Paul (R-KY), Chairman of the U.S. Senate Committee on Homeland Security and Governmental Affairs, called to eliminate the U.S. Cybersecurity and Infrastructure Security Agency(CISA), the country’s primary federal cybersecurity agency, over concerns about online censorship. However, CISA has several critical cybersecurity functions that are unrelated to the issues Sen. Paul targeted in calling for its dissolution. If Congress does decide to eliminate the sub-agency, it would significantly disrupt and weaken the United States’ ability to deter or respond to cyberattacks, leaving American consumers, businesses, and critical infrastructure vulnerable. If it does dissolve the sub-agency, it must retain its cybersecurity functions in other offices at the Department of Homeland Security (DHS). Either way, instead of diminishing the country’s cybersecurity posture, policymakers should bolster CISA’s capabilities, support widespread encryption adoption, and invest in continued technological innovation.
Now is a bad time to hamstring American cybersecurity capabilities. The United States recently experienced a massive cyberattack from Salt Typhoon, a Chinese hacking group, that breached U.S. telecommunications firms and exposed the data of millions of Americans, including President Trump. While the scale of the Salt Typhoon attack was unprecedented, cyberattacks have long posed a persistent and growing threat. As more people and businesses rely on online platforms for their daily activities, these threats will likely become more frequent and severe. Weakening CISA will frustrate the U.S. government’s ability to respond effectively to future cyberattacks and disrupt coordinated mitigation efforts. Policymakers should ensure that the top U.S. cyber agency has the resources it needs to effectively defend American consumers and businesses.
In addition to supporting CISA’s cybersecurity efforts, policymakers should encourage consumers and businesses to adopt technologies that enhance privacy and security, such as encryption, to create a more resilient cybersecurity framework. Some policymakers and government agencies have previously opposed encryption, arguing that it enables bad actors to communicate privately and hinders law enforcement investigations. However, weakening encryption leaves consumers—including journalists, members of marginalized communities, and more—without a valuable means of communicating privately and securely. Moreover, breaking encryption does not guarantee useful investigative outcomes. Indeed, in 2016, the Federal Bureau of Investigations (FBI) requested that Apple create a new mobile operating system that would allow law enforcement to unlock an iPhone used by one of the perpetrators of the San Bernardino shooting. The company refused out of fear that the system could leak or be exploited and threaten iPhone users’ security and privacy. The FBI eventually gained access to the phone through other sources yet found no new information for their investigation. The case highlights how undermining encryption can harm consumers’ privacy and security without necessarily aiding law enforcement investigations. Instead of weakening encryption, policymakers should advocate for its increased adoption and use.
Finally, policymakers should support technological advancements to prepare for future cyber threats. The invention and proliferation of new technologies, such as quantum computers capable of breaking encrypted systems, may give bad actors enhanced capabilities to access consumers’ data without authorization. In order to better protect consumers’ privacy and security, policymakers should facilitate the development of secure technologies that can thwart attempted breaches and deter attacks enabled by emerging technologies. For example, policymakers should fully fund the National Institute of Standards and Technology (NIST) and establish public-private partnerships to advance research and development into secure technologies.
As policymakers transition to a new Administration, it is vitally important that they continue to prepare for and mitigate potential cyber threats. To strengthen the country’s cyber resilience, policymakers should provide CISA and public and private researchers with the resources necessary to safeguard Americans’ privacy and security while also supporting the widespread adoption and use of encrypted technologies.