Safeguarding American Transportation and Infrastructure Networks


Andrew Grotto
December 10, 2025
In 2018, Andrew Grotto wrote, “Cyber Security Derailed? Recommendations for Smarter Investments in Infrastructure,” where he argued that as the United States modernizes its infrastructure and transportation networks, cybersecurity measures to protect them must be front and center. Seven years later, amidst a changing security landscape, we asked Andrew to revisit his argument.

Image: Ben Schumin via Wikimedia Commons

In your article, “Cyber Security Derailed? Recommendations for Smarter Investments in Infrastructure,” published in 2018, you argued that the U.S. must take cybersecurity readiness and resilience as seriously as it does traditional threats. Since 2018, cybersecurity and the role technology plays in everyday life have jumped in scale and proportion. What is the state of America’s cyber risk management in 2025?

Surveys of business leaders show high levels of concern about cyber risks, but surveys from a decade ago show the same thing, and this long-standing concern hasn’t generated obvious results.

For example, the prevalence of zero-day vulnerabilities in popular software has gotten much worse. I interpret this as a sign that many vendors aren’t getting stronger signals from the marketplace to build more secure software. Another indicator is the trend of year-over-year increases in ransomware attacks. If organizations were getting materially better at security, we ought to be seeing fewer successful attacks.

To be sure, measurement is tricky for cyber security. The data isn’t great and indicators like the ones above are noisy. For example, the ever-increasing complexity of software and the high value of possessing new exploits could be factors behind the proliferation of zero-days. On the other hand, some vendors seem more prone to zero-days than others, so vendors clearly have some agency over this problem.

Security is costly. For information technology vendors, it’s a speed bump for cool new products or features. For their customers in critical infrastructure and beyond, security is typically
