Report: Offense Is the New Defense in National Cyber Strategies

Summary

Oct. 9, 2025 – NCC Group has published the fourth edition of its Global Cyber Policy Radar, offering fresh insights into the fast-evolving landscape of cyber security regulation and government policy worldwide. 
 
As geopolitical tensions reshape the digital domain, Edition 4 of the Radar provides a strategic overview of the cyber laws and regulatory trends that will define the next phase of global cyber governance. From the rise of offensive cyber capabilities; to the tightening of supply chain oversight; and the transition to post-quantum cryptography; the report equips business leaders with the foresight needed to navigate regulatory complexity and build future-proof cyber programs. 
 
The latest edition also highlights the growing role of cyber security as an enabler of economic growth, with governments investing over $6 billion in cyber defenses while placing increasing responsibility on the private sector to secure their own digital environments. Putting this investment into context, the $6 billion in committed government spending on cyber security is equivalent to: 62 F35C fighter jets; or 630 M1 Abrams tanks; or 1,670 MQ-1 Predator drones. 
 
As policymakers look towards the challenges of post-quantum cryptography (PQC), the report includes a spotlight interview with Microsoft Director for Cybersecurity Policy, Kevin Reifsteck and NCC Group Practice Director for Cryptography Services, Javed Samuel, exploring the key highlights from government action and how organizations should prepare for PQC. 
 
Kat Sommer, associate director of Government Affairs at NCC Group commented: “Cyber rules are no longer just a compliance issue, they’re a strategic imperative. This edition of the Radar helps organizations understand not just what’s coming, but what it means for their business, and how to respond in a way that builds resilience and competitive advantage.” 
 
“Cyber security programs must adapt to a new era of geopolitics. Across governments worldwide, national security, sovereignty and interventionism are dominating cyber policy and regulatory agendas. Investment in offensive cyber capabilities is on the up, while government-mandated rules and regulations are increasingly likely to affect organizations at multiple touchpoints.” 
 
“The impact on business leaders overseeing cyber security programs is significant. Reactive rule-by-rule compliance will no longer suffice. Cyber governance must be long-term, global and account for – and be flexible to–governments’ fast-moving and shifting priorities.” 
 
And Verona Johnstone-Hulse, government affairs lead at NCC Group said: “2025 has been a year of unprecedented turbulence in the cyber landscape, with governments and organizations across all sectors facing increasingly sophisticated attacks. Major supply chain attacks have caused months-long disruptions, highlighting how intertwined cyber security is with economic and national security. Governments are now reevaluating their role in protecting organizations from attacks, mitigating damage and strengthening their own defense capabilities.
 
“Amid an unpredictable geopolitical environment, we are continuing to see a pivot away from globalization. Heightened concerns over foreign influence in critical infrastructure, data and technologies are driving a renewed emphasis on the reshoring of essential supply chains–particularly in areas like AI. Governments are also making moves to enhance the security of key supply chains–both through enhanced regulations and strengthened procurement rules. Businesses need to understand what new protocols and due diligence are required to satisfy evolving sovereignty requirements.
 
“On a national level, cyber security no longer just plays a defensive role. Governments are investing in offensive capabilities to deter attacks and protect critical infrastructure, such as President Trump's commitment to invest $1billion in offensive cyber operations. This increased focus is also driving debate about the role of the private sector. In the future, operators of critical infrastructure could be expected to implement proactive measures, such as honeypots and other active cyber defense initiatives, to strengthen overall resilience.”

Key themes explored in Edition 4 include: 

• The shift from reactive compliance to strategic cyber governance 
• The implications of ransomware payment bans and incident reporting mandates 
• The global race to secure supply chains and critical infrastructure 
• The urgency of preparing for PCQ transitions, expert insight from Microsoft  

The report draws on NCC Group’s work as a trusted advisor to governments and regulators, offering expert analysis and actionable guidance for CISOs, legal teams and policy professionals.