
Ultimately, CISA should have the operational responsibility for defending civilian government networks, just as Cyber Command does for DoD networks. The recent NDAA, which vested CISA with the authority to hunt on agencies’ networks without the explicit permission of those agencies, was a critical move in that direction. CISA will now need additional funding to build a 24/7 threat hunting operations center to fulfill the requirements of that mission. Another important step would be to create incentives for federal agencies to outsource their cybersecurity operations to CISA, turning it into a cybersecurity Shared Service Provider. Such incentives may include exceptions for agency heads from FISMA compliance and turning that responsibility over to CISA, if it is actually being given the authority to secure that agency’s network.

2. Congress should make agencies adopt speed-based metrics to measure their response to cyber threats.

In cyberspace, the only way to reliably defeat an adversary is to be faster than they are. Under an assumption of breach approach, the question is not, “Can we prevent an initial compromise?” The much better question is, “How long does it take us to find and eject them?” Central to detecting adversaries is the speed with which they leverage the initial resource they have established as their beachhead within the network, move laterally across the environment, and gain access to other sensitive resources. Once adversaries are able to do that, what would have been a minor security event turns into a full breach that requires a lengthy and complex incident response process and that puts defenders’ data and operations at risk. Stop the adversary quickly, and you have prevented them from accomplishing their objectives. With this in mind, Congress should require federal agencies to adopt speed-based metrics that evaluate agencies’ response to cyber threats based on the time it takes to begin and complete fundamental defensive tasks.
In the private sector, I developed what I called the “1-10-60 rule” to measure response times to perceived threats: detect an intrusion on average within one minute, investigate it within 10 minutes, and isolate or remediate the problem within one hour. Through legislation, Congress could require agencies to adopt speed-based metrics by mandating that they collect data on the average time it takes to perform four fundamental defensive actions: (1) detecting an incident; (2) investigating an incident; (3) responding to an incident; and (4) fully mitigating the risk of high-impact vulnerabilities. Over time, these metrics would provide objective and diachronic measurement of agencies’ threat response capabilities that they could report to CISA, OMB, and the relevant oversight committees in Congress. If the metrics prove effective in decreasing agencies’ response time to cyber threats, Congress should also consider models to extend their adoption by the private sector.

3. Congress should pass a comprehensive breach notification law.

Such a law would require major private companies, such as those in critical infrastructure, to report technical indicators associated with breach attempts to CISA, including for breaches where no personal information is actually compromised. If there is a single overriding lesson from the recent supply chain attacks, it is that the information sharing between government and industry remains a serious challenge. Some victims have shared very little information about what took place inside their networks; others have not even publicly acknowledged that they were targeted.
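As an added illustration of the speed-based metrics proposed under recommendation 2 (this is example code written for this page, not part of the testimony or any agency's tooling), the following Python computes the four measurements from incident and vulnerability records: minutes to detect, investigate and respond per incident, compared against the 1-10-60 targets, and days to fully mitigate high-impact vulnerabilities. The record layout, field names and all timestamps are constructed assumptions; it also reports the share of incidents that met each target, since a single slow incident can hide behind a good average, and rejects records whose timeline runs backwards so a bad export cannot produce negative durations.

```python
"""Speed-based response metrics in the spirit of the 1-10-60 rule.

Constructed example: the record layout, field names and timestamps below
are assumptions for illustration, not data from any agency or from the testimony.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Targets from the 1-10-60 rule, in minutes per phase.
THRESHOLDS_MIN = {"detect": 1, "investigate": 10, "respond": 60}


@dataclass(frozen=True)
class Incident:
    incident_id: str
    first_activity: datetime  # earliest adversary activity established by forensics
    detected: datetime        # alert raised / analyst notified
    investigated: datetime    # triage complete, scope understood
    contained: datetime       # host isolated or threat remediated


def parse_incident(incident_id, first_activity, detected, investigated, contained):
    """Build an Incident from ISO-8601 strings (as a ticketing export might supply)
    and reject records whose timeline is not monotonic, so a bad export cannot
    yield negative durations that flatter the averages."""
    stamps = [datetime.fromisoformat(s)
              for s in (first_activity, detected, investigated, contained)]
    if any(later < earlier for earlier, later in zip(stamps, stamps[1:])):
        raise ValueError(f"{incident_id}: timestamps are out of order")
    return Incident(incident_id, *stamps)


def phase_durations(inc):
    """Minutes spent in each phase, measured from the end of the previous one."""
    minute = timedelta(minutes=1)
    return {
        "detect": (inc.detected - inc.first_activity) / minute,
        "investigate": (inc.investigated - inc.detected) / minute,
        "respond": (inc.contained - inc.investigated) / minute,
    }


def speed_metrics(incidents):
    """Average minutes per phase plus the share of incidents that met the target."""
    per_phase = {phase: [] for phase in THRESHOLDS_MIN}
    for inc in incidents:
        for phase, minutes in phase_durations(inc).items():
            per_phase[phase].append(minutes)
    return {
        phase: {
            "average_minutes": mean(values),
            "target_minutes": THRESHOLDS_MIN[phase],
            "within_target_fraction":
                sum(v <= THRESHOLDS_MIN[phase] for v in values) / len(values),
        }
        for phase, values in per_phase.items()
    }


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    high_impact: bool
    known: datetime      # when the agency learned of the vulnerability
    mitigated: datetime  # when its risk was fully mitigated (patched or isolated)


def mitigation_metric(vulns):
    """Fourth metric: average days to fully mitigate high-impact vulnerabilities."""
    days = [(v.mitigated - v.known) / timedelta(days=1) for v in vulns if v.high_impact]
    return mean(days) if days else None


# Constructed sample data (not real incidents or vulnerabilities).
SAMPLE_INCIDENTS = [
    parse_incident("INC-1", "2021-01-05T09:00:00", "2021-01-05T09:00:30",
                   "2021-01-05T09:08:30", "2021-01-05T09:48:30"),
    parse_incident("INC-2", "2021-01-05T08:00:00", "2021-01-05T08:03:00",
                   "2021-01-05T08:09:00", "2021-01-05T09:30:00"),
    parse_incident("INC-3", "2021-01-05T10:00:00", "2021-01-05T10:01:00",
                   "2021-01-05T10:11:00", "2021-01-05T10:40:00"),
]
SAMPLE_VULNS = [
    Vulnerability("VULN-A", True, datetime(2021, 1, 1), datetime(2021, 1, 4)),
    Vulnerability("VULN-B", True, datetime(2021, 1, 2), datetime(2021, 1, 12)),
    Vulnerability("VULN-C", False, datetime(2021, 1, 2), datetime(2021, 2, 20)),
]

if __name__ == "__main__":
    for phase, stats in speed_metrics(SAMPLE_INCIDENTS).items():
        print(f"{phase:12s} avg {stats['average_minutes']:6.1f} min "
              f"(target {stats['target_minutes']}), "
              f"{stats['within_target_fraction']:.0%} within target")
    print(f"high-impact vulns: avg {mitigation_metric(SAMPLE_VULNS):.1f} days to mitigate")
```

Reporting the within-target share alongside the average is the part worth keeping: on the sample data the investigate phase averages 8 minutes with every incident inside the 10-minute target, while the respond phase averages 50 minutes yet one incident in three overran the hour.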

Homeland Cybersecurity: Assessing Cyber Threats and Building Resilience