At the Information Technology Industry Council’s Intersect Summit, White House National Cyber Director Sean Cairncross previewed an upcoming national cybersecurity strategy expected to be released soon. While details remain limited, the strategy is built around six pillars, including shaping adversary behavior in cyberspace. The aim is to move away from reactive responses and toward reducing incentives for cybercrime and state-backed attacks. Prevention, rather than damage control, is driving the update, with layered actions and long-term thinking guiding near-term decisions. Much of the work happens behind the scenes, with success measured by systems that remain secure.
Cairncross noted that cyber harm often occurs before responses begin. The updated approach targets a wide range of threats, including nation states, state-linked criminal groups, ransomware actors, and fraud operations. By reshaping the digital environment, officials hope to make cybercrime less profitable and less attractive. This philosophy now sits at the core of federal cybersecurity policy.
Another pillar focuses on refining the regulatory environment through closer collaboration with industry. Instead of rigid compliance checklists, officials want cybersecurity rules aligned with real-world threats and operational realities. According to Cairncross, effective oversight depends on adaptability and practicality, ensuring regulations support security outcomes rather than burden organizations unnecessarily.
Additional priorities include modernizing and securing federal IT systems, protecting critical infrastructure such as power and transportation networks, maintaining leadership in emerging technologies like artificial intelligence, and addressing shortages in skilled cyber professionals. Officials are under pressure to deliver visible progress quickly, given political time constraints.
Meanwhile, the Cybersecurity and Infrastructure Security Agency is preparing updates to the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA. Although Congress passed the law in 2022, it will not take effect until final rules are issued.
Once implemented, organizations across 16 critical infrastructure sectors must report significant cyber incidents to CISA within 72 hours. Nick Andersen, CISA’s executive assistant director for cybersecurity, said clarification on the rules could arrive within weeks. Until then, reporting remains voluntary.
CISA released a proposed CIRCIA rule in early 2024, estimating it would apply to roughly 316,000 entities. Industry groups and some lawmakers criticized the proposal as overly broad and raised concerns about overlapping reporting requirements. They have urged CISA to better align CIRCIA with existing federal and sector-specific disclosure mandates.
Originally expected in October 2025, the final rules are now delayed until May 2026. Some Republicans, including House Homeland Security Committee Chairman Andrew Garbarino, are calling for an ex parte process to allow direct industry feedback.
Andersen also discussed progress on establishing an AI Information Sharing and Analysis Center, or AI-ISAC, outlined in the administration’s AI Action Plan. The proposed group would facilitate sharing AI-related threat intelligence across critical infrastructure sectors. He stressed the importance of avoiding fragmented public and private efforts and ensuring coordination from the outset as AI adoption accelerates.
Separately, the Office of the National Cyber Director is developing an AI security policy framework. Cairncross emphasized that security must be built into AI systems from the start, not added later, as AI becomes embedded in essential services and daily life.
Uncertainty remains around a replacement for the Critical Infrastructure Partnership Advisory Council, which DHS disbanded last year. A successor body, potentially called the Alliance of National Councils for Homeland Operational Resilience, or ANCHOR, is under consideration. Andersen said the redesign aims to address past shortcomings, including limited focus on cybersecurity and inflexible structures that restricted targeted collaboration.
