The Role of Government in Cybersecurity: Policies and Initiatives

img blog role government cybersecurity policies initiatives
logo adaptive

In 1964, Bob Dylan released an album called “The Times They Are a-Changin.” One haunting part of the lyrics could be applied to the current state of cyber threats…

“Come senators, congressmen
Please heed the call
Don’t stand in the doorway
Don’t block up the hall
For he that gets hurt
Will be he who has stalled
The battle outside ragin’
Will soon shake your windows
And rattle your walls
For the times they are a-changin’”

When cyberthreats have gotten to the point that governments have to get involved, you know it’s got to be serious. And why are they getting involved? Because individuals, businesses, healthcare, public, private, and government entities have elected to throw caution to the wind.

Most people don’t seem to realize that as the digital landscape continues to evolve, so do the threats posed by malicious actors seeking to exploit vulnerabilities for various purposes, ranging from espionage to financial gain. In this context, the role of government in cybersecurity has taken center stage, prompting the need for comprehensive policies and initiatives to fortify defenses, respond to incidents, and ensure the resilience of national digital infrastructures.

The once hesitant government is now forced to create various policies and initiatives that nations will deploy to navigate the complex challenges posed by an ever-evolving cyber threat landscape. For the purposes of this article, we will focus on the United States and Canada.

In excerpts pulled from an exhaustive 39-page report, created by the White House, they wrote, “Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.

This strategy recognizes that robust collaboration, particularly between the public and private sectors, is essential to securing cyberspace. It also takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small organizations.

By working in partnership with industry; civil society; and State, local, Tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and more equitable. We will realign incentives to favor long-term investments in security, resilience, and promising new technologies.

Emerging Trends

Software and systems are growing more complex, providing value to companies and consumers but also increasing our collective insecurity. Too often, we are layering new functionality and technology onto already intricate and brittle systems at the expense of security and resilience. The widespread introduction of artificial intelligence systems—which can act in ways unexpected to even their own creators—is heightening the complexity and risk associated with many of our most important technological systems.

The Internet continues to connect individuals, businesses, communities, and countries on shared platforms that enable scaled business solutions and international exchange. But this accelerating global interconnectivity also introduces risks. An attack on one organization, sector, or state can rapidly spill over to other sectors and regions.

As our lives become intertwined with video and audio streaming, wearable devices, and biometric technologies, the quantity and intimacy of personal data collection is growing exponentially.

Theft of that data is also growing rapidly and opening up novel vectors for malicious actors to surveil, manipulate, and blackmail individuals. Next-generation interconnectivity is collapsing the boundary between the digital and physical worlds and exposing some of our most essential systems to disruption.

Our factories, power grids, and water treatment facilities, among other essential infrastructure, are increasingly shedding old analog control systems and rapidly bringing online digital operational technology (OT). Advanced wireless technologies, IoT, and space-based assets—including those enabling positioning, navigation, and timing for civilian and military uses, environmental and weather monitoring, and everyday Internet-based activities from banking to telemedicine—will accelerate this trend, moving many of our essential systems online and making cyberattacks inherently more destructive and impactful to our daily lives.

Malicious Actors

Malicious cyber activity has evolved from nuisance defacement to espionage and intellectual property theft, to damaging attacks against critical infrastructure, to ransomware attacks and cyber-enabled influence campaigns designed to undermine public trust in the foundation of our democracy. Once available only to a small number of well-resourced countries, offensive hacking tools and services, including foreign commercial spyware, are now widely accessible.

The cyber operations of criminal syndicates now represent a threat to the national security, public safety, and economic prosperity of the United States and its allies and partners. Ransomware incidents have disrupted critical services and businesses across the country and around the world, from energy pipelines and food companies to schools and hospitals.


Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity.

A single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences. Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual Citizens.

The government’s role is to protect its own systems; to ensure private entities, particularly critical infrastructure, are protecting their systems; and to carry out core governmental functions such as engaging in diplomacy, collecting intelligence, imposing economic costs, enforcing the law, and, conducting disruptive actions to counter cyber threats. Together, industry and government must drive effective and equitable collaboration to correct market failures, minimize the harms from cyber incidents to society’s most vulnerable, and defend our shared digital ecosystem.


Our economy and society must incentivize decision-making to make cyberspace more resilient and defensible over the long term. Balancing short-term imperatives against a long-term vision will be no easy task. We must defend the systems we have now while investing in and building toward a future digital ecosystem that is more inherently defensible and resilient.

This strategy outlines how the Federal Government will use all tools available to reshape incentives and achieve unity of effort in a collaborative, equitable, and mutually beneficial manner. We must ensure that market forces and public programs alike reward security and resilience, build a robust and diverse cyber workforce, embrace security and resilience by design, strategically coordinate research and development investments in cybersecurity, and promote the collaborative stewardship of our digital ecosystem. To achieve these goals, the Federal Government will focus on points of leverage, where minimally invasive actions will produce the greatest gains in defensibility and systemic resilience.

Defend Critical Infrastructure

Collaboration to address advanced threats will only be effective if owners and operators of critical infrastructure have cybersecurity protections in place to make it harder for adversaries to disrupt them. The Administration has established new cybersecurity requirements in certain critical sectors.

In other sectors, new authorities will be required to set regulations that can drive better cybersecurity practices at scale. This Administration has conducted sector-specific engagement with industry to construct consistent, predictable regulatory frameworks for cybersecurity that focus on achieving security outcomes and enabling continuity of operations and functions while promoting collaboration and innovation.

We must build new and innovative capabilities that allow owners and operators of critical
infrastructure, Federal agencies, product vendors and service providers, and other stakeholders to effectively collaborate with each other at speed and scale. Federal agencies that support critical infrastructure providers must enhance their own capabilities and their ability to collaborate with other Federal entities.

When incidents occur, Federal response efforts must be coordinated and tightly integrated with private sector and State, local, Tribal, and territorial (SLTT) partners.

Finally, the Federal Government can better support the defense of critical infrastructure by making its own systems more defensible and resilient. This Administration is committed to improving Federal cybersecurity through long-term efforts to implement a zero-trust architecture strategy and modernize IT and OT infrastructure.

In doing so, Federal cybersecurity can be a model for critical infrastructure across the United States for how to successfully build and operate secure and resilient systems.


While voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. Today’s marketplace insufficiently rewards—and often disadvantages—the owners and operators of critical infrastructure who invest in proactive measures to prevent or mitigate the effects of cyber incidents.

Regulation can level the playing field, enabling healthy competition without sacrificing cybersecurity or operational resilience. Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector’s risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of

New and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.

A collaborative process between industry and regulators will produce regulatory requirements that are operationally and commercially viable and will ensure the safe and resilient operation of critical infrastructure.

The most effective and efficient regulatory frameworks will be those put in place well before a crisis rather than through the imposition of emergency regulations after a crisis occurs.

Regulations will define minimum expected cybersecurity practices or outcomes, but the Administration encourages and will support further efforts by entities to exceed these requirements.


Different critical infrastructure sectors have varying capacities to absorb the costs of cybersecurity, ranging from low-margin sectors that cannot easily increase investment without intervention to those where the marginal costs of improving cybersecurity can be absorbed. In some sectors, regulation may be necessary to create a level playing field so that companies are not trapped in a competition to underspend their peers on cybersecurity.

In other sectors, regulators are encouraged to ensure that necessary investments in cybersecurity are incentivized through the rate-making process, tax structures, or other mechanisms. In setting new cybersecurity requirements, regulators are encouraged to consult with regulated entities to understand how those requirements will be resourced. In seeking new regulatory authority, the Administration will work with Congress to develop regulatory frameworks that take into account the resources necessary to implement them.


Internet of Things (IoT) devices, including both consumer goods like fitness trackers and baby monitors, as well as industrial control systems and sensors, introduce new sources of connectivity in our homes and businesses.

However, many of the IoT devices deployed today are not sufficiently protected against cybersecurity threats. Too often, they have been deployed with inadequate default settings, can be difficult or impossible to patch or upgrade, or come equipped with advanced—and sometimes unnecessary—capabilities that enable malicious cyber activities on critical physical and digital systems.

Recent IoT vulnerabilities have shown just how easily bad actors can exploit these devices to construct botnets and conduct surveillance. The Administration will continue to improve IoT cybersecurity through Federal research and development (R&D), procurement, and risk management efforts, as directed in the IoT Cybersecurity Improvement Act of 2020.

In addition, the Administration will continue to advance the development of IoT security labeling programs, as directed under EO 14028, “Improving the Nation’s Cybersecurity.” Through the expansion of IoT security labels, consumers will be able to compare the cybersecurity protections offered by different IoT products, thus creating a market incentive for greater security across the entire IoT ecosystem.

Invest in a Resilient Future

A resilient and flourishing digital future tomorrow begins with investments made today. We can build a more secure, resilient, privacy-preserving, and equitable digital ecosystem through strategic investments and coordinated, collaborative action.

Foundational elements of our digital ecosystem, like the Internet, are products of sustained and mutually supporting investments by both public and private sector entities. However, public and private investments in cybersecurity have long trailed the threats and challenges we face. As we build a new generation of digital infrastructure, from next-generation telecommunications and IoT to distributed energy resources, and prepare for revolutionary changes in our technology landscape brought by artificial intelligence and quantum computing, the need to address this investment gap has grown more urgent.

Secure the Technical Foundation of the Internet

The Internet is critical to our future but retains the fundamental structure of its past. Many of the technical foundations of the digital ecosystem are inherently vulnerable. Every time we build something new on top of this foundation, we add new vulnerabilities and increase our collective risk exposure. We must take steps to mitigate the most urgent of these pervasive concerns such as Border Gateway Protocol vulnerabilities, unencrypted Domain Name System requests, and the slow adoption of IPv6.

Such a “clean-up” effort to reduce systemic risk requires identification of the most pressing of these security challenges, further development of effective security measures, and close collaboration between public and private sectors to reduce our risk exposure without disrupting the platforms and services built atop this infrastructure.

Prepare for the Post-Quantum Future

Strong encryption is foundational to cybersecurity and global commerce. It is the primary way we protect our data online, validate end users, authenticate signatures, and certify the accuracy of information. But quantum computing has the potential to break some of the most ubiquitous encryption standards deployed today. We must prioritize and accelerate investments in the widespread replacement of hardware, software, and services that can be easily compromised by quantum computers so that information is protected against future attacks.

Strengthen the Cyber Workforce

Today, there are hundreds of thousands of unfilled vacancies in cybersecurity positions nationwide, and this gap is growing. Both private-sector and public-sector employers face challenges in recruiting, hiring, and retaining professionals to fill these vacancies, which negatively impacts our collective cybersecurity.
To address this challenge, ONCD will lead the development and oversee the implementation of a National Cyber Workforce and Education Strategy. This strategy will take a comprehensive and coordinated approach to expanding the national cyber workforce, improving its diversity, and increasing access to cyber educational and training pathways.

It will address the need for cybersecurity expertise across all sectors of the economy, with a special focus on critical infrastructure, and will enable the American workforce to continue to innovate in secure and resilient next-generation technologies. The strategy will strengthen and diversify the Federal cyber workforce, addressing the unique challenges the public sector faces in recruiting, retaining, and developing the talent and capacity needed to protect Federal data and IT infrastructure. And, the strategy will recognize that cyber workforce challenges are not unique to the United States, expanding upon and drawing inspiration from efforts underway in other countries.”

Canada has some new cyber security legislation of its own…

Proposed Canadian Federal Cybersecurity Legislation
In excerpts from an article by JDSupra, they wrote, “On February 1, 2024, the Standing Committee on Public Safety and National Security (Committee) began its study of Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts (Bill C-26 or Bill), nearly one year after it completed its second reading in the House of Commons.

On June 14, 2022, the government tabled Bill C-26. If it passes, it would enact the Critical Cyber Systems Protection Act (CCSPA or Act). The CCSPA imposes a series of cybersecurity-related obligations on private-sector entities in four federally regulated sectors: telecommunications, finance, energy, and transportation. The Act would apply to industries providing “vital services” or “vital systems” as set out in Schedule 1 and classes of designated operators identified in Schedule 2 of the CCSPA.

The vital services and systems currently set out in Schedule 1 are:

  • Telecommunications services;
  • Interprovincial or international pipeline and power line systems;
  • Nuclear energy systems;
  • Transportation systems within the legislative authority of Parliament;
  • Banking systems; and
  • Clearing and settlement systems.

The CCSPA would provide the Governor in Council (i.e., Federal Cabinet) with powers to add or remove sector-specific services and systems from Schedule 1.

The CCSPA would impose five key cybersecurity compliance obligations on designated operators:

  1. The CCSPA requires that designated operators implement a cybersecurity program with risk mitigation measures and a governance framework to identify and manage organizational risk in respect of its critical cyber systems. Critical cyber systems are defined in the CCSPA as cyber systems that, if their confidentiality, integrity, or availability were compromised, could affect the continuity or security of one of the vital services or systems set out in Schedule 1.
  2. Designated operators would be obligated to identify cybersecurity risks in their supply chain or use of third-party products and services and take reasonable steps to mitigate that risk, including steps prescribed by future regulation.
  3. Designated operators would also be required to report a “cybersecurity incident” in a two-step process. A “cybersecurity incident” is any incident that interferes or may interfere with the continuity or security of a vital service or system or the confidentiality, integrity, or availability of the critical cyber system. First, designated operators must “immediately” report a cybersecurity incident to the Canadian Security Establishment (CSE) in the manner prescribed by future regulation. Second, a designated operator must also notify its responsible regulator, such as the Minister of Industry or the Bank of Canada, “immediately after reporting a cybersecurity incident” to the CSE.
  4. Designated operators would be required to comply with any measure to protect a critical cyber system set out in a binding direction from the Governor in Council. Designated operators cannot disclose the contents or existence of such a direction.
  5. Designated operators would be required to keep records demonstrating the implementation of their cybersecurity program and reports of any cybersecurity incident. These records must be maintained within Canada.

The CCSPA would be enforced through an administrative monetary penalty schem to be developed further in regulation. The CCSPA authorizes a maximum penalty of C$15-million for designated operators and C$1-million for directors and officers. Non-compliance with certain provisions of the CCSPA may alternatively be prosecuted as an offense punishable with criminal fines and/or imprisonment. Furthermore, industry regulators will have expanded powers to compel information, conduct inspections of the premises of designated operators, and issue notices of non-compliance to ensure compliance with the CCSPA.

For a comprehensive review of the Bill, see our Blakes Bulletin: House of Commons Introduces Bill C-26: Proposed Federal Cybersecurity Legislation

In order to become law, Bill C-26 must complete its Committee study, and pass a third reading in the House of Commons and three readings in the Senate. Although its future is uncertain, the compliance obligations required by the CCSPA represent cybersecurity best practices that most organizations should implement to strengthen their cybersecurity posture, protect critical assets, and guard against third-party risk.”


The evolving landscape of cyber threats demands a proactive and collaborative approach between governments and private entities. As the digital realm becomes increasingly intricate, the role of government in cybersecurity is paramount. The urgency is underscored by the realization that cyber threats not only jeopardize individual privacy but also pose substantial risks to national security, economic prosperity, and the smooth functioning of critical infrastructure.

The United States and Canada, recognizing the gravity of the situation, are at the forefront of formulating comprehensive policies and initiatives. The White House’s cybersecurity strategy emphasizes the necessity of robust collaboration between the public and private sectors, acknowledging that the burden of cybersecurity cannot rest solely on end-users and small organizations.

The focus is on rebalancing responsibilities, realigning incentives for long-term investments, and defending critical infrastructure through effective collaboration.
In tandem, Canada is contemplating the enactment of the Critical Cyber Systems Protection Act (CCSPA), which would impose cybersecurity obligations on designated operators in vital sectors. The proposed legislation outlines a framework for implementing cybersecurity programs, managing risks in the supply chain, reporting incidents promptly, and enforcing compliance through penalties and regulatory measures.

The global nature of cyber threats requires international cooperation, and both nations are aligning their efforts with industry stakeholders, regulators, and other governments. The emphasis is on creating a secure, resilient, and equitable digital ecosystem through strategic investments, collaborative actions, and the development of a skilled cyber workforce.

As we navigate the ever-changing cyber landscape, the imperative is clear: governments must play a pivotal role in shaping and enforcing policies that safeguard the digital infrastructure, protect sensitive information, and ensure the continuity of essential services. The commitment to long-term resilience, innovative cybersecurity measures, and international collaboration will be instrumental in addressing the dynamic challenges posed by malicious actors in the digital realm. The call to action is urgent, echoing Bob Dylan’s timeless words – “For the times, they are a-changin’.”

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every device connecting to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at