joyce-cyber-vqkkn

Podcast: Emerging AI Threat Landscape

Tue, 13 Jan 2026 19:14:05 GMT

What does rapid AI advancement mean for new offense and the defense?

Nation-state cyber threats have fundamentally changed. It's no longer about espionage—it's about pre-positioning inside critical infrastructure to trigger societal panic when conflicts escalate.

In this episode of the AI Proving Ground Podcast, I join WWT's Madison Horn to discuss how AI is compressing the gap between vulnerability discovery and exploitation, why agentic AI changes the attacker's playbook, and how defenders must now leverage AI as a force multiplier just to keep pace.

Listen to the episode.
https://www.wwt.com/video/former-nsa-cyber-director-on-the-emerging-ai-threat-landscape

Infrastructure as a Strategic Target of War

Mon, 05 Jan 2026 16:04:42 GMT

The environment has changed...

Infrastructure disruption is no longer a side effect of conflict—it's a deliberate instrument of state power.

Recent U.S. government acknowledgments of cyber-enabled operations during military campaigns signal a meaningful shift: power grids, communications networks, and critical systems are now overt targets. For operators, boards, and technology providers, this changes everything.

In our latest piece with WWT, we break down what this means for threat models, resilience planning, and governance—when disruption isn't accidental, it's strategic.

Read the article I co-authored with World Wide Technology.

https://www.wwt.com/blog/infra structure-as-a-strategic-target-of-war

Navigating the cyber front line in a shifting world order

Mon, 15 Dec 2025 15:52:45 GMT

Geopolitical Risk

Cybersecurity isn't just shaped by geopolitics anymore—it is the front line where power is projected and contested.

Nation-states are embedding themselves in critical infrastructure. Hyperscalers have become strategic targets. Cybercrime has professionalized into an industry. And agentic AI is introducing risks we're only beginning to understand.

In our latest piece with PwC, we break down the four strategic shifts reshaping cyber risk—and what CISOs need to do right now to lead through it.

Read the post I co-authored with PwC here:

https://www.p wc.com/gx/en/issues/cybersecurity/navigating-the-cyber-front-line.h tml

Risky Business #808 -- Insane megabug in Entra left all tenants exposed

Wed, 24 Sep 2025 14:27:13 GMT

Risky Business Podcast

On this week’s show Patrick Gray and special guest Rob Joyce discuss the week’s cybersecurity news, including:

Secret Service raids a SIM farm in New York
MI6 launches a dark web portal
Are the 2023 Scattered Spider kids finally getting their comeuppance?
Production halt continues for Jaguar Land Rover
GitHub tightens its security after Shai-Hulud worm

This week’s episode is sponsored by Sublime Security. In this week’s sponsor interview, Sublime founder and CEO Josh Kamdjou joins host Patrick Gray to chat about the pros and cons of using agentic AI in an email security platform.

Watch on Youtube:

https://youtu.be/xn63oyBFLW4

Cyber Victim Notification Working Group

Mon, 25 Aug 2025 17:06:05 GMT

Adding detail to the concepts of the Cyber Safety Review Board

I was part of the working group on victim notification processes that was lead by Rob Knake sponsored by the Institute for Security and Technology (IST).

Timely victim notification is essential after cyber incidents, but today’s systems fall short. Companies often have only a single email address to reach victims, leaving messages distrusted or overlooked. Many recipients can’t tell a real alert from a phishing lure, and even when they do, they may lack the knowledge to act effectively.

The Cyber Safety Review Board (CSRB) recommended that cloud service providers explore an “‘amber alert’ style” system for high-impact incidents, delivered natively through mobile devices. While promising, such a system faces serious hurdles—technology integration, governance, and the need for broad industry cooperation. Given these challenges, adoption is unlikely unless the scope expands beyond narrow “high-impact” cases to cover a wider range of account compromises.

Some recommendations emerged for near-term actions while larger efforts are developed: Providers should refine current notification practices, develop middleware for private cross-platform delivery, and strengthen post-notification support.

Download the full report here:

https://securityandtechnology.org/wp-content/uploads/2025/08/Amber_Alert_Report-08-25.pdf

Managing the Cyber Risks for AI Agents

Sat, 23 Aug 2025 14:59:44 GMT

Plan for security in your sprint to deploy.

AI is advancing at an unprecedented pace and being deployed rapidly at scale. With breakthrough innovation comes new threats, evolving risks, and greater responsibilities. In this paper, we dive into how organizations can effectively harness the power of autonomous AI agents while managing cyber risk, trust, and resilience.

I was a contributing author to this PwC piece on Managing the Cyber Risks for AI Agents.

https://explore.pwc.com/autonomous-ai-in-cyber/ai-control

OpEd - HPE and Juniper Part 2

Sat, 16 Aug 2025 14:02:33 GMT

This is a subtitle for your new post

America’s contest with China isn’t just about troops, ships, and weapons—it’s also about control of digital infrastructure. The recent approval of HPE’s acquisition of Juniper Networks marks more than a corporate merger; it represents a strategic win in the battle for secure, trusted communications. For years, Huawei has dominated the global telecom market, embedding its equipment into critical networks worldwide despite the risks of espionage and disruption. By combining scale, R&D strength, and a secure supply chain, the new HPE-Juniper entity offers allies a viable American-made alternative. Every customer it draws away from Huawei is not only a market gain but a national security advantage. I wrote a follow up OpEd on why this is important merger to allow.

Full OpeEd here:

https://www.washingtonexaminer.com/restoring-america/courage-strength-optimism/3500592/strategic-win-against-china-digital-empire/

AI agents: Your next insider threat?

Mon, 11 Aug 2025 19:47:34 GMT

This is a subtitle for your new post

Autonomous AI agents are no longer theoretical. 79% of senior executives say AI agents are already being adopted in their companies. They are already shaping the cybersecurity landscape in profound ways, and I had the opportunity to contribute to PwC’s latest publication on this subject: "The Rise of Autonomous AI in Cybersecurity." In the report, we examine the emergence of AI agents that act independently, making decisions and taking action in complex environments without direct human oversight. My contribution focused on a particularly urgent dimension: AI as an insider threat. These agents are often granted extensive permissions and access to sensitive infrastructure, yet they operate without the human intuition that typically governs trust and judgment. If misaligned, misconfigured, or compromised, they could become the ultimate insider threat. Unlike human insiders, they do not tire, they do not hesitate, and they do not break protocol because they were never designed to question it. They can operate across systems with perfect recall, adapt in real time, and escalate damage with machine speed. Their ability to persist silently inside networks makes them a uniquely challenging risk class. Organizations that have matured their programs to handle traditional insider risk must now expand their thinking to include autonomous systems that could, by design or by breach, turn inward. The report provides guidance for boards, CISOs, and technology leaders on implementing AI agents with appropriate constraints, monitoring, and contingency controls. As these technologies scale, managing their potential as both protector and threat becomes central to cyber resilience.

Read the document here:

https://explore.pwc.com/autonomous-ai-in-cyber/ai-ai-agents

Agents of change: The rise of autonomous AI in cybersecurity

Tue, 08 Jul 2025 15:44:29 GMT

Agents of Change: The Rise of Autonomous AI in Cybersecurity

What happens when AI systems stop waiting for instructions—and start acting on their own?

In our new series with PwC, we explore agentic AI in cybersecurity: autonomous systems that detect threats, coordinate responses, and adapt tactics in real time. No human in the loop.

This isn't just a capability upgrade. It's a fundamental shift in how we design and lead cyber defense—and it raises urgent questions about control, accountability, and what leadership looks like when algorithms become teammates.

Read this piece that I co-authored at PwC.
https://www.pwc.com/gx/en/issues/cybersecurity/the-rise-of-autonomous-ai-in-cybersecurity.html

China’s Tech Invasion is a National Emergency

Fri, 06 Jun 2025 14:13:04 GMT

China is embedding vulnerabilities into the very technologies Americans depend on.

Originally published in the Washington Examiner — read the full piece here

China is embedding vulnerabilities into the very technologies Americans depend on. Engineers recently found “kill switches” in Chinese-made solar components—evidence of Beijing’s ability to disrupt our energy grid from within. And that’s just one example. From payment terminals to routers and logistics software, Chinese-controlled tech is laced throughout U.S. infrastructure.

This is deliberate pre-positioning. China’s government is backing hackers-for-hire, subsidizing hardware, and embedding tools that could allow them to shut down systems in a crisis. If it were missiles or troops, we’d recognize it as aggression.

What must we do? Cut CCP-linked technology out of critical sectors. Build competitive, secure American alternatives. Reward companies that design resilience into their systems. And map our digital risks as seriously as we would a battlefield.

The bottom line: in cyberspace, the first mover wins. China is already moving. America cannot afford to wait.

Offensive Cyber: NSA Cybersecurity Director Rob Joyce and CIA Director of the Center for Cyber Intelligence Andy Boyd

Thu, 15 May 2025 14:10:16 GMT

This is a subtitle for your new post

In this special edition of the Seriously Risky Business podcast Patrick Gray speaks with former NSA Cybersecurity Director Rob Joyce and former director of the CIA’s Center for Cyber Intelligence Andy Boyd.

The talk about what offensive cyber could look like under Trump 2.0, and the shake-up the intelligence community is going through under various White House initiatives.

Watch on YouTube

https://youtu.be/TUgbPlzoCcA

The AI Productivity Revolution: How I Built a Custom App in 30 Minutes

Fri, 14 Mar 2025 16:47:48 GMT

The AI Productivity Revolution: How I Built a Custom App in 30 Minutes

I had one of those mind-blowing experiences recently when you suddenly realize everything has changed. In less than 30 minutes, I created an iPhone app from scratch. Now that I understand the tools and workflow, I could do it in 15 minutes. The process was surprisingly simple.

From Programmer to Consumer

I used to be a decent programmer. As my career evolved, I spent less time coding and became more of a technology consumer. Keeping up with build processes, UI standards, APIs, new frameworks, and evolving languages became impossible since I wasn't programming daily. The scaffolding around any core concept had become more complex than the task itself.

A Simple Household Problem

My wife and I had a grocery shopping dilemma. She uses an app that "feels right" for her workflow—it remembers her favorite items and builds lists from there. The problem? The app is no longer available for me to download, and there's no synchronization between our phones. She doesn’t like to change from something that works well for her and try new things.

In our process today, she emails me the list, but I occasionally miss items or struggle when we need specific things from different stores. Scanning through a full list while shopping requires too much attention and leads to errors.

AI to the Rescue

I wanted a simple checklist app that would:

Import her emailed list
Let me cross off items as I collected them
Include a "hide checked items" option to see what I still needed at other stores

Previously, I wouldn't have attempted building this myself. The effort-to-reward ratio was too high.

The New Development Process

I’ve seen the new “vibe coding” revolution where people develop software simply by engaging AI and writing no lines of code. To start this, I described my app idea to ChatGPT o3 pro, including a sample of the email format I receive from my wife. Instead of jumping straight to coding, I used a technique I'd heard about online: letting AI create a robust specification document first.

With this detailed spec, I moved to Bolt.new—an AI-powered development platform that lets users prompt, run, edit, and deploy full-stack applications directly from a browser. Unlike standard AI coding assistants, Bolt provides a complete environment around the coding process that allowed me to run and debug the product in real-time. You interact live with your prototype in the web browser or deploy it to your phone.

The result? A working app on the first attempt. I prompted it twice more to optimize functionality and had a custom app working with zero manual coding.

Welcome to the Age of Hyper-Specific Software

We've entered an era where anyone can be their own developer for workflows nobody else wants or needs. The barrier to entry has become absurdly low, while the productivity gains from having tools custom-made for your specific problems are immeasurable.

This revolution is just beginning, and it's already astounding. The ability to quickly create personalized solutions to unique problems represents a fundamental shift in how we interact with technology. No longer are we limited to what's available in app stores or what professional developers think is worth building.

The era of AI-powered personal productivity is here, and it's changing everything.

Select Committee on the Chinese Communist Party Hearing 3/5/2025

Fri, 07 Mar 2025 02:23:31 GMT

China’s Cyber Threats to Critical Infrastructure & TP-Link Router Risk

I recently had the honor to testify before the House Select Committee on the Chinese Communist Party to address the growing cybersecurity threats posed by the People’s Republic of China (PRC). As the former Director of Cybersecurity at NSA, I have seen firsthand how Chinese state-sponsored hackers have evolved from stealing intellectual property to preparing for destructive cyberattacks against U.S. infrastructure. The hearing also featured expert testimony from Dr. Emma M. Stewart, Chief Power Grid Scientist at Idaho National Laboratory, and Ms. Laura Galante, former Director of the Cyber Threat Intelligence Integration Center at ODNI. Together, we discussed how China’s cyber operations threaten America’s security, economy, and digital resilience.

PRC Cyber Campaigns Targeting U.S. Critical Infrastructure

Chinese hackers have infiltrated vital U.S. infrastructure, including power grids, pipelines, water treatment facilities, and telecommunications networks. Intelligence reports indicate that they have implanted malware within these systems, allowing them to disrupt critical services in times of crisis. A recent campaign, Volt Typhoon, revealed China’s efforts to preposition its cyber capabilities inside U.S. infrastructure, not just for espionage but for potential physical disruption of essential services.

Beyond infrastructure attacks, Chinese cyber actors steal intellectual property from American businesses, universities, and government agencies. These thefts have fueled China’s rapid advancements in military technology and artificial intelligence, undermining U.S. innovation and economic competitiveness.

Cyber Operations Aimed at Disruption

China’s cyber strategy has expanded from intelligence gathering to creating societal panic. The FBI and U.S. intelligence community warn that China’s hackers could disable power grids, disrupt emergency services, and paralyze financial institutions to create chaos and weaken America’s ability to respond to geopolitical crises. If tensions escalate over Taiwan or other global conflicts, Beijing could exploit its digital foothold to cause widespread instability.

TP-Link Routers: A Security Concern

One overlooked risk is the technology millions of Americans unknowingly rely on. TP-Link, a Chinese manufacturer of Wi-Fi routers. TP-Link, the world’s largest manufacturer of commercial Wi-Fi and home routers has grown to at least 60% of the U.S. retail market for Wi-Fi systems and SoHo routers compared with about 10% of the market at the start of 2019. This rapid expansion, largely due to below profitable pricing and aggressive market tactics, has raised national security concerns. Chinese state-backed hackers have previously exploited TP-Link devices in cyberattacks. Worse, TP-Link—like all Chinese companies—is subject to PRC intelligence laws, meaning the Chinese government could compel it to provide backdoor access to American networks through software updates. Given its dominance in the U.S. market, this creates a significant vulnerability in both home and business networks.

Strengthening U.S. Cyber Defenses

To mitigate these threats, the U.S. must take decisive action across three key areas:

First, we must improve our tools to deter these PRC actions. Deterrence is not just about strengthening cyber defenses—it requires a comprehensive approach that makes clear to Chinese leadership that cyber aggression will have consequences. This means leveraging offensive cyber capabilities to disrupt their operations, economic sanctions, public indictments, international law enforcement actions, and diplomatic pressure. Additionally, export controls and intelligence sharing with allies and private industry must be expanded to limit China’s ability to exploit our technology for cyber operations.

Second, we need stronger defenses. The U.S. must make substantial investments in cybersecurity to protect critical infrastructure and private-sector systems. Too many organizations fail to patch known vulnerabilities, making them easy targets for PRC hackers. Regulatory measures should drive stronger security practices in software development and hardware supply chains. Additionally, the U.S. must remove high-risk PRC-controlled technologies, including TP-Link routers, from our networks to close off potential attack vectors.

Finally, assuming our adversaries still come at us, and our defenses improve, we must still plan to be resilient. Cyberattacks will happen despite our best efforts, so we must focus on limiting their impact and ensuring rapid recovery. This includes building in redundancies, strengthening incident response capabilities, and preparing the public and private sectors to operate through cyber disruptions. Reducing our exposure and improving coordination across industries and government agencies will ensure we can withstand and recover from cyberattacks quickly.

China’s cyber strategy represents a long-term, strategic challenge to U.S. security. Strengthening cyber defenses, securing infrastructure, and eliminating high-risk technologies will be critical to protecting national security.

You can read my opening statement here:

https://selectcommitteeontheccp.house.gov/media/witness-testimony/witness-testimony-end-typhoons-how-deter-beijings-cyber-actions-and-enhance

China’s drones are its greatest weapon in today’s information warfare

Thu, 20 Jun 2024 14:22:02 GMT

My OpEd for the Hill

China’s drones aren’t just airborne gadgets—they’re a strategic intelligence weapon. In my recent opinion piece for The Hill, I outline how these aerial systems have become embedded within our infrastructure and are increasingly being leveraged as tools for surveillance, data gathering, and asymmetric influence. From hogging the drone marketplace to advancing China’s informational warfare capabilities, these systems present a new kind of threat—one that requires immediate attention and decisive action.

Read the entire article here:
https://thehill.com/opinion/national-security/4730109-china-drones-intelligence-weapon/

60 minutes segment: Ransomware as a threat

Sun, 14 Apr 2024 15:14:47 GMT

It takes a hacker to defeat a hacker.

The 60 Minutes episode spotlighted the growing ransomware crisis, with a focus on the MGM and Caesars casino hacks carried out by the group Scattered Spider and their alliance with Russia’s BlackCat gang. It showed how simple social engineering calls to help desks spiraled into multimillion-dollar disruptions, and how young English-speaking hackers are now merging with veteran Russian operators to scale attacks.

I was interviewed as the former NSA Director of Cybersecurity explaining that the Colonial Pipeline attack was a wake-up call that forced the U.S. to treat ransomware as a serious foreign threat. I truly believe “it takes a hacker to defeat a hacker,” and noted how NSA’s cyber expertise and intelligence functions helped identify key perpetrators. While Russia briefly arrested Colonial Pipeline attackers in 2022, they released them once the Ukraine war began, illustrating how geopolitics shields ransomware gangs. Ransomware is no longer just a business disruption but a state-enabled security challenge . By connecting casino heists, Russian safe havens, and the alliance between Western youth hackers and Russian syndicate, you can see that ransomware has evolved into a geopolitical arms race requiring nation-state defenses.

"Sometimes it takes a hacker to defeat a hacker." See a clip here:
https://youtu.be/lEwC1tN2jb8

Full episode here:

https://youtu.be/zPodxy8zlX0?si=TQ9_fuhuav2JD0Wp

Cyber Safety Review Board - Microsoft Study

Sat, 06 Apr 2024 17:15:26 GMT

Report on the Microsoft Online Exchange Incident from Summer 2023.

I was honored to be part of the US Government Cyber Safety Review Board where we studied the Summer 2023 Microsoft Exchange Online intrusion . This review examined how a Chinese state-affiliated group, Storm-0558, was able to breach Microsoft systems and access sensitive data. The Board concluded the intrusion was preventable and pointed to Microsoft’s operational and strategic decisions that deprioritized enterprise security as a root cause. I’ve seen significant effort by Microsoft to eliminate tech debt and improve foundational security. As part of its broader strategic response, Microsoft launched the Secure Future Initiative (SFI). This framework was designed to overhaul its security model across the cloud ecosystem, prioritizing robust identity and credential protections, faster patching, and enhanced threat detection capabilities.

During this study, the CSRB gathered input from 20 organizations, experts, and affected companies. Our findings led to a set of recommendations for both industry and government aimed at strengthening cloud security, transparency, and victim notification. Among them: improving baseline cybersecurity practices for cloud providers, adopting stronger audit logging and identity standards, and updating federal security frameworks to keep pace with evolving threats.

This report, the third from the CSRB since its founding in 2022, reinforces a critical message— cloud services are core national infrastructure . Nation-state actors are targeting them aggressively, and both government and industry must raise the bar for security by design.

Read the full document here:

Report on the Microsoft Online Exchange Incident from Summer 2023.

Cyber Safety Review Board’s examination of the Lapsus$ attacks

Wed, 06 Sep 2023 20:04:45 GMT

Criminal threats to industry are significant and continue to grow

CSRB 2nd report.

I was honored to be part of the Cyber Safety Review Board’s examination of the Lapsus$ attacks. The CSRB reviews significant cyber events, bring together leaders from government and industry, and issue practical, actionable recommendations to strengthen resilience across both the private and public sectors.

As part of the Board, I had the opportunity to examine the activities of Lapsus$ and related threat groups. These loosely organized cybercriminals successfully compromised some of the world’s most well-defended companies, using surprisingly low-cost and well-known techniques to exploit weak points in our collective cyber infrastructure.

What We Found

Between 2021 and 2022, Lapsus$ carried out extortion-focused attacks against dozens of companies and government agencies worldwide. Their methods exposed critical systemic weaknesses:

Low-Cost Techniques with Big Impact – The group used simple tools and social engineering to bypass defenses that organizations believed were strong.
Multi-Factor Authentication (MFA) Weaknesses – Many implementations relied on SMS and voice-based codes, which proved vulnerable to interception and manipulation.
SIM-Swapping Risks – Criminal markets for SIM swaps enabled attackers to hijack phone numbers and gain unauthorized access, often with little resistance from telecom providers.
Exploitation of Third Parties – Business process outsourcers (BPOs) and downstream vendors were frequent weak links that attackers leveraged to reach larger targets.
Juvenile Cybercrime Dynamics – Several Lapsus$ members were minors, raising challenges for law enforcement, since lighter penalties and limited intervention programs provided little deterrence
Review Of The Attacks Associate…

Recommendations for a More Secure Future

The CSRB issued a set of recommendations designed to address these risks and drive long-term improvements across the ecosystem

Review Of The Attacks Associate…

Identity and Access Management (IAM) – Transition away from SMS/voice-based MFA and move toward phishing-resistant, passwordless authentication (e.g., FIDO2, hardware-backed solutions). Organizations should also strengthen defenses against social engineering.
Telecommunications Resilience – Treat SIM swaps as privileged actions, enforce stronger identity verification, allow consumers to lock accounts, and require carriers to harden systems and APIs. Regulators should strengthen oversight and reporting.
Managing Vendor and BPO Risk – Companies should mature vendor risk management, adopt zero trust architectures, and enshrine shared cybersecurity responsibility in contracts with BPOs.
Law Enforcement and Juvenile Crime – Expand “whole-of-society” programs for juvenile cybercrime prevention, improve international law enforcement cooperation, and strengthen protections against abuse of emergency disclosure requests (EDRs).

The Lapsus$ review underscored how even the strongest organizations can be compromised when attackers exploit human factors, weak authentication, or poorly secured third parties. These aren’t exotic zero-day attacks—they are low-cost, scalable, and repeatable techniques. The CSRB’s findings remind us that building resilience requires not just advanced defenses, but also cultural change, regulatory alignment, and collaboration across government, industry, and law enforcement.

Inagural CSRB Study - Log4j

Mon, 25 Jul 2022 19:51:38 GMT

Cyber Safety Review Board's First Report

Inaugural Cyber Safety Review Board

In February 2022, the U.S. Department of Homeland Security launched the Cyber Safety Review Board (CSRB) to examine major cyber events and provide lessons that strengthen national resilience. The CSRB is a unique public-private partnership—half senior government officials, half leading private-sector experts—created under Executive Order 14028. Its mission is to conduct independent, authoritative reviews of significant cyber incidents, distill insights, and recommend concrete steps to improve cybersecurity for both industry and government.

What Log4j Was and Why It Mattered

The CSRB’s first review examined the December 2021 disclosure of a critical vulnerability in Log4j, a ubiquitous open-source, Java-based logging library embedded in thousands of software products. The flaw, known as “Log4Shell,” allowed attackers to remotely execute code with little effort, triggering one of the most intense global cybersecurity responses in history. Because Log4j is so deeply woven into the software ecosystem, the vulnerability was not just a one-time crisis but an “endemic” risk—expected to persist in systems for years, if not a decade or more

The impact was profound: many organizations struggled to even identify where vulnerable code was running, exposing shortcomings in software transparency and asset management. The event also highlighted systemic challenges, including the under-resourcing of open-source projects and the risks created by government policies—such as Chinese vulnerability disclosure rules that could give the PRC early access to flaws for exploitation

Key Findings from the CSRB

The CSRB’s investigation, informed by nearly 80 organizations and experts, underscored several realities:

Severity: Log4j is one of the most serious software vulnerabilities ever discovered.
Endemic Risk: Unpatched versions will remain in systems for years, keeping defenders on constant watch.
Transparency Gaps: Many companies lacked the ability to quickly locate affected code.
Open-Source Fragility: The volunteer-led nature of Log4j reflected broader weaknesses in securing critical open-source projects.
Training Gaps: Many software developers have little exposure to secure coding practices as part of formal education

Recommendations for the Future

The CSRB issued 19 recommendations spanning four categories

Address Continued Risks of Log4j – Organizations must assume long-term vigilance, continue reporting exploitation, and regulators should reinforce CISA guidance.
Drive Existing Best Practices – Invest in capabilities to identify vulnerable systems, maintain accurate IT asset inventories, and strengthen vulnerability response and disclosure programs.
Build a Better Software Ecosystem – Expand training in secure software development, improve Software Bill of Materials (SBOM) tooling, increase investment in open-source security, and pilot maintenance support for critical projects.
Invest in the Future – Explore baseline transparency requirements for federal vendors, evaluate a Cyber Safety Reporting System, create a Software Security Risk Assessment Center of Excellence, and study incentives to embed security into development from the start.

The Log4j crisis was a wake-up call: a reminder that the software ecosystem we rely on daily is only as strong as its most under-resourced link. Through the CSRB’s review, we now have a blueprint to address not just Log4j, but systemic weaknesses across open-source software and software supply chains. The work ahead will require vigilance, investment, and collaboration between government and industry to make sure the next “Log4j moment” doesn’t carry the same level of risk.