What the Venezuelan Operation Illustrates About U.S. Cybersecurity

2026: The Cyber Threat has Changed – Congress Needs to Change Too

 

The very nature of cyber-attacks has changed dramatically, and the US Congress will need structural reform to keep up with the evolved threat to our national security.

 

The US action against Venezuela this past weekend was a blended operation, apparently including the use of cyber methods to successfully compromise weaknesses in Venezuelan electric infrastructure. The fact that US military cyber expertise is at a world-class level, and the US energy grid is far better protected than the Venezuelan defenses, should not obscure the fact that US critical infrastructure is also extremely vulnerable to cyber-attack.

 

Prudence demands that we recognize a new era of conflict and take additional steps to secure our own privately owned critical infrastructure.

 

We know that China, also a world-class cyber power, has already compromised the US infrastructure. And it is not just the power grid that has been compromised. Today, the Internet Security Alliance (ISA) will begin widely circulating a series of reports — one a day — that document that virtually every critical infrastructure sector — from agriculture to water services — is already being subjected to successful, strategic nation-state cyber-attacks. We have known our adversaries are in our critical infrastructure for some time, and we have been unable to get them out.

 

Of course, we have had state-affiliated cyberattacks for years. However, the goal of early cyber-attacks was generally theft of personal data, credit cards, health data, etc. That is no longer the major threat. We are now seeing nation-state cyber-attacks designed not to steal our personal data but to strategically compromise the infrastructure itself with apparently military objectives.

 

In a speech at the 250th Marine Corps Birthday Ball last month, Vice President JD Vance chronicled how technological change has fundamentally altered the nature of nation-state conflict. “The battlefield has changed incredibly and profoundly. We’ve got technology that would have been inconceivable even when I was a kid — we’ve got cybersecurity, satellites in space, we’ve got artificial intelligence, and all this incredible technology.”

 

Nasrin Rezai, Chief Information Security Officer for Verizon—one of America’s largest and most sophisticated companies—described what our privately-owned critical infrastructures are already experiencing in Politico last month, saying, “We’re now dealing with an extremely sophisticated nation-state threat actor that will do anything and everything at any price to get a foothold into our critical infrastructure.” The “at any price” comment is important to note.

 

In this new reality, nation states such as China, Russia, Iran, and North Korea are using cyber-attacks to insert themselves into our critical infrastructure, enabling them to disable its function at a time of their choosing – similar to what the US did in its action against Venezuela. The threat is not Venezuela retaliating against us. It is major nation states using similar techniques against our privately owned critical infrastructures, which cannot successfully defend themselves, or us, while relying on commercial defenses. This evolved threat seriously impairs our national security.

 

A Different Cyber Threat Demands a Different Model of Cyber Defense

 

In our historic cybersecurity model, the government supports cyber defense in traditional military domains and leaves privately owned critical infrastructure to provide defense using commercial funding.

 

This model is no longer sustainable.  The evolved threat fundamentally alters the economics of our cyber defense structure.

 

No private entity can successfully defend itself against nation-state actors seeking strategic control over US infrastructure and operating with literally no budget constraints. It is not just the smaller companies that lack the financing to properly defend themselves against nation-state attacks. Compared to China, every company is a small company.

 

Congress needs to work collaboratively among multiple committees with cybersecurity jurisdiction to create a new model addressing the gap between commercially funded cybersecurity and the national security needs to protect our critical infrastructure. This needs to begin with aligning existing regulations to focus on metrics that maximize the effectiveness of our cybersecurity spending and are capable of addressing this evolved — and quickly advancing — cyber threat.

 

We Can Make Progress Quickly and Effectively at Low Cost

 

Fortunately, major steps toward rebalancing the economics of American cybersecurity can be quickly and effectively enacted without major federal spending and on a bipartisan basis.

 

Step one is to simply eliminate the massively duplicative cybersecurity regulatory system, which is a product of multiple entities attempting, all in good faith, to address the previous cyber threat in an uncoordinated fashion.

 

There is already bipartisan consensus to address the overly complex cyber regulatory system. Sean Cairncross, the Trump Administration’s new National Cybersecurity Director, has frequently called for eliminating duplicative cyber regulation. Objective 1.1 in the Biden Administration’s National Cybersecurity Strategy was to “establish an initiative on cybersecurity regulatory harmonization.”   Earlier this year, the Chairs of the House Oversight and Reform Committee and the Homeland Security Committees, and several sub-committee Chairs, wrote to OMB Director Vought, urging him to “act now” because “eliminating the duplicative framework of cybersecurity regulation is the fastest and most cost-effective way to improve our nation’s cybersecurity materially.”

 

Multiple studies have documented that simply eliminating the existing duplication in cyber regulation will immediately free up between 40% and 78% of existing cybersecurity resources (varying by sector) currently being occupied with redundant compliance requirements.

 

Moreover, an ISA analysis relying on multiple AI tools suggests that eliminating the duplicative requirements would save the industry as much as $50 billion a year – the government would save about $5 billion. Notwithstanding the precision of these estimates, a more streamlined regulatory system – eliminating the duplication, not the core regulations – will save large amounts of money, which can be rechanneled into more effective cyber defense of private companies operating our critical infrastructure.

 

AI Technology Can Quickly Address the Modern Threat

 

Perhaps the best news is that using existing AI technology to create this modernized regulatory model can be accomplished very quickly. Whereas historically identifying duplicative regulations across agencies would have been a laborious process, now multiple AI tools can accomplish this task almost immediately. Once the duplicative regulations are identified using the AI models, creating a streamlined process becomes far easier. Several cyber-related trade groups have proposed a joint process involving SRMAs and regulators to create non-duplicative substitute regulations by a certain date. The new streamlined regulations would be assessed regularly on a cost-benefit basis (as is required in most federal regulations) under OMB guidance and enforcement. This shifts the focus of the regulation from compliance to effectiveness.

 

Congress Must Collaborate to Create a Different Model of Cyber Defense

 

There is a real urgency to get this new model operational. Congress needs to work collaboratively with all the committees of jurisdiction to create this new model, aligning regulation to focus on metrics that maximize the effectiveness of our cybersecurity spend and are capable of addressing this evolving — and quickly escalating — threat. This can be done either through Executive action or legislatively.

 

Using Congress to create this new model will require a degree of collaboration across congressional committees that has not previously been the norm. A variation of the Solarium Commission approach to the NDAA could be a model that would establish a baseline, eliminate duplication, and require regulations to be cost-effective. OMB can use existing authority to do essentially the same thing. With the overarching structure in place, ensuring non-duplication and cost-benefit analysis, the individual committees of jurisdiction and sector-specific agencies will retain the ability to create sector-specific regulations operating within that model.

 

Either through legislation such as the NDAA, or direct administrative action through OMB, a new approach is required urgently if we are to maintain a whole-of-nation security posture in the face of ever more aggressive and increasingly technologically sophisticated threats.

 

By Larry Clinton, President/CEO

Internet Security Alliance