National Cyber Director Cairncross Is Right to Emphasize Preemptive Cyber Defense


November 4, 2025

On September 9, in his first major public address since his Senate confirmation, National Cyber Director Sean Cairncross outlined a directive signaling a shift in U.S. cyber strategy from absorbing the costs of cyber attacks to imposing them on adversaries. While not entirely new, this approach echoes other voices in the Trump administration calling for the United States to take a more proactive cyber stance. As Cairncross begins his tenure, he should focus on three priorities to accomplish his goals: modernizing the 2015 Cybersecurity Information Sharing Act (CISA 2015), reaffirming federal leadership in the Common Vulnerabilities and Exposures (CVE) program, and institutionalizing cybersecurity coordination with allies.

Cairncross’s first priority should be working with Congress to not only reauthorize CISA 2015 but also modernize it. This law, passed in 2015, established the foundation for public-private cyber threat information sharing by granting companies liability protections and encouraging cross-sector participation. Allowing the law to lapse leaves both the government and industry without clear mechanisms for timely data exchange, weakening collective security.

To address this, reauthorization should go beyond simply extending the law’s expiration date to ensure long-term stability and rebuild trust between government and industry. While Congress has the authority to reauthorize CISA 2015, the Office of the National Cyber Director (ONCD) should influence the process by advocating for reforms, such as multi-year renewals tied to clear threat-reduction metrics. For example, Congress could structure appropriations over three- to five-year cycles, with continued funding contingent on measurable outcomes such as timely sharing of critical vulnerabilities, successful mitigation by participating organizations, and reductions in the time between threat detection and disclosure. Linking funding to performance rather than politics would prevent future lapses during congressional gridlock and provide predictable operational stability.

Another priority should be the Common Vulnerabilities and Exposures program, which catalogs cybersecurity flaws. CVE’s standardized identifiers and centralized database enable coordination worldwide, but a funding scare earlier this year nearly ended the program, prompting the use of alternatives, such as the EU’s Vulnerability Database and the U.S. nonprofit CVE Foundation. This moment gives Cairncross and the Trump administration a chance to modernize and secure CVE’s future by working with the Cybersecurity and Infrastructure Security Agency (CISA) to reaffirm federal stewardship through sustained funding and governance. The near-shutdown in April, only averted by an 11-month contract extension, revealed CVE’s reliance on short-term contracts. A long-term funding model, whether through a trust or stable appropriation, would prevent future disruption and preserve CVE as the single globally trusted source for vulnerability data. Without that source, governments and vendors could splinter across competing databases, weakening coordinated threat response.

ONCD should also support CISA’s efforts to modernize the CVE program by broadening participation, including the involvement of international partners, academia, open-source communities, and vulnerability tool providers in governance. Establishing a technical advisory board could help keep CVE neutral, global, and resilient. ONCD should further accelerate automation and streamline CVE assignments to improve data accuracy and speed, especially during crises like Log4Shell in 2021, when delays and inconsistent vulnerability listings left organizations unsure which systems were at risk, slowing coordinated response. Faster, more accurate CVE data would give defenders a shared, real-time picture of active threats, allowing them to prioritize patches before attackers can exploit them.

Finally, as Cairncross noted in his remarks, the United States should take proactive steps in cyberspace, including monitoring adversaries’ activities and disrupting attacks before they spread. But it cannot do so alone, as adversaries like Russia and China operate globally and exploit gaps across countries’ networks and regions faster than a single nation can respond. To proactively strengthen collective defense, ONCD should make allied cooperation a central pillar of U.S. cyber strategy. Building on frameworks like the EU’s Cyber Blueprint—which outlines a coordinated, multi-step response process for EU member states during major cyber incidents—ONCD should establish similar standing mechanisms with allies in Europe and the Indo-Pacific, who face growing cyber threats. Such mechanisms could enable joint threat-hunting, real-time incident response, and shared vulnerability management. Regular cross-border exercises and synchronized disclosure timelines would further help allies detect, respond to, and recover from attacks together, closing gaps that adversaries currently exploit.

Cairncross wants to shift from reactive defense to active cyber deterrence. Achieving that vision requires revitalizing foundational policies. Modernizing CISA 2015 will sustain trusted information sharing. Reaffirming federal leadership in the CVE program will preserve a unified vulnerability ecosystem. Institutionalizing allied coordination will raise the costs for adversaries and strengthen collective resilience. By advancing these priorities, Cairncross can turn strategic intent into durable policy, laying the groundwork for a more assertive and resilient U.S. cyber posture.
