Internet Security Alliance (https://isalliance.org)

Iran Cyber Threat Demands Reform of Counterproductive Cyber Regulations
https://isalliance.org/iran-cyber-threat-demands-reform-of-counterproductive-cyber-regulations/ | Tue, 03 Mar 2026 14:49:15 +0000

While it is evident that the United States military is far more formidable than Iran’s, and that the Department of Defense possesses significantly more sophisticated cyber capabilities, that disparity does not extend to the cyber defenses of privately owned U.S. critical infrastructure when compared to nation-state attack methods — including those of Iran.

In fact, cyber operations may represent one of the few domains in which Iran could perceive relative parity — or potentially even advantage — against privately held U.S. infrastructure. As documented in the series of reports ISA published last month, virtually every privately owned critical infrastructure sector has already been compromised by nation-state cyberattacks. Iran specifically has a long history of using cyber means to attack US critical infrastructure.

In the face of an enhanced threat environment, US critical infrastructure remains hampered by an uncoordinated regulatory system that diverts vast amounts of scarce cybersecurity resources.  Numerous studies have repeatedly documented that, depending on which sector is analyzed, 40-80% of scarce cybersecurity resources are being occupied by redundant regulatory mandates.

The fact that the existing regulatory structure undermines effective cybersecurity is no longer a matter of serious debate.  Streamlining the cyber regulatory structure was Objective 1.1 in the Biden Administration’s National Cybersecurity Strategy.

Last spring, the Chairs of both the House Homeland Security Committee and the Oversight and Government Reform Committee wrote to OMB, instructing them to “act now” to eliminate duplicative cybersecurity regulations, concluding that “eliminating the duplicative framework of cybersecurity regulations is the fastest and most cost-effective way to materially improve our nation’s security.”

The real beauty of this reform is that it can be accomplished almost immediately.  The Congressional letter cited above details explicitly that OMB has the authority to eliminate the duplicative structure of cyber regulations. Whereas in previous years it took an elongated process for lawyers in various agencies to debate which regulations are duplicative, we now have technology (actually multiple technologies) that can empirically and quickly identify where regulations – even across agencies – are duplicative, and OMB can establish a date certain to create a non-duplicative core regulation.

The blessing of speed is critical in a time of war.  Although the initial strikes on Iran have no doubt disrupted their ability to respond kinetically against the US, Iran has a long history of using cyber means against the most vulnerable targets – privately owned critical infrastructure.

Because the US maintains overwhelming conventional military superiority, cyber operations offer Iran a comparatively low-cost, high impact means of retaliation. Cyber operations allow Iran to impose disruption without triggering conventional escalation thresholds. U.S. interagency guidance has explicitly warned that Iranian-affiliated cyber actors may target U.S. critical infrastructure and other vulnerable U.S. networks (Cybersecurity and Infrastructure Security Agency [CISA] et al., 2025).

The Department of Homeland Security (DHS) issued a National Terrorism Advisory System (NTAS) Bulletin on June 22, 2025, stating that low-level cyberattacks by pro-Iranian hacktivists are likely and that Iranian government-affiliated actors may conduct attacks against U.S. networks (Department of Homeland Security [DHS], 2025). This bulletin places Iranian cyber activity within a broader retaliatory and geopolitical context.

The bulletin contained a joint CISA, FBI, NSA, and DC3 fact sheet warning of potential targeted cyber activity against U.S. critical infrastructure (CISA et al., 2025). The agencies documented that Iranian-affiliated actors routinely target poorly secured, internet-connected systems and commonly exploit:

The same advisory documents a campaign (November 2023–January 2024) in which IRGC-affiliated cyber actors targeted and compromised internet-connected programmable logic controllers (PLCs) and human-machine interfaces (HMIs), including victims within the United States (CISA et al., 2025). The advisory states that the actors exploited publicly accessible ICS devices using factory-default passwords or no passwords at all.

This is particularly significant because U.S. critical infrastructure is predominantly privately owned and frequently includes legacy or lightly managed OT systems. The documented exploitation pathway—public internet exposure plus default credentials—requires relatively modest technical sophistication compared to advanced zero-day exploitation.

These are just some of the attack methods Iran has already used against US critical infrastructure – and that was before we went to war against them.

We have endured massive losses in the trillions of dollars from cyber attacks while we hamstrung ourselves with an ill-conceived regulatory structure.  Now that we are at war with a cyber-sophisticated, extremely dangerous and desperate foe, we need to finally allow our cyber defenses to operate efficiently and effectively by simply eliminating the duplications.
A VIRTUAL CYBER ACADEMY: A GREAT FIT FOR THE NEW NATIONAL CYBER STRATEGY
https://isalliance.org/a-virtual-cyber-academy/ | Fri, 06 Feb 2026 17:00:32 +0000

The White House Director for Cybersecurity, Sean Cairncross, has already signaled that the upcoming new national strategy for cybersecurity will have workforce development as one of its key components.  The Director has also indicated that the White House will look for input from the private sector as to how to implement the new plan.

For several years, the Internet Security Alliance has been promoting the virtues of creating a national virtual cybersecurity academy to address the ever-evolving workforce security needs we confront in the digital age.  Now is the time to push the start button on this idea.

The virtual academy, which builds on several existing and successful models, has multiple advantages, including:

  • Addresses the scale of the cyber workforce problem
  • Institutionalizes planning and foresight into the evolving workforce issue
  • Provides economic incentives to address these ongoing problems
  • Is cost-effective

SCALE

The essence of the academy model is that, just as with the traditional service academies, the government would provide free tuition for those who enlist in the academy and in return, academy graduates are obligated to a period of government service upon completion of their program.

The virtual cyber academy differs in several key respects from the existing service academies.  To begin with, the virtual academy would not have a physical campus similar to West Point or Annapolis.  Instead, institutions, including colleges, universities, community colleges, and smaller certification programs, would be able to “opt-in” to the program, entitling their “students” to receive free tuition for completing an academy-approved curriculum.

When fully operational, there would be multiple specific curricula that could qualify for academy funding based on a national cyber workforce needs assessment, which would be part of the academy’s program.

The virtual nature of the academy solves multiple practical issues with gearing up an adequate workforce under the time pressures generated by an ever-increasing cyber threat.  The academy classes could be taught using modern virtual technology and already existing distance-learning protocols.  This eliminates geographic limitations for prospective students, vastly broadens access to the limited pool of qualified teachers and trainers, and, of course, saves the cost of building a physical campus.

There are already a variety of similar, small government programs that use a version of this model.  While these programs provide a useful beta-test of the model, they simply do not operate at the scale needed to address current and future workforce needs.

For years, estimates of the size of the workforce gap in the US have hovered between 500,000 and 750,000 available cyber jobs, with estimates of up to 35,000 of those jobs in the federal government alone – far more in states and localities that cannot hope to compete in the open market for skilled digital personnel.

Earlier in this Congress, the House Homeland Security Committee passed the PIVOTT Act, which is a variation on the virtual academy model. PIVOTT is, by far, the most aggressive proposal to address the cyber workforce gap.  PIVOTT envisions ramping up to serving 10,000 students a year.  While that number is aggressive compared to the status quo, even at PIVOTT’s aggressive target, it would take 50 years to meet the currently estimated gap.

PLANNING AND FORESIGHT: THE RISE OF THE “Q-MONSTER”

Nothing characterizes the digital age more than speed.  Like everything else in the digital world, workforce needs change with advances in technology. We are already seeing this with respect to the impact artificial intelligence (AI) is having on the workforce issue.

AI is already enabling many larger organizations to relieve previous workforce gaps by substituting AI solutions.  However, just as advanced technology solves one problem, advanced technology creates a new one.  See the rise of the “Q-Monster.”

Quantum computing research is advancing quickly, with many experts forecasting that “Q-day” will arrive before the end of the decade. “Q-Day” refers to the day when quantum computers will be able to use multi-state qubits (aka quantum bits) to break the encryption algorithms at the heart of digital security technologies we currently use to secure the internet and digital devices.

When Q-Day arrives, critical data, including intellectual property, banking information, personally identifiable information, personal health information, and other “secrets,” will be susceptible to decryption by quantum computers, making all current information vulnerable to exposure.

Many experts are advising that organizations start planning for the coming quantum transition now. However, current research suggests that is not generally the case.  A 2026 Bain & Company analysis found that 90 percent of companies are unprepared for quantum security threats. In 2025, an ISACA study found that only 4 percent of organizations have a defined quantum strategy despite growing concern about the durability of existing encryption.

Lack of planning could make a timely transition impractical due to the lack of qualified technical staff.  Multiple studies indicate that quantum risk is widely recognized, yet workforce planning for post-quantum transition has barely begun. In practice, post-quantum cryptography has moved beyond a research challenge to an execution challenge—and execution depends on people (ISC2, 2025).

The shift from the cyber personnel gap to the quantum personnel gap is indicative of the need for a national digital workforce needs assessment, which we currently do not have and which ought to be a core feature of a cyber academy program.

ECONOMIC INCENTIVES

One of the most promising features of the anticipated new cyber strategy is the focus on economic incentives.  Nowhere is this more apparent than in the workforce space. Notwithstanding the happy evolution of AI to address some baseline cyber workforce gaps, the core cyber workforce problem for years – and likely for quantum as well – has been that simply not enough people have chosen to go into these fields.

The virtual academy offers a tool to begin to address a range of integrated issues.  There is a growing awareness that Gen-Z, and to a lesser degree millennials, are deeply concerned about the job market they face and their longer-term prospects of achieving the American dream. In a related vein, there is barely a family in the country with a child between the ages of 5 and 15 that isn’t concerned about how to send their child to college, or even whether it’s worth the expense, despite compelling evidence that a college degree is still the best pathway to a more secure financial future.  And we have a current and evolving workforce issue.

The virtual academy offers a new pathway for tens of thousands of individuals to get a free education in a growing, if ever-changing, field with the promise – indeed the obligation – of employment following their education/training, all while serving a critical national security need.

COST-EFFECTIVENESS

A key feature of the virtual academy model is that graduates must “pay off” their free education/training with government service tied to the extent of the government’s investment (a two-year certification program might require a two-year service obligation, whereas a four-year college program would trigger a longer one).

Using the PIVOTT proposal already passed by the House Homeland Security Committee as an example of the virtual academy model, tuition for the higher-end four-year model for 10,000 students a year, plus 20% administrative cost, would cost the federal government approximately $1 billion a year.

However, the federal government is currently paying independent contractors to perform the functions required for its own cybersecurity at a cost of approximately $1 billion.  The savings from hiring the academy graduates, assuming pay scales equivalent to those of a traditional academy graduate, to do the jobs the federal government is hiring the independent contractors for would save the government approximately $1 billion.  In essence, the academy program not only solves a significant government problem but does so on a cost-neutral basis.
The European Epiphany on Cybersecurity: “We Are Losing – Massively”
https://isalliance.org/the-european-epiphany-on-cybersecurity-we-are-losing-massively/ | Thu, 29 Jan 2026 14:12:29 +0000

Saul was on the road to Damascus when he fell to the ground, blinded by a heavenly light, and realized he finally knew the truth. Juhan Lepassaar, the executive director of the EU’s Agency for Cybersecurity, may have just come to a similar insight.

In an AP article yesterday, Lepassaar was quoted telling Politico, “We are losing this game. We are not catching up, we’re losing this game, and we’re losing massively.”

ISA has been using this exact same terminology for several years. Three years ago, ISA won three national Reed Awards for our public awareness campaign “RE-Thinking Cybersecurity.” Lepassaar seems to be among the recently converted, telling Politico that despite recent upgrades in the EU cyber program, “We just don’t need an upgrade. We need a rethink.”

We welcome Mr. Lepassaar to the choir.

One of the most fundamental elements of the needed rethinking of cybersecurity is the realization that the economics of cybersecurity are upside down.  All the incentives favor the attackers. Virtually none of the major governmental initiatives – EU and US — regarding cybersecurity addresses the need to rebalance the economics of cybersecurity. Cybersecurity policy has been almost entirely built on the narrow band of technology and regulation.  As Lepassaar points out in the AP article, many of the “reforms” the EU is undertaking are just warmed-over versions of the traditional, failed model.

We need to realize the core approach we have taken to cyber defense is fundamentally flawed. It’s not working. It never really has. As Lepassaar points out, the EU, one of the most heavily cyber-regulated areas on the globe, has continually been pummeled by successful attacks on its airports, its banks, its electric grid, its hospitals.  Its critical infrastructure cannot defend itself from nation-state attacks, which are essentially unbudgeted.

Things aren’t any better over here. Over the past 2 months the ISA has produced a series of reports documenting that virtually every aspect of US critical infrastructure is now under attack from nation-state actors operating without budget constraints — essentially Volt Typhoon for everyone. Privately owned critical infrastructure, bounded by commercial economics, cannot adequately defend itself regardless of what government regulations prescribe.

As Nasrin Rezai, Chief Information Security Officer for Verizon, recently put it:

“We’re really dealing with an extremely sophisticated nation-state threat actor that will do anything and everything at any price to get a foothold into our critical infrastructure.”

Moreover, these recent attacks are fixated on not simply stealing data but strategically compromising the infrastructure itself.  This changes the purview of cyber-attacks from the traditional consumer protection construct most cyber regulation has focused on, into a straight-forward national security issue.  The modern cyber threat is different and needs to be addressed differently.

The historic strategy for critical infrastructure cybersecurity is ever-expansive government regulatory mandates.  There is no evidence these mandates enhance security – indeed, all evidence is to the contrary.  Moreover, the regulatory schema in the US – and far more so in the EU – is massively redundant, uncoordinated, and lacking in any cost-benefit analysis. The regulations themselves may undermine effective security.

These are all facts that are uncontested. The overall approach needs to be “re-thought.”

Fortunately for Mr. Lepassaar, there are several people who have been busily rethinking the current outdated model of cybersecurity, and they have come up with a variety of practical, low-cost steps that can be undertaken fairly quickly and which will create material improvements almost immediately.

  1. Eliminate duplicative cyber regulations. Multiple international studies have documented the massive amount of duplication in cyber regulation.  Depending on which sector is analyzed, 40-70% of cybersecurity budgets are being occupied by filling out redundant regulatory compliance forms (again, with no evidence that the compliance enhances security). What changes this finding from one of mere waste into one of compromised security is the fact that we do not have nearly enough trained cybersecurity personnel.

While we are under almost constant, and ever more sophisticated, cyber-attacks, we are wasting our most precious resources. Whereas once identifying and eliminating redundancies would have been a timely and labor-intensive process, modern technology can identify these redundancies efficiently and effectively even when the regulations are written in different languages.

The goal here is simply to eliminate duplication, not the core regulation.  Just eliminating duplication would free up significant amounts of cybersecurity resources and save billions of dollars for both industry and government which can be put to more effective cybersecurity initiatives. A recent letter from the House Oversight and Government Reform Chairman, cosigned by several other congressional committee chairs, stated that “eliminating the duplicative landscape of cyber regulations is the fastest, most cost-effective way to materially improve the nation’s cybersecurity.”

  2. Mandate that all remaining cyber regulation be required to meet clear cost-benefit goals. Cost-benefit analysis (CBA) is commonplace in most regulatory environments, but not in cybersecurity. Regulations are not useful if they do not meet their intended goals, i.e., they must be effective.  Regulations are not sustainable if they are cost-prohibitive, i.e., they must be cost-effective.  All cyber regulations – especially given the unbalanced economics of cybersecurity – need to be subject to CBA. If a regulation cannot meet its CBA, then it needs to be amended or replaced. This reform would introduce a needed economic criterion into the overall security assessment process and change the goal of cyber regulation from compliance to effectiveness.

  3. Build the workforce. In the US there are an estimated 500,000 cyber jobs currently unfilled, and world-wide that number reaches into the millions. Moreover, the nature of the cyber workforce is changing, with AI able to perform many basic-level functions but also generating the need for even better-trained personnel. Quantum computing is a great example. “Q-Day,” when quantum technology may undermine all current encryption and hence security, is estimated as only a few years away. When that happens, without a massive program to create adequate experts to help virtually every organization with sensitive data make a speedy transition to the post-quantum world, there could be a security breakdown of massive proportions. We have nowhere near enough trained personnel to manage just this one coming change.

The Bible tells us that Paul got back on his horse and proceeded with enlightenment and spread the word that made life better for millions.  One hopes Mr. Lepassaar will now get on his horse and help lead the EU to a more productive and secure cyber world.
ISA NATIONAL DEFENSE CYBER THREAT REPORT: THE ELECTRIC GRID
https://isalliance.org/isa-national-defense-cyber-threat-report-the-electric-grid-2/ | Thu, 22 Jan 2026 13:44:36 +0000

Chinese Hackers Have Infiltrated Our Grid

American cybersecurity faces a significant and immediate challenge. Chinese state-sponsored hackers have embedded themselves in our critical electric utility infrastructure—positioning themselves to potentially disrupt both our economy and our operational national defense capability.

In November, Politico quoted the Chief Information Security Officer of a major critical infrastructure company, stating, “we’re really dealing with an extremely sophisticated nation-state threat actor that will do anything and everything at any price to get a foothold into our critical infrastructure” [1]. As Bennie G. Thompson, Ranking Member of the House Homeland Security Committee, has starkly warned: “These threats are very real. The CCP is looking for every opportunity to undermine our security and get the upper hand on the U.S. globally.” [14]

They Are Already Here

This is not about electric utility outages.  Bad weather and other natural causes knock out our electric systems all the time.  Typically, utility companies can repair and restore service in a matter of hours. Our process for addressing these outages generally works well. This is not about that.

This is about the national defense implications of nation-state attacks on our systems that are happening right now. The FBI has testified before Congress that Chinese hackers are positioning themselves in American infrastructure, preparing to cause real and extended harm at the times and locations China decides are the “right” ones to strike [2]. Former House Select Committee on the Chinese Communist Party Chairman Mike Gallagher described these intrusions as the “cyberspace equivalent of placing bombs on American bridges, water treatment facilities, and power plants” [2].

Chinese military strategists believe that disrupting critical infrastructure can be more effective than conventional kinetic strikes in modern warfare. Chinese-manufactured transformers with known disruption capabilities have been identified as targeting operational systems that can be undermined to degrade an opponent’s capabilities or coerce political decision-making [7]. This potentially affects the U.S. military’s ability to defend the homeland, support allies, and project power globally. Chinese cyber operations targeting U.S. grid systems are designed to disrupt military supply lines, hinder U.S. response capabilities, and degrade military readiness—particularly in conflict scenarios involving Taiwan [7].

Federal cybersecurity officials have repeatedly warned that these adversaries are willing to “use every tool available, at any cost” to establish persistent access within U.S. critical infrastructure [10].

The threat has moved from the theoretical to the actual.

From January to August 2024 alone, there were 1,162 cyberattacks on U.S. utilities—nearly five attacks per day on the infrastructure that powers America [3]. And these represent only the attacks we detected. According to CrowdStrike’s 2025 Global Threat Report, Chinese-related cyber operations have increased by 150% across all sectors [7].

The Chinese threat actor known as Volt Typhoon penetrated a Massachusetts power utility and remained undetected in the network for over 300 days—from February 2023 to November 2023 [4]. During that time, they systematically collected data on operational technology systems, learning how our grid functions and identifying potential vulnerabilities.

The McCrary Institute for Cyber and Critical Infrastructure Security reported on November 6, 2025, that state-aligned hacking groups have ramped up espionage, sabotage, and cybercrime operations over the past six months, with activity linked to Russia, China, Iran, and North Korea evolving in scope and technique [6]. CrowdStrike’s 2025 Global Threat Report documents a 150% increase in Chinese-related attacks across all sectors.

Utilities Can’t Go “Toe-to-Toe” with Nation-State Attackers

The response by grid operators to the evolving cyber threat has accelerated dramatically.  They have instituted cross-country resilience exercises, real-time intelligence sharing with federal partners, and the rapid deployment of next-generation threat-detection technologies [12][13].

However, no private utility — nor even the entire electric power industry — can withstand a determined nation-state adversary on its own. As senior DOE cyber officials have warned, these threat actors will “pursue any vector and exploit any weakness, at any cost,” to gain persistent access to U.S. infrastructure [12]. This structural vulnerability has been clearly articulated by Frank Pallone, Ranking Member of the House Energy and Commerce Committee, who has warned: “As with all connected technologies, strong cybersecurity is essential. One weak point can compromise an entire system and put lives at risk.” [15]

Understanding the Strategic Calculus

Chinese military strategists have recognized that in modern warfare, disrupting power infrastructure can be as effective as conventional military strikes against installations.

Consider a potential scenario involving conflict over Taiwan. Rather than launching conventional military strikes against U.S. bases, adversaries could activate malware already planted in our power grid. Military installations would lose power. Communications would be disrupted. Supply chains would face interruptions. Naval vessels might face challenges leaving port because the systems controlling the harbors are offline. Command centers would operate with degraded capabilities.

While the U.S. military works to restore power and re-establish communications, adversaries could pursue their military objectives. By the time systems are fully restored, the strategic situation could be significantly altered.

Digital Compromising of the Electric Grid Directly Affects National Defense

When we discuss threats to our energy and utility sector, we’re addressing the foundation of our national defense capability.

The Department of Defense operates over 500,000 buildings and structures across the United States and around the world. The vast majority of these installations—our military bases, naval shipyards, command centers, and communications hubs—depend almost entirely on the same commercial power grid that foreign adversaries have already penetrated.

Without reliable electricity, critical military functions are compromised. Our shipyards face challenges in building and maintaining the vessels that project American power worldwide. Our command-and-control systems are at risk. Our communications networks become vulnerable. Our advanced missile defense systems require uninterrupted power to function. Our bunkers, designed to withstand direct attack, require operational systems inside them.

The connection is direct: our energy infrastructure doesn’t just support our military—it is an integral part of our military infrastructure. It’s time to reassess what constitutes our national defense and whether the traditional military focus is too narrow. This needs to begin with the next National Defense Authorization Act.

The Economics Are Fundamentally Broken

Behind this national security crisis lies an even more fundamental problem: the economics of cybersecurity are structurally unsustainable and favor our adversaries.

Today, nation-state attackers and cybercriminals operate with a staggering asymmetric advantage. Cyber-attack methods are comparatively inexpensive and easy to access – cyber-crime-as-a-service eliminates the need for attackers to have sophisticated technical knowledge.  Nation-state operations have access to the most advanced technology, including AI, and have virtually no budget constraints.   Meanwhile, defenders—particularly critical infrastructure operators like utilities—face an inverted equation that borders on impossible: they must invest massive sums to defend against every conceivable attack vector, achieve near-perfect success rates, and absorb these escalating costs as operational overhead rather than recognized national security investments.

Consider what we’re asking of a regional utility: detect and defend against nation-state attackers with billion-dollar cyber programs, do so while facing a workforce shortage exceeding 500,000 cybersecurity professionals, navigate duplicative and sometimes contradictory regulations that consume resources better spent on actual defense, and somehow remain economically viable while competitors who underinvest in security gain cost advantages. This challenge has been recognized at the highest levels of government. Objective 1.1 in the Biden Administration’s National Cybersecurity Strategy was to “establish an initiative on cybersecurity regulatory harmonization.” [16] Yet despite this acknowledgment, critical infrastructure operators continue to face overlapping and inconsistent cyber requirements that divert scarce resources away from actual defense. This is not a sustainable model—it’s a recipe for systemic failure.

The current approach subsidizes attackers while penalizing defenders. Nation-state adversaries operate essentially without budget constraints. Meanwhile, utilities shoulder the full economic burden of defense without corresponding support or recognition that their cybersecurity spending directly protects national security. Until we fundamentally restructure these economics, create liability frameworks that properly allocate risk, and eliminate regulatory redundancies that waste defensive resources, we’re simply asking defenders to win an economically unwinnable fight.

The energy sector needs a sustainable economic model for cybersecurity; one built on the recognition that protecting our power grid is not a utility cost center—it’s a national defense imperative that requires commensurate policy and financial support. This needs to begin with the next version of the National Defense Authorization Act (NDAA).

The Challenge We Face

We face a sophisticated nation-state adversary with substantial resources and a long-term strategic approach. They’ve already demonstrated their ability to penetrate critical systems and remain undetected for extended periods.

The situation has reached an important inflection point. We need to be realistic about an adversary that has already established a presence in our infrastructure and may be waiting for an opportune moment to act.

Foreign adversaries have already established footholds in our energy infrastructure—which means they have access to systems that support our defense infrastructure. The question is whether we’ll take comprehensive action to address this vulnerability.

Each day we delay addressing this challenge allows adversaries to maintain and potentially expand their presence in our systems, map additional vulnerabilities, and position themselves to cause significant disruption to both our economy and our military readiness.

The time to act is now.


ENDNOTES

  1. Politico, November 2024. Quote from the CISO of a significant U.S. critical-infrastructure company.
  2. U.S. House Select Committee on the Chinese Communist Party. Testimony by FBI officials and statements by Chairman Mike Gallagher. Date and hearing details pending.
  3. Cyberattack statistics on U.S. utilities, January–August 2024. Source agency/organization citation pending.
  4. Volt Typhoon infiltration of Massachusetts power utility, February–November 2023. Source report likely from CISA, the FBI, or a private cybersecurity analysis firm.
  5. Research on Chinese-manufactured power inverters containing unauthorized communications hardware. Specific study/report citation pending.
  6. McCrary Institute for Cyber and Critical Infrastructure Security, Report dated November 6, 2025.
  7. Analysis of transformer vulnerabilities and strategic targeting by Chinese cyber operations. Includes CrowdStrike’s 2025 Global Threat Report.
  8. Department of Defense infrastructure statistics: number of U.S. military buildings/structures. Source: GAO/DOD data (exact citation pending).
  9. Cybersecurity workforce shortage estimates from ISC² “Cybersecurity Workforce Study” and/or CyberSeek database.
  10. U.S. Department of Energy, Grid Security and Resilience Briefings, 2024–2025 summaries of electric-sector threat posture.
  11. CISA & DOE Joint Cybersecurity Advisories for the Energy Sector, 2024–2025.
  12. U.S. Department of Energy, Office of Cybersecurity, Energy Security, and Emergency Response (CESER). National Electric Sector Cyber Threat Preparedness Briefings, 2024–2025.
  13. CISA, “Energy Sector Operational Technology Threat Analysis,” Joint Technical Report, 2024–2025.
  14. House of Representatives. Committee on Homeland Security. Countering Threats Posed by the Chinese Communist Party to U.S. National Security, Hearing before the Committee on Homeland Security, 119th Cong., First Session, March 5, 2025.
  15. Pallone, Frank, Jr. “Pallone Opening Remarks at Internet of Things Hearing.” Press Release, House Committee on Energy & Commerce (Democrats), January 18, 2018.
  16. The White House. National Cybersecurity Strategy. Washington, DC: Executive Office of the President, March 2023.
ISA NATIONAL DEFENSE CYBER THREAT REPORT: GOVERNMENT PART 2
https://isalliance.org/isa-national-defense-cyber-threat-report-government-part-2/ (Wed, 21 Jan 2026 17:37:51 +0000)

Our Government is Not Cyber-Secure

Two weeks ago, the Congressional Budget Office (CBO) confirmed it was suffering an ongoing hack perpetrated by Chinese state-backed agents. The attack potentially exposed CBO’s communications with lawmakers’ offices and access to cost estimates and analysis of legislation—information that could be of significant interest to foreign intelligence services tracking U.S. economic and defense policy [4].

This is just the latest in a long line – a very long line – of successful attacks by foreign governments on the U.S. government. As Ranking Member of the House Oversight and Government Reform Committee Robert Garcia has stated, “Every company, every government faces serious threats from hackers from foreign intelligence services. We all know that Russia and China and other countries are trying to steal secrets, steal technology, steal patents—not just within one company, but across our nation.” [18] We have been aware of these successful attacks for over a decade, and there is little evidence to suggest that we have made progress in mitigating this risk.

In December 2024, the U.S. Treasury Department disclosed that Chinese state-sponsored actors had infiltrated its network, accessing workstations and over 3,000 unclassified files. The breach targeted the Office of Foreign Assets Control and the Office of the Treasury Secretary—entities directly involved in administering sanctions against Chinese companies and individuals [5].

Federal agencies are experiencing systematic targeting. In July 2025, three Chinese-associated threat actors—Storm-2603, Linen Typhoon, and Violet Typhoon—compromised more than 400 organizations, including the Department of Energy, the Department of Homeland Security, and the Department of Health and Human Services [6]. The Department of Justice identified these actors as part of APT27 (also known as Silk Typhoon), which has conducted multi-year computer intrusion campaigns dating back to at least 2013 [7].

State and local governments face even more acute vulnerabilities. As of 2025, at least 44 U.S. states have reported cyber incidents affecting government systems. Communities from St. Paul, Minnesota, to Mission, Texas, declared states of emergency following significant intrusions. The Interlock ransomware group attacked St. Paul’s local government, forcing the city to shut down its networks for over a month. After officials refused to pay ransom, attackers publicly posted 43 gigabytes of stolen data [8].

The scale of government targeting has intensified dramatically. According to CrowdStrike, China’s cyber espionage efforts increased by 150% in 2024 compared to the previous year, with targeted attacks on government sectors rising by 300% [9]. The Center for Internet Security documented a 148% surge in malware attacks and a 313% rise in endpoint security incidents against government agencies [10].

The fact is that Federal, state, and local government systems face unprecedented cyber threats from state-sponsored actors, with direct implications for national security and defense operations. These attacks need to be understood not merely as attacks on administrative functions, but as strategic efforts to compromise the institutions underpinning American military and economic power. These are national defense issues, not administrative ones.

The Defense Infrastructure Connection

Government facilities and networks are integral components of national defense infrastructure. The Department of Defense relies on federal civilian agencies for essential services, including financial management and personnel security. Compromise of these systems can directly impact military readiness and operations.

This interdependence means that weaknesses in civilian government systems can cascade directly into defense vulnerabilities. As Frank Pallone, the Ranking Member of the House Energy and Commerce Committee, has warned, “As with all connected technologies, strong cybersecurity is essential. When systems work together, one weak point can affect the whole network.”[19]

Just as with the private sector, traditional sector-specific agency oversight has proven, both obviously and empirically, inadequate to provide the degree of security that modern attack methods demand. Cybersecurity is not a matter of administrative practice. It is a matter of national defense and needs to be addressed as such.

The Treasury Department breach illustrates the problem. By targeting the Office of Foreign Assets Control, adversaries gained insight into sanctions against entities supplying them with weapons and conducting cyber operations against U.S. infrastructure. This intelligence provides foreign governments with strategic advantages in circumventing U.S. economic statecraft tools, which are essential to national security [11].

The Congressional Budget Office hack illustrates how adversaries target legislative processes that affect defense policy. CBO provides lawmakers with cost estimates for defense legislation and long-term budget projections. Access to this information enables foreign intelligence services to anticipate U.S. defense spending priorities, force-structure decisions, and strategic resource allocation [12].

The electronic case filing system, managed by the Administrative Office of the U.S. Courts, was reportedly breached in July 2025 by Russia-affiliated hackers. Such intrusions compromise sensitive legal proceedings, including those involving national security matters and classified information [13].

Strategic Implications

Adversaries understand that compromising government systems provides strategic intelligence and operational advantages. The Justice Department charges against twelve Chinese contract hackers and law enforcement officers revealed that victims included U.S. federal and state government agencies, foreign ministries of multiple Asian governments, and U.S.-based critics of the Chinese government. The Chinese Ministry of Public Security and Ministry of State Security paid contractors for stolen data, creating a profit-driven ecosystem of indiscriminate targeting [14]. As Raja Krishnamoorthi, Ranking Member of the House Select Committee on the Chinese Communist Party, has warned, “…we’re essentially an open book for Chinese intelligence agencies.” [20] While it is indeed laudable that the DOJ has taken action against these twelve individuals, estimates suggest that China has roughly 60,000 such agents operating, and that’s just in China. China is only one of many nations engaging continuously in these attacks on American organizations, government, and industry.

This approach maximizes intelligence collection while providing deniability. Operating through contractors and front companies, state actors cast a wide net to identify vulnerable systems, exploit them, and sell information either to the government or third parties. The result is an increase in worldwide intrusions, more systems left vulnerable to future exploitation, and more stolen information circulating through criminal networks [15].

It’s Not That We Don’t Know or We Are Not Trying

In many ways, federal, state, and local governments face many of the same problems that plague the private sector. Simply mandating security without providing the proper infrastructure and resources to make reasonable management possible is a proven recipe for failure.

The response from federal, state, and local government agencies has accelerated significantly in recent years, with emergency cyber directives, expanded hunt operations, and unprecedented interagency coordination across CISA, the FBI, and the intelligence community [1][2]. Yet even with these efforts, no individual agency — or even coalition of agencies — can independently defend against nation-state adversaries conducting long-term, multi-vector campaigns. Senior officials have repeatedly warned that foreign intelligence services are willing to invest unlimited time, resources, and personnel to penetrate U.S. government networks, operating with a level of persistence that traditional defensive models were never designed to withstand [3].

The Government Accountability Office reports that since 2010, it has made over 4,000 recommendations to federal agencies to address cybersecurity shortcomings. However, more than 850 remained unimplemented as of February 2023. Until these shortcomings are addressed, federal and critical infrastructure IT systems will be increasingly susceptible to cyber threats [16].

The most fundamental element of a secure infrastructure is having an adequately trained staff to implement the security protocols. Nationally, there are an estimated 500,000 cybersecurity jobs that cannot be filled for lack of sufficiently trained professionals—including 35,000 positions in the federal government itself. The reality is that the federal government cannot adequately compete with the private sector in the marketplace for high-level cybersecurity talent across its numerous agencies. The situation is far worse in state and local governments, which have virtually no chance of attracting an adequate supply of adequately trained cyber personnel.

In addition, the lapse of arguably the most successful piece of cybersecurity legislation ever enacted — the Cybersecurity Information Sharing Act of 2015, which needs to be reauthorized and updated — has substantially reduced the government’s ability to coordinate with industry and execute critical information sharing. This creates blind spots in networks precisely when threats are escalating [17].

The National Defense Authorization Act

Under the Constitution, the federal government is explicitly established to “provide for the common defense.” The Armed Services Committees are charged explicitly with addressing national defense “generally.”

Addressing these challenges requires honest recognition that government cybersecurity is fundamentally a national defense issue. This understanding needs to be extended to include recognition that national defense in the digital age cannot be limited to simply supplying the armed forces, critical though that obviously is. The economic and military power of the United States depends on secure government operations working in partnership with the private sector in ways entirely different from those contemplated when the current structure was created after World War II, 80 years ago. Our adversaries understand this reality and are systematically exploiting it. The question is whether our policy responses will match the scale and urgency of the threat.


Endnotes
[1] CISA, “Emergency Cyber Directives and National-Level Incident Response,” 2024–2025.
[2] FBI, “Joint Cyber Defense Collaborative (JCDC) Expansion and Federal Hunt Operations,” 2024–2025.
[3] U.S. Intelligence Community Annual Threat Assessment, 2024–2025, statements regarding persistent nation-state intrusion campaigns.
[4] CNN, “Congressional Budget Office hacked, China suspected in breach,” Sean Lyngaas, November 6, 2025.
[5] CNN, “China-backed hackers breached US Treasury workstations,” December 30, 2024; U.S. Treasury correspondence with Senate Banking Committee.
[6] House Committee on Homeland Security, “Threat Snapshot,” October 31, 2025.
[7] U.S. Department of Justice, “Justice Department Charges 12 Chinese Contract Hackers…,” March 5, 2025.
[8] Industrial Cyber, “US Homeland Security Committee warns of rising cyber threats…,” November 2025.
[9] CrowdStrike Global Threat Report, 2025.
[10] Center for Internet Security, “Under Fire 2024,” March 11, 2024.
[11] Foundation for Defense of Democracies, Jack Burnham, January 3, 2025.
[12] CNN report on CBO hack, November 6, 2025.
[13] House Homeland Security Threat Snapshot, October 2025; DOJ filings, 2025.
[14] U.S. Department of Justice press release, March 5, 2025.
[15] DOJ indictments describing PRC hacker-for-hire ecosystem, March 2025.
[16] U.S. Government Accountability Office, “Cybersecurity High-Risk Series,” 2023–2024.
[17] House Homeland Security Committee, “Threat Snapshot,” October 31, 2025.
[18] Miller, Gabby. “Transcript: House Committee Hearing to Assess Microsoft’s Cybersecurity Shortfalls.” TechPolicy.Press, June 15, 2024.
[19] Pallone, Frank, Jr. “Pallone Opening Remarks at Internet of Things Hearing.” Press Release, House Committee on Energy & Commerce (Democrats), January 18, 2018.
[20] House of Representatives. Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. End the Typhoons: How to Deter Beijing’s Cyber Actions and Enhance America’s Lackluster Cyber Defenses, Hearing Transcript, 119th Cong., 1st sess., March 5, 2025.
ISA NATIONAL DEFENSE CYBER THREAT REPORT: WATER PART 2
https://isalliance.org/isa-national-defense-cyber-threat-report-water-part-2/ (Tue, 20 Jan 2026 13:38:41 +0000)

The Navy can’t protect us from these attacks on the water.

Chinese military strategists have long emphasized that the most effective way to weaken an adversary is to disrupt its critical infrastructure without firing a shot. The discovery that Volt Typhoon, a Chinese military cyber group, has successfully attacked and compromised access to American water utilities suggests that this theory is now an operational reality.

According to CISA and FBI briefings to Congress, Volt Typhoon has maintained persistent access to water utilities across many U.S. states for years. In a sad irony, American analysts have described the foreign attackers as “living off the land,” using techniques that let them hide within our water systems while retaining the capability to cause physical damage at any time of their choosing (1). They have established long-term persistence by using valid credentials, exploiting legitimate tools, and avoiding malware that would trigger alarms.

Our national defense strategy has traditionally meant protecting ships, planes, and bases. However, the next National Defense Authorization Act will need to recognize that defending our digital infrastructure is now part of that same mission. This represents a new evolution in cyber warfare: foreign states not just attacking systems, but inhabiting them, and waiting for the optimal timing to exploit the strategic advantage they have created. As Bennie G. Thompson, the Ranking Member of the House Homeland Security Committee, has warned, “We face new kinds of dangers that may come for us at any time from any corner of the globe. Destruction can be delivered with a keystroke.” [7]

Iranian actors also currently maintain administrative access to water systems serving millions of Americans, exploiting programmable logic controllers (PLCs) that manage chemical treatment processes (2). Russian operatives have tested their ability to manipulate chemical controls in multiple states (2)(3).

This isn’t preparation for war. If “war,” in essence, is when one nation-state attacks another, notwithstanding traditional definitions, we are at war. Our national defense strategy needs to appreciate this reality. This would include adapting our governance process to create a fully integrated “whole of nation” defense that combines our traditional defense methods and tools with the privately or locally owned systems that require better protection. Those systems, which rely on outdated structural and economic models, are not capable of defending themselves.

The owners and operators of these systems are doing what they can to ensure the safety of their users. For example, they have intensified coordination among utilities through multi-state cybersecurity exercises, emergency interagency briefings, and the rapid deployment of monitoring and intrusion-detection systems (2)(4). Yet no individual utility—or even a coalition of regional operators—can withstand a nation-state adversary acting with strategic intent and virtually unlimited budgets. Robert Garcia, the Ranking Member of the House Oversight and Government Reform Committee, has noted, “There are so many small cities and towns that don’t have the capacity to actually deal with some of these cyber threats. Municipalities and smaller governments face real challenges responding effectively.” [8] As federal investigators warned, foreign cyber actors targeting U.S. water systems are willing to exploit “any vulnerability, at any time, and at any scale” to gain footholds inside operational technology environments (1).


Glass Half Empty: Cyber defenses of our water systems

Although our water infrastructure doesn’t have the same profile as our financial system or our telecommunication system, the impacts of a strategic attack are potentially catastrophic. A coordinated cyberattack causing a multi-day water disruption would trigger financial losses, estimated in the hundreds of billions, potentially reaching near-trillion-dollar impact depending on region and duration.

In addition to the economic damage, the strategic value for adversaries comes not just from the immediate disruption—it’s demonstrating America’s cyber vulnerability. When Iranian hackers compromised the Municipal Water Authority of Aliquippa, Pennsylvania, and publicly claimed credit on social media, they signaled to adversaries that America’s critical infrastructure can be penetrated (2)(3).

This vulnerability stems partly from our fragmented approach to cybersecurity. Water utilities navigate a maze of conflicting cyber requirements from the EPA, state regulators, and multiple federal agencies—each demanding different standards, reporting requirements, and compliance frameworks. Recognizing this dysfunction, Objective 1.1 in the Biden Administration’s National Cybersecurity Strategy was to “establish an initiative on cybersecurity regulatory harmonization.” [9] The Government Accountability Office (GAO) concludes that EPA lacks a coherent strategy to address these cybersecurity risks, leaving utilities without clear direction (4). A small utility often spends more money on cyber compliance paperwork than on actual cyber defense. Meanwhile, adversaries need only find a single vulnerability to compromise the entire system.

Workforce shortfalls compound the cyber crisis. A large proportion of water operators are approaching retirement, and many have minimal cybersecurity training—a point repeatedly highlighted by sector workforce reports and congressional briefings. These operators manage systems initially designed in the pre-Internet era, which are now facing AI-driven cyberattacks from nation-state adversaries. This is an asymmetric battle made worse by regulatory confusion that diverts resources from defense to paperwork (4).

Most disturbing is how cyberattacks on water reveal our detection blindness. Many utilities rely on weekly water-quality sampling instead of continuous online monitoring. The EPA’s own technical guidance warns that online monitoring systems are critical for early detection of contamination events (5). Cyber-manipulation of chemical dosing could poison thousands of Americans before any anomaly is detected. The same vulnerabilities that enable remote access to operational technology allow adversaries to delete logs, alter readings, and conceal their actions, potentially leading to catastrophic failure. We are not just vulnerable—we are blind to ongoing compromises.

The February 2021 Oldsmar, Florida, incident offers a preview of this threat. A remote attacker accessed the city’s water treatment system and attempted to increase sodium hydroxide levels to dangerous levels—enough to cause harm to 15,000 residents (6). Only manual intervention by a plant operator prevented a mass casualty incident. This attack demonstrated how cyber vulnerabilities can transform essential infrastructure into a weapon.

The water sector’s cyber crisis illuminates three critical truths about national security in 2025:

First, the battlefield has undergone a fundamental shift.
Adversaries achieve strategic effects through cyber operations that would be impossible through conventional means. Iran cannot challenge our Navy directly, but through cyber, they can control or disrupt the water systems that Navy personnel and bases depend on (2).

Second, our regulatory approach actively weakens cyber defense.
Overlapping, duplicative requirements drain resources from security to compliance. The GAO’s findings show that the EPA lacks a unified strategy, leaving utilities scrambling (4). The water sector exemplifies how a fractured regulatory model creates an illusion of security—perfect paperwork, while adversaries walk through our networks.

Third, we lack basic economic visibility into the cost of cyber warfare.
We do not systematically measure the impact of cyber on GDP, cannot quantify sector-specific exposure, and fail to account for the real economic cost of inadequate cybersecurity. The water sector’s vulnerabilities likely contribute to billions of dollars of unmeasured risk exposure.

The water sector demonstrates that cybersecurity is not merely a technical issue or a compliance burden—it is the battlefield where modern warfare is waged. Every industry faces similar vulnerabilities, similar adversaries, and similar regulatory dysfunction. Water is one of the most visceral examples of what’s at stake.

For defense leaders and policymakers, the water sector’s cyber vulnerabilities present a clear lesson: national defense cannot be separated from cybersecurity. The same adversaries developing hypersonic missiles are inside our water systems (1)(2). The same military competitors building naval fleets are mapping our critical infrastructure. The same nations we deter with conventional forces are achieving strategic advantage through cyberspace.

The question is no longer whether cyber threats constitute national security threats—the water sector proves they are. The real question is whether our national security apparatus will evolve to defend the domain where conflict actually occurs, or continue preparing for conventional warfare while adversaries win the cyber war by default.

Water is only the beginning. Every critical sector tells this same story. The cyber war is not coming—it is here, and we are losing.

Every projection of American military power—every carrier group, fighter wing, and Army base—depends on a resource most people never think about: water. From Fort Bragg to Naval Station Norfolk, the foundations of U.S. defense rely on civilian water systems that were never built to withstand cyber warfare.


Endnotes

  1. CISA, NSA, FBI, and partner agencies. PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Advisory AA24-038A. Feb 7, 2024.
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
  2. CISA. IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Advisory AA23-335A. Dec 1, 2023.
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
  3. Associated Press. “Rural Texas towns report cyberattacks that caused one water system to overflow.” April 19, 2024.
  4. U.S. Government Accountability Office (GAO). Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems. GAO-24-106744. Aug 1, 2024. https://www.gao.gov/products/gao-24-106744
  5. U.S. Environmental Protection Agency (EPA). Online Water Quality Monitoring in Distribution Systems. EPA 817-B-18-001. April 2018.
    https://www.epa.gov/waterqualitysurveillance/online-water-quality-monitoring-resources
  6. CISA. Compromise of the U.S. Water Treatment Facility. Advisory AA21-042A. Feb 11, 2021.
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-042a
  7. Thompson, Bennie G., Jr. Statement of Ranking Member Bennie G. Thompson: Striking the Right Balance—Protecting Our Nation’s Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties. Committee on Homeland Security, U.S. House of Representatives, 24 Apr. 2013.
  8. Miller, Gabby. “Transcript: House Committee Hearing to Assess Microsoft’s Cybersecurity Shortfalls.” TechPolicy.Press, June 15, 2024.
  9. The White House. National Cybersecurity Strategy. Washington, DC: Executive Office of the President, March 2023.
ISA NATIONAL DEFENSE CYBER THREAT REPORT: AGRICULTURE PART 2
https://isalliance.org/isa-national-defense-cyber-threat-report-agriculture-part-2/ (Wed, 14 Jan 2026 15:26:06 +0000)

Food is on the Front Line of Nation-State Cyber Attacks


We Are Already Under Attack

Agriculture is one of the nation’s most essential and least protected infrastructures. Rapid digitization of precision farming, automated processing, and just-in-time logistics has created an attack surface that has expanded far more quickly than cybersecurity investment. USDA officials and sector leaders warned in 2024 that modernization has outpaced security controls, leaving legacy industrial systems vulnerable [4].

Recent federal briefings emphasize that foreign cyber operators targeting agriculture have demonstrated a willingness to probe deeply into food-production systems and exploit vulnerabilities at any cost [13][14]. These are not hypothetical scenarios—they represent an ongoing conflict in which digital intrusions can create strategic effects comparable to physical attacks. As Bennie G. Thompson, Ranking Member of the House Homeland Security Committee, has warned, “Destruction can be delivered with a keystroke.” [17]

Both Chinese and Russian military doctrines explicitly identify food-system disruption as a component of hybrid warfare [9][10]. Chinese state-linked actors have already accessed U.S. agriculture-related systems and pre-positioned themselves across critical infrastructure supporting food production and distribution [1][8]. Russian agents have demonstrated the ability to disrupt fertilizer logistics, grain cooperatives, and precision agriculture systems as part of broader strategies targeting food supply chains [7][9]. Iranian operators have targeted programmable logic controllers (PLCs) and industrial control systems supporting water, irrigation, and agricultural environments [3].

The 2021 ransomware attack on JBS Foods is a case study in the vulnerabilities of digitized food systems and the impact a cyberattack can have. The JBS attack halted nearly one-fifth of U.S. beef production [5]. The incident exposed systemic weaknesses in an industry heavily dependent on interconnected industrial controls, narrow margins, and centralized processing infrastructure. As Ranking Member of the House Appropriations Committee Rosa DeLauro (D-CT) has warned, “If one event like the cyberattacks can shut down almost 25 percent of beef-processing capacity, we have a really big problem. We have such a consolidated industry that any one separate event can cause this big of a disruption.” [15]


Adversaries Time Their Intrusions Strategically

The FBI has warned that adversaries increasingly time their attacks for maximum impact—particularly during planting, harvest, and peak processing seasons [6]. Russian ransomware groups have employed these tactics, as seen in the attack on an Iowa grain cooperative [7]. As Ranking Member Thompson has emphasized, “Russia remains a safe haven for ransomware actors that threaten Americans on a daily basis.” [18] Meanwhile, Chinese state-sponsored actors have mapped U.S. agricultural and food supply-chain dependencies to identify chokepoints [8].

A coordinated campaign could disrupt production, processing, and distribution across multiple states in a matter of weeks.


The Implications Are Significant—and Growing

Economically, a cyberattack on fertilizer systems, seed distribution platforms, or logistics networks during planting season could reduce agricultural yields by double-digit percentages, tightening markets already strained by climate impacts and geopolitical instability [2]. With modern supply chains operating on minimal reserve capacity, even short-term disruptions could trigger price spikes and shortages.

Some risks extend beyond economics. Agricultural facilities store chemicals—such as anhydrous ammonia and pesticides—that could cause environmental contamination or hazardous releases if digitally manipulated. While no evidence of intentional weaponization exists, the potential consequences highlight the need for improved digital safeguards.


A Systemic Imbalance in Defense Capability

In response, the agriculture sector has intensified its cybersecurity efforts. Food and agriculture companies, state agriculture departments, and sector ISACs are participating in coordinated cyber-incident exercises, national security briefings, and expanded deployment of monitoring and threat intelligence tools [11][12].

However, expecting individual farmers or small cooperatives to defend against nation-state cyber units is unrealistic. Smaller producers operate on margins too thin to support enterprise-grade cybersecurity investments. Large multinational agribusinesses are deploying mature cybersecurity programs, but the agricultural system is heavily interconnected, leaving even large providers vulnerable. To date, no comprehensive federal modeling exists to determine the level of investment required to make the agricultural sector defensible against nation-state threats.

Additionally, agricultural entities face overlapping cybersecurity mandates from USDA, FDA, EPA, and state agencies—creating duplicative compliance burdens that waste scarce cyber resources without providing proportional increases in security. Objective 1.1 in the Biden Administration’s National Cybersecurity Strategy was to “establish an initiative on cybersecurity regulatory harmonization.” This objective directly acknowledged that fragmented and overlapping cybersecurity requirements weaken national resilience, particularly in sectors like agriculture, where compliance complexity diverts resources away from real risk reduction.

Despite significant efforts, defensive capabilities remain uneven—particularly among small- and mid-sized producers that are interconnected with larger companies but lack the resources to implement advanced cybersecurity programs. Ultimately, no farm, cooperative, or agribusiness consortium can realistically defend against nation-state actors operating with strategic intent and global reach.

A Perfect Storm of Exposure

The United States military and broader economy depend on American agriculture to sustain operations and stability. Every base, deployment, and supply chain relies on a secure and functioning food system. A coordinated cyberattack on the food supply could strike at the core of the nation’s confidence in its ability to provide for the common defense. As Ranking Member DeLauro (D-CT) has emphasized, “Now more than ever, the risks we face from cyberattacks threaten both our economic and our national security.” [16] Foreign adversaries have already demonstrated their capability to compromise agricultural systems and related infrastructure through targeted cyber operations [1][2].

We must reconsider what constitutes the defense industrial base in the 21st century and establish legislation that enables the nation to defend nontraditional systems—including agriculture—as essential components of national defense. A unified, outcomes-focused, risk-based regulatory framework is required to allocate cybersecurity resources effectively.

National Defense Begins with Food Security

Feeding the nation is the first layer of national defense—and cybersecurity must be treated accordingly. Policy fragmentation and regulatory overlap create complexity without generating measurable improvements in resilience. A more coherent system is needed—one that focuses on outcomes rather than documentation. Fortunately, there are practical, low-cost steps the government can take to significantly enhance sector-wide cyber resilience, even in systems historically outside the defense framework.

The question is not whether threats exist—they do. The question is whether the United States will act before a major agricultural cyber disruption forces crisis-driven policymaking.

Strengthening digital defenses is an act of foresight—not fear.

Endnotes
  1. Freed, B. (2022). Suspected Chinese hackers gained access to six state governments. StateScoop.
  2. Kulkarni, A., et al. (2024). A Review of Cybersecurity Incidents in the Food & Agriculture Sector.
  3. CISA, NSA, FBI, CNMF. (2023). IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors.
  4. Government-Industry Advisory Committee (GIAC). (2024). Growing Risks Amid Rapid Digitization.
  5. Kapko, M. (2022). Food supplier cyber risk spreads 1 year after JBS attack. Cybersecurity Dive.
  6. (2022). Ransomware Attacks on Agricultural Cooperatives Timed to Critical Seasons.
  7. Bogage, J., & Reiley, L. (2021). Russian hackers target Iowa grain co-op. Washington Post.
  8. CISA & FBI. (2025). Countering Chinese State-Sponsored Actors’ Compromise of Networks Worldwide.
  9. National Defense University Press. (2023). Weaponizing Wheat.
  10. U.S.–China Economic & Security Review Commission. (2024). China’s Mobilization Measures.
  11. Food & Ag-ISAC. (2025). Food and Ag Sector Cyber Threat Report.
  12. “Agriculture Threats Symposium Highlights Foreign Risks.” FBI.gov (2024).
  13. (2025). The Food Supply Chain Has a Cybersecurity Problem.
  14. Foundation for Defense of Democracies. (2025). Cybercriminals Targeting U.S. Food & Agriculture—Now More Than Ever.
  15. Pollard, Amelia. “‘Big Four’ Meatpackers Are Crushing Small Ranchers.” The American Prospect, June 9, 2021.
  16. Baksh, Mariam. “Cybersecurity Funding Faces Political Clash During Appropriations Markup.” NextGov, July 13, 2021.
  17. Thompson, Bennie G. Striking the Right Balance: Protecting Our Nation’s Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties. Prepared remarks delivered at the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee hearing, U.S. House Committee on Homeland Security, April 24, 2013.
  18. House Committee on Homeland Security, Democrats. Ranking Member Thompson: Trump Weakens National Security and Puts Our Critical Infrastructure at Risk as He Capitulates to Russia. Press release, February 19, 2025.
ISA: When Cyber Rules Can’t Prove They Work, They Become a Security Liability
https://isalliance.org/isa-when-cyber-rules-cant-prove-they-work-they-become-a-security-liability/
Tue, 13 Jan 2026 20:40:23 +0000

Deterrence is arithmetic, not theater.

In today’s hearing—“Defense through Offense: Examining U.S. Cyber Capabilities to Deter and Disrupt Malign Foreign Activity Targeting the Homeland”—Chairman Andy Ogles put it plainly: the United States must figure out how to change the cost-benefit analysis for our adversaries, because currently the math still works in their favor [1].

The Internet Security Alliance (ISA) agrees. As long as malicious state and criminal actors can impose low-cost attacks that deliver outsized strategic and economic gains, they will keep coming.

But deterrence has a second side—one Washington too often treats as an afterthought because it’s less dramatic than offensive operations: we also have to change the cost-benefit calculus for the defenders. You can raise the attacker’s costs at the margins and still lose if the defender’s costs rise relentlessly, through a regulatory system that consumes scarce cyber talent without measurably reducing risk.

Here is the quiet scandal in American cyber policy: we can count compliance, but we rarely prove effectiveness. When regulation rewards documentation over demonstrated risk reduction, it doesn’t just waste money; it drains the time, attention, and capital we need to harden systems and respond to real threats.

Regulation isn’t the problem. Regulation without evidence is.

The United States is not short on cyber policy. We have frameworks, checklists, audits, reporting regimes, and an endless supply of well-intentioned requirements. What we lack is the discipline to separate what reduces risk from what merely produces paperwork, and to stop treating activity as a proxy for security.

The Government Accountability Office (GAO) captured the frustration in a sentence that should stop any policymaker cold:

“We are spending money on compliance that would better be spent on cybersecurity.” [2]

That isn’t anti-regulatory rhetoric. It’s an operational warning. Time spent reconciling inconsistent definitions, meeting different reporting thresholds, and feeding multiple compliance calendars is time not spent on detection engineering, segmentation, patching, incident response readiness, or hardening the systems adversaries actually target [2].

And the stakes are not abstract. The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) reported $16.6 billion in losses in 2024, based on recorded complaints [3]. Global information security spending continues to climb into the hundreds of billions [4]. In other words, we are spending enormous sums in the name of cybersecurity while still struggling to answer the most straightforward question Congress should ask: are our cybersecurity regulations enhancing security?

Offense can punish. It can’t substitute for governance.

Chairman Ogles’ focus on offense is timely. Offensive capabilities can impose costs, disrupt campaigns, and inject uncertainty into an adversary’s planning. Those are real tools.

But offense cannot compensate for a domestic defense posture that burns resources without reliably improving resilience. A deterrence strategy that only raises the attacker’s costs, while allowing the defender’s cost base to inflate, creates a vicious loop: the attacker adapts, the defender gets stretched, and everyone congratulates themselves on “doing something” while the underlying return on attack remains stubbornly attractive.

That is why ISA’s position is the complementary half of deterrence: lower the cost of effective defense and increase the return on every dollar spent on security. Not by wishing it into existence, and not by asking for blank checks, but by applying a discipline the federal government already uses in virtually every other serious area of regulation.

The missing tool is the one Washington already knows: cost-benefit analysis.

For major federal regulations, cost-benefit analysis is the default, not the exception. The Office of Management and Budget (OMB) calls benefit-cost analysis “the primary analytical tool” for regulatory analysis and directs agencies to evaluate both quantifiable and qualitative costs and benefits [5]. Congress has summarized the same expectation: identify likely costs and benefits where possible, and compare alternatives rather than treating a mandate as self-justifying [6].

Cybersecurity should not be the exception.

When agencies impose cybersecurity obligations without rigorous cost-benefit analysis, three predictable things happen—each of which weakens defense.

First, we never define success clearly enough to measure it. “Compliance achieved” is not a security outcome. A binder of policies is not resilience. A reporting pipeline is not risk reduction. Without a requirement to specify benefits in defensible terms, mandates drift toward what is easiest to audit—not what is most effective to defend.

Second, we push scarce talent toward low-return work. Cybersecurity labor is finite. Every hour spent assembling attestations, mapping controls to overlapping rules, and chasing inconsistencies is an hour not spent reducing exposure or improving response [2].

Third, we accumulate legacy obligations that no one can justify, but no one can unwind. Cyber threats evolve; rules calcify. Without structured retrospective review, mandates pile up, paperwork grows, and defense costs more in precisely the wrong places.

If Congress wants deterrence that lasts, it should treat cost-benefit analysis as a security instrument—not a bureaucratic nicety.

A useful proof point: cost-benefit discipline is already trusted in this Administration.

Cost-benefit analysis is not some imported ideology. The federal government has long relied on it, and this Administration has a particularly relevant connection: the National Cyber Director, Sean Cairncross, previously served as Chief Executive Officer of the Millennium Challenge Corporation (MCC) [7].

MCC is not a cybersecurity agency, and that’s the point. It is a governing model built around measurable returns: it uses cost-benefit analysis to evaluate investments. It publishes economic rates of return as an accountability tool, including a hurdle rate used to decide whether projects merit investment [8].

One clean conclusion is enough: if the federal government expects quantified returns before funding major development projects, it can expect quantified security returns before imposing major cyber mandates on the systems Americans depend on every day.

What cost-benefit analysis legislation would change—immediately.

ISA supports legislation that would require cost-benefit analysis for cybersecurity-related regulation, not only going forward but also for the stock of existing cyber regulatory requirements. Done correctly, that approach would deliver practical, immediate gains:

1) Force clarity. Agencies would have to define the intended security benefit of a requirement and explain why the chosen approach produces the best return relative to alternatives.

2) Reduce waste without reducing security. The point is not to relax standards; it is to stop spending disproportionately on compliance activity that does not produce measurable risk reduction.

3) Modernize the rulebook. A retrospective review would create a structured way to update, consolidate, or sunset requirements that cannot justify their costs relative to security benefits, without waiting for the next crisis to expose the problem.

Deterrence is not a slogan. It is a balance sheet. The attacker’s balance sheet matters—but so does ours. If we want adversaries to think twice, we should absolutely impose costs where we can. But we should stop imposing costs on ourselves through mandates that can’t demonstrate they improve security.

A cybersecurity rule that can’t show results isn’t neutral. In a resource-constrained environment, it becomes a security liability.

This can be cited as ISA’s official comment on the January 13 hearing before the House Homeland Cybersecurity Subcommittee.

For more information contact Larry Clinton, President and CEO, Internet Security Alliance ([email protected]).

ISA NATIONAL DEFENSE CYBER THREAT REPORT: TRANSPORTATION SYSTEMS PART 2
https://isalliance.org/isa-national-defense-cyber-threat-reporttransportation-systems-part-2/
Tue, 13 Jan 2026 16:45:50 +0000

Our Transportation Infrastructure Is Already Compromised, Endangering National Security

The People’s Republic of China has forecast its intent to move against Taiwan as early as 2027. Such a move creates extensive strategic concerns for the United States and could generate the need for a physical show of force. However, if, for example, the U.S. decided that moving troops into the region was necessary, could we get those troops onto our ships?

As Ranking Member of the House Homeland Security Committee Bennie Thompson has warned, “the threats [from the Chinese Communist Party] are very real. The CCP is looking for every opportunity to undermine our security and get the upper hand on the U.S. globally” (22).

A 2025 report by the House Homeland Security Committee found:

“The U.S. maritime sector is dangerously reliant on equipment and technology that has been produced, manufactured, assembled, or installed in the PRC, including ship-to-shore cranes, container handling equipment, and various other critical maritime infrastructure components…. In the event of a future conflict in the Indo-Pacific region, Communist China would undoubtedly seek to limit the U.S. military’s response by targeting or exploiting vulnerabilities in the very same U.S.-based maritime equipment and technology that they produced, manufactured, assembled, or installed” (11).

Our Transportation Infrastructure Is Vulnerable Due to Our Outdated Tactical Approach

China’s success in infiltrating U.S. infrastructure—as well as similar infrastructure around the world—is the result of a well-conceived cyber strategy known as the Digital Silk Road (DSR). The DSR links together Chinese institutions—technology, financial, military, educational, and others—to cross-subsidize Chinese products, enabling them to win contracts that facilitate China’s digital access to these infrastructures whenever it serves China’s interests (FAC – ISA). The House Committee report specifically notes that vulnerabilities within maritime infrastructure, and the resulting reliance on China for even basic operational functionality, are “due in large part to noncompetitive pricing that favors PRC SOEs, technological disparities, and the lack of domestic manufacturer alternatives.” This strategy aligns with Ranking Member Thompson’s warning that “China is carrying out cyberattacks for espionage and to position itself for attacks against our critical infrastructure in the event of a future conflict” (22).

Testimony from the Paladin Group before the House Committee in January pinpointed how the piecemeal approach U.S. policy has taken toward cybersecurity places the nation at a competitive disadvantage relative to adversaries that do not allow outdated structures to impede their national interests. “Working often through creative investment vehicles, the PRC took a strategic approach to eventually holding our infrastructure at risk, while the United States took a tactical approach to blocking transactions that raised national security concerns.” Cyberattacks on port systems have grown by 900% over the past three years. Naval cybersecurity experts warn that adversaries could plant malware on port systems and activate it at a critical moment—such as during a naval confrontation—thereby crippling military resupply operations (5).

Chinese hackers have penetrated communications infrastructure and naval ports over a five-year period, targeting systems that connect the United States to Asia as well as cyber systems within Taiwan. This activity gives China the potential capability to hinder U.S. military mobilization during a crisis (15). In a Taiwan conflict scenario, adversaries could activate pre-positioned malware to disrupt port operations critical to military sea lift, interfere with air traffic control systems, compromise rail systems transporting military equipment, and create cascading failures across transportation networks. Such disruptions could delay U.S. military response during critical initial phases of conflict. The time has come—long past—for the United States to develop a true digital strategy, including reforming the antiquated congressional process that blocks speedy and effective updates to cybersecurity laws and policy.

Cybersecurity Challenges Facing America’s Transportation Infrastructure

American transportation systems—including maritime ports, rail networks, and aviation infrastructure—face persistent cyber threats from state-sponsored actors, with direct implications for military readiness and national defense capabilities.

The National Security Agency, working with security services from nine nations, has documented large-scale cyberattacks by Chinese state-sponsored actors against transportation sectors worldwide since at least 2021 (1). The FBI has testified that the Chinese government is preparing “bold and unrelenting” attacks on U.S. infrastructure, explicitly naming transportation among its primary targets (2).

Documented Intrusions and Vulnerabilities

A congressional report revealed that 80% of ship-to-shore cranes at U.S. ports are manufactured in China.

Cyberattacks in the aviation sector increased by 74% since 2020, threatening an industry that contributes $1.9 trillion to U.S. GDP (6). In September 2024, Seattle-Tacoma International Airport fell victim to a ransomware attack that disrupted critical systems for more than a week (7). Aerospace company Thales documented a 600% increase in aviation cyberattacks in 2024 alone (8).

Congressional leaders have noted that Volt Typhoon, a Chinese state-sponsored actor, maintained access to U.S. transportation infrastructure for at least five years. FBI Director Wray stated that “Volt Typhoon malware enabled China to hide as they targeted our communications, energy, transportation, and water sectors” (9). Intelligence Community assessments note that China is “almost certainly capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including rail systems” (10).

The Defense Infrastructure Connection

America’s transportation systems constitute essential components of national defense capability. Adversaries understand that targeting transportation infrastructure could significantly hinder America’s capacity to deploy, supply, and sustain military forces (14).

Economic and Policy Challenges

The national cybersecurity workforce shortage—estimated at more than 500,000 professionals—significantly impacts the transportation sector’s defensive capabilities (16). This shortage is particularly acute in maritime and rail operations requiring specialized operational technology knowledge.

Transportation infrastructure operators must balance security investments against competitive economic pressures. Legacy systems throughout the sector were not designed with modern cybersecurity threats in mind, making them particularly vulnerable (17). Modern ports blend legacy and modern systems that were never designed to operate securely together, making them vulnerable to lateral movement and disruptive attacks (18).

Attempts to address these challenges through traditional regulatory models have proven unsuccessful and may be counterproductive. Regulatory overlap between agencies distracts trained cyber personnel by forcing them to focus on compliance rather than security. The FAA and TSA share aviation cybersecurity responsibility, but overlapping mandates blur authority, resulting in fragmented oversight and inconsistent regulations (21). The Government Accountability Office found that TSA directives did not align with leading ransomware practices and, as of November 2024, its recommendations remained unimplemented (22).

The NDAA Connection

Given the clear connection between transportation infrastructure security and military readiness, future National Defense Authorization Act legislation could address these challenges by:

  • Recognizing transportation infrastructure cybersecurity as having direct national defense implications, particularly for strategic ports, airports, and rail corridors critical to military mobilization
  • Supporting workforce development initiatives targeting operational technology cybersecurity professionals
  • Examining regulatory consolidation opportunities to reduce duplication while enhancing security outcomes
  • Requiring threat information sharing between transportation operators and military logistics commands

Looking Forward

America’s transportation infrastructure faces persistent cybersecurity challenges from nation-state adversaries who view these systems as both economic and military targets. The documented presence of Chinese, Russian, and Iranian threat actors within maritime, aviation, and rail networks represents a clear threat to commercial operations and military readiness. Addressing these challenges requires coordination among federal agencies, infrastructure operators, and the cybersecurity community. It also requires honest recognition that transportation infrastructure security is fundamentally a national defense issue, not merely a commercial concern. The economic and military power of the United States depends on the secure and reliable operation of its transportation networks. Our adversaries understand this reality and are positioning themselves to exploit it. The question is whether our policy responses will match the scale and urgency of the threat.

Endnotes:
  1. National Security Agency, joint international report on Salt Typhoon operations, September 2025. The Washington Times, “NSA reveals new details of global cyberattacks by Chinese state-linked hackers,” September 2, 2025.
  2. FBI Director Christopher Wray, testimony at Vanderbilt Summit on Modern Conflict and Emerging Threats, Nashville, Tennessee, April 18, 2024. Reported by The National Desk, “Chinese hackers preparing ‘bold and unrelenting’ attacks on U.S. infrastructure: FBI,” April 19, 2024.
  3. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), joint advisory on Volt Typhoon operations, February 2024. The Hacker News, “Chinese Hackers Operate Undetected in U.S. Critical Infrastructure for Half a Decade,” February 9, 2024.
  4. House Select Committee on the Chinese Communist Party, report on supply chain threats to US port infrastructure, 2024. Dark Reading, “Concerns Over Supply Chain Attacks on US Seaports Grow,” September 19, 2024.
  5. NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE), policy brief on maritime cybersecurity threats, 2025. FreightWaves, “NATO warns ports vulnerable to ‘unprecedented’ cyber threats,” July 24, 2025.
  6. Cyble Research and Intelligence Labs, “Cyber Threats Surge Against Maritime Industry In 2025,” July 29, 2025.
  7. Naval Dome maritime cybersecurity research; Booz Allen Hamilton, “Cyber Attacks on Navy Port Supply Operations,” April 4, 2025.
  8. U.S. Senator Maria Cantwell, opening remarks at Senate Commerce Committee hearing on aviation cybersecurity threats, September 18, 2024.
  9. Technology Advancement Center, “Together Against Threats: Advancing Aviation Cybersecurity Through Collective Action,” February 18, 2025. Port of Seattle breach notification letters documenting August 2024 Rhysida ransomware attack.
  10. Thales Aerospace Company Cybersecurity Report, 2024; Travel and Tour World, “The Truth Behind the Airport Cyberattack Nightmares,” September 20, 2025.
  11. House Committee on Homeland Security Chairman Mark E. Green and Select Committee on the Chinese Communist Party Chairman John Moolenaar, Fox News op-ed, December 16, 2024; U.S. Department of Justice press release, “U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure,” February 6, 2025.
  12. Intelligence Community annual threat assessments, 2023 and 2024. Industrial Cyber, “DHS ratifies TSA security directives to boost rail safety and cyber threat response,” January 22, 2025.
  13. Foundation for Defense of Democracies (FDD), Cyberspace Solarium Commission 2.0 report on transportation infrastructure vulnerabilities. Industrial Cyber, “Cyber threats to rail, ports, airports could cripple US military mobilization, FDD report warns,” April 2, 2025.
  14. U.S. Transportation Command testimony to Congress on strategic seaport program. Congress.gov, “Port Cybersecurity: The Insidious Threat to U.S. Maritime Ports,” House Committee hearing, 2023.
  15. Booz Allen Hamilton, “Cyber Attacks on Navy Port Supply Operations,” April 4, 2025.
  16. Darktrace, “Adapting to new USCG cybersecurity mandates: Darktrace for ports and maritime systems,” May 20, 2025. U.S. Coast Guard Marine Transportation System economic impact data.
  17. Foundation for Defense of Democracies report on military mobilization vulnerabilities, 2025.
  18. Foundation for Defense of Democracies policy brief, Jack Burnham, “Chinese-Linked Hackers Accused of Infiltrating U.S. Treasury Department,” January 3, 2025.
  19. (ISC)² Cybersecurity Workforce Study estimates, 2024-2025.
  20. Foundation for Defense of Democracies report cited in Cybersecurity Dive, “Aviation sector faces heightened cyber risks due to vulnerable software, aging tech,” April 14, 2025.
  21. Darktrace analysis of maritime port operational technology environments, May 202
  22. Bennie G. Thompson, Hearing Statement of Ranking Member Bennie G. Thompson (D-MS), “Countering Threats Posed by the Chinese Communist Party to U.S. National Security,” March 5, 2025.
ISA NATIONAL DEFENSE CYBER THREAT REPORT: INFORMATION TECHNOLOGY PART 2
https://isalliance.org/isa-national-defense-cyber-threat-report-information-technology-part-2/
Mon, 12 Jan 2026 14:33:39 +0000

The Heart and Soul and Muscle of Cybersecurity: The IT Sector and Its People

Before World War II, the United States viewed warfare as occurring in two primary domains: land, overseen by the Army, and sea, managed by the Navy. The attack on Pearl Harbor revealed a third essential domain—the air—forcing the U.S. to rethink its defense posture. After the war, one of the U.S. government’s first major initiatives was the creation of the Air Force Academy to ensure the nation had a sufficient supply of trained personnel to defend this new theater of conflict.

Today, the United States faces a nearly identical deficiency—this time in the domain of digital conflict. The nation, including every critical infrastructure sector, is under constant cyberattack from well-financed nation-state actors, yet it lacks an adequate number of trained personnel to defend both government and private-sector systems. As Representative Bennie Thompson has warned, “Make no mistake, addressing cyber workforce challenges is a critical security priority” (13). The United States urgently needs a virtual cybersecurity academy to train the cyber defenders that national security now demands.

The threat environment is severe. Ranking Member of the House Oversight and Government Reform Committee Robert Garcia has stated, “Every company, every government faces serious threats from hackers from foreign intelligence services. We all know that Russia and China and other countries are trying to steal secrets, steal technology, steal patents—not just within one company, but across our nation” (14). The nation endures millions of cyberattacks daily, with total annual losses measured in the trillions of dollars. Intelligence reporting confirms that nation-state actors—including China—have infiltrated U.S. energy and telecommunications infrastructure and are “living off the land,” using our own administrative tools, credentials, and infrastructure against us (1).

The response from the IT community has been aggressive. Massive investment, innovative product development, AI deployment accompanied by surge staffing during national-level incidents, coordinated threat intelligence exchanges, and the rapid deployment of advanced monitoring and detection capabilities across public and private networks have all expanded significantly (11)(12). Yet even with these accelerated defensive measures, no technology company—or coalition of companies—can independently withstand a determined nation-state adversary.

Despite high investment in cybersecurity, the workforce deficit is overwhelming: an estimated 500,000 to 750,000 cybersecurity vacancies nationwide, including 35,000 unfilled positions within the federal government. Technology itself is complicating the workforce challenge, as AI is automating many roles once considered adequately staffed, while demand shifts toward next-level training and specialization. State and local staffing conditions are even worse. Even relatively affluent states and municipalities cannot compete in today’s tight and highly sophisticated IT security labor market. As Ranking Member Garcia has noted, “There are so many small cities and towns that don’t have the capacity to actually deal with some of these cyber threats. Municipalities and smaller governments face real challenges responding effectively” (14). Compounding the problem, many trained cybersecurity professionals are leaving the field due to stress, regulatory pressure, and burnout.

Regulatory Surge and the CISO Liability Crisis

A major driver of burnout is regulatory escalation. In July 2023, the Securities and Exchange Commission implemented sweeping cybersecurity disclosure rules requiring:

  • Disclosure of material cyber incidents within four business days
  • Annual reporting on cybersecurity governance, strategy, and risk management

These requirements appear under new Form 8-K Item 1.05 and Regulation S-K Item 106.

These rules significantly increase personal liability for chief information security officers (CISOs) and senior cyber leaders, raising the consequences of misjudgment or delayed reporting. Analysts warn of a growing “CISO liability crisis,” with burnout now compounded by legal exposure (9). AuditBoard similarly observes that these rules require formalized board oversight, more transparent materiality determinations, and documented cyber-governance frameworks (10).


The IT / Cyber Workforce Under Extreme Pressure

Cyber and IT personnel shoulder intense operational burdens. They confront escalating threats, highly complex systems, and expectations of flawless performance in a domain where any failure can have catastrophic consequences.

  • 91% of CISOs experience moderate or high stress (3)
  • Cybersecurity job satisfaction has fallen to 66% (4)
  • 44% of cybersecurity professionals report severe work-related burnout (5)
  • 65% of SOC analysts have considered quitting due to stress and alert fatigue (3)
  • 75% of CISOs are contemplating job changes due to burnout and liability concerns (6)

The combined effects of workforce shortages, alert fatigue, and expanding regulatory demands increase operational risk across every sector of the economy.


The IT Sector as a National Security Vector

The IT sector is not merely a support function—it is a core component of national security. Skilled cybersecurity professionals defend:

  • Critical infrastructure
  • Energy grids
  • Telecommunications networks
  • Financial systems
  • Defense industrial base systems
  • Healthcare and emergency services

When defender capacity collapses—through burnout, attrition, or regulatory pressure—national exposure escalates rapidly. Untriaged alerts, delayed incident response, and leadership turnover create exploitable conditions for nation-state adversaries.


Conclusion

National defense is inseparable from cyber and IT resilience. Cyber professionals responsible for defending critical systems are under unprecedented operational stress and increasing personal liability. Their role now resembles that of national-security commanders, yet they face shrinking staff levels, rising burnout, and overwhelming expectations. Meanwhile, highly sophisticated nation-state actors are aggressively seeking footholds in U.S. critical infrastructure (1).


The United States must respond with the same urgency demonstrated after World War II. While some government programs promote cybersecurity training in exchange for public service, including proposals for a virtual academy, these efforts remain far too limited in scale. The challenge must be addressed systemically.


The PIVOTT Act, recently passed by the House Homeland Security Committee, represents the first program designed to address this challenge at scale, with a goal of training 10,000 recruits for government service annually. Academy graduates would be compensated at levels comparable to those of West Point and Naval Academy graduates during their required service—far below the cost of the independent contractors currently performing these roles. The resulting savings would effectively offset the full cost of training, making this approach functionally cost-neutral for the federal government. Moreover, after completing their government service, academy graduates are likely to transition into private-sector cybersecurity roles, where they will continue defending the nation against state-sponsored cyber threats.


However, recruitment alone is insufficient. It is equally critical to reduce the extreme pressure under which IT professionals operate. Extensive documentation shows that the fragmented, duplicative regulatory system—combined with the practice of assigning personal liability to chief security officers for breaches caused even by sophisticated nation-state attacks, such as SolarWinds—has accelerated the loss of experienced personnel. Cybersecurity requirements are necessary, but when they are uncoordinated and lack cost-benefit discipline, they ultimately undermine security rather than strengthen it. The National Defense Authorization Act can and should address these issues immediately. We do not have time to waste—we are already under continuous nation-state attack.


Endnotes
  1. Politico. (2025, November 1). Telecom CISO: “We’re really dealing with an extremely sophisticated nation-state threat actor…” https://www.politico.com/.
  2. Securities and Exchange Commission. (n.d.). Cybersecurity. https://www.sec.gov/securitiestopics/cybersecurity.
  3. Bitsight. (2024). 5 shocking IT & cybersecurity burnout statistics. https://www.bitsight.com/blog/5-shocking-it-cybersecurity-burnout-statistics.
  4. Cyber Magazine. (2024). Burnout is becoming endemic across the cybersecurity sector. https://cybermagazine.com/news/burnout-is-becoming-endemic-across-the-cybersecurity-sector.
  5. Zhang, J., & Kumar, S. (2024). Burnout and mental health among cybersecurity professionals (arXiv:2409.12047). https://arxiv.org/abs/2409.12047.
  6. Cybersecurity Ventures. (2024). The rise in CISO job dissatisfaction. https://cybersecurityventures.com/therise-in-ciso-job-dissatisfaction-whats-wrong-and-how-can-it-be-fixed.
  7. CSO Online. (2024). Low turnover leaves job-seeking CISOs with nowhere to go. https://www.csoonline.com/article/3575323/low-turnover-leaves-job-seeking-cisos-with-nowhere-togo.html.
  8. SEC. (2023, July 26). Press Release 2023-139. https://www.sec.gov/newsroom/press-releases/2023-139.
  9. Raconteur. (2024). CISOs are burned out – now they face personal liability too. https://www.raconteur.net/technology/cisos-personal-liability.
  10. AuditBoard. (2023). SEC cybersecurity disclosure rules: What you need to know. https://auditboard.com/blog/sec-cybersecurity-rules.
  11. CISA. (2024). Joint Cyber Defense Collaborative: Annual Report. https://www.cisa.gov/.
  12. Microsoft Threat Intelligence. (2024). Nation-state cyber operations: Trends and defensive coordination. https://www.microsoft.com/security.
  13. Thompson, B. (n.d.). Committees and Caucuses. Office of Congressman Bennie Thompson, U.S. House of Representatives. Accessed January 2026.
  14. Miller, G. (2024, June 15). Transcript: House Committee Hearing to Assess Microsoft’s Cybersecurity Shortfalls. TechPolicy.Press.