Imagine a time without access to the technology you use on a daily basis. A time when you are not able to use the electricity in your house, purchase food at the grocery store, or access your health records. If the United States’ critical infrastructure suffered a significant cyberattack, this nightmare could become a reality. In 2021, the Colonial Pipeline faced such a cyberattack. The attack resulted in mass fuel shortages along the East Coast. A cyberattack can deliver the same debilitating consequences as a kinetic attack. We need to do a better job protecting our infrastructure.

The first step is a formal study to determine private and public ownership of the nation’s critical infrastructure. Without proper knowledge of ownership, it becomes too difficult to create and implement successful cybersecurity and cyber incident response policies.

The United States hosts sixteen critical infrastructure sectors whose assets are vital to the nation’s daily function. Interference or destruction of these sectors would have a debilitating effect on national security, public health, and economic stability. Without these sectors, many daily tasks would become impossible.

The United States should conduct a formal study of each of these sixteen sectors. Such a study, in collaboration with private partners, would determine what share of critical infrastructure is owned by the government and what share is privately owned. A full analysis of each sector and subsector would spell out the cyber threats posed to each.

A formal study would allow policymakers to better assess needs and cyber incident response. It would enable policymakers to create a mandatory cybersecurity policy that is shared across both public and private critical infrastructure sectors, encourage information sharing, and improve the security of our critical infrastructure.

A formal study would amplify the Biden administration’s current efforts. It has proposed the “Industrial Control Systems Cybersecurity Initiative,” a voluntary collaborative effort between the federal government and the critical infrastructure community. Yet, without proper knowledge of the public-private ownership split, it is hard to see how it will work.

A formal study would lead to targeted policy recommendations. The ability to tether policy towards the weaknesses of each sector, versus a general overall policy, increases the stability and security of each sector.

An annual policy implementation report should follow. It would provide policymakers insight into whether cybersecurity policy is effective within each sector, and whether additional measures are necessary.

Some would say that this study would cost too much and take too long. In a public-private partnership, the cost of this study could be shared. It is also possible to recruit the help of think tanks and university students to complete this task and speed it to a conclusion. Moreover, the benefits of such a study for cybersecurity protection far exceed the costs of response to cyber-attacks.

The threat of cyber-attacks against critical infrastructure is ongoing and imminent. The completion of a formal study of who owns and is responsible for critical infrastructure will enable the United States government and private partners to defend it, based on each sector’s specific needs. A full understanding of our nation’s critical infrastructure and how best to protect it will help keep our nation safe.