Alliance Unwraps Zero-Cost Plan To Improve Nation’s Cybersecurity

By John P. Mello Jr.

A plan to bolster the nation’s cybersecurity that will cost virtually nothing was unveiled Tuesday by the Internet Security Alliance (ISA).
In a 21-page document, the alliance offers five recommendations that it maintains “will cost the federal government virtually nothing” and, as a bonus, save private industry billions.
The document titled “A Zero Cost Path to American Cybersecurity” outlines initiatives that operationalize the Trump administration’s philosophy of government.
“These are pragmatic programs that can be implemented quickly,” the document noted. “They will generate significant material improvements in our nation’s cybersecurity almost immediately.
“These steps will also put our nation’s intermediate and long-term security on a measurably effective and economically sustainable path that will enable us to address newly growing threats of systemic failure,” it continued.
“With White House backing,” it added, “these initiatives can transform cybersecurity from a compliance burden into a competitive advantage — and secure both the nation’s digital future and the president’s legacy as the leader who turned deregulation into a national security triumph.”
Cutting Duplicate Rules
One recommendation from the alliance is that the federal Office of Management and Budget (OMB) should utilize its existing authority to eliminate duplicative cybersecurity regulations.
“The scope of duplicative cybersecurity regulations is staggering,” declared David Bader, director of the Institute for Data Science at the New Jersey Institute of Technology (NJIT) in Newark, N.J.
“A recent GAO analysis found that among just four major federal agencies, 49% to 79% of cybersecurity requirement parameters were in direct conflict with each other,” he told TechNewsWorld. “The most glaring example is incident reporting, where we currently have 45 different cyber incident reporting requirements spread across 22 federal agencies, each with their own forms and websites.”
“This regulatory chaos is severely undermining our cybersecurity capabilities,” he continued. “Large financial institutions report their cyber teams now spend more than 70% of their time on regulatory compliance rather than actually improving security. Some companies are spending nearly half their entire cybersecurity budget just filling out duplicative compliance reports.”
“When cybersecurity professionals are buried in paperwork instead of defending networks, we’re essentially doing the attackers’ work for them,” he said. “Eliminating these duplicative requirements would immediately free up billions of dollars in resources that could be redirected toward actual threat detection, incident response, and security improvements.”
The problem is not only that duplicative regulations waste time for everyone involved with them, but that they often differ and are sometimes at cross-purposes with each other, added Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.
“NIST [National Institute of Standards and Technology] recommends not having a minimum password size, removing the need to change it on a periodic basis and removing the complexity requirement,” he told TechNewsWorld. “Most other cybersecurity guides, including many governmental regulations, require the exact opposite.”
There may also be a significant hurdle in implementing the ISA’s recommendation through the OMB. “The OMB’s role is to coordinate regulations and look to see if they’re inconsistent or duplicative or whatever,” said Berin Szóka, president of TechFreedom, a technology advocacy group, in Washington, D.C. “They can’t repeal regulations as this document claims.”
“It’s up to the agencies to repeal rules,” he told TechNewsWorld. “Then the question that you get into is whether the agencies can short-circuit the normal rulemaking process. The Trump administration has claimed that agencies don’t have to go through normal rulemaking if they think that a rule is unlawful. That’s just not true. That’s not how the Administrative Procedure Act works.”
Cyber Rule Cost-Benefit Analysis
The ISA is also recommending that a cost-benefit analysis be required for all cybersecurity regulations. “Despite spending trillions of dollars on cybersecurity regulatory compliance, no study has ever documented that the cybersecurity regulations actually enhance security,” it contended.
However, Heath Renfrow, CISO and co-founder of Fenix24, a cyber disaster recovery firm in Chattanooga, Tenn., pointed out that while a cost-benefit analysis seems, on the surface, like an economic safeguard, in cybersecurity the cost side is tangible while the benefit side is probabilistic.
“How do you quantify the avoided cost of a ransomware event that didn’t occur because of MFA adoption?” he asked. “Traditional cost-benefit frameworks, like OMB Circular A-4, break down because cyberattacks are low-frequency, high-impact events with cascading second-order effects.”
“That said, forcing agencies to at least articulate assumptions, model scenarios, and test proportionality would raise the quality of regulatory drafting,” he told TechNewsWorld. “The danger is in weaponization. Companies may argue that unless you can prove a breach will cost X amount of money, the regulation isn’t worth it. The balance is ensuring analysis informs regulation, without paralyzing it.”
NJIT’s Bader agreed that the risk of using cost-benefit analysis to avoid necessary regulations is real and concerning. “Many cybersecurity benefits are preventative and systemic, making them difficult to capture in traditional economic models,” he said. “The cascading effects we’ve seen from supply chain attacks like SolarWinds demonstrate that the true cost of cyber incidents often far exceeds initial estimates.”
“However,” he continued, “when properly implemented with methodologies that account for these uncertainties, cost-benefit analysis could actually improve cybersecurity by ensuring resources go to the most impactful security measures. The key is developing models sophisticated enough to handle the unique characteristics of cyber risk, rather than applying standard regulatory cost-benefit frameworks that weren’t designed for this domain.”
Overhaul Cybersecurity Information Act
Another recommendation by the ISA is that the 2015 Cybersecurity Information Sharing Act should be reauthorized and modernized.
The Cybersecurity Information Sharing Act (CISA 2015) — the legal foundation for public-private cyber collaboration — will expire on September 30, 2025, unless reauthorized, the ISA explained. “Allowing it to lapse would severely limit the government’s ability to share threat intelligence with industry, undermining national security,” it maintained.
Bader argued that CISA needs urgent modernization because it was written for a threat landscape that no longer exists. “The 2015 law was crafted before we understood AI-enabled attacks, sophisticated supply chain compromises, or the unique vulnerabilities of cloud infrastructure,” he said. “The definitions of what constitutes shareable cybersecurity information are too narrow for today’s threat environment.”
“With the advent of AI and the ability to build malicious code a lot faster than we’ve ever seen before, traditional ways of sharing information can’t keep up with the threat,” added Matt Stern, chief security officer at Hypori, a mobile infrastructure security firm, in Reston, Va.
“If we’re going to even get parity with the threat,” he told TechNewsWorld, “we have to be able to modernize the regulation so that it can deal with getting threat information into the hands of the people that need it in a much more realistic and quicker fashion.”
Fenix24’s Renfrow added that private sector participation in sharing is still weak under the existing act. “Modernization should include liability safe harbors for companies that share indicators of compromise in good faith and reciprocal obligations for the government to return actionable intel in real time,” he said.
Solving Cyber Workforce Shortage
The ISA is also recommending that a cost-effective cybersecurity workforce be created for the government, largely through the PIVOTT Act currently before Congress.
Under PIVOTT (Providing Individuals Various Opportunities for Technical Training), students can enroll in existing cybersecurity programs offered by colleges, community colleges, and certificate programs. The federal government would pay for their tuition. In return, the students would be required to perform a specified amount of government service.
PIVOTT’s target is to enroll up to 10,000 students a year eventually. “At that rate, PIVOTT would solve the federal government’s cybersecurity workforce gap (35,000) in less than 4 years,” the ISA noted.
“The PIVOTT Act’s apprenticeship and rotation model is promising because it treats cyber talent like a renewable resource,” Renfrow said. “You move skilled practitioners across agencies rather than each agency trying to grow its own siloed pipeline.”
“Four years is optimistic,” he added, “but without structural change like PIVOTT, the problem will persist indefinitely.”
While finding the PIVOTT concept a good one, Ida Byrd-Hill, CEO and founder of Automation Workz, a reskilling and diversity consulting firm in Detroit, Mich., argued that more money should be directed at the workforce development system in the Department of Labor. “Most people do not realize that just getting technology training at a university, college, or community college is not sufficient if you don’t have a certification,” she told TechNewsWorld.
“The problem could have long been solved if the government supported learn and earn programs,” she added. “The government has not acquiesced to do that yet. They have to step up. It’s not just about scholarships and training.”
Building a National Cybersecurity Dashboard
A fifth recommendation by ISA is to establish a national macroeconomic cybersecurity dashboard.
The ISA explained that the federal government is spending tens of billions of dollars every year on an extensive range of cybersecurity projects. “Yet without a sophisticated model, policymakers are blind to the full economic cost of cyber threats, the ROI of defenses, the usefulness of alternative methods such as incentive programs rather than regulation, the systemic impacts of major incidents, and the most cost-effective ways to eliminate, mitigate, or transfer risk,” it noted.
It advised the National Cyber Director to collaborate with federal government agencies to promote a more sophisticated cyber risk assessment methodology based on the proven NACD-ISA framework.
“We desperately need a national cybersecurity dashboard because our current approach to cyber risk assessment is fundamentally broken,” Bader said. “Right now, we have dozens of agencies doing their own cyber risk assessments with no coordination or common methodology. It’s like trying to understand the health of the U.S. economy by looking at 22 different, incompatible financial reports.”
“The NACD-ISA framework that would underpin this dashboard has been independently validated by MIT and PwC research,” he continued. “Organizations using these principles have 85% fewer cyber incidents and significantly better risk management outcomes. This isn’t theoretical — it’s a proven approach that works at the enterprise level.”
“Think of it as a Cyber Dow Jones Index — not predicting daily movements but measuring the structural health of the economy under cyber stress,” Renfrow added. “Without that visibility, policymakers are steering blind in a domain where adversaries are already treating cyber as macroeconomic warfare.”