Lawfare Daily: Grading the Trump Administration's Cybersecurity Efforts, with Rear Admiral (Ret.) Mark Montgomery

Podcast Summary

Podcast: The Lawfare Podcast
Episode: Lawfare Daily: Grading the Trump Administration’s Cybersecurity Efforts, with Rear Admiral (Ret.) Mark Montgomery
Date: December 1, 2025
Host: Jonathan Sederbaum, Lawfare’s Book Review Editor
Guest: Rear Admiral (Ret.) Mark Montgomery, Senior Director, Center on Cyber and Technology Innovation, Foundation for the Defense of Democracies

Main Theme

The episode centers on evaluating the Trump administration’s early cybersecurity policy moves, as reflected in the fifth Annual Implementation Report of the Cyberspace Solarium Commission 2.0. Rear Admiral (Ret.) Mark Montgomery, a key member of the original and follow-up commissions, breaks down where U.S. efforts are stalling, what's improved, and what critical issues are emerging for U.S. cybersecurity strategy and policy. The conversation critically assesses the strengths and weaknesses in current federal cyber defense, workforce, funding, regulatory posture, and the future challenges posed by adversaries and technology.

Key Discussion Points & Insights

1. The Solarium Commission: Origins and Purpose

Established in 2018 to devise a strategy for protecting U.S. critical infrastructure in cyberspace ([03:03]).
Found "the government wasn’t properly organized," private sector control over critical infrastructure was a unique challenge, and public-private collaboration was lacking ([03:55]).
Led to dozens of recommendations for legislative and executive action.

2. Layered Cyber Deterrence

The necessity of a multifaceted approach involving all elements of national power—legal, defensive, and offensive measures—to deter adversaries ([06:16]).
- “Deterrence by entanglement”—law enforcement and sanctions
- “Deterrence by denial”—robust defense
- “Deterrence by cost/imposition”—the willingness and capability to retaliate
U.S. is still not deterring adversaries effectively in cyberspace ([06:46]).
- "We are not equipped to deter the adversary in cyberspace... we are not preventing them from taking the actions they want to take." —Montgomery ([06:45])

3. 2025 Annual Implementation Report: Troubling Trends

Main Finding: “Our nation’s ability to protect itself and its allies from cyber threats is stalling and in some cases even slipping.” ([09:08])
- Prior annual reports saw improvement, but current findings reflect backsliding.
- Delays in confirming key officials and turbulence after administration changes have lasted longer than the typical 3–5 months, now stretching over eight months ([09:18]).
Staffing and Budget Cuts ([10:57]):
- CISA: Loss of one-third of the workforce, including probationary (future leaders) and senior talent:
  - "No leader ever came up to me and said... the key to my success is cutting one third of my workforce randomly. Come on." —Montgomery ([13:24])
- NIST: Mounting responsibilities without matching funding; subjected to further cuts under the Trump 47 administration ([14:02]).

4. More Concerns: State Department Reorganization

Mishandling of the Bureau for Cyberspace and Digital Diplomacy, violating the Cyber Diplomacy Act ([16:51], [17:01]):
- "They reorganized it in violation of the law... it's... kind of insulting that you reorganize something without reading the law. We are a nation of laws." —Montgomery ([18:10])
Lack of leadership and clarity harming U.S. policy, engagement, and international standard-setting ([19:10]).

5. Positive Steps by the Administration

Recognition that some sectors (e.g., water utilities) require a state and local/regional approach, supporting grant programs and capacity-building ([28:00]).
NSC Cybersecurity Directorate shifting focus to offense and global partnerships; National Cyber Director designated as lead for national cyber defense ([31:10]).
- “They have drawn a line in the right direction… there’s hope, there’s potential… Next year they’ll be good grades.” —Montgomery ([31:56])

6. Looking Forward: Major Challenges and Priorities

Understanding Chinese “Operational Preparation of the Battlefield”:
- China's "Volt Typhoon" campaign: prepositioning for possible future disruption or destruction of U.S. infrastructure ([33:22]).
- Public and policymakers must grasp the gravity of this threat.
- “This operational preparation of the battlefield has gone unremarked.” ([35:29])
Improving Recovery Capabilities:
- With attacks inevitable, rapid recovery is crucial, especially for small and medium enterprises ([35:58]).
- “The real value is speed of recovery. How fast can you be up and running again?” ([36:15])
Cyber Workforce Modernization:
- U.S. cyber operating forces have only grown ~3% since 2012; China’s numbers possibly increased by ~1000% ([37:41]).
- Need for new recruitment, training, and retention models focused on cyber skills ([37:55]).

7. AI and the Future of Cybersecurity

Offense vs Defense: Both sides will benefit from AI, but U.S. investment lags ([39:23]).
- “The conviction rate on cyber crimes is... in the 1 or 2%, if that.”
AI-powered Influence Operations: Enhanced risks of disinformation and manipulation, especially as AI enables highly convincing forgeries ([40:18]).
- “AI tools are going to make influence operations look more and more like a text or an email from your spouse or your... child, and have a much higher likelihood of success.” —Montgomery ([40:38])
Concern: Trump administration is dismantling disinformation-fighting initiatives across agencies ([41:36]).
- “That worries me the most. So I guess that's a bad, pessimistic line to end on, Jonathan, but that's where I sit.” —Montgomery ([42:22])

Notable Quotes & Memorable Moments

On organizational missteps:

"This was an absolute own goal." —Montgomery, on State Department's mishandling of cyber diplomacy office ([21:09])
On staffing cuts:

"No leader ever came up to me and said... the key to my success is cutting one third of my workforce randomly. Come on." —Montgomery ([13:24])
On differences between sectors:

“I would tell you there’s three sectors that I don’t lose sleep over at night. Financial services, energy, and the defense industrial base... water being one of them [of concern].” —Montgomery ([30:25])
On public indifference to major threats:

“People like me are still spun up about it. 99.9% of America came out of warble a day later, right. And they're fine with it.” —Montgomery, on Volt Typhoon’s ongoing risk ([34:28])
On the need for new cyber force structure:

“The people I need to be a Ranger don't look like the people I need to be cyber. There can be one or two that look the same, but the vast majority I'm okay with. Overweight face, tattoo, a little bit extra weed usage, that's okay, but the Rangers are not.” —Montgomery ([37:55])
On AI-driven influence:

“AI tools are going to make influence operations look more and more like a text or an email from your spouse or your... child, and have a much higher likelihood of success.” —Montgomery ([40:38])

Timestamps for Key Segments

[03:03] — Solarium Commission origins and findings
[06:16] — Definition and need for layered cyber deterrence
[09:08] — Top-line findings of 2025 report: "slippage"
[10:57] — CISA and NIST in crisis: budget/staffing cuts
[16:51] — State Department's cyber diplomacy mismanagement
[28:00] — Positive steps: support for state/local cyber capacity, right direction in NSC/NCD roles
[33:22] — Top forward-looking risks: China’s “preparation of the battlefield,” need for resilience, workforce overhaul
[39:23] — AI’s promise and peril: defense/offense balance, influence operations concerns
[42:22] — Closing thoughts and concerns about U.S. cyber posture

Tone and Flow

Rear Admiral (Ret.) Montgomery maintains a frank, occasionally critical but ultimately constructive tone, mixing policy insights, strategic assessments, and a touch of wit. Host Jonathan Sederbaum moderates a mostly technical but accessible discussion, weaving in policy, law, and technical capability questions, and consistently pressing for actionable recommendations and forward-looking views.

Conclusion

This conversation offers a candid, expert-driven review of the Trump administration’s early record on federal cybersecurity efforts. It identifies clear warning signs—especially in workforce and funding slippages—and shines light on both the importance and the fragility of forward momentum in U.S. cyber policy. The discussion bridges criticism with practical ideas for improvement and a sober assessment of adversary and technology trends, making this episode essential listening for anyone interested in national security, policy, and cyber threats.

Podcast Summary

Main Theme

Key Discussion Points & Insights

1. The Solarium Commission: Origins and Purpose

Established in 2018 to devise a strategy for protecting U.S. critical infrastructure in cyberspace ([03:03]).
Found "the government wasn’t properly organized," private sector control over critical infrastructure was a unique challenge, and public-private collaboration was lacking ([03:55]).
Led to dozens of recommendations for legislative and executive action.

2. Layered Cyber Deterrence

The necessity of a multifaceted approach involving all elements of national power—legal, defensive, and offensive measures—to deter adversaries ([06:16]).
- “Deterrence by entanglement”—law enforcement and sanctions
- “Deterrence by denial”—robust defense
- “Deterrence by cost/imposition”—the willingness and capability to retaliate
U.S. is still not deterring adversaries effectively in cyberspace ([06:46]).
- "We are not equipped to deter the adversary in cyberspace... we are not preventing them from taking the actions they want to take." —Montgomery ([06:45])

3. 2025 Annual Implementation Report: Troubling Trends

Main Finding: “Our nation’s ability to protect itself and its allies from cyber threats is stalling and in some cases even slipping.” ([09:08])
- Prior annual reports saw improvement, but current findings reflect backsliding.
- Delays in confirming key officials and turbulence after administration changes have lasted longer than the typical 3–5 months, now stretching over eight months ([09:18]).
Staffing and Budget Cuts ([10:57]):
- CISA: Loss of one-third of the workforce, including probationary (future leaders) and senior talent:
  - "No leader ever came up to me and said... the key to my success is cutting one third of my workforce randomly. Come on." —Montgomery ([13:24])
- NIST: Mounting responsibilities without matching funding; subjected to further cuts under the Trump 47 administration ([14:02]).

4. More Concerns: State Department Reorganization

Mishandling of the Bureau for Cyberspace and Digital Diplomacy, violating the Cyber Diplomacy Act ([16:51], [17:01]):
- "They reorganized it in violation of the law... it's... kind of insulting that you reorganize something without reading the law. We are a nation of laws." —Montgomery ([18:10])
Lack of leadership and clarity harming U.S. policy, engagement, and international standard-setting ([19:10]).

5. Positive Steps by the Administration

Recognition that some sectors (e.g., water utilities) require a state and local/regional approach, supporting grant programs and capacity-building ([28:00]).
NSC Cybersecurity Directorate shifting focus to offense and global partnerships; National Cyber Director designated as lead for national cyber defense ([31:10]).
- “They have drawn a line in the right direction… there’s hope, there’s potential… Next year they’ll be good grades.” —Montgomery ([31:56])

6. Looking Forward: Major Challenges and Priorities

Understanding Chinese “Operational Preparation of the Battlefield”:
- China's "Volt Typhoon" campaign: prepositioning for possible future disruption or destruction of U.S. infrastructure ([33:22]).
- Public and policymakers must grasp the gravity of this threat.
- “This operational preparation of the battlefield has gone unremarked.” ([35:29])
Improving Recovery Capabilities:
- With attacks inevitable, rapid recovery is crucial, especially for small and medium enterprises ([35:58]).
- “The real value is speed of recovery. How fast can you be up and running again?” ([36:15])
Cyber Workforce Modernization:
- U.S. cyber operating forces have only grown ~3% since 2012; China’s numbers possibly increased by ~1000% ([37:41]).
- Need for new recruitment, training, and retention models focused on cyber skills ([37:55]).

7. AI and the Future of Cybersecurity

Offense vs Defense: Both sides will benefit from AI, but U.S. investment lags ([39:23]).
- “The conviction rate on cyber crimes is... in the 1 or 2%, if that.”
AI-powered Influence Operations: Enhanced risks of disinformation and manipulation, especially as AI enables highly convincing forgeries ([40:18]).
- “AI tools are going to make influence operations look more and more like a text or an email from your spouse or your... child, and have a much higher likelihood of success.” —Montgomery ([40:38])
Concern: Trump administration is dismantling disinformation-fighting initiatives across agencies ([41:36]).
- “That worries me the most. So I guess that's a bad, pessimistic line to end on, Jonathan, but that's where I sit.” —Montgomery ([42:22])

Notable Quotes & Memorable Moments

On organizational missteps:

"This was an absolute own goal." —Montgomery, on State Department's mishandling of cyber diplomacy office ([21:09])
On staffing cuts:

"No leader ever came up to me and said... the key to my success is cutting one third of my workforce randomly. Come on." —Montgomery ([13:24])
On differences between sectors:

“I would tell you there’s three sectors that I don’t lose sleep over at night. Financial services, energy, and the defense industrial base... water being one of them [of concern].” —Montgomery ([30:25])
On public indifference to major threats:

“People like me are still spun up about it. 99.9% of America came out of warble a day later, right. And they're fine with it.” —Montgomery, on Volt Typhoon’s ongoing risk ([34:28])
On the need for new cyber force structure:

“The people I need to be a Ranger don't look like the people I need to be cyber. There can be one or two that look the same, but the vast majority I'm okay with. Overweight face, tattoo, a little bit extra weed usage, that's okay, but the Rangers are not.” —Montgomery ([37:55])
On AI-driven influence:

“AI tools are going to make influence operations look more and more like a text or an email from your spouse or your... child, and have a much higher likelihood of success.” —Montgomery ([40:38])

Timestamps for Key Segments

[03:03] — Solarium Commission origins and findings
[06:16] — Definition and need for layered cyber deterrence
[09:08] — Top-line findings of 2025 report: "slippage"
[10:57] — CISA and NIST in crisis: budget/staffing cuts
[16:51] — State Department's cyber diplomacy mismanagement
[28:00] — Positive steps: support for state/local cyber capacity, right direction in NSC/NCD roles
[33:22] — Top forward-looking risks: China’s “preparation of the battlefield,” need for resilience, workforce overhaul
[39:23] — AI’s promise and peril: defense/offense balance, influence operations concerns
[42:22] — Closing thoughts and concerns about U.S. cyber posture

wavePod

Powered by Wave AI

Summary

Podcast Summary

Main Theme

Key Discussion Points & Insights

1. The Solarium Commission: Origins and Purpose

2. Layered Cyber Deterrence

3. 2025 Annual Implementation Report: Troubling Trends

4. More Concerns: State Department Reorganization

5. Positive Steps by the Administration

6. Looking Forward: Major Challenges and Priorities

7. AI and the Future of Cybersecurity

Notable Quotes & Memorable Moments

Timestamps for Key Segments

Tone and Flow

Conclusion

Summary

Podcast Summary

Main Theme

Key Discussion Points & Insights

1. The Solarium Commission: Origins and Purpose

2. Layered Cyber Deterrence

3. 2025 Annual Implementation Report: Troubling Trends

4. More Concerns: State Department Reorganization

5. Positive Steps by the Administration

6. Looking Forward: Major Challenges and Priorities

7. AI and the Future of Cybersecurity

Notable Quotes & Memorable Moments

Timestamps for Key Segments

Tone and Flow

Conclusion