America’s Glaring Infrastructure Vulnerability
Protecting our most critical infrastructure on a volunteer basis is no longer acceptable.
American factories do not regulate emissions voluntarily. Our food processors do not follow safety protocols out of the goodness of their hearts. Yet that is exactly the approach we’ve taken with some of our nation’s most critical infrastructure.
For 30 years, the federal government has asked private infrastructure operators to defend themselves voluntarily against threats that now include the cyber units of hostile foreign governments. Not only is this dangerous in its own right, it leaves security decisions to a diffuse range of institutions that are ill-equipped to carry them out even if they were mandatory.
There are more than 50,000 community water systems in the United States, along with 2,000 municipal electric utilities and 6,000 hospitals. Many of these hyperlocal entities cannot afford one information technology staffer, let alone an entire cybersecurity program. These entities now find themselves on the front line against foreign cyber adversaries.
For just one example, look at the small town of Aliquippa, Pennsylvania, a community of 9,200 located 20 miles northwest of Pittsburgh. On November 25, 2023, Aliquippa became a war target. CyberAv3ngers, an organization linked to the Islamic Revolutionary Guard Corps of Iran, compromised the town’s water system by taking over the controllers that monitor and regulate water pressure. It did so because they were manufactured by the Israeli-owned company Unitronics.
The attack was mostly limited to cyber-vandalism, with the criminals posting, “you have been hacked. Every equipment ‘Made in Israel’ is CyberAv3ngers legal target.” But it revealed that these controllers, which also regulate water contaminants, can be penetrated in ways that reach far beyond simple vandalism. When adversaries breach our water systems in the future, they can expose everyday people to contaminants—or cut them off from water entirely.
The most important things for us in the physical world, including power, health care, and water, are all connected to the digital world as well. The integration of the two is both a great benefit and great risk, as digital attacks can now cause just as much destruction as physical ones.
Geopolitical conflicts have exposed the weakness of U.S. infrastructure security. Much of our water, electricity, and health care infrastructure is operated by private entities lacking both the capabilities and the incentives to prioritize security. While the big decisions are made in executive offices, the costs are paid by towns like Aliquippa. When a hospital fails to prioritize security, it doesn’t just hurt the hospital’s bottom line; it hurts patients. When a water company does the same, it doesn’t just hurt the company’s finances, it puts at risk the men, women, and children who drink, bathe, and clean using the water.
The wars of the next decade will be fought not just against American troops but also against American civilians. What bombs and missiles cannot reach, digital disruption will. Cybersecurity cannot be a line item that operators cut to protect their profit margins. The federal government must shift from the predominantly voluntary approach to cybersecurity to one that holds private owners accountable.
Defining “Critical”
The modern federal approach to critical infrastructure cybersecurity was born with the Clinton administration’s Executive Order 13010 in 1996 and Presidential Policy Directive 63 in 1998, the first of which defined critical infrastructure as that which is “so vital that [its] incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.”
These documents established the voluntary public-private partnership as the standard operating model of security. That model was expanded in 2013 with the Obama administration’s PPD-21 and EO 13636, which divided critical infrastructure into 16 sectors, the framework still in use today.
In practice, being designated critical infrastructure by the federal government provides the owners of infrastructure with three tools. The first is access to the federal Sector Risk Management Agency, the second is information sharing through the Cybersecurity and Infrastructure Security Agency, and the third consists of various forms of technical assistance. The designation does not provide any binding security requirement, any enforcement mechanism, or any positive incentive for the owner to absorb the costs of defense.
Of the 16 designated sectors, just three carry mandatory federal cybersecurity standards—bulk power systems, pipelines and surface transportation, and nuclear reactors. In each case, standards were implemented in direct response to a specific crisis: the 2003 Northeast blackout, the 2021 Colonial Pipeline attack, and post-9/11 nuclear concerns, respectively. Even within the energy sector, federal standards apply only to high-voltage bulk systems. The local distribution networks that actually deliver electricity to homes, hospitals, and water plants remain outside federal cybersecurity authority.
For the remaining sectors, including water, health care, food and agriculture, and communications, federal engagement is mostly done on a voluntary basis. Any exceptions tend to be both narrow and contested. For example, in March 2023, the Environmental Protection Agency tried to mandate cybersecurity assessments for water utilities under the 1974 Safe Drinking Water Act. The rule was challenged in court by state governments and water associations, leading the EPA to withdraw it that October—just one month before the CyberAv3ngers hacked the water system in Aliquippa. This is sadly what cyber regulation often looks like in practice: agencies reach back into ancient statutory authorities for powers they were never intended to confer, produce second- or third-best solutions, and hope the courts will let them stand.
This unproductive cycle continued even after the Aliquippa attack. The Biden administration’s National Security Memorandum 22, issued in April 2024, acknowledged that voluntary approaches have reached their limits and directed federal agencies to establish mandatory requirements. But as with other efforts, NSM-22 is not actually binding, and the federal government has continued publishing voluntary frameworks even after its issuance.
The only cross-cutting attempt at legislation, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), was passed in March 2022, but its implementation was delayed until at least May 2026. Due to shutdowns and other resource constraints, the rule is likely to be delayed further, and even when finalized it will require only that operators report incidents within 72 hours. It will not require them to do anything that could prevent the incidents from happening in the first place.
Stepping Up
If these issues were market failures or simply a coordination problem stemming from a knowledge gap among operators, then federal efforts to convene industry and provide technical assistance would likely be enough to correct the problem.
The past three decades show that the problems facing infrastructure are something different. The EPA’s 2024 Inspector General report found that 97 drinking water systems—serving more than 25 million Americans—had critical or high-risk vulnerabilities. The same report found that the EPA itself has no incident reporting system; it relies on CISA. And, per the enforcement data, more than 70% of inspected utilities are in violation of basic security practices, often using default passwords, single shared logins, and active credentials for former employees.
The health care sector is no better. A 2024 ransomware attack against a UnitedHealth subsidiary compromised the protected health information of over 190 million Americans, disrupting $6.3 billion in health care claims in just three weeks. This is not an isolated incident: according to one survey, 67% of health care organizations were hit by at least one ransomware attack in 2024, and affected facilities have seen in-hospital mortality rise 33%. Underinvestment in cybersecurity hurts both the wealth and the health of the American people.
Some threats emanate from lone cyber-criminals, but many others come from much larger and better-funded organizations. The People’s Republic of China (PRC) has been infiltrating U.S. critical infrastructure for years. A 2024 CISA advisory found that a PRC-affiliated group known as Volt Typhoon has been positioning itself in U.S. communications, energy, transportation, and water systems for years. As FBI Director Christopher Wray told the House Select Committee on the CCP, China is preparing to “wreak havoc and cause real-world harm to American citizens and communities” if and when it decides to strike.
These are all symptoms of an underlying problem—operators lack both the will and the means to secure their critical infrastructure to the level necessary to protect the national interest.
Taking Action
Poor infrastructure cybersecurity is a standard negative externality. The operator who under-invests captures the savings, but the costs of failure are paid by everyone. The 2024 attack led to UnitedHealth paying out $3 billion (against annual revenues of roughly $400 billion), but it cost the rest of the health care system more than double that amount in disrupted claims. The Aliquippa water system’s annual operating budget is a fraction of the damages the community could incur if its water supply were poisoned. In no other area of policy would this be acceptable. We are applying a naive approach to our highest-risk industries.
To rectify the problem, we should take three actions at the federal level.
First, implement mandatory minimum cybersecurity standards across all 16 sectors, ideally enforced by a central organization that can cut through duplication and conflict. Yes, regulation imposes a cost, but in this case it will not be a new cost. It is a transfer from the families and patients who currently bear it back to the operators who externalize it.
Second, increase funding to the State and Local Cybersecurity Grant Program, which provides state and local governments with money to fix critical infrastructure, and give it broader flexibility to re-allocate funds to privately owned infrastructure when needed. The fragmentation problem is one of resources, and the SLCGP provides aid to local actors who can use their insights to make improvements.
Third, Congress must act. Creative regulatory interpretation—such as the EPA’s 2023 attempt to mandate water system cybersecurity using a 1974 statute—produces ill-fitting solutions that are often struck down in court. Only Congress can authorize new requirements reflecting today’s challenges, and appropriate the funding needed to support them. In short, cybersecurity is national security, and it’s time for a policy vision that takes it seriously.