Realigning incentives for long-term cyber resilience
As the Trump administration refines its cybersecurity, resilience, and critical infrastructure security strategies—most recently through its June 2025 Executive Order amending EO 14144 and EO 13694—it continues to build upon the vision laid out in the 2023 National Cybersecurity Strategy (NCS), the most comprehensive articulation to date of how the U.S. government (USG) aims to secure our digital future.
The NCS introduces two foundational shifts: (1) rebalancing the responsibility to defend cyberspace, and (2) realigning incentives to favor long-term investment. These are not mere policy tweaks; they represent a strategic reorientation. The second shift, which focuses on realigning incentives for long-term investment, is especially critical as it drives the design of a future digital ecosystem that is secure by design and resilient by default.
Long-term investment incentives aren’t just important; they’re essential to national security. Digital infrastructure underpins every critical function of American life, from defense and energy to healthcare and finance. The Chinese Communist Party (CCP) and other adversaries exploit this hyper-connectivity—America is the most connected nation on Earth—by targeting systemic vulnerabilities in our critical infrastructure and short-term security gaps to gain a strategic advantage.
Achieving this shift demands more than a change in mindset; it requires realigning incentives across the ecosystem to reward resilience and long-term planning. A culture of deterrence by denial—one that denies adversaries strategic leverage and enables rapid recovery—cannot thrive if our economic and policy structures continue to reward short-term fixes.
Cyberattacks will inevitably succeed; in this reality, readiness and recovery must become core elements of national cyber strategy and system design, not optional add-ons.
CVEs, KEVs, and the strategic cost of vulnerabilities
CISA tracks Known Exploited Vulnerabilities (KEVs)—also called Common Vulnerabilities and Exposures (CVEs)—because they are central indicators of systemic risk across both public and private digital infrastructure. Many of these vulnerabilities remain unpatched for months or even years, leaving open fault lines in our national cyber posture. CISA’s KEV Catalog isn’t just a list of technical bugs—it’s a real-time record of how adversaries, including nation-states, exploit flaws in widely used technologies to gain access, disrupt services, and steal intelligence.
This reactive model—identify, patch, repeat—is failing and becoming unsustainable. Organizations incur both direct and indirect costs when pursuing CVEs: the manpower needed to identify, test, and deploy patches; the operational downtime that disrupts services; and the diversion of resources from long-term security investments. As the number of new CVEs continues to rise, treating every vulnerability equally becomes inefficient and costly, especially since only a small fraction is actively exploited. This treadmill of patching drains capacity and keeps defenders in a reactive posture.
The cost of CVEs is profound. A single exploited vulnerability can ripple across systems, disrupting critical infrastructure and public trust, and stalling economic productivity. But these are not just technology failures—they reflect deeper failures of incentive alignment and system design. One core driver is digital consolidation.
A few hyperscalers and service providers dominate current cloud infrastructure, cybersecurity tools, and enterprise platforms. This concentration centralizes risk: a single flaw in a widely used Microsoft product or an AWS-hosted SaaS platform can instantly impact thousands of organizations, including hospitals, utilities, and government systems.
This consolidation of digital infrastructure creates predictable, easily recognizable high-value targets. A single vulnerability, replicated across multiple environments, greatly expands the threat surface and increases the potential impact of each exploited flaw.
Benefits of forging a path of resilience
Persistent vulnerabilities—such as the CVEs tracked by CISA—hinder the long-term vision outlined in the National Cybersecurity Strategy: a digital ecosystem that is resilient by design. These recurring weaknesses illustrate just how fragile today’s infrastructure remains and emphasize the need to move beyond reactive security. We cannot achieve resilience by continually patching the same flaws across millions of interconnected systems.
As the National Cybersecurity Strategy stresses, the U.S. cyber posture must be agile enough to adapt as adversaries evolve their tactics and capabilities. A resilient infrastructure—with secure dependencies, practiced coordination, and robust recovery plans—can shift us from reacting to disruption to anticipating and absorbing it. This shift also frees decision-makers to think strategically rather than operate in crisis mode. Just as importantly, it signals readiness to adversaries, raising the cost of attack, undermining their confidence in success, and strengthening deterrence.
To achieve lasting cybersecurity, the United States must confront the systemic risk posed by CVEs, which disrupt critical infrastructure and undermine the security of our communities. These vulnerabilities, intensified by digital consolidation, weaken the foundation of our digital ecosystem. As the National Cybersecurity Strategy clarifies, genuine resilience demands more than patching flaws—it requires building inherently secure, distributed systems.
But we won’t get there without changing the underlying incentives. As long as speed to market and cost efficiency take precedence over security in the digital marketplace, patching will remain our default response, and resilience will remain out of reach. Moving beyond CVE-driven defense means reengineering not only our systems but also our incentives, so that long-term security becomes the most rational, profitable, and expected outcome of innovation. That’s how we shift from managing threats to shaping the future.