USA Cybersecurity in 2030: A Geopolitical and Policy Analysis

Vladimir Tsakanyan

Executive Summary

By 2030, USA cybersecurity will be characterized by a dynamic interplay of advanced technological defenses, evolving state-sponsored and non-state threats, and a robust, yet continually challenged, policy and regulatory framework. The nation’s posture will be significantly shaped by the implementation of the 2023 National Cybersecurity Strategy, the rapid integration of Artificial Intelligence (AI), the critical transition to post-quantum cryptography, and ongoing efforts to secure an expanding digital attack surface, particularly within critical infrastructure and the Internet of Things.

The United States will demonstrate strengths in its strategic policy direction, research and development (R&D) investment in emerging technologies, and a growing emphasis on public-private collaboration. However, persistent challenges will include the increasing sophistication and coordination of adversarial cyber operations, the inherent vulnerabilities of legacy systems and a rapidly expanding Internet of Things (IoT) ecosystem, and the critical need to address the cybersecurity workforce skills gap. Strategic imperatives will center on accelerating the adoption of “secure by design” and Zero Trust principles, ensuring a smooth and timely transition to post-quantum cryptography, fostering a highly skilled and adaptive cyber workforce, and strengthening international alliances to develop and enforce global cyber norms.

I. Introduction: The Evolving Cyber Landscape to 2030

The digital future of the United States, encompassing its economic security, human rights, democratic institutions, and societal equity, is inextricably linked to the strength and resilience of its cybersecurity posture. As the nation approaches 2030, this posture is being fundamentally shaped by strategic policy shifts, an increasingly complex threat environment, and rapid technological advancements.

Contextualizing the 2023 National Cybersecurity Strategy and its Long-Term Vision

The foundational policy document guiding US cybersecurity efforts towards 2030 is the Biden-Harris Administration’s 2023 National Cybersecurity Strategy (NCS), released on March 1, 2023. This strategy articulates an overarching goal: to provide a safe, reliable, and secure Internet for both business and personal use, thereby underpinning national prosperity and values.1 The NCS superseded the 2018 National Cyber Strategy, building on previous initiatives while introducing two pivotal shifts in approach. First, it seeks to rebalance the responsibility for cyber defense, moving the burden away from individuals, small businesses, and local governments, and placing it instead on the organizations most capable and best-positioned to reduce systemic risks, such as large technology providers.1 Second, the strategy aims to realign incentives to favor long-term investments in security-by-design principles and collaborative research efforts.1

This rebalancing of responsibility represents a critical political shift. It signifies a governmental recognition that cybersecurity is no longer solely a technical or individual user problem, but a systemic risk requiring a comprehensive societal approach. By shifting the burden to more capable entities, the government signals an intent to leverage regulatory and market forces to compel private sector actors, particularly major technology providers, to embed security into their products and services from the outset. This approach, while potentially increasing compliance costs for industry, is designed to foster a more resilient national cyber posture by addressing vulnerabilities at their source rather than relying on downstream mitigation by less resourced entities.

The NCS is structured around five critical pillars designed to achieve its vision: Defend Critical Infrastructure; Disrupt and Dismantle Threat Actors; Shape Market Forces to Drive Security and Resilience; Invest in a Resilient Future; and Forge International Partnerships to Pursue Shared Goals.1 These pillars will continue to define the strategic direction of US cybersecurity through 2030, promoting robust collaboration between the public and private sectors, developing and harmonizing regulations, and creating new frameworks to address identified gaps in existing security measures.1

The Increasing Complexity and Interconnectedness of Cyberspace

The strategic environment outlined in the NCS acknowledges the accelerating pace of digital transformation and its inherent challenges. It highlights emerging trends, including the increasing complexity of software and digital systems, and the imperative to transition away from older, less secure technologies that cannot adequately protect modern digital assets.1

A significant aspect of this evolving landscape is the growing reliance on Operational Technology (OT) and the Internet of Things (IoT). OT, which controls critical industrial processes in sectors such as manufacturing, power grids, and water treatment facilities, is becoming increasingly digitally connected.1 Similarly, advanced wireless technologies and a vast array of IoT devices are becoming essential components of daily life and critical infrastructure.1 This pervasive interconnectedness dramatically expands the potential attack surface for malicious actors, rendering traditional perimeter-based defenses largely insufficient.3 The integration of these technologies, many of which were not designed with modern cybersecurity in mind, introduces new vulnerabilities that must be addressed proactively to safeguard national security and public safety.

II. The Threat Environment in 2030: Adversaries and Their Capabilities

By 2030, the United States will navigate a highly complex and dynamic cyber threat landscape. Malicious actors have evolved beyond traditional cybercrime to engage in more strategic, state-run operations.1 These adversaries are increasingly deepening their cooperation, often providing mutual support to circumvent US instruments of power.4 The US Homeland faces a persistent array of threats from strategic competitors and non-state entities, all seeking to erode US competitive advantage or directly target US citizens and interests.4

A. State-Sponsored Threats

Four nation-states—China, Russia, Iran, and North Korea—are identified as primary state-sponsored cyber adversaries, each possessing evolving capabilities and distinct motivations for targeting US interests.1

China (PLA, MSS)

China is recognized as the most capable strategic competitor in cyberspace. Beijing is pursuing an aggressive, whole-of-government approach, combined with state direction of the private sector, to achieve global scientific and technological superpower status by 2030.6 This ambition prioritizes key technology sectors such as AI, quantum information science, and semiconductors.6

The People’s Liberation Army (PLA) has undergone significant reorganization, with a heightened focus on cyber and space warfare. The Strategic Support Force (SSF) is at the forefront of China’s strategic cyber warfare operations, aiming to achieve information dominance and targeting both US military assets and critical infrastructure.4 Chinese cyber intrusions, executed by entities like the PLA Cyberspace Force and the Ministry of State Security (MSS), consistently target global information networks, including US government systems, to steal intellectual property and sensitive data and to pre-position access for future operations.4 This pre-positioning, publicly tracked as Volt Typhoon and Salt Typhoon, demonstrates a growing breadth and depth of capabilities intended for use during a crisis or conflict.6

China’s cyberespionage activities are increasingly sophisticated, employing advanced tactics, techniques, and procedures (TTPs) such as vulnerability exploitation and third-party compromise.8 A critical aspect of China’s strategy is the weaponization of its domestic cybersecurity industry. Beijing mandates that companies and researchers submit all discovered software and hardware vulnerabilities to the Chinese government prior to public notification or vendor patching. This policy, coupled with domestic hacking competitions and academic collaborations, provides China’s security services with a steady stream of vulnerabilities to exploit for state-sponsored operations.8

This “whole-of-government” and “cyber sovereignty” approach by China represents a strategic effort to fundamentally reshape the global digital order. By controlling vulnerability disclosure and deeply integrating AI into both military and civilian sectors, China is constructing an ecosystem where cyber capabilities are intrinsically linked to its national power projection. US defenses must therefore not only counter specific cyberattacks but also address the systemic challenge posed by China’s integrated cyber-industrial complex. Countermeasures could involve stricter supply chain restrictions and proactive efforts to promote alternative, more open technological ecosystems globally.

Russia (GRU, FSB, SVR)

Russia continues to possess advanced cyber capabilities, posing a persistent threat for counterintelligence operations and cyberattacks, and has historically attempted to pre-position access on US critical infrastructure.4 Russia’s primary cyber forces originate from state groups, including the Federal Security Service (FSB), the Main Directorate of the General Staff of the Armed Forces (GRU), and the Foreign Intelligence Service (SVR).13 The FSB focuses on intercepting information and phishing, while the GRU is known for offensive operations (e.g., APT28/Fancy Bear), and the SVR for espionage and information collection (e.g., APT29).13

Russian state-sponsored actors have predominantly prioritized cyberespionage over direct cyberattacks, focusing on stealing sensitive data and intellectual property.4 Recent campaigns have targeted Western logistics entities and technology companies providing foreign assistance to Ukraine, often exploiting vulnerabilities in small office/home office (SOHO) devices and employing spearphishing tactics.14

A significant development impacting Russia’s cyber capabilities is the “brain drain” that commenced in 2022, which has reportedly slowed its cybersecurity operations.13 This has led to increased collaboration between Russian state actors and cybercrime organizations.13 US policymakers are urged to reassess their assumptions about Russia’s cyber might, as its operations may be less centrally directed and more fragmented, involving a diffuse mix of government agencies, criminal groups, and loosely affiliated hackers.15

The “brain drain” and observed fragmentation of Russia’s cyber operations suggest a shift from highly coordinated, state-led “kill strike” attacks to a more opportunistic, less predictable, and potentially deniable “cyber web” approach involving proxies. This makes attribution more challenging and defense more complex, as the United States must contend with a diffuse threat landscape rather than a singular, centrally controlled adversary. The reliance on criminal groups provides plausible deniability, expanding the “gray zone” of conflict. This necessitates a US defense strategy that emphasizes resilience, rapid detection, and flexible response, rather than solely relying on deterrence through punishment.

Lessons from the ongoing conflict in Ukraine further illuminate Russia’s adaptive capabilities. The war has served as a real-world laboratory for cyber warfare, demonstrating the decisive role of cyber operations in kinetic conflict.16 Ukraine’s robust cyber defense efforts, including a volunteer “Cyber Army” and leveraging AI-enabled software and data platforms, have successfully safeguarded logistics networks and enhanced decision-making speed.18 The conflict highlights the rapid adaptation by both sides, the unprecedented integration of commercial technologies (e.g., cheap drones, commercial space capabilities), and the crucial collaboration between government and the private sector.17 While Russia’s strategic cyber might may be less monolithic than previously assumed due to internal challenges, its adaptive capabilities and willingness to integrate cyber with kinetic warfare, particularly by leveraging commercial technologies, remain a significant threat.

Iran (IRGC-linked groups)

Iran has escalated its cyberattacks, cyberespionage, and information operations, frequently aiming to disrupt, collect intelligence on, or influence perceived adversaries.4 State-sponsored Iranian cyber capabilities are often deployed to project political messaging through destructive and psychological tactics.20 Iran has repeatedly demonstrated a willingness to employ cyberattacks against adversaries with stronger cyber capabilities, including Israel.21 Its cyber strategy is often geared towards intimidation and disseminating disinformation, with groups linked to the Islamic Revolutionary Guard Corps (IRGC) reportedly using front companies to coordinate hacking campaigns.21

Recent geopolitical escalations have led to a sharp increase in cyber activity by Iranian state-sponsored actors and affiliated hacktivist groups. These campaigns prioritize espionage, Distributed Denial-of-Service (DDoS) attacks, ransomware, and destructive wiper malware.22 A strong focus of these operations is disrupting critical infrastructure, including industrial control systems, utilities, and healthcare networks.22 Common tactics include brute-force login attempts, Multi-Factor Authentication (MFA) bombing (push fatigue attacks), credential harvesting, exploitation of outdated software, insecure remote access, and sabotage of industrial control systems (ICS).24 A notable incident involved the CyberAv3ngers, a group reportedly linked to the IRGC, infiltrating US water utilities by exploiting Israeli-made programmable logic controllers (PLCs), causing limited but symbolic disruptions.24

Iran’s cyber strategy, while perhaps not always demonstrating the same level of technical sophistication as China or Russia in all areas, is highly opportunistic and leverages geopolitical tensions to maximize disruptive and psychological impact.21 Their focus on critical infrastructure, even with “low-level” attacks, aims for “high-impact, very visible and very inconvenient” disruptions.23 This highlights that US defenses must prioritize hardening “soft targets” within critical infrastructure, especially those reliant on legacy or poorly secured Operational Technology (OT) and Industrial Control Systems (ICS). Additionally, enhanced public awareness campaigns are crucial to counter the disinformation tactics frequently employed by Iranian actors.

North Korea (Lazarus Group/APT38)

North Korea, primarily through the notorious Lazarus Group (also known as APT38), is extensively engaged in state-sponsored cybercrime, with a particular emphasis on cryptocurrency theft.4 These illicit financial activities are critical for funding its military development, including its nuclear and ballistic missile programs, and for evading international sanctions.6 In 2024 alone, North Korea is estimated to have stolen $1.34 billion in cryptocurrency.27 The largest single cryptocurrency theft to date, approximately $1.5 billion, occurred in February 2025 from the Bybit exchange, attributed to the Lazarus Group.27

North Korean hackers have evolved from simplistic crypto theft schemes to more sophisticated tactics. These include advanced social engineering techniques, such as faking credentials, resumes, and documents, and disguising themselves as legitimate IT workers (e.g., Canadian IT workers, Japanese blockchain developers) to infiltrate crypto firms.28 They also employ phishing campaigns, supply chain attacks, and infrastructure hacks involving private key or seed phrase compromises.28 To launder illicit funds, they utilize complex techniques like “chain hopping” (moving funds to other blockchains) and “token swapping” (converting funds to other forms of virtual currency).33

North Korea’s evolving cryptocurrency theft methods represent a direct, financially driven national security threat that effectively bypasses traditional economic sanctions. The shift to sophisticated social engineering and the targeting of “cold” storage wallets, previously considered almost impervious to attacks, indicate a high degree of adaptability and resourcefulness in overcoming security measures.28 This implies that US efforts must not only focus on technical defenses but also on human factors (e.g., training against social engineering tactics) and disrupting the cryptocurrency laundering infrastructure, possibly through enhanced international cooperation and stricter regulations on cryptocurrency exchanges and service providers. Cutting off this financial lifeline is paramount to undermining North Korea’s weapons programs.

B. Non-State Actors and Cybercrime

Beyond state-sponsored operations, the US faces significant and evolving threats from various non-state actors, including financially motivated cybercriminals and hacktivists.

Ransomware-as-a-Service (RaaS) Evolution and State-Sponsored Links

Financially motivated cybercriminals, particularly ransomware actors, continue to aggressively target inadequately defended US entities, including healthcare systems and municipal governments, leading to broad impacts on the populace and economy.6 The ransomware landscape in 2025 is highly fragmented, characterized by a mix of unaffiliated lone operators, new ransomware brands that blur the lines between traditional financially motivated cybercrime, espionage, and hacktivism, and a dwindling number of older, surviving groups.34

Ransomware-as-a-Service (RaaS) operations are a significant and growing threat, as they lower the barrier to entry for less-skilled hackers by providing access to sophisticated malware infrastructure.35 Prominent RaaS groups like Akira, RansomHub, and Cl0p are expected to remain aggressive actors, exploiting vulnerabilities, compromised credentials, and employing double-extortion tactics (encrypting data and exfiltrating it for public release).35 The risk of international sanctions looms large for these threat actors, leading to a growing reluctance to associate with business models under constant disturbance.34 This pressure has driven out many players from the traditional ransomware market, resulting in a patchwork of nomadic lone operators and state-linked actors who are experimenting in the cyber extortion space.34

Other Financially Motivated Cybercriminals and Hacktivists

Transnational criminal organizations (TCOs) are actively engaged in diverse illicit activities, including cyber operations, money laundering, and human trafficking, posing threats to US security and prosperity.38 Hacktivists, driven by political sympathies, often pursue cyber disruption for social or political causes, and in some cases, their activities may have elements of state sponsorship.5

Identity theft is diversifying, with stolen identities increasingly used to create fraudulent cryptocurrency accounts and manipulate financial systems.39 Artificial Intelligence (AI) adds a new layer of complexity to these criminal endeavors, enabling criminals to bypass identity verification through the creation of convincing deepfakes and synthetic identities.39 AI-powered scams are projected to soar, as the commoditization of AI tools lowers the barrier to entry for sophisticated social engineering attacks, leading to a sharp increase in financial losses.39

The blurring lines between financially motivated cybercrime, particularly Ransomware-as-a-Service (RaaS), and state-sponsored activity significantly complicate attribution and response efforts. This dynamic potentially provides plausible deniability for nation-states, allowing them to leverage criminal enterprises as proxies or testing grounds for state-level operations. This implies that a purely criminal justice approach is insufficient; national security agencies must increasingly engage with and disrupt what appear to be purely criminal enterprises. The rise of AI-powered social engineering further exacerbates this challenge, requiring a fundamental shift in defensive strategies from purely technical solutions to robust human training and advanced behavioral analytics to detect increasingly convincing deceptive tactics.

III. Technological Frontiers: Impact on US Cybersecurity by 2030

The trajectory of US cybersecurity by 2030 will be profoundly influenced by advancements in key technological frontiers: Artificial Intelligence, Quantum Computing, and the Internet of Things. Each presents both unprecedented opportunities for defense and significant new vectors for attack.

A. Artificial Intelligence (AI): Dual-Use Capabilities

Artificial Intelligence is rapidly transforming the cybersecurity landscape, functioning as both a powerful accelerator for cyberattacks and a game-changer for defensive capabilities.

AI’s Role in Accelerating Cyberattacks

AI is dramatically changing the threat landscape, significantly accelerating the speed of cyberattacks, with breakout times often shrinking to under an hour.41 Cybercriminals are leveraging AI to craft highly convincing phishing emails, create realistic fake websites, and generate deepfake videos, enabling the delivery of personalized, realistic messages and methods that can bypass traditional detection mechanisms on an unprecedented scale.40 Beyond social engineering, AI-driven offensive tactics include data poisoning, where attackers manipulate the training data of AI models to induce incorrect or harmful outputs; prompt injection attacks, which exploit vulnerabilities in AI language models by embedding malicious instructions; and enhanced password cracking, accelerating brute-force attacks by predicting and testing combinations at unprecedented speeds.40 Furthermore, adaptive malware, utilizing machine learning, can mutate its code structure and attack vectors in real-time, detect sandbox environments, and adjust to endpoint security protocols, making it increasingly difficult for static detection systems to identify and neutralize.42

AI’s Role in Enhancing Defensive Capabilities

Despite its utility for attackers, AI is simultaneously a transformative tool for cybersecurity defense.41 It significantly enhances security measures, reduces the manual workload for human security teams, and strengthens overall defenses against evolving cyber risks.40 AI-driven security systems can analyze vast amounts of data in real-time, providing crucial context across disparate data silos, identifying anomalies, and detecting potential breaches before they escalate.40 These systems can also predict potential vulnerabilities based on historical data, enabling proactive threat hunting.40 AI-driven automation is revolutionizing how organizations allocate their cybersecurity resources by automating lower-risk, repetitive tasks such as routine system monitoring and compliance checks. This frees human experts to focus on strategic security measures and high-priority threats, improving overall efficiency and response times.40 AI is also proving crucial in combating ransomware and is expected to accelerate Security Operations Center (SOC) automation, with AI agents potentially working alongside humans in semi-autonomous roles for alert triage, investigation, and response.41

US Government Investment and Ethical Guidelines for AI in Defense

The US government is making significant investments in Artificial Intelligence for defense operations, recognizing its transformative potential for national security. The FY 2025 Defense Appropriations Act allocates substantial funding to bolster AI-driven technologies within the military, with the aim of improving decision-making processes, enhancing operational efficiency, and refining predictive analytics.43 This includes $500 million above the budget request specifically for Combatant Commands to adopt and implement AI capabilities.43 OpenAI has secured a Pentagon contract worth up to $200 million to develop “prototype frontier AI” for both back-office business functions and frontline warfighting operations, including “agentic workflows” or semi-autonomous AI agents.44 The Chief Digital and AI Office (CDAO) was established in 2022 to merge existing AI efforts and serve as a central hub for AI projects across defense agencies.44 Task Force Lima, run by CDAO, has been assessing the reliability and value of new AI waves, effectively giving the technology its blessing with extensive technical guardrails and procedural precautions.44

Furthermore, the Department of Defense (DoD) has implemented Responsible AI Guidelines to ensure that ethical principles are integrated into all phases of AI system development and deployment, from planning to operation.45 CISA, in collaboration with the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), has released joint guidance on securing data used to train and operate AI systems, emphasizing the critical role of data security in ensuring AI accuracy, integrity, and trustworthiness.46

The dual-use nature of AI creates an escalating cyber arms race where defensive AI must continuously outpace offensive AI. The significant US government investment in AI, particularly for defense, signals a strategic recognition that AI is not merely a tool but a fundamental component of future national security capabilities. However, the explicit emphasis on ethical concerns and the necessity for guardrails highlight a political tension between the imperative for rapid technological adoption and the commitment to responsible deployment. This tension will likely influence the pace and nature of AI integration by 2030, shaping not only domestic policy but also international norms around the use of AI in warfare.

B. Quantum Computing: Cryptographic Challenges and Post-Quantum Transition

Quantum computing presents one of the most profound long-term challenges to current cybersecurity paradigms, particularly regarding cryptographic systems.

The “Harvest Now, Decrypt Later” Threat

Quantum computing poses a significant, existential threat to much of the public-key cryptography (e.g., RSA, Diffie-Hellman, Elliptic Curve-based encryption) currently used to secure trillions of dollars in daily transactions and sensitive data globally.47 Experts anticipate that cryptanalytically relevant quantum computers (CRQC), capable of breaking conventional encryption, could emerge within the next decade.49 A critical and immediate concern is the “harvest now, decrypt later” threat, where adversaries are already collecting encrypted sensitive data with the expectation of decrypting it in the future once powerful quantum systems become available.49 This transforms quantum computing from a distant theoretical concern into an immediate national security vulnerability, as data stolen today could be compromised years from now.

NIST’s PQC Standards and the Federal Government’s Migration Strategy and Timeline

The US government is actively pressing federal agencies to adopt post-quantum cryptographic (PQC) standards into their procurement processes.49 The National Institute of Standards and Technology (NIST) is leading the global transition to PQC, having finalized three quantum-safe encryption protocols.49 NIST has established firm timelines for this transition: widely used algorithms like RSA-2048 and ECC-256 will be officially deprecated by 2030 and completely disallowed after 2035.51 For practical purposes, industry analysts advise treating 2029 as the operational deadline for PQC migration.51

The Department of Homeland Security (DHS) Post-Quantum Cryptography Roadmap and CISA’s PQC Initiative oversee activities in critical areas such as risk assessment across critical infrastructure, planning resource allocation, developing policy and standards, and engaging stakeholders to foster adoption.53 Specifically, by December 1, 2025, the Office of Management and Budget (OMB) for non-National Security Systems (NSS) and the National Security Agency (NSA) for NSS are required to issue requirements for agencies to support PQC transition as soon as practicable, but no later than January 2, 2030.54 International efforts are also underway, with the European Union initiating a coordinated effort for Member States to switch critical infrastructure to quantum-resistant encryption by 2030.55

The “harvest now, decrypt later” threat is the critical political driver behind the aggressive PQC adoption timelines. It means that the long-term value of data stolen today extends into the quantum future, making PQC an urgent, present-day defense requirement, not merely a future-proofing exercise. The political decision to mandate these timelines reflects this urgency.

Table 1: Timeline for Post-Quantum Cryptography Transition in US Critical Infrastructure

| Milestone/Deadline | Entity/Action | Impact/Significance | Source Snippets |
|---|---|---|---|
| May 2025 | Post-Quantum Cryptography Coalition (PQCC) releases PQC Migration Roadmap. | Provides guidance for organizations of all sizes to navigate the transition. | 94 |
| Dec 1, 2025 | OMB (non-NSS) and NSA (NSS) to issue requirements for agencies to support PQC. | Mandates federal agencies to prepare for PQC transition. | 54 |
| End of 2026 | EU Member States to initiate national PQC transition strategies. | Indicates international alignment and urgency for PQC adoption. | 55 |
| Jan 2, 2030 | US Federal agencies required to support PQC. | Key deadline for federal government to transition to quantum-safe encryption. | 54 |
| By 2030 | NIST: RSA-2048 and ECC-256 algorithms officially deprecated. | Marks the official shift away from vulnerable algorithms; organizations must have transitioned. | 51 |
| No later than End of 2030 | EU: Critical infrastructure required to complete PQC transition for high-risk use cases. | Highlights critical infrastructure as a priority for quantum-safe security. | 55 |
| By 2035 | NIST: RSA-2048 and ECC-256 algorithms completely disallowed. | Final deadline for legacy cryptography, emphasizing the need for full migration. | 51 |

Challenges in PQC Adoption

Despite clear policy directives and the looming threat, the implementation of PQC has been slow. A recent survey indicated that only 5% of organizations had begun deploying quantum-safe encryption, even though 69% recognized the looming quantum risk.49 The transition is also projected to be costly, with estimates exceeding $7.1 billion for the federal government alone, excluding classified systems operated by the Department of Defense and intelligence agencies.49 The complexity of integrating PQC into existing systems, particularly within critical infrastructure sectors that often rely on long-lifecycle legacy systems, requires specialized expert guidance and customized solutions.56

The slow adoption rate and high cost indicate that despite policy directives, significant technical and financial hurdles remain, potentially creating a “cryptographic cliff” for unprepared sectors by 2030. This implies a critical need for sustained political will and consistent funding to ensure compliance and avoid catastrophic data breaches in the future. Without accelerated efforts, the United States could face a growing backlog of vulnerable systems, directly impacting national security and economic stability.

C. Internet of Things (IoT) and Critical Infrastructure Vulnerabilities

The proliferation of Internet of Things (IoT) devices represents a significant expansion of the digital attack surface, introducing both convenience and substantial cybersecurity challenges.

Projected Growth of IoT Devices and Associated Security Challenges

The number of IoT devices is projected to grow exponentially, from an estimated 18 billion currently to 32 billion by 2030.58 Some projections suggest this figure could even reach trillions by 2040.59 This massive expansion creates an increasingly vast and complex attack surface for malicious actors.58 IoT devices inherently pose unique security challenges due to their general lack of native defenses, often incorporating minimal built-in protective software.58 Vulnerabilities frequently stem from poor setup or maintenance practices, including the use of embedded non-encrypted passwords that are difficult to change, infrequent or unsafe security updates, and resource constraints (limited storage and processing power) that make them susceptible to attacks like Denial-of-Service (DoS).58 Historically, many operational technology (OT) systems were not designed with the same level of connectivity as modern IoT, leading to significant vulnerabilities when these disparate systems are coupled together.58 This is particularly critical in OT and Industrial Control Systems (ICS) environments, which control essential services like power grids and water treatment facilities.4 Examples of vulnerable sectors extend to automobiles, where malicious access could lead to physical risks like remote control of critical functions, and various industrial equipment.58

US Government Initiatives and Regulations for Securing Critical Infrastructure and Smart Cities

The US government recognizes the critical importance of securing IoT, especially in connected communities and critical infrastructure, given that compromise of these devices can lead to data theft and significant disruption of services or critical processes.57 The Internet of Things Cybersecurity Improvement Act of 2020 was a significant step, establishing minimum security requirements for IoT devices owned or controlled by the federal government.63 This legislation mandated the National Institute of Standards and Technology (NIST) to publish standards and guidelines, including minimum information security requirements for secure development, identity management, patching, and configuration management of vulnerable IoT devices.63 The Office of Management and Budget (OMB) is subsequently required to review and align federal security policies with these NIST recommendations.63

Beyond federal systems, CISA’s Connected Communities Initiative and the Department of Homeland Security (DHS) Science and Technology (S&T) Directorate’s Smart City Internet of Things Innovation (SCITI) Labs initiative focus on applying new and existing technologies to public safety and national security needs, specifically including cybersecurity for IoT and Industrial Control Systems.62 Securing smart cities requires comprehensive strategies that address the unique challenges of municipal IoT deployments, such as managing diverse technology vendors, integrating with legacy systems, ensuring public accessibility, maintaining operational continuity, and complying with multiple regulatory frameworks.57 The NIST IoT Cybersecurity Framework provides crucial guidance that increasingly informs regulatory requirements across these domains.65

The exponential growth of IoT devices, combined with their inherent security weaknesses and the challenges of integrating them with legacy critical infrastructure, creates a systemic vulnerability that could be exploited for widespread disruption by 2030. While legislation like the IoT Cybersecurity Improvement Act is a positive step, its primary focus on federal devices means that a significant portion of the broader IoT ecosystem, particularly commercial and consumer devices, remains less regulated. This implies a growing political imperative to extend “security by design” principles and stricter regulations to all commercial IoT devices and services. This could involve market incentives or liability shifts to compel manufacturers to embed security from the outset, thereby preventing cascading failures across interdependent critical sectors and raising the baseline security posture of the entire digital ecosystem.

IV. Domestic Policy and Strategic Initiatives to 2030

The effectiveness of US cybersecurity by 2030 will largely depend on the successful execution of domestic policy and strategic initiatives, encompassing budget allocation, workforce development, regulatory frameworks, and the adoption of advanced security architectures.

A. Budget Allocation and Investment Trends

The financial commitment to safeguarding digital assets within both enterprise and governmental sectors is poised for significant expansion in the coming years.

Overall Cybersecurity Market Growth and Investment

The global cybersecurity market is projected to reach $434.76 billion by 2029.66 Cumulative global investment in cybersecurity products and services is expected to surpass $1 trillion within the next five years.67 The US market alone was estimated at $9.7 billion in 2023.61 This robust surge in expenditure is primarily driven by the increasing volume and sophistication of global cyber threats, the fundamental operational reliance of businesses on interconnected digital systems, and the rapid proliferation of new technologies such as the Internet of Things (IoT).67

Prioritization of Advanced Security Technologies

Cybersecurity spending is consistently on the rise, with 15.1% of organizations reporting increased security budgets in 2025, and an overall annual growth rate of 8%.66 Businesses are strategically shifting their investments towards advanced security technologies, particularly Artificial Intelligence (AI), machine learning, and next-generation threat detection systems.66 AI-driven security tools, comprehensive cloud security solutions, and robust threat intelligence platforms are identified as the top three spending priorities for organizations, reflecting a proactive approach to emerging cyber threats.66

Projected US Federal Spending

An examination of the Cybersecurity and Infrastructure Security Agency’s (CISA) President’s Budget for FY2025 reveals an overall increase in Operations and Support ($2.5 billion) and Mission Support ($485 million).68 However, there is a slight decrease in the direct Cybersecurity budget, projected at $1.24 billion, compared to FY2023/2024 enacted levels.68 Within the Cybersecurity allocation, funds are distributed across critical areas such as Cyber Operations, Threat Hunting, Vulnerability Management, and Capacity Building.68 The Defense Information Systems Agency (DISA) Cyber budget for FY2025 is $504.896 million, specifically focusing on delivering enterprise solutions for Combatant Commands and Department of Defense (DoD) components, with an emphasis on aligning with Zero Trust and software-defined network architectures.69 Overall federal contract obligations for cybersecurity services and solutions reached nearly $5.8 billion in FY2025 through mid-May, indicating a significant market, with spending concentrated in a few top departments but diversified among many firms.70

The slight decrease in CISA’s direct cybersecurity budget for FY2025, despite an increase in overall operations funding, suggests a potential reallocation or reclassification of funds, or perhaps an assumption of greater efficiency from integrated operations. This apparent contradiction implies a political risk if core cybersecurity functions are inadvertently underfunded relative to the escalating threat landscape, or if the anticipated efficiencies from “integrated operations” do not materialize as planned by 2030. The outcome of this budget allocation strategy will be crucial for the nation’s cyber resilience, highlighting the ongoing challenge of transparently tracking and attributing specific cybersecurity investments across a complex federal budget.

B. Workforce Development and Talent Retention

A persistent and critical challenge for US cybersecurity is the talent and skills gap, which continues to grow in scale and urgency.

Addressing the Persistent Cybersecurity Talent and Skills Gap

The cybersecurity industry faces an astounding 457,000 job openings nationwide by 2025, with roles in cybersecurity expanding at a rate 2.4 times faster than other job sectors.71 Despite this high demand, only 14% of organizations globally report having the necessary skilled talent to meet their cybersecurity objectives.72 The core issue is not simply a lack of people, but a lack of the “right people with the right skills”.73 Significant skills gaps are identified in emerging and critical areas such as Artificial Intelligence (34%) and cloud computing security (30%).74

The shift in focus from a “talent shortage” to a “skills gap” implies that traditional recruitment and education models are insufficient. By 2030, success will depend on the US government’s ability to rapidly re-skill its existing workforce and cultivate new talent with specialized expertise in emerging areas like AI and post-quantum cryptography, rather than simply increasing headcount. This requires a political commitment to agile, continuous learning models and potentially incentivizing private sector training programs to bridge the specialized knowledge deficit.

Strategies for Recruitment, Training, and Retention

The Federal Cybersecurity Workforce Strategy emphasizes accountability for managing cybersecurity risk within executive departments and agencies, including ensuring the effectiveness of their cybersecurity workforces.75 The NICE Workforce Framework for Cybersecurity provides a nationally focused resource that establishes a common lexicon to help employers develop their cybersecurity workforce across public, private, and academic sectors.76

Strategies to address the talent and skills gap include expanding training initiatives for entry-level professionals, upskilling the current workforce, and creating clear, accessible pathways into the cybersecurity profession.71 This involves investing in educational programs, industry certifications (such as CISSP, CEH, and Security+), and flexible online learning platforms.71 Cyber ranges are identified as vital for hands-on, realistic training, simulating real-world cyber threats and enabling team-based incident response exercises in high-pressure environments.71 Retention strategies are also crucial, focusing on fostering flexible work environments, providing robust development programs, and establishing clearly defined career paths.73 Furthermore, there is a growing focus on diversity, with women’s representation in the cybersecurity workforce projected to reach 30% by 2025.50

C. Regulatory Frameworks and Public-Private Collaboration

The US cybersecurity landscape is increasingly shaped by evolving regulatory frameworks and a growing emphasis on public-private collaboration.

Evolution of Federal Laws and NIST Guidelines

US cybersecurity operates within a complex web of laws, which vary depending on the state, industry, and type of data involved.77 Key federal laws include the Health Insurance Portability and Accountability Act (HIPAA) for patient health information, the Federal Information Security Modernization Act (FISMA) for government agency systems (overhauled in 2023 for improved inter-agency coordination), and the Payment Card Industry Data Security Standard (PCI DSS), with version 4.0 becoming mandatory in 2024.77

Recent regulatory developments include the Securities and Exchange Commission (SEC) incident disclosure regulations, effective December 2023, which require publicly traded companies to report material cybersecurity incidents within four business days.77 The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), passed in March 2022, mandates CISA to develop rules for critical infrastructure companies to report covered cybersecurity incidents within 72 hours.77 The Executive Order on Improving the Nation’s Cybersecurity, signed in 2021, aimed to modernize federal cybersecurity, enhance public-private collaboration, and establish the Cyber Safety Review Board (CSRB) to review major incidents and derive lessons learned.1

NIST guidelines, particularly the NIST Cybersecurity Framework (CSF) 2.0, released in 2024, provide voluntary but widely adopted guidance for managing cybersecurity risks across organizations of all sizes and sectors.79 CSF 2.0 introduces a new GOVERN function, emphasizing the importance of governance and supply chains in cybersecurity risk management.79

Scaling Public-Private Collaboration

The 2023 National Cybersecurity Strategy explicitly promotes collaboration between the private and public sectors, outlining structured models for support and enhanced data sharing to enable faster threat response.1 CISA serves as the National Coordinator for Critical Infrastructure Security and Resilience, actively working with partners at every level to identify and manage risk to cyber and physical infrastructure.81 CISA’s Joint Cyber Defense Collaborative (JCDC) is a key initiative that unifies cyber defense capabilities from government, industry, and international organizations, facilitating rapid threat information sharing, the creation of world-class cybersecurity guidance, and the execution of coordinated plans to counter adversaries.82 The Cyber Safety Review Board (CSRB) plays a crucial role in bringing together public and private sector leaders to review major incidents and share lessons learned.1

Information Sharing Challenges

Despite these collaborative efforts, a significant vulnerability exists: the Cybersecurity Information Sharing Act (CISA 2015), which is critical for facilitating threat information sharing between federal agencies and companies, is set to expire on September 30, 2025.83 Its expiration could jeopardize a wide range of information-sharing partnerships, including crucial private-to-private sharing, and complicate defenders’ ability to monitor and prioritize threats.83

The proliferation of new regulations and the evolution of frameworks like NIST CSF 2.0 indicate a growing political will to impose minimum cybersecurity requirements and accountability across critical sectors. However, the potential expiration of the Cybersecurity Information Sharing Act represents a significant political vulnerability. If not reauthorized, it could severely cripple the public-private information sharing mechanisms that are explicitly called for and central to the 2023 National Cybersecurity Strategy. This implies that by 2030, the United States will either have a more robust, legally protected information-sharing ecosystem or face a fragmented and less effective defense posture, directly impacting its ability to respond to evolving threats.

D. Zero Trust Architecture and Secure by Design Principles

The US cybersecurity strategy is undergoing a fundamental paradigm shift, moving from traditional perimeter-based defenses to more proactive and continuous security models, notably Zero Trust Architecture and “secure by design” principles.

Implementation Progress and Challenges of Zero Trust

Zero Trust Architecture (ZTA) is a cybersecurity approach that fundamentally assumes no user or device can be trusted, regardless of its location or previous verification. It continuously evaluates and verifies every access request, aiming to prevent attackers who have gained initial access from moving freely within the network and causing widespread damage.3 The ZTA market is experiencing rapid growth, projected to reach $38.37 billion in 2025 and more than double by 2030, with 81% of organizations planning to implement it by 2026.50 This accelerated adoption is driven by the increasing frequency of cyberattacks, the widespread shift to remote working environments, and the tightening of privacy regulations.50

The Office of Management and Budget (OMB) Memorandum M-22-09 provides comprehensive guidance for federal agencies to transition towards Zero Trust principles, with CISA overseeing and advising on implementation plans.84 Federal agencies have made significant progress in initial Zero Trust activities, such as implementing phishing-resistant multi-factor authentication (MFA), deploying endpoint detection and response (EDR) systems, and segmenting networks.85 However, substantial challenges remain, primarily due to the burden of legacy technical debt and the potential operational impact of widespread changes to critical mission systems.85

The widespread adoption of Zero Trust and “secure by design” principles represents a fundamental paradigm shift from reactive perimeter defense to proactive, continuous verification and embedding security from the outset. However, the persistent challenge of “legacy technical debt” in federal agencies and critical infrastructure implies that achieving true Zero Trust and supply chain integrity by 2030 will require substantial, sustained investment and a political willingness to modernize or decommission outdated systems. Failure to address this could create significant security gaps, even with advanced policies in place.

Emphasis on Secure Software Development and Supply Chain Integrity

The 2023 National Cybersecurity Strategy explicitly calls for “security in design” to be a core principle.1 Executive Order 14028, signed in 2021, established baseline security standards for software sold to the government, requiring developers to maintain greater visibility into their software and make security data publicly available.78 This order mandates an update to the Secure Software Development Framework (SSDF) to include practices for the secure and reliable development and delivery of software, as well as the security of the software itself.86 There is a strong and growing emphasis on safeguarding software supply chains to mitigate risks stemming from open-source and third-party software vulnerabilities.86 This focus is critical, as Gartner predicts that by 2025, nearly 45% of organizations will experience a supply chain cyberattack, a threefold increase from 2021.50

V. International Cooperation and Geopolitical Dynamics

The global nature of cyberspace necessitates robust international cooperation and a clear understanding of geopolitical dynamics to effectively secure US interests by 2030.

A. Alliances and Norms Development

International partnerships are a cornerstone of US cybersecurity strategy, aimed at bolstering collective defense and establishing responsible behavior in cyberspace.

Strengthening Integrated Cyber Defense with Allies

The 2023 National Cybersecurity Strategy places significant emphasis on forging international partnerships to pursue shared goals.1 CISA’s International Strategic Plan for 2025-2026 outlines key objectives: bolstering the resilience of foreign infrastructure critical to US interests, strengthening integrated cyber defense with allies, and unifying agency coordination of international activities.87 This involves fostering collaborative relationships, sharing expertise, technical resources, and best practices to collectively fortify cyber resilience against emerging threats in an interconnected world.87

Key alliances play a vital role in this integrated defense. The North Atlantic Treaty Organization (NATO) remains a crucial forum, though the 2025 NATO Summit is recognized as a potential target for various threat actors.88 The US will likely advocate for an increased focus on China-nexus threats within NATO.88 The Five Eyes (FVEY) intelligence alliance, comprising Australia, Canada, New Zealand, the United Kingdom, and the United States, continues to be a robust global surveillance mechanism. It has adapted to new domains such as international terrorism and cyberattacks, providing a strategic advantage in understanding and responding to global events through comprehensive intelligence sharing.89

Challenges and Successes in Developing International Cyber Norms and Treaties

Efforts to establish international norms and treaties for cyberspace are ongoing. The United Nations Convention against Cybercrime, slated to be open for signature in October 2025, represents the first comprehensive global treaty on this matter, aiming to strengthen international cooperation and streamline electronic evidence sharing for serious crimes.90 International humanitarian law principles are also seen as providing a framework for responsible behavior in cyberspace.91

Despite these initiatives, significant challenges persist in developing universally accepted international cyber norms. China’s active promotion of “cyber sovereignty,” which advocates for state control over the internet, directly contrasts with widely held international norms that champion a free and open internet.8 Furthermore, the United States currently lacks specific cyber treaties with major adversaries like Russia and China, which hinders accountability for cyberattacks originating from those nations.60 The increasing complexity of cyberspace and escalating geopolitical tensions underscore the imperative for unprecedented levels of international cooperation to address shared cyber challenges.91

While the US prioritizes strengthening alliances like NATO and Five Eyes for integrated cyber defense, the lack of formal cyber treaties with major adversaries such as Russia and China represents a critical political gap in establishing accountability and effective deterrence. By 2030, the success of international cyber cooperation will depend on whether the US can bridge this gap through continued diplomatic efforts to establish universally accepted norms of responsible state behavior in cyberspace, or if the “cyber sovereignty” model prevails, leading to a more fragmented and less predictable global cyber landscape.

B. Cyber Deterrence and Persistent Engagement

The US cyber warfare doctrine has evolved to adopt a more proactive posture, reflecting the continuous nature of cyber threats.

Evolution of US Cyber Warfare Doctrine

The US Cyber Command operates under a “persistent engagement” model, supported by a “defend forward” operational concept.92 This doctrine represents a strategic shift towards continuously engaging adversaries as close as possible to the origin of their malicious activity. The objective is to expose adversaries’ weaknesses, gather intelligence on their intentions and capabilities, and counter attacks at their source.93 This proactive approach seeks to impose tactical friction and strategic costs on adversaries, compelling them to shift resources to defense and ultimately reduce their offensive cyber operations against the United States.93

The “persistent engagement” and “defend forward” doctrines signify a proactive and aggressive shift in US cyber deterrence, moving beyond passive defense to continuous disruption of adversarial operations. This implies a political acceptance of operating in a “gray zone” below the threshold of armed conflict. However, the lack of clear, mutually agreed-upon rules or treaties with major adversaries means that this proactive posture operates without established boundaries, increasing the risk of miscalculation or escalation by 2030.

Geopolitical Impact on OT/ICS Environments and Critical Infrastructure Protection

Geopolitical tensions have increasingly spilled into the cyber domain, escalating into a new form of warfare where cyberattacks serve both as tools for espionage and as weapons of disruption. This has had a pronounced impact on Operational Technology (OT) and Industrial Control Systems (ICS) environments globally.60 The growing convergence of IT and OT networks has expanded the attack surface, making it imperative for nations and corporations to bolster their cyber defenses.60 China, in particular, is identified as the biggest threat to critical infrastructure systems.60 Modern warfare increasingly leverages cyberspace as a battlefield, with nation-states utilizing cyber capabilities to pursue geopolitical objectives through espionage, sabotage, information warfare, economic attacks, and political manipulation.60

C. Lessons from Global Conflicts (Russia-Ukraine)

The ongoing Russia-Ukraine War has served as a “laboratory of innovation and adaptation” in cyber warfare, providing critical global relevance and invaluable lessons for future large-scale combat operations between major powers.18

Key Takeaways for US Defense

The conflict has highlighted several crucial lessons for US defense planning by 2030:

  • Adaptive Warfare: Both Russian and Ukrainian forces have demonstrated remarkable agility, rapidly adapting to new technologies and tactics, with Russian forces showing adaptation in mere weeks.18 Future warfare will be characterized by innovations that continuously adapt as technologies evolve.18
  • AI Integration: Ukraine has effectively leveraged AI-enabled software and data platforms to enhance its decision-making speed for both warfare and governance.18 This demonstrates that AI-driven logistics and quantum-enhanced simulations will be critical determinants of which militaries can sustain modern war, with AI-powered swarm warfare and AI-assisted targeting becoming standard tools.19
  • Commercial Technology Integration: The conflict has underscored the effectiveness of low-cost, high-impact technologies. Ukraine’s extensive use of cheap, expendable drones (costing hundreds to thousands of dollars) has delivered precision weapons at scale, proving capable of neutralizing expensive traditional military platforms.18 The war has also seen unprecedented integration of dual-use commercial space capabilities, providing asymmetric advantages on the battlefield.18 This highlights the need for rapid acquisition processes driven by direct feedback from warfighters.18
  • Public-Private Collaboration: Ukraine’s robust cyber defense efforts, significantly aided by a volunteer “Cyber Army,” have successfully safeguarded critical logistics networks.18 The conflict has underscored that collaboration between government and the private sector is indispensable, particularly given that over 90% of Western countries’ cyber infrastructure is privately owned and operated.17

The Ukraine conflict underscores a critical shift: future warfare is increasingly characterized by rapid technological adaptation, the pervasive integration of commercial AI and dual-use technologies, and the indispensable role of public-private partnerships. This implies a political imperative for the US to accelerate its own defense acquisition processes, foster deeper collaboration with its tech industry, and potentially rethink traditional military structures to integrate agile, commercially-driven innovation more effectively by 2030.

VI. Strategic Outlook for 2030: Strengths, Challenges, and Recommendations

As the United States approaches 2030, its cybersecurity posture will be a testament to its ability to navigate a rapidly evolving digital landscape. A synthesis of current trends and projected developments reveals both significant strengths and persistent vulnerabilities.

Synthesis of Key Findings

The United States possesses a robust and evolving policy framework, exemplified by the 2023 National Cybersecurity Strategy and various Executive Orders, which provide a clear strategic direction. There is substantial and increasing R&D investment in cutting-edge technologies like Artificial Intelligence and Post-Quantum Cryptography. The nation benefits from established and strong international alliances, such as the Five Eyes and NATO, which facilitate integrated cyber defense and intelligence sharing. CISA serves as a dedicated coordinating agency, unifying efforts across government and with the private sector. Critically, there is a growing political recognition of cybersecurity as a strategic imperative, leading to increased budget allocations and a proactive shift towards modern defense doctrines like Zero Trust and “defend forward.”

However, the threat landscape is increasingly sophisticated. Nation-states like China, Russia, Iran, and North Korea employ advanced tactics, including pre-positioning for critical infrastructure attacks, AI-driven operations, and financially motivated cybercrime used for state funding. The “harvest now, decrypt later” threat from quantum computing poses an existential risk to current encryption, demanding an urgent transition. The massive expansion of vulnerable Internet of Things (IoT) devices creates an ever-growing attack surface, particularly within critical infrastructure. Domestically, a persistent cybersecurity workforce skills gap, the burden of legacy technical debt in federal systems, and the potential expiration of crucial information-sharing legislation (CISA 2015) present significant vulnerabilities. Internationally, the lack of universally accepted cyber norms and binding treaties with major adversaries complicates deterrence and accountability.

Identification of Critical Vulnerabilities and Areas Requiring Intensified Focus

Several critical areas demand intensified focus to ensure the US maintains a robust cybersecurity posture by 2030:

  • Bridging the Policy-Implementation Gap: Despite strong policy directives, the actual implementation of “secure by design” principles, Zero Trust architectures, and Post-Quantum Cryptography across the vast federal and critical infrastructure landscape faces significant hurdles, particularly related to legacy systems and the substantial costs of modernization.
  • Addressing the Skills Mismatch: The cybersecurity workforce challenge is not merely about increasing headcount but about developing specialized skills in rapidly evolving areas like AI, cloud security, and Operational Technology/Industrial Control Systems (OT/ICS) security. This requires adaptive training and retention strategies.
  • Securing the Expanding Attack Surface: The proliferation of insecure IoT devices and the ongoing IT/OT convergence in critical infrastructure demand more comprehensive regulatory and market-shaping interventions to mandate security from the outset.
  • Sustaining Information Sharing: The potential expiration of the Cybersecurity Information Sharing Act (CISA 2015) threatens a fundamental pillar of public-private collaboration and threat intelligence exchange, which is vital for collective defense.
  • Navigating Geopolitical Cyber Escalation: The increasingly aggressive posture of adversaries, combined with a lack of clear international norms for cyberspace, increases the risk of miscalculation and necessitates continuous adaptation of deterrence strategies.
  • Modernizing Legacy Critical Infrastructure: The continued reliance on outdated technologies in critical infrastructure sectors significantly increases their susceptibility to exploitation, demanding a concerted effort for modernization.

High-Level Recommendations for Policy, Investment, and Strategic Partnerships

To address these challenges and capitalize on existing strengths, the following high-level recommendations are imperative for US cybersecurity by 2030:

  • Accelerate and Enforce PQC Migration: Prioritize and allocate substantial, sustained funding for the full transition to post-quantum cryptography across all critical federal and private sector systems by 2030. Establish clear accountability mechanisms for compliance, incentivize vendor adoption of PQC standards, and proactively address the “harvest now, decrypt later” threat by securing data that could be vulnerable to future quantum attacks.
  • Mandate and Incentivize “Security by Design” for IoT and Software: Expand regulatory and market-based initiatives to compel manufacturers and developers to embed security from the outset, particularly for IoT devices and software impacting critical infrastructure. Consider legislative or policy shifts that introduce liability for insecure products to drive market forces towards inherently more secure solutions.
  • Invest Strategically in AI for Defensive Capabilities: Maintain and increase robust funding for AI research and development focused on defensive applications, including advanced threat detection, automated response, and secure software development. Simultaneously, establish and enforce clear ethical guidelines and ensure human oversight in all AI-driven systems to mitigate risks and maintain trust.
  • Transform Cybersecurity Workforce Development: Implement aggressive, skills-based training programs, leveraging advanced cyber ranges and fostering deeper public-private partnerships, to cultivate specialized expertise in AI, cloud security, and OT/ICS. Develop innovative retention strategies to attract and keep top talent within both government and critical private sectors.
  • Reauthorize and Strengthen Cyber Information Sharing Legislation: Ensure the timely and comprehensive reauthorization of the Cybersecurity Information Sharing Act to preserve and enhance critical public-private threat intelligence exchange. Explore mechanisms to further streamline and incentivize information sharing while protecting privacy.
  • Enhance International Cyber Diplomacy: Pursue multilateral and bilateral engagements with renewed vigor to establish and enforce clear international norms of responsible state behavior in cyberspace, particularly with major powers. The goal should be to enhance accountability, reduce the risk of miscalculation, and foster a more stable global cyber environment.
  • Modernize Legacy Critical Infrastructure: Implement targeted, long-term funding programs and policy incentives for critical infrastructure owners and operators to upgrade outdated systems and operational technologies. This systematic modernization is crucial to reduce the attack surface for both state-sponsored and non-state actors and enhance overall national resilience.

Conclusion

By 2030, USA cybersecurity will be at a critical juncture, defined by its ability to adapt to an increasingly complex and adversarial digital landscape. The strategic foundations laid by current policies, coupled with significant investments in emerging technologies and a commitment to public-private collaboration, position the nation for enhanced resilience. However, persistent challenges, particularly the “harvest now, decrypt later” quantum threat, the vast and vulnerable IoT ecosystem, and the critical skills gap, demand sustained political will and agile execution. The geopolitical environment will continue to shape the cyber domain, necessitating a proactive “defend forward” posture balanced with robust international diplomacy to establish and enforce norms. Ultimately, the strength of US cybersecurity in 2030 will be a direct reflection of its capacity to integrate technological innovation, policy foresight, and collaborative action across all sectors, ensuring a secure and prosperous digital future.


