On October 8, the Cybersecurity Coalition and the Cyber Threat Alliance hosted the 9th annual CyberNext DC, convening innovators, policymakers, and security experts to explore the pressing challenges and innovative responses shaping the cybersecurity space.

Key Themes and Highlights

From Firefighting to Fire-Proofing

  • Need to shift the approach to cybersecurity risk and funding away from detection and response and toward proactive security.

AI’s Risks and Opportunities for Cybersecurity 

  • AI continues to dominate the cybersecurity conversation, with agentic applications on the horizon. Human oversight, risk assessment, and training remain vital. 
  • Widespread weaponization of AI by threat actors. 

Protecting Critical Infrastructure 

  • As IT and OT converge, critical services are vulnerable. Cloud-conscious adversaries are taking advantage of cloud infrastructure. 
  • Need for ruthless prioritization of systems too essential to fail, with a focus on civilian-critical infrastructure, and cross-sector efforts. 

Evolving Global Dynamics

  • Regulatory efforts in Europe are shaping global standards. Importance of a single, global catalog for identifying vulnerabilities, and the risks posed by the Common Vulnerabilities and Exposures (CVE) program’s current governance and funding model.

Clarifying Offensive Cyber Operations

  • Currently leveraging strategic ambiguity on offensive cyber operations. 
  • Need for resilience as a foundation for offensive operations. Resilience provides the ability to “throw our own punches” in the domain. 
  • Potential for a cyber force for force generation in cyber operations. 

Event Recap

Welcome: Ari Schwartz

Ari Schwartz, Executive Director of the Cybersecurity Coalition, kicked off the day, welcoming participants to CyberNext DC and acknowledging the government shutdown. A pressing issue, Schwartz argued, is the expiration of CISA 2015, the Cybersecurity Information Sharing Act of 2015. 

Prior to 2015, the U.S. Government would attempt to get companies to share information about cyber incidents, but legal reviews by the companies would take so long that even if the information was ultimately shared, it would no longer be useful for the government. 

Schwartz argued that CISA 2015 was successful and removed barriers to information sharing, and that its ongoing lapse means less information is already being shared as lawyers start to review sharing agreements. The lapse will become more harmful the longer it lasts. Schwartz urged Congress to reauthorize CISA 2015 and, given that some are, purposely or not, confusing the agency CISA with the Act, proposed that we stop using the CISA acronym to refer to the Act and instead say the full term.

Keynote: Megan Stifel – What Cyber Policy Needs Next Through the Looking Glass of the Ransomware Task Force

Megan Stifel, Chief Strategy Officer at the Institute for Security and Technology, provided a keynote based on her experience with the Ransomware Task Force. Stifel began with the framing that the collective lack of political will has left us vulnerable in cybersecurity. At the same time, the evolving threat and policy landscapes have led to novel solutions. 

Stifel described “the good, the bad, and the ugly” about the state of play for cybersecurity with an eye toward the horizon. “The good,” Stifel explained, includes that international cooperation has led to arrests of major cybercriminals, ransomware attacks have slowed, fewer victims are paying ransom, and there has been progress in mapping the crypto payment ecosystem.  

Stifel explained that “the bad” includes that 50% of the Ransomware Task Force’s recommendations remain unfulfilled. Many grant programs are ineffective, failing to modernize vulnerable IT systems, and legacy technology in both government and critical infrastructure sectors remains a major weakness. Additionally, the post-SolarWinds momentum has faded. Key programs like the State and Local Cyber Grant Program and the FCC cybersecurity pilot for schools have expired or are in limbo.

Meanwhile, threat actors are being forced to evolve — a sign defenses are working when properly funded. U.S. companies spend billions cleaning up poorly built software from other vendors. Procurement incentives — e.g., IoT Cybersecurity Improvement Act of 2020 — remain unimplemented.

Stifel then moved on to “the ugly.” Ransomware gangs now use regulatory rules as leverage — e.g., threatening SEC violations — to extort victims, which suggests a need for policy innovation that protects companies from frivolous lawsuits without eliminating accountability. Additionally, Chinese actors have infiltrated U.S. critical infrastructure. Campaigns like Volt Typhoon have enabled real-time tracking of U.S. intelligence and law enforcement via telecom hacks. Stifel warned that these are not just espionage but pre-positioning for potential conflict.

Stifel remarked that the White House and National Cyber Director Cairncross have an opportunity to let the good flourish, and she provided recommendations to do so. For “the good,” Stifel recommended doubling down on what works: disruptions, CRI growth, crypto tracking. For “the bad,” follow through on unfinished business: IT modernization, targeted investment, secure software. For “the ugly,” tackle emerging legal and nation-state threats with novel policy solutions.

Panel #1: Cyber Luminaries

  • Sam Curry, CISO, Zscaler
  • Jaya Baloo, COO, Stealth Startup
  • Josh Corman, Executive in Residence for Public Safety & Resilience, Institute for Security and Technology (IST)
  • Jen Ellis, Founder, NextJenSecurity 

The ever-popular cyber luminaries panel returned. Discussing what has changed in the past year, the panel noted that everything is AI – AI has become central to almost every cybersecurity discussion, and AI presents both threats and opportunities; offensive actors use it for sophisticated attacks, but defenders can also use it for detection and response. Additionally, the geopolitical situation has changed, which changes things like funding context and motivation. 

Josh Corman discussed the disparate rate of change, that we have many net-new topics and have not closed out old ones, like ransomware. We have typhoons attacking critical infrastructure and those living below the cyber poverty line. We need faster, parallel, and adaptive approaches to cybersecurity policy, investment, and public-private collaboration, and the focus must expand beyond shiny enterprise tech to include public safety, critical infrastructure, and national resilience.

Considering what changes need to be made, Sam Curry argued that CISOs and security leaders should free up internal resources by accepting some risk trade-offs. They should shift the focus from legacy efforts to innovation and experimentation, and make portfolio-style investments: a mix of safe bets, competitive bets, and game-changing bets. Corman noted the tale of two markets for resources to do so, arguing we need a ruthless prioritization of systems that are too essential to fail, with a focus on civilian-critical infrastructure — e.g., water, power, healthcare — that affects public safety and national stability.

On the topic of offensive cyber capabilities, the panel discussed that if we are developing those capabilities, we have to build resilience as a foundation. Resilience gives us the ability to “throw our own punches” in the domain. 

The panel also discussed the activities in Europe that are shaping global standards through regulation, and that while motivated by sovereignty and security, this fragmentation risks global interoperability and could lower competition or quality in some markets.

Concluding with recommendations for policymakers, Corman suggested a task force to focus on resilient continuity of operations in the cross-sector environment with ruthless prioritization. Curry urged policymakers to consider the long-term effect of any regulations and to reconsider those that would become obsolete or difficult to maintain in the long run. Jaya Baloo concluded with the very real danger of internal collapse because we are not able to work together to share intelligence about bad actors. Policymakers must build bridges and work together.

Panel #2: Vulnerable: Weaknesses in the Nation’s Vulnerability Management System

  • Zack Martin, Senior Policy Advisor, Venable LLP
  • Mitch Herckis, Global Head of Government Affairs, Wiz
  • Peter Allor, Officer and Director, The CVE Foundation 
  • Nick Leiserson, Senior Vice President for Policy at the Institute for Security and Technology

The next panel discussed the future of the CVE program and how it may evolve over the next few years. The panel argued for the importance of bringing in other stakeholders and involving other governments in the conversation about the program’s governance and funding. The panel agreed that strong, diverse governance and transparency are important. The panelists also discussed the importance of private sector involvement, as they are the people who built the program and who use it.

Nick Leiserson explained that the program’s biggest asset is the ability to identify a vulnerability globally, so that everyone knows what is being talked about, and stressed the importance of a single, global catalog with a unique identifier. Leiserson argued that we are on the precipice of real fragmentation, which would reduce the value of the CVE program. IST released a paper on the future of the CVE program as well.

The panel explored the significant risk and concern that there has been a single source of funding for 25 years, which is the U.S. government. The panelists discussed the need for international buy-in and international stakeholders to engage, and panelists argued for diversity in funding sources. Peter Allor noted that the contract is up in March 2026, but given that the code is open source, the program could work functionally for a time beyond that. 

Keynote: Steve Vintz, Co-CEO, Tenable

Steve Vintz, Co-CEO of Tenable, provided a keynote framing the emerging dynamics in cybersecurity as a storm on the horizon. Vintz described that, for many years, we have been navigating the cyber landscape expertly, but the weather is changing, and there is a dark storm on the horizon moving more viciously than ever before, strengthened by two forces: our growing digital footprint and the widespread weaponization of AI by threat actors.

Vintz explained that threat actors have shifted their focus from data security to systematic attacks on our hospitals, schools, and critical infrastructure, and that this is amplified by geopolitical enemies. China continues its campaign of persistent data exfiltration for long-term strategic advantage and influence. Russia uses AI to attack our allies and democratic allies. North Korea and Iran are actively leveraging AI to achieve unprecedented scale, speed, and sophistication.

In order to fight back, Vintz described that measures like multifactor authentication and patching vulnerabilities are all important, but we have to be honest that they are not enough. We have to shift how we approach risk and cyber funding, away from just detection and response toward proactive security.

Vintz’s call to action was to champion the shift from firefighting to fire-proofing. We need to move from stopping breaches after they occur to preventing them in the first place. Vintz argued this should involve a new era of public-private partnerships, championing AI, and streamlining procurement. He also urged Congress to reauthorize the State and Local Cybersecurity Grant Program and argued that sustained federal investment is essential to ensure we continue to be able to build secure systems.

Panel #3: The Next Disruption: Agentic AI and the Business of Cybersecurity

  • Kevin Reifsteck, Director for Cybersecurity Policy, Microsoft
  • Sasha O'Connell, Senior Director for Cybersecurity Programs, Aspen Digital
  • Michael Sikorski, Chief Technology Officer and Vice President of Engineering, Palo Alto Networks
  • Michael Daniel, President & CEO, Cyber Threat Alliance
  • Camille Stewart Gloster, CEO and Principal, CAS Strategies, LLC

The next panel discussed new applications of AI for cybersecurity, including supply chain vetting, such as in the procurement process and in the hiring process, addressing the cyber workforce mismatch, and compliance with regulations. Kevin Reifsteck noted that each opportunity must be evaluated for potential risks and the importance of humans in the loop. 

Sasha O'Connell raised the potential for AI to support educational campaigns and audience segmentation. Camille Stewart Gloster explained that AI creates a moment, that there is a lot of emotion around this AI moment, and it is an opportunity to orient people towards positive uses of AI and mold the way society uses AI as we move forward.

Michael Sikorski explained that agentic AI is what’s new, giving agents real tasks and responsibilities, which his team is exploring in their threat research center. They are also bringing AI into the conversations around security and compliance reviews. 

Sikorski explained the emerging theme that AI is a complement, not a replacement. The most effective use is using AI tools to complement what humans are already doing. The panel discussed the importance of training so that users understand their limitations. 

Panel #4: Cyber Force Commission Update

  • Ari Schwartz, Executive Director, Cybersecurity Coalition
  • Michael Daniel, President & CEO, Cyber Threat Alliance
  • Joshua Stiefel, Vice President for Government Relations, Second Front
  • Matt Pearl, Director, Strategic Technologies Program, Center for Strategic and International Studies

The next panel was an update on the commission organized by the Center for Strategic and International Studies (CSIS), which is working from the assumption that the President orders the establishment of a cyber force and is asking what it would look like. Through this effort, the commission is focused on addressing the absence of force generation for cyberspace, which includes hiring authorities, training, equipping, and retaining for cyber.

The panel explored the potential role of the private sector in supporting a cyber force, potentially paralleling how the space industry has grown following the establishment of the Space Force. The panelists noted that other nations globally are already significantly ahead of the U.S. on this, including Israel, the U.K., Singapore, and China. 

Schwartz raised the potential pushback that the cyber force would be yet another agency in the cybersecurity space, only increasing bureaucracy. Stiefel argued that what's unique is that the force would be doing cyber “operations,” not cybersecurity, and no one is training or focusing on that. The commission seeks constant engagement with stakeholders and welcomes input. 

Panel #5: Safeguarding the Backbone: Cybersecurity for Essential Services

  • Drew Bagley, Chief Privacy Officer, CrowdStrike
  • Kathryn Condello, Fellow, National Security, Lumen
  • Patrick Ford, Americas Cybersecurity VP and CISO, Schneider Electric
  • Caitlin Clarke, Senior Director for Cybersecurity Services, Venable LLP

The panel on essential services explored the evolving threat landscape and ways that the public and private sectors can better collaborate. Drew Bagley described the threat landscape in which cloud-conscious adversaries are taking advantage of the cloud infrastructure that we have migrated to. Over the past decades, as we merge OT and IT, adversaries have targeted unmanaged devices. Bagley described prepositioning by adversaries and argued that overall, we should accept that critical infrastructure is actively a target, so we should ensure visibility into this risk.

Patrick Ford described the idea of “secure by operations,” how security works for a product for its full lifecycle, pointing toward the need for a relationship and communication between OEMs, integrators, and asset owners. 

Kathryn Condello discussed resilience in the communication sector, noting that they have doubled down on information sharing, including alerts, and are in the process of establishing a new communications cyber ISAC (C2-ISAC). Bagley urged policymakers to act with urgency to ensure cyber have-nots get resources, and said that we need national capacity for incident response.

The panelists discussed the need to focus on cross-sector implications, make contact information for CISOs available, and consider how we can pool resources to be more proactive. 

Panel #6: Myth Busting: the Real Path to More Effective Offensive Cyber Operations

  • Meredith Burkart, Senior Director for Government Affairs and Public Policy, Halcyon
  • Leonard Bailey, Computer Crime and Intellectual Property Section, Department of Justice (retired)
  • Stacy O'Mara, Senior Director for Cybersecurity Services, Venable LLP
  • Mieke Eoyang, Non-Resident Senior Fellow, Carnegie Mellon Institute for Strategy & Technology

The final panel of the day discussed offensive cyber operations. The panel began by discussing the lack of a common lexicon on what is meant by offensive. Stacy O'Mara described that the conversation has focused on an act on someone else’s system without permission that is intended to cause damage or harm, with disruption at the time of action, but she posed to the group the question of how well this holds up in practice. 

Meredith Burkart noted the importance of definitions in policymaking, that you solve a large portion of the policy problems there, but in this space, we do not have a consensus. There are so many terms, many of which are not public, and Burkart argued that there have to be some trust groups in which the cybersecurity community can come together on this. Leonard Bailey described the significant fragmentation in a lot of the relevant terms. Mieke Eoyang also noted the importance of the context, including whether we are at war or not.

The panelists discussed how escalation risk should shape the boundaries of offensive cyber operations. Eoyang noted that some countries are not good at attribution, and in a period of geopolitical tensions, private sector action could be misattributed as an intentional act by the U.S. Government, and a potential response outside of the cyber domain could occur. Bailey assessed that we currently have the approach of strategic ambiguity.

The panel then discussed how much appetite actually exists in the private sector to participate in offensive cyber operations. Bailey described that the interest in offering services is much narrower than others have argued. Eoyang described how it might be challenging for a private actor to have clear insight into what they are disrupting and that the government may be in a better position to take a more accountable action, such as an indictment or arrest. Burkart argued for strengthening channels in which lone wolf actors can participate and may be deputized, including in contracting, joint FBI task forces, and local cyber squads.

Closing Remarks: Michael Daniel 

Michael Daniel, President & CEO of Cyber Threat Alliance, closed out the day by describing the emerging dynamics that will force us to change how we think about cybersecurity policy. 

Daniel argued that the rules-based international order is dead, and that the U.S. is no longer perceived as a reliable partner by its European allies. At the same time, innovation and economic development are diversifying, becoming more global, and there are some things that China will win on. Additionally, cybercrime has become intertwined with so many things, such that now some of the actors committing cybercrime are as much victims of human trafficking as the cyber victims. 

These things, Daniel explained, will force change in how we think and approach these problems. Daniel asserted that we can adapt to these changes if we have flexibility, diversity of relationships, curiosity, and humility, but we have to choose to do so. 

The full event can be viewed here.

Frances Schroeder
