
Spain’s Huawei Deal Is a Wake-Up Call for U.S. Federal Procurement Reform

Daria Bahrami
August 5, 2025

The United States holds tremendous untapped leverage in the global technology competition: $774 billion in annual federal procurement spending based on 2024 numbers. This purchasing power, when applied to automated and robust security standards, could drive allies toward demonstrably superior American technology solutions over Chinese and other alternatives — not through diplomatic pressure, but through technical merit.

The White House has recognized this potential. The recent AI Action Plan emphasizes the importance of a robust AI procurement toolbox, while the June 2025 “Policy-as-Code” executive order directs federal agencies to automate security standards and compliance. By building on this foundation and prioritizing security research through continued coordination with the National Institute of Standards and Technology, the United States can leverage procurement requirements to determine and automate baseline security requirements for critical infrastructure.

As a policy lead at Dreadnode, an offensive AI company that develops offensive security tools and services for enterprise and government clients, I work at a company that could have a commercial stake in this debate. Even so, this analysis is based on my experience as technical advisor to DARPA’s Artificial Intelligence Cyber Challenge and my ongoing research into how strategic policy solutions can effectively address cybersecurity challenges at scale.

Current U.S. approaches to technological competition rely primarily on restrictions rather than innovation. In order to preserve a global order favorable to American power, Washington needs to lead by example in the emerging technology market, where technological choices are inextricably linked to geopolitical positioning. America’s competitive advantage lies in creating security standards that others choose to adopt voluntarily. By expanding Policy-as-Code beyond consumer devices to AI systems and critical infrastructure, the United States can lead through innovation rather than restriction — making security, transparency, and resilience the foundation of global technological leadership.

Why Data Control Equals Strategic Control

Spain’s recent decision to award Huawei a 12.3-million-euro ($14.2 million) intelligence collection contract reflects a calculated bet. Despite “growing unrest” among Spanish National Police and Guardia Civil over Chinese involvement in sensitive systems, Spain likely chose competitive pricing and geopolitical insurance to avoid retaliation from Chinese suppliers amidst mounting geopolitical tensions.

But this strategy directly contradicts the approach taken by NATO allies, many of whom have been building a collective security approach against Chinese technological infiltration, driven by documented Chinese-linked attacks and longstanding Western alliance structures. In fact, the European Union’s classification of Huawei as a “high-risk supplier” and its blanket blacklist against Huawei-affiliated lobbying groups have motivated most European countries to remove high-risk suppliers from their infrastructure.

When adversaries control critical infrastructure, compromised or opaque security measures create opportunities for malicious data exfiltration of real-time intelligence information. Data leaks or exposures may not hold much significance in a vacuum, but they ultimately serve as precursors for adversarial manipulation, blackmail, or harm. Gaining insights into private conversations or system security configurations could enable adversaries to conduct espionage, distribute misinformation campaigns, and even deploy successful attacks against critical infrastructure, commercial, and government networks.

This risk amplifies given Huawei’s pivot towards AI-centric infrastructure to process intercepted communications, which inherently creates multiple attack vectors. These vectors include data poisoning, where Chinese intelligence could subtly alter stored wiretap data to influence AI analysis; pattern recognition, by which access to wiretap storage systems could reveal Spanish intelligence priorities and methods; and operational disruption, through which the infrastructure could be compromised or shut down remotely.

Evidence of China-linked cyber-operations continues to mount, particularly in the United States. Chinese hackers have maintained hidden access to U.S. critical infrastructure for up to five years, prepositioning themselves to disrupt operational technology in the event of conflict. These findings prompted unprecedented international coordination in July 2024, when eight allied nations jointly warned about Chinese state-sponsored activity in their networks. Tensions reached new heights in 2025: The U.S. Justice Department charged 12 Chinese nationals in March, while China responded in April by publicly accusing three NSA hackers for the first time — a tit-for-tat escalation that many view as the groundwork for digital warfare.

The threat landscape has fundamentally shifted: Attacks now originate from anywhere, adversaries compromise systems in minutes while defenses take hours or weeks to respond, and cloud computing enables non-state actors to achieve nation-state-level impact. Chinese operations succeeded by exploiting a critical asymmetry — while China integrates state and corporate data control into unified strategic objectives, the United States relies on fragmented security approaches across agencies and contractors that create exploitable gaps. Justice Department findings reveal that Chinese hackers achieved multi-year dwell time in American software precisely because American systems have prioritized functionality over security architecture. This bilateral competition extends far beyond technology — it directly impacts global values, norms, and behaviors, while simultaneously driving countries to pursue their own technological sovereignty as insurance against potential U.S.-Chinese escalations.

Federal procurement reform offers a direct pathway to address these systemic vulnerabilities, so long as security features are prioritized and packaged as a differential advantage. This vulnerability gap highlights why the United States should leverage its greatest asset: the innovation capacity of American technology companies guided by strategic government requirements.

The Procurement Advantage: Policy-as-Code

The Trump administration’s June 2025 cybersecurity executive order represents crucial progress. Policy-as-Code essentially converts written security policies into computer code that can automatically check compliance. Instead of human auditors manually reviewing whether a system meets requirements from frameworks like the Federal Information Security Modernization Act or FedRAMP, software can instantly verify compliance and flag violations. By January 2027, agencies may purchase only consumer Internet of Things devices whose security controls can be automatically verified through machine-readable formats.

This policy shift highlights a recognition that America’s competitive advantage lies in creating security standards that scale at machine speed rather than human speed — a decisive shift toward automation-based compliance that promises faster, more accurate, and less expensive security assessments. While this initial focus on consumer Internet of Things devices marks important progress, the strategy should expand to AI systems and cloud infrastructure to match China’s comprehensive approach, with continued federal support for the National Institute of Standards and Technology’s role in developing these compliance frameworks.

The federal procurement market impact extends far beyond government contracts. When the U.S. government establishes automated security standards, it drives industry-wide adoption that strengthens the entire technology ecosystem. Any company selling software, cloud services, or connected devices to the public sector will soon need to prove that its security controls are written and enforced through machine-readable rules. Companies that move early to implement Policy-as-Code gain competitive advantages when new procurement rules shape purchasing decisions, while those that wait risk shrinking market share once manual compliance processes become obsolete.

It’s important to acknowledge a few known challenges up front. The first relates to spending power. Of the $774 billion in procurement funds, federal agencies allocated approximately $95 billion to information technology investments in fiscal year 2024, with the Department of Defense spending an additional $37 billion. This doesn’t include additional discretionary spending, though it highlights a strong investment baseline along with an opportunity for increased funding in resilient information technology. The second challenge is that these funds often flow through established contractor networks, creating barriers for innovative companies that lack the resources to navigate time-intensive manual compliance processes. By replacing manual audits with standardized machine-readable evaluations, Policy-as-Code removes the resource barriers that favor large contractors over smaller, innovative firms. Finally, open-source evaluation standards can establish minimum security baselines for low-risk applications. Coupled with clear, incremental advances in security requirements for higher-risk applications, companies will be better situated to compete on security merit than bureaucratic capacity.

The timeline is already set: Agencies must pilot Policy-as-Code by June 2026, and suppliers must attach machine-readable security labels by January 2027. To further ensure the effectiveness of this approach, Policy-as-Code should be amplified to streamline burdensome patch and remediation processes. The act of building and testing a security patch to address a vulnerability or misconfiguration often relies on manual reviews and approvals, along with ample legal considerations. This is where automated vulnerability detection and remediation research efforts, such as those pursued by DARPA’s Artificial Intelligence Cyber Challenge, deserve more investment and opportunities for operationalization.

Organizations that translate policy into executable pipelines — with continuous monitoring of patch status and automated compliance verification — will close vulnerabilities faster, reduce assessment costs, and enter procurement competitions as trusted partners. This approach addresses the core vulnerabilities like delayed patching that enabled Chinese long-term access to U.S. systems, but only if the automated standards include ongoing security hygiene requirements like timely software updates, regular vulnerability scanning, access monitoring, and data backups, rather than just point-in-time compliance checks.
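
To make the difference between point-in-time and continuous verification concrete, the following added example (not part of the original article, and not drawn from the executive order or any agency tooling) encodes the hygiene requirements listed above as machine-readable rules and evaluates one supplier attestation on two dates. The field names, freshness windows, and sample attestation are assumptions constructed for illustration.

```python
from datetime import date

# Hypothetical policy: attestation field -> maximum evidence age in days.
# Field names and windows are illustrative assumptions, not federal values.
POLICY = {
    "last_patch_applied": 30,
    "last_vulnerability_scan": 7,
    "last_access_log_review": 7,
    "last_backup_verified": 1,
}

# Constructed sample attestation a supplier might submit on audit day.
SAMPLE = {
    "system": "example-gateway",
    "last_patch_applied": "2025-06-01",
    "last_vulnerability_scan": "2025-06-10",
    "last_access_log_review": "2025-06-09",
    "last_backup_verified": "2025-06-10",
}


def evaluate(attestation, today, policy=POLICY):
    """Return a list of violations; an empty list means compliant today."""
    violations = []
    for field, max_age in policy.items():
        raw = attestation.get(field)
        if raw is None:
            violations.append(f"{field}: missing evidence")
            continue
        try:
            seen = date.fromisoformat(raw)
        except (TypeError, ValueError):
            violations.append(f"{field}: unparseable date {raw!r}")
            continue
        age = (today - seen).days
        if age < 0:
            # Evidence dated after the evaluation date cannot be trusted.
            violations.append(f"{field}: dated in the future")
        elif age > max_age:
            violations.append(f"{field}: {age} days old, limit {max_age}")
    return violations


if __name__ == "__main__":
    # Same attestation, two evaluation dates: passes the audit, then drifts.
    for day in (date(2025, 6, 10), date(2025, 8, 5)):
        result = evaluate(SAMPLE, day)
        print(day, "COMPLIANT" if not result else result)
```

The attestation that is fully compliant on its audit date fails every rule eight weeks later, which is the gap a one-time manual review cannot see and a scheduled evaluation can.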

Setting Global Standards Through Innovation

The U.S. government’s procurement requirements create a powerful mechanism for setting global technology standards and are that much stronger when powered by focused research and development efforts. However, security alone rarely drives competitive adoption in global markets. This mirrors how many foundational internet technologies evolved: The Internet formally operated from 1983 without robust security protocols until market opportunity drove innovation. When the Morris Worm (1988) exposed vulnerabilities in the Internet, it sparked defensive measures, security practices, and accelerated security research priorities for the digital domain. Subsequent enabling technologies of the Internet that enhance security have been largely spurred by market incentives and industry collaboration — consider the evolution of firewalls from the early 1990s, or the development of the Secure Sockets Layer in 1995 and later the Transport Layer Security in 1999. To that end, these security-first or secure-by-design models have been adopted variably depending on the degree to which security protocol adoption improved functionality or performance.

The Policy-as-Code approach can recognize this reality by embedding security requirements within clear operational use cases that offer economic benefits. Rather than asking allies to adopt technology purely for security reasons, automated compliance checking offers tangible advantages: reduced assessment costs, accelerated procurement timelines, and streamlined market access. When security becomes inseparable from operational efficiency and market competitiveness, adoption follows business logic rather than security evangelism.

The competitive advantage is sustainable precisely because it’s based on innovation rather than restriction. Rather than asking allies to reject Chinese suppliers — a strategy that failed with Spain’s recent Huawei contract — the United States can create demonstrably superior alternatives that are more secure, transparent, and adaptable to evolving threats. This approach builds what diplomatic pressure cannot: voluntary adoption of American security standards by allies who recognize their technical merit.

By focusing on security capabilities rather than country of origin, this strategy addresses concerns about trade barriers while encouraging global competition. Companies worldwide can compete by meeting American security standards, creating a race to the top that ensures security remains paramount while establishing the technological foundation for secure global digital infrastructure.

Conclusion

Spain’s 12.3-million-euro Huawei contract — awarded despite allied warnings and E.U. classifications of the company as “high-risk” — exposes the fundamental weakness of America’s restriction-based approach to technological competition. When the United States incentivizes the development of resilient systems instead, it enhances collective security with allies and partners. This strategy positions the United States to lead a coalition-based approach to cyber defense, where its soft power comes from facilitating collaborative solutions to shared security challenges.

The $774 billion U.S. federal procurement lever offers a different path forward. By implementing Policy-as-Code standards that make security inseparable from operational efficiency, the United States can create the technological foundation that allies will choose voluntarily. The race for technological dominance will be won not by those who restrict competitors, but by those who innovate solutions to shared security challenges.

This approach transforms America’s greatest vulnerability — fragmented security across agencies and contractors — into its greatest strength: the innovation capacity of American technology companies guided by strategic government requirements. When security becomes automated, scalable, and economically advantageous, the race for technological dominance shifts from who can restrict competitors to who can innovate solutions that others want to adopt. In an era where technological choices determine geopolitical positioning, leadership through innovation remains America’s most sustainable competitive advantage.

Daria Bahrami is the head of policy at Dreadnode, an offensive AI security startup, where she shapes strategic policy initiatives at the intersection of artificial intelligence and cybersecurity. She previously served as technical advisor to DARPA’s AI Cyber Challenge, lead cyber threat intelligence analyst at Deloitte Global, and program manager for Cybersecurity and Emerging Threats at the R Street Institute. Daria has a degree from Georgetown University’s School of Foreign Service with a focus on military, cyber, and space security policy.

Image: Ángel M. Felicísimo via Wikimedia Commons
