Balancing cyber innovation and regulation: Insights from RSAC 2025
Our General Partner Ted Schlein led a powerful and candid conversation on the future of tech policy at the 2025 RSA Conference last week. Ted was joined by two of the most prominent figures in cybersecurity: the former Director of the NSA and U.S. Cyber Command, General Paul Nakasone, who is a Strategic Advisor to Ballistic and an OpenAI board member, and Chris Krebs, the first director of the Cybersecurity and Infrastructure Security Agency (CISA).

The discussion tackled some of the most pressing questions facing the intersection of national security and emerging tech, particularly AI, and explored how the public and private sectors must work together to defend against cyber threats without stifling innovation.
Regulating the Chinese threat
Chris opened with a sobering truth: cybersecurity is not about winning or losing – it’s an ongoing battle. Gen. Nakasone echoed the sentiment, emphasizing the need for persistence in the face of evolving threats. “The environment is dynamic right now,” said the General, especially when it comes to adversaries like China. We have to “stay persistent with our adversaries,” he went on, noting that this requires both defensive and offensive capabilities.
Chris pointed to threats like Volt Typhoon, Salt Typhoon, and Flax Typhoon, China-linked campaigns aimed at cyber espionage and at gaining footholds in critical infrastructure. The real concern, he said, is that such access could be used to support kinetic action. In a conflict, he stressed, they’ll hit us here first to cause chaos and take us out of the fight – including attacks on everything from local water to municipal power systems. Regulatory action is needed, he emphasized, but he advised that it “requires implementation.” Passing a rule or regulation will not be enough; it must also be put into practice through specific actions, systems, and enforcement mechanisms.
Enforcing a Hygiene Act for better defense
Ted raised the idea of a “Hygiene Act” – a safe-harbor policy under which companies that meet defined security baselines would be shielded from litigation and enforcement actions, such as those brought by the SEC. The response? It depends on synchronization across sectors. However, “all sectors aren’t created equal,” noted Chris. “Financial services are way ahead, but it’s not like that across the board. Healthcare is getting crushed.”
The panelists agreed that we can’t just throw money at the problem without explaining what to do with it. The General added, “This is an opportunity for all of us to look at our resiliency,” ensuring organizations have a plan for who will take care of what when it comes to breaches and attacks.
Public-private partnerships to play defense and offense
The conversation turned to 2018, when the U.S. dramatically changed its cyber defense posture during the midterm elections. The General, who was leading the NSA and U.S. Cyber Command at the time, described it as a shift driven by the need to protect democracy and to involve the private sector through data-sharing.
Could that effort be “put on steroids” today, Ted asked? Both experts said yes – with the caveat that we must act with persistence. “We have to prioritize adversaries,” said the General. “Let them know their behavior won’t be tolerated. We’ll hunt to find and expose you… and if necessary, we’ll take action against you.”
Chris cautioned against involving the private sector in offensive cyber operations, particularly given the global implications. “What if the actor is sitting in Germany, for example, an ally? That puts our partners more at risk… Everything going forward is more complex.”
AI: Opportunity and urgency
When the conversation turned to AI, the panelists agreed on the importance of the U.S. leading the world in AI advancements – but also stressed the need to move both quickly and thoughtfully.
Innovation is critical, but implementation matters, too, advised the General, noting the importance of chips, data, and talent. Chris framed the Biden Administration’s Executive Order on AI as a step in the right direction – not overly restrictive, but a place to start. He added there’s a need to “figure out the harms we want to avoid, then put guardrails in place there.”
Software vendor liability, cloud, and a call for policy
The panel didn’t shy away from controversial issues. Ted asked: Should software vendors be held liable for security flaws? “We need to have oversight,” said the General, adding that “so much of our software is part of our national security.” Chris noted that the status quo – where software is sold with few consequences – must evolve. “We need to pivot to something more defensible,” he said.
As for cloud computing, the group agreed that hyperscale providers are becoming more like utilities. “So should they be regulated?” Ted asked. “It begins with transparency,” said the General. “Mistakes shouldn’t be hidden.”
Chris emphasized that harmonizing tech policy across regions isn’t realistic. He pointed to TikTok as an example, noting that the version used in China runs on a completely different tech stack from the version used in the U.S. We’re using the same internet, but the rules and the stakes are different.
Final takeaways
In closing, Ted asked what policies are most needed going forward. The General pointed to the importance of an industrial policy around AI, likening the challenge to the early days of the space race. He emphasized the importance of aligning government, academia, and industry. “This is more difficult than our early space policy to safely put a man on the moon.” Chris urged the cybersecurity community to stay engaged, especially when it comes to the federal government. He pointed out the need for more threat hunters, red teamers, and people doing the basics. Ted wrapped the conversation with a call to action: “Cybersecurity is national security. It’s all interlinked – and it requires great leadership.”
At Ballistic, we believe real progress in cybersecurity policy happens when leaders from across the ecosystem – government, startups, enterprises – come together with urgency and clarity. This panel underscored that protecting innovation doesn’t mean slowing it down. It means getting smarter, faster, and more united in the face of increasingly complex threats. The future of tech policy isn’t just about balancing innovation, security, and regulation – it’s about synchronizing them.