Protection of Critical Infrastructure from Cyber and Physical Attacks
The nation’s critical infrastructure—including energy, telecommunications, healthcare, transportation, financial systems, aviation, maritime, water supply, public transportation systems, data centers, disaster recovery centers, and smart city systems—is the backbone of national security and economic stability. These sectors are increasingly vulnerable to both cyber and physical attacks, necessitating a robust, coordinated defense strategy that upholds the privacy rights of individuals. I recommend the following measures to enhance infrastructure security while ensuring that privacy is protected:
- Comprehensive Cybersecurity Framework: All organizations responsible for critical infrastructure must adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework should include federal supply chain security standards, which require vendors and suppliers to follow strict cybersecurity protocols. Federal procurement requirements should prioritize vendors with strong security credentials to prevent attacks that exploit supply chain vulnerabilities. The framework must also cover emerging sectors such as aviation, maritime, and water supply infrastructure, ensuring that all critical systems are protected without infringing on individuals’ privacy rights. Legal safeguards should be implemented to ensure that data collected for security purposes is not misused or shared without consent.
- Redundant Systems and Backup Capabilities: Critical infrastructure—including aviation systems, maritime operations, data centers, and disaster recovery centers like Iron Mountain—must have redundant systems in place to ensure continuity of operations in the event of a cyberattack or physical disruption. Redundancy should also be implemented for smart city technologies, which connect public services like utilities, transportation, and waste management to digital networks. Privacy protection measures must be in place to ensure that personal data collected during backup and recovery processes is encrypted and kept secure, and that individuals are informed about how their data may be affected in such scenarios.
- Physical Security Enhancements with Privacy Considerations: Alongside cyber defenses, physical security measures must be enforced at facilities such as airports, ports, data centers, disaster recovery centers, and critical infrastructure sites. These facilities should have advanced surveillance, access control, and integration with local law enforcement to prevent unauthorized access and physical sabotage. To protect individual privacy, surveillance laws should require that clearly visible signage is posted at all surveillance points, notifying the public that monitoring is in place. These notices will serve as a legal safeguard, ensuring that individuals are aware of surveillance and that their rights are not infringed upon by covert monitoring. Additionally, surveillance data should be subject to strict controls, with access limited to authorized personnel and data retention policies that ensure deletion after a reasonable period unless legally required.
- Real-Time Threat Intelligence Sharing with Privacy Protections: The federal government must foster public-private partnerships for real-time sharing of threat intelligence between agencies and critical infrastructure entities. This should include aviation and maritime sectors, data centers, cloud service providers, public transportation operators, and smart city systems to coordinate defensive responses to emerging threats effectively. Privacy safeguards must be embedded in these partnerships, with clear boundaries regarding the sharing of personal information and regular audits to ensure compliance with privacy laws. Individuals whose data may be included in these systems must be notified about what data is shared and how it is used, with the option to dispute or inquire about the data.
- Cybersecurity Audits and Penetration Testing with Privacy Reviews: Regular cybersecurity audits and penetration tests should be mandatory for all critical infrastructure operators, including airports, ports, cloud service providers, data centers, and disaster recovery centers. Privacy audits should be incorporated into these cybersecurity assessments to ensure that no personal data is compromised during testing or ongoing operations. Water treatment facilities and public transportation systems should also be subject to rigorous testing to ensure they are resilient against cyber threats, with special attention to how user data is handled securely in these environments.
- Incident Response and Recovery Plans with Data Privacy Safeguards: Every critical infrastructure organization must have a comprehensive Incident Response Plan (IRP) that includes both cyber and physical scenarios. These plans must include provisions for coordinating with aviation and maritime authorities, cloud providers, and disaster recovery centers to ensure the quick restoration of systems after any breach. Privacy must be protected during incident response by ensuring that any personal data affected by a breach is handled according to strict legal and ethical standards. Federal agencies should also require smart city systems, public transportation networks, and water utilities to conduct regular simulations to test the effectiveness of their response strategies, ensuring minimal downtime and risk to public safety while safeguarding personal information.
- Strengthening Supply Chain Security with Privacy Compliance: Supply chain security must be prioritized across critical infrastructure sectors, with specific regulations requiring vendors to adhere to federal cybersecurity and privacy standards. This ensures that attackers cannot exploit supply chain vulnerabilities to target critical systems indirectly, and that personal data managed by third-party vendors is protected. Vendor risk management must include regular audits, background checks, and strict security protocols, especially for industries such as aviation, energy, maritime, and financial services. Vendors must be required to comply with privacy laws when handling any personal data, and organizations should have data sharing agreements that clearly define privacy obligations.
- International Collaboration on Infrastructure Security and Privacy: Cyber threats to critical infrastructure often originate from foreign actors. The U.S. must enhance collaboration with international allies to share intelligence, best practices, and defensive strategies. Collaborative efforts should extend to aviation, maritime, smart city technologies, cloud security, and securing the global supply chain. Additionally, international privacy standards should be enforced to ensure that cross-border data sharing respects privacy rights. These agreements should include privacy protections that prevent the misuse of personal data, ensuring that individuals’ rights are upheld even in global cybersecurity operations.