Fact Sheet: 2024 Report on the Cybersecurity Posture of the United States

May 7, 2024

Read the full report here

Today, the Office of the National Cyber Director (ONCD) released the 2024 Report on the Cybersecurity Posture of the United States.  This first-of-its-kind report provides important updates on how the nation is addressing the challenges and opportunities we face in cyberspace. 

Over the past year, U.S. national cybersecurity posture improved, driven by steady progress towards the 2023 National Cybersecurity Strategy’s (NCS) vision of a defensible, resilient, and values-aligned digital ecosystem.  Achieving this vision requires two fundamental shifts in how we allocate roles, responsibilities, and resources in cyberspace by (1) rebalancing the responsibility to defend cyberspace away from end users and to the most capable and best-positioned actors in the public and private sectors, and (2) realigning incentives to favor long-term investments in future resilience. 

The Administration has successfully begun implementation of the NCS Implementation Plan (NCSIP), which coordinates actions by departments and agencies across the Federal Government to make the President’s affirmative vision a reality.  In NCSIP Version 1, the Federal Government was responsible for completing 36 initiatives by the second quarter of 2024.  33 of these 36 (92%) initiatives were completed on time and three remain underway.  An additional 33 NCSIP Version 1 initiatives have completion dates over the next two years and are on track.  Congress has provided essential support to the implementation process by empowering departments and agencies with necessary authorities and resources.

The Administration has also released Version 2 of the NCSIP, which complements the findings of this report and outlines the next phase of action necessary to implement the President’s Strategy and further improve U.S. national cybersecurity posture.

The Strategic Environment

In 2023, the strategic environment was characterized by complexity, interconnectivity, and competition.  Continued progress in digital communications, advanced computing, quantum information science, data storage and processing, and other critical and emerging technologies are rapidly increasing the complexity of our economy and society.  These technologies also connect people around the world, enable the proliferation of cyber-physical systems, and create new dependencies between critical infrastructure and essential services across every sector. 

As this landscape evolves, malicious state and non-state actors are exploiting its seams with growing capability and strategic purpose, continuing to aggressively conduct malicious cyber activity that threatens U.S. national security, public safety, and economic prosperity.  Critical infrastructure across the United States has been held at risk by the People’s Republic of China and other adversaries who threaten essential services and public safety in service of their geopolitical ambitions.  Ransomware groups have built a business model around targeting schools, hospitals, small businesses, and many others ill-equipped to defend themselves.

Five trends, in addition to enduring cybersecurity challenges, drove change in the strategic environment in 2023:

1. Evolving Risks to Critical Infrastructure: Nation-state adversaries demonstrated a growing willingness to use cyber capabilities to compromise and hold at risk critical infrastructure systems and assets with no inherent espionage value, in order to further their broader strategic objectives.
2. Ransomware: Ransomware remained a persistent threat to national security, public safety, and economic prosperity, and ransomware groups continued to develop sophisticated strategies to evade or circumvent defensive and disruptive measures designed to frustrate their activities.
3. Supply Chain Exploitation: Complex and interconnected supply chains for software and other information technology and services enabled malicious actors to compromise victims at scale.
4. Commercial Spyware: There was a growing market for sophisticated and invasive cyber-surveillance tools sold to nation-state actors by private vendors to access electronic devices remotely, monitor and extract their content, and manipulate their components without the knowledge or consent of the devices’ users.
5. Artificial Intelligence: Artificial intelligence is one of the most powerful, publicly accessible technologies of our time, and its continued evolution in 2023 presented opportunities and challenges for cyber risk management at scale.

Current Efforts

ONCD coordinates the implementation of national cyber policy and strategy, including the NCS, by driving new actions and uplifting and connecting work underway.  Actions taken by the Federal Government during the period covered by this report include:

1. Establishing and Using Cyber Requirements to Protect Critical Infrastructure, including through the development and harmonization of regulatory requirements in multiple critical infrastructure sectors.
2. Enhancing Federal Cooperation and Partnerships to better support cyber defenders, including by increasing operational collaboration, improving Sector Risk Management Agency capacity, and integrating Federal cyber defense capabilities.
3. Improving Incident Preparedness and Response by rapidly sharing threat information, prioritizing support to victims, and reviewing significant incidents and campaigns to derive lessons learned.
4. Disrupting and Degrading Adversary Activity using all tools of national power, resulting in coordinated, high-impact disruption campaigns against a wide range of malicious cyber actors.
5. Defending Federal Networks at speed and scale, including by integrating Zero Trust Architecture principles across the Federal enterprise, modernizing legacy technology systems, and expanding the use of shared services.
6. Strengthening the National Cyber Workforce, including through the promulgation of a National Cyber Workforce and Education Strategy (NCWES) and engagement with workers, employers, students, and educators across the country.
7. Advancing Software Security to Produce Safer Products and Services, including by advancing Secure by Design principles, Software Bills of Material, and memory-safe programming languages.
8. Enabling a Digital Economy that Empowers and Protects Consumers, including by launching a U.S. Cyber Trust Mark certification and labeling program and by promoting competition and accountability across the technology industry.
9. Investing in Resilient Next-Generation Technologies across the clean energy economy, issuing an executive order to guide Federal efforts related to artificial intelligence, and addressing security challenges present in the technical foundations of the Internet.
10. Managing Risks to Data Security and Privacy by enabling safe, data-rich cross-border commerce and promoting the development of privacy-enhancing technologies.
11. Enhancing Resilience Across the Globe by building coalitions of like-minded nations to provide support to victims of ransomware and other cyberattacks, align national policy, and promote secure and resilient global supply chains.
12. Advancing a Rights-Respecting Digital Ecosystem by advancing an affirmative vision of an open, free, global, interoperable, reliable, accessible, and secure Internet; combatting the proliferation and misuse of digital technologies like commercial spyware; and shaping emerging technologies to align with democratic values and human rights.

Future Outlook

In 2024 and beyond, the Federal Government will build on accomplishments of the past year, continue to implement the NCS and NCWES, and adapt its approach to address emergent challenges and opportunities presented by an evolving strategic landscape.  NCSIP Version 2 outlines 31 new initiatives that build on shared accomplishments of the past year and establish specific lines of effort to realize the vision set out in the President’s NCS.

Read the full National Cybersecurity Strategy Implementation Plan 2.0 here