3,205 data breaches in 2023. 500,000+ unfilled cybersecurity jobs. Colonial Pipeline shut fuel to 17 states. Change Healthcare disrupted one-third of US claims processing. The nation's digital infrastructure is undefended.
We're a policy platform with 50 researched positions on every major issue. This page breaks down our cybersecurity plan — but there's much more to explore.
The United States experienced 3,205 data breaches in 2023, exposing over 353 million records. Ransomware attacks increased 95% year-over-year. The nation's critical infrastructure — power grids, water systems, hospitals, financial networks, election systems — is defended by a patchwork of voluntary guidelines, understaffed agencies, and outdated software.
Colonial Pipeline (2021): A single ransomware attack on Colonial Pipeline shut down fuel delivery to 17 states along the US East Coast. Gas stations ran dry. Airlines rerouted flights. Panic buying caused price spikes across the Southeast. The attack exploited a single compromised password on a legacy VPN account that lacked multi-factor authentication — a basic security measure. Colonial Pipeline paid a $4.4 million ransom to restore operations.
Change Healthcare (2024): A ransomware attack on Change Healthcare — which processes approximately one-third of all US healthcare claims — disrupted billing for hospitals, pharmacies, and clinics nationwide for weeks. Patients couldn't fill prescriptions. Small medical practices faced closure from cash flow crises. UnitedHealth Group paid a $22 million ransom. The attack demonstrated the catastrophic risk of concentrating critical infrastructure in a single company.
SolarWinds (2020): Russian state hackers compromised SolarWinds' software update mechanism, distributing malware to over 18,000 organizations including the US Treasury, Department of Homeland Security, and Department of Commerce. The breach went undetected for nine months, giving attackers persistent access to the most sensitive networks in the federal government.
These are not isolated incidents. They are symptoms of a systemic failure. Water treatment plants in Oldsmar, Florida were hacked in 2021 with an attempt to poison the water supply. Hospital systems have been shut down by ransomware mid-surgery. Election infrastructure remains inconsistently protected across 3,000+ counties. The question is not whether the next major attack will happen — it's whether the country will be ready.
The United States has over 500,000 unfilled cybersecurity positions. The global gap exceeds 3.4 million. Every hospital, power plant, water system, and government agency that lacks a cybersecurity team is an open target — and the pipeline to fill those roles is broken at every stage.
Education pipeline: Fewer than 5% of US universities offer dedicated cybersecurity degree programs. Computer science programs often treat security as an elective rather than a core requirement. Community colleges and trade schools — which could rapidly train cybersecurity technicians — are underfunded and lack updated curricula. The result is a graduation rate that cannot keep pace with demand.
Certification barriers: The industry's reliance on expensive certifications (CISSP, CEH, CompTIA Security+) creates barriers for career changers and people without four-year degrees. Many certifications cost thousands of dollars and require years of prior experience — creating a chicken-and-egg problem that locks out talent.
Pay competition with private sector: Government agencies — which defend the most critical infrastructure — cannot compete with private sector salaries. A senior cybersecurity engineer at a major tech company earns $200,000-$400,000. The same role in the federal government pays $120,000-$180,000. The people who should be defending power grids and election systems are instead securing advertising platforms and social media apps.
Security clearance bottleneck: Federal cybersecurity roles often require security clearances that take 6-18 months to process. Candidates accept private sector jobs while waiting. The clearance backlog — which has exceeded 600,000 cases — effectively bars qualified professionals from government service.
The Common Good plan addresses each of these failures with specific, funded solutions. See the full cybersecurity issue page for details.
The Common Good plan treats cybersecurity as a national security priority — not a compliance checkbox. It combines mandatory standards for critical infrastructure with a workforce pipeline, supply chain security, and international cooperation to defend the nation's digital systems.
The plan is built on eight core provisions, each targeting a specific vulnerability in the current system.
For the complete plan with legislative detail, cost projections, and sourcing, see the full cybersecurity issue page.
The United States has the largest digital economy in the world — and some of the weakest mandatory protections for critical infrastructure. While other nations have built comprehensive cybersecurity strategies with mandatory standards, the US continues to rely heavily on voluntary frameworks.
| Country | Workforce Gap | Infra Standards | National Strategy | Breach Notification | Election Security |
|---|---|---|---|---|---|
| United States | 500,000+ | Mostly voluntary | Fragmented | State-by-state | Inconsistent |
| Israel | Low | Mandatory | Centralized (Unit 8200) | Mandatory | Mandatory |
| Estonia | Minimal | Mandatory (EU NIS2) | Centralized (e-governance) | Mandatory (72 hr) | Digital + audited |
| United Kingdom | ~50,000 | Mandatory (NIS) | Centralized (NCSC) | Mandatory (72 hr) | Paper-based |
| Australia | ~30,000 | Mandatory (SOCI Act) | Centralized (ASD) | Mandatory | Paper-based |
| Singapore | Low | Mandatory | Centralized (CSA) | Mandatory (72 hr) | Paper-based |
The contrast is stark. Every peer nation on this list has mandatory cybersecurity standards for critical infrastructure, centralized national cybersecurity agencies, and mandatory breach notification laws. The United States — with the most to lose — relies on voluntary compliance and a patchwork of state-level regulations. Estonia, a country of 1.3 million people, has a more coherent national cybersecurity strategy than the United States.
Sources: Global Cybersecurity Index (ITU), ENISA, CISA, national cyber agencies. See the full issue page for complete sourcing.
This is not a hypothetical. Every scenario described here has already happened — either in the United States or in allied nations. The question is not "could it happen?" but "what happens when it happens at scale?"
Colonial Pipeline proved the fuel system is fragile. A single ransomware attack shut fuel to 17 states. Now imagine a coordinated attack on multiple pipeline operators simultaneously — or an attack during a natural disaster when fuel is already scarce. The US has no strategic fuel reserve designed for cyber-induced disruptions. The Colonial Pipeline attack lasted six days. A coordinated attack could last weeks.
Change Healthcare proved the health system is fragile. One company's breach disrupted prescription fulfillment and medical billing for a third of the country. Hospitals operated on paper. Small practices nearly went bankrupt. Patients went without medications. This was a single point of failure — and the healthcare system has dozens more.
Ukraine's power grid attacks showed what state-sponsored cyber warfare looks like. In 2015 and 2016, Russian hackers shut down power to hundreds of thousands of Ukrainians in the dead of winter. The attacks were sophisticated, patient, and designed for maximum disruption. US intelligence agencies have confirmed that similar malware — including a family called PIPEDREAM — has been found pre-positioned in American power grid systems, waiting to be activated.
Cascading failures are the real danger. Modern infrastructure is interconnected. A power grid failure takes out water treatment plants. Hospital backup generators run for hours, not days. Communication networks go down. Financial systems cannot process transactions. The US government's own simulations — including the CISA "Cyber Storm" exercises — have consistently revealed that the country is not prepared for a coordinated, multi-sector cyberattack. The Common Good plan treats this as the national security emergency it is.
Cybersecurity is often treated as a niche technology issue rather than the national security crisis it actually is. These four myths help explain why the United States remains so dangerously underprepared.
Myth: "Cybersecurity is just a tech problem."
Reality: Cybersecurity is a national security problem, a public health problem, an economic problem, and a democracy problem. When a hospital is ransomed and cannot access patient records, people die. When a pipeline is shut down, the economy shudders. When election infrastructure is compromised, democracy is at risk. Treating cybersecurity as "IT's problem" is like treating national defense as "the army's problem" — it requires whole-of-government and whole-of-society engagement.
Myth: "Small targets are safe — hackers go after big companies."
Reality: Over 43% of cyberattacks target small businesses. Small and medium businesses are preferred targets because they typically have weaker defenses, less monitoring, and are more likely to pay ransoms quickly. Sixty percent of small businesses that suffer a significant cyberattack go out of business within six months. Small town water systems, rural hospitals, and local election offices are among the most vulnerable — and least protected — targets in America.
Myth: "The government can handle cybersecurity on its own."
Reality: Approximately 85% of US critical infrastructure is privately owned. The government cannot defend what it does not control. Effective cybersecurity requires public-private partnership — mandatory minimum standards for private operators of critical infrastructure, threat intelligence sharing between government and industry, and coordinated incident response. The current voluntary approach has produced Colonial Pipeline, Change Healthcare, and SolarWinds. Voluntarism has failed.
Myth: "We just need better passwords."
Reality: Passwords are the weakest link in security, which is exactly why modern cybersecurity doesn't rely on them alone. Multi-factor authentication, zero-trust architecture, endpoint detection, network segmentation, and continuous monitoring are the baseline for serious security. Colonial Pipeline was breached through a single password on a legacy VPN. Better passwords wouldn't have helped — multi-factor authentication would have. The Common Good plan mandates MFA for all critical infrastructure systems and government networks.
500,000 cybersecurity jobs sit empty. Critical infrastructure runs on voluntary guidelines. The next Colonial Pipeline is a matter of when, not if. Read the plan to defend America's digital future.