Critical infrastructure refers to assets, systems, and networks essential for maintaining everyday life, including electrical grids, communication networks, water treatment facilities, healthcare systems, and transportation networks. These systems remain dangerously unprotected in the United States because of a fragmented regulatory landscape. When adversaries can damage, disable, or steal sensitive information from these decentralized systems, they gain immense power and directly affect real lives. To address these vulnerabilities, Congress should enact standardized federal legislation that transforms voluntary cybersecurity guidelines into enforceable requirements, mandates regular security testing, and establishes comprehensive workforce training programs across all critical infrastructure sectors.
The consequences of cyberattacks extend far beyond financial losses, as they threaten public safety and national security. In 2024, approximately 70% of all cyberattacks targeted critical infrastructure sectors. When Colonial Pipeline suffered a ransomware attack in 2021, it forced the shutdown of 5,500 miles of pipeline that supplies 45% of the East Coast’s fuel. The attack caused panic buying, price surges, flight cancellations, and delays in transporting essential medical supplies. Countless incidents like this demonstrate the devastating ripple effects that one vulnerability can have.
Attacks targeting medical services pose an even more direct danger to human life. In 2024, 72% of U.S. healthcare organizations experienced a cyberattack that impacted patient care. Ransomware attacks against hospitals, which have increased by 300% since 2015, force IT systems offline and prevent access to electronic health records and medication systems. In a study of hospitalized Medicare patients between 2016 and 2021, mortality rates increased by approximately 33% during an attack, resulting in 42-67 deaths. Until these critical systems are properly secured, cyberattacks will continue to injure and kill.
Water infrastructure faces similar threats. In February 2021, hackers infiltrated a Florida water treatment facility and attempted to increase sodium hydroxide levels from 100 parts per million to 11,100 parts per million, which would have poisoned the drinking water supply and caused severe harm to residents if consumed. These incidents demonstrate that critical infrastructure cyberattacks are not merely technical problems but direct threats to human life and public safety.
While infrastructure remains vulnerable to targeted attacks, the Cybersecurity and Infrastructure Security Agency (CISA) claims over 85% of these attacks are preventable. Many flaws stem from simple configuration issues, such as the use of outdated components, with 95% of websites running outdated software. Despite abundant best-practice guidelines from agencies like CISA and the National Institute of Standards and Technology (NIST), the overlap among guidelines and the lack of enforceable standards leave adoption inconsistent and incomplete across sectors. Understanding how this regulatory fragmentation developed reveals why voluntary compliance has failed and what must change.
Policy Background
The legal framework governing critical infrastructure cybersecurity suffers from contradictory mandates and inconsistent enforcement mechanisms across sectors. Enforceable standards would establish clear, legally binding requirements with consequences for non-compliance, replacing the current patchwork of voluntary guidelines that organizations can ignore without penalty. Such standards would mandate specific security practices, require regular audits, and impose financial penalties or operational restrictions for violations, ensuring consistent protection across all critical infrastructure regardless of sector or organizational size.
Policymakers initially preferred voluntary frameworks to preserve industry flexibility, avoid stifling innovation with prescriptive rules, and respect the boundary between federal authority and private-sector decision-making. While these concerns have merit, they assume that market forces incentivize investments in cybersecurity. However, when cyberattacks can disable electric grids affecting millions or compromise healthcare systems endangering lives, the consequences extend far beyond individual organizations to threaten national security and public safety, creating outcomes too severe to leave unregulated.
Currently, cybersecurity rules are scattered across different agencies and industries with no unified standard. For example, the North American Electric Reliability Corporation publishes cybersecurity rules that only apply to large electric providers, leaving smaller energy companies unregulated. This means a hacker could target a smaller utility service that falls outside these rules, potentially disrupting power for thousands of customers.
However, Congress has attempted to address coordination gaps with CISA. The Cybersecurity and Infrastructure Security Agency Act of 2018 established the agency to serve as the national coordinator for defending American technology. Following the agency’s guidance is largely voluntary for non-federal entities, making requirements unenforceable for most private companies and state agencies. The voluntary nature of CISA’s framework means that even organizations recognizing the value of these standards face no consequences for choosing not to implement them, particularly when cybersecurity investments compete with other business priorities.
Following the catastrophic Colonial Pipeline hack in 2021, Congress enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires that cybersecurity incidents and ransomware payments be reported to CISA so the agency can respond promptly. In addition, Congress recently cut CISA’s funding by $135 million for the next fiscal year, further undermining its ability to face current threats while increasing its responsibilities. Furthermore, various agencies still follow their own internal guidance rather than CISA’s, creating conflicts between requirements and inconsistency in standards across different sectors.
This fragmentation has consequences for productivity. A 2020 Government Accountability Office (GAO) testimony found that four federal agencies established conflicting cybersecurity requirements for states on password policies. Between 49% and 79% of these requirements contained conflicting parameters, and more than half of the state government employees surveyed reported that reconciling these differences led to a large increase in the time required to comply. When the GAO asked 14 agencies about information sharing on cybersecurity challenges, all responded that they had not fully resolved this problem. Decentralized requirements lead to wasteful spending, whereas streamlined regulations would allow for a clear-cut pathway to increased security and information sharing.
Understanding the threats facing American infrastructure does not require technical expertise. The core problem is simple: foreign governments and criminal groups are actively trying to breach the computer systems that run our power plants, hospitals, and water treatment facilities, and too often, they succeed.
Some argue that no regulation can fully protect against determined foreign government hackers and that mandating specific security practices may become outdated as attack methods evolve. While sophisticated attackers will always discover new vulnerabilities, research shows that most successful breaches exploit well-known, preventable flaws rather than novel techniques. Addressing these weaknesses through enforceable standards would eliminate the readily exploitable vulnerabilities that currently enable both sophisticated and unsophisticated attackers to compromise critical systems.
Every day there’s a new report of a company, government agency, or major organization suffering from a cyberattack, each a damaging and costly crisis. A data breach in the United States costs $9.36 million on average, and cyberattacks cost the global economy $10.5 trillion per year. Making matters worse, organizations take an average of 258 days to even realize they have been hacked, giving attackers months to steal data or cause damage before anyone notices. These extended detection periods increase the operational and financial damage that organizations suffer.
Enforceable standards are urgent given that foreign governments have systematically investigated and exploited weaknesses in American critical infrastructure. Testifying before Congress, FBI Director Christopher Wray warned that China’s hackers are positioning themselves inside American infrastructure systems, waiting for the right moment to cause harm to American citizens. Chinese government-backed hackers have already assessed our electrical grid for weaknesses and breached the Department of the Treasury. Russian hackers have demonstrated similar capabilities, interfering in the 2016 presidential election and compromising thousands of organizations through the 2020 SolarWinds attack. Collectively, America faces skilled, well-funded adversaries whose full potential for disruption has not yet been realized.
The biggest security weakness in any organization is not its computers; it is its people. According to Yale, deception-based attacks account for 98% of successful cyberattacks, highlighting the risk that trickery poses to unsuspecting employees. These attacks typically involve fake emails designed to lure employees into clicking on malicious links or revealing passwords. Last year, 94% of businesses reported receiving these deceptive emails, with the majority feeling negative effects. Around 75% of these attacks began with a deceptive email, and about 2.7% of employees unknowingly fell for them. That may sound small, but with over 1 million such attacks in just the last quarter of last year, an increase of 100,000 from the previous quarter, even a small success rate translates to thousands of breaches.
The rise of artificial intelligence has made these deceptive emails even more convincing, increasing the likelihood that employees unknowingly hand over sensitive information or compromise system security. This demonstrates that cybersecurity is not just about building better computer defenses. It requires training people to recognize and avoid threats, emphasizing the need for a comprehensive plan that addresses both system design and workplace training.
Proposal
To address inconsistencies across industries and enhance the protection of critical infrastructure vital to national security, Congress should enact new standardized federal legislation with four core components.
Currently, many organizations treat cybersecurity as an afterthought, only adding protections after a system is already built or, in some cases, neglecting them entirely. Congress should require critical infrastructure operators to consider security from the very beginning of any project, identifying potential weaknesses during design rather than trying to patch them later.
Organizations should be required to hire independent experts to test their defenses at least once per year by attempting to break in, just as a real attacker would. Currently, 18% of companies do not conduct these penetration tests, leaving vulnerabilities undiscovered until attackers find them first. Following a security audit, results would require executive acknowledgement and a documented plan to address identified weaknesses.
The federal government should turn CISA’s cybersecurity recommendations from voluntary suggestions into legal requirements, standardizing compliance across the public and private sectors. This would establish a clear set of rules for all critical infrastructure, replacing the current patchwork system where different industries follow different standards, or none at all. Additionally, it would expand resource sharing for collective national defense and improve programs such as the Joint Cyber Defense Collaborative and the Joint Ransomware Task Force.
Organizations must train all employees to recognize and avoid cyberattacks. According to the World Economic Forum, only 14% of organizations feel confident that their staff can handle cybersecurity threats. Many academic institutions do not require Computer Science students to take cybersecurity classes before graduation, and CISA argues that software developers should be considered part of the cybersecurity defense force. Additionally, most Americans lack basic knowledge of how to spot fake emails or understand online security. Training programs would require quarterly refresher courses to cover emerging threats, simulated deceptive email exercises with individualized feedback, and role-specific modules to address unique security responsibilities across different organizational levels.
Implementation and Feasibility
The practical implementation is demonstrably feasible given existing technical capacity and regulatory infrastructure. The proposed standards leverage proven frameworks already freely available through governmental and private sources, and the cybersecurity services industry’s 14.4% compound annual growth rate demonstrates capacity to support widespread testing requirements. Additionally, 78% of large operators already implementing robust programs agree that cybersecurity and privacy regulations are effective in reducing risk.
Implementation would occur in phases, targeting energy, healthcare, and financial services first before extending to all critical infrastructure over three years, with financial penalties and operational restrictions scaled to organizational size. While mandatory standards raise concerns about economic burden, compliance costs are modest compared to the risks of inaction: security testing ranges from $5,000 to $50,000 annually and employee training costs $10-$72 per person per year, expenses that pale in comparison to the average $4.44 million data breach cost.
The voluntary approach to critical infrastructure cybersecurity has failed. Foreign adversaries continue to exploit the fragmented regulatory landscape, and preventable attacks keep happening because organizations face no consequences for ignoring best practices.
Congress must establish mandatory federal cybersecurity standards that apply across all critical infrastructure sectors. This means codifying CISA guidance into enforceable law, requiring regular independent security testing, mandating secure-by-design development practices, and ensuring comprehensive workforce training. These measures would replace the current patchwork system with clear, consistent requirements and real accountability for non-compliance. The frameworks already exist, the industry capacity is there, and the cost of action is far less than the cost of continued inaction.