Cybersecurity — Defending the Digital Infrastructure
3,205 data breaches in 2023. 500,000+ unfilled cybersecurity jobs. Colonial Pipeline shut fuel to 17 states. Change Healthcare disrupted 1/3 of US claims. The nation's digital infrastructure is undefended.
The two-minute version.
US cybersecurity policy is fragmented across dozens of federal agencies with no unified mandatory standards for critical infrastructure. Breach notification laws vary by state — there is no federal standard. CISA exists but is underfunded and lacks enforcement authority over private sector infrastructure. The result: 3,205 data breaches in 2023, the Colonial Pipeline attack that shut down fuel to 17 states, and the Change Healthcare breach that disrupted one-third of US healthcare claims.
National Cybersecurity Strategy with mandatory minimum standards for critical infrastructure. Federal breach notification within 72 hours. CISA fully funded as the lead civilian agency. Election security with paper ballot backups. Federal ban on government ransom payments. 500,000-job workforce pipeline. Supply chain security for critical infrastructure.
Critical infrastructure gets mandatory security standards. Breach notification is fast, consistent, and federal. CISA leads a coordinated national defense. Elections are secured with paper backups. The ransomware business model is disrupted. Half a million cybersecurity jobs are filled. Supply chains are secured against adversary infiltration.
The United States faces escalating cyber threats from nation-state actors — China (Volt Typhoon, Salt Typhoon), Russia (SolarWinds, Colonial Pipeline), North Korea (cryptocurrency theft funding weapons programs), and Iran (critical infrastructure probes) — as well as ransomware criminal enterprises that generate billions in illicit revenue annually. These threats target energy grids, water systems, hospitals, financial networks, election infrastructure, and the defense industrial base.
Current federal cybersecurity authority is fragmented across CISA, NSA, FBI, DOD Cyber Command, SEC, HHS, DOE, EPA, and dozens of sector-specific agencies. There is no single federal standard for critical infrastructure cybersecurity — only voluntary frameworks (NIST CSF) and sector-specific regulations that vary wildly in rigor. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022) mandated reporting rules, but CISA's final rule is still being implemented. Meanwhile, 50 states have 50 different breach notification laws with different timelines, definitions, and requirements.
The Colonial Pipeline attack (May 2021) shut down the largest fuel pipeline on the East Coast, affecting 17 states and causing panic buying. The company paid a $4.4 million ransom. The Change Healthcare attack (February 2024) disrupted claims processing for approximately one-third of all US healthcare transactions, affecting pharmacies, hospitals, and patients nationwide. The SolarWinds attack (2020) compromised nine federal agencies and over 100 private companies through a supply chain breach that went undetected for months.
The cybersecurity workforce gap is a national security crisis in its own right. Over 500,000 cybersecurity positions are unfilled in the United States. Federal agencies compete with the private sector for talent and routinely lose. The pipeline from education to cybersecurity careers is inadequate — community college programs are underfunded, scholarship-for-service programs are undersized, and diversity in the cybersecurity workforce lags far behind the broader tech sector.
How the US compares.
What Americans face vs. what peer nations achieve.
| Measure | US | Peer Nation |
|---|---|---|
| Data breaches (2023) | 3,205 | Record high (ITRC Annual Data Breach Report) |
| Average data breach cost | $4.45M | Per incident (IBM Cost of a Data Breach Report 2023) |
| Unfilled cybersecurity jobs | 500K+ | Critical shortage (CyberSeek / NIST workforce data) |
| Breach notification standards | 50 state laws | No federal standard (Patchwork of inconsistent timelines and definitions) |
"Cybersecurity is national security. Every hospital locked out by ransomware, every water system probed by a foreign adversary, every election database targeted by a state actor is an attack on the American people. We will defend the digital infrastructure the same way we defend the physical one — with standards, investment, and consequences."
— The Common Good Party — Cybersecurity Policy
What the CGP plan actually does
For critical infrastructure operators, mandatory standards with federal compliance assistance replace the current patchwork of voluntary frameworks that leave the most vulnerable systems — small water utilities, rural hospitals, municipal governments — completely unprotected. Israel's National Cyber Directorate model demonstrates that centralized authority with public-private partnership produces both stronger security and a thriving cybersecurity industry.
For businesses and consumers, a single federal breach notification standard within 72 hours replaces 50 inconsistent state laws. Companies know exactly what they must do. Consumers learn about breaches quickly enough to take protective action. The EU's NIS2 Directive and Australia's Critical Infrastructure Act prove that mandatory notification is workable and improves both corporate behavior and consumer protection.
For national security, empowering CISA as the lead civilian agency — with real funding, real authority, and competitive salaries — creates a unified defense posture instead of the current fragmented response across dozens of agencies. When the next SolarWinds or Colonial Pipeline happens, there is one agency in charge, one set of standards, and one response protocol. Estonia rebuilt its entire digital government after the 2007 Russian cyberattacks — with a population of 1.3 million. The United States can do this at scale.
For the workforce, filling 500,000 cybersecurity positions is both a national security imperative and an economic opportunity. Federal scholarship-for-service programs, community college cybersecurity tracks, and diversity pipeline initiatives create well-paying career paths in every state. Cybersecurity jobs pay a median of $120,000 — these are middle-class careers that do not require a four-year degree for many entry-level positions.
What changes under the CGP plan
"Every hospital locked out by ransomware is a patient who cannot get care. Every water system breached is a community at risk. Every election database targeted is democracy under attack. Cybersecurity is not an IT problem. It is a national security imperative."
— CGP Cybersecurity Policy — §Executive Summary
The homework other parties skip. We did it.
Sourced, cited, costed, and written to a standard that could walk into a legislative office tomorrow. 811 words across 8 pillars.