

Security by Design: Why We Need a Department of Cyber Infrastructure

By The Security Nexus

The Case for a Cyber-Focused Cabinet Agency

The cyber threats facing the United States are no longer limited to isolated incidents or technical nuisances—they are systemic, strategic, and increasingly existential. The Colonial Pipeline ransomware attack in 2021 halted fuel distribution across the East Coast. The SolarWinds breach infiltrated over 100 companies and nine U.S. federal agencies. These are not mere cybersecurity failures—they are national infrastructure attacks, and they represent a paradigm shift that our government structure has not yet caught up with (Carroll 2024).

While agencies like CISA, DOE, FERC, and NSA play essential roles in cybersecurity, responsibility is scattered across a bureaucratic patchwork of mandates and authorities. There is no single executive body tasked with cyber infrastructure security as a unified whole.

This fragmentation is dangerous.



Why Fragmentation Fails

The Department of Homeland Security, despite housing CISA, was initially built for physical homeland threats—terrorism, border security, and disaster response. CISA is a relatively new subcomponent (established in 2018) and lacks the operational authority or funding to mandate cybersecurity reforms across critical sectors (CISA 2023a). Meanwhile, NIST, NSA, FBI, ODNI, DOE, and even the White House’s Office of the National Cyber Director (ONCD) each address cyber threats from their respective areas of responsibility.

The result is stovepiped policy, inconsistent standards, duplicated efforts, and vulnerable supply chains (Carroll 2024). According to the Energy Infrastructure Security report, current federal efforts span DOE software tools, FERC reliability mandates, and DHS risk evaluations—but coordination remains voluntary and sector-specific (Cai 2018).



A Department of Cyber Infrastructure: What It Would Do

A cabinet-level Department of Cyber Infrastructure (DCI) would consolidate overlapping missions, authorities, and capabilities under one roof. It would have five core functions:

1. Critical Infrastructure Security: Unified protection for energy, telecom, transportation, health, finance, and manufacturing cyber systems.
2. National Cyber Supply Chain Risk Management (C-SCRM): Lifecycle tracking of software, hardware, and firmware with SBOMs and memory-safe language adoption (NSA 2023).
3. Incident Response & Recovery: Rapid, coordinated response with clear authority during major cyber events (not unlike FEMA’s role in natural disasters).
4. Security by Design Mandates: Regulatory authority to enforce security-by-design standards on vendors through procurement, SDLC controls, and SBOM implementation.
5. Interagency & International Cyber Norms: Elevating international engagement and interoperability as cyber infrastructure is inherently global.



Learning from 9/11: DHS as a Precedent

After the September 11 attacks, the U.S. consolidated 22 agencies into the Department of Homeland Security—because the threat landscape had changed. Air travel, emergency response, and border control required central coordination. We are now at a similar inflection point in cyber.

The threat is not just to government agencies, but to hospitals, utilities, pipelines, schools, food suppliers, water treatment plants, and more (Carroll 2024). Cyber is no longer just an IT issue—it is civil infrastructure. It demands a dedicated executive entity with both strategic vision and operational authority.



The Geopolitical Imperative

China’s Ministry of State Security and Russia’s FSB/GRU have long fused state cyber capabilities with military and economic statecraft. The PLA treats digital networks as battlefield terrain. The U.S., meanwhile, remains hamstrung by decentralized governance (Choucri & Agarwal 2019).

By failing to elevate digital infrastructure to national strategic infrastructure, we are ceding the initiative in cyberspace to authoritarian regimes that treat cyber as a domain of war and coercion.



From Optional to Operational: Embedding Security by Design

“Security by Design” must become a regulatory baseline—not a voluntary best practice. CISA and its international partners have already published guidance like Shifting the Balance of Cybersecurity Risk and The Case for Memory Safe Roadmaps—but compliance is unenforced (CISA 2023b; NSA 2022b).

A Department of Cyber Infrastructure would codify Secure Software Development Frameworks (SSDFs), enforce Zero Trust Architecture (ZTA) across public-private partnerships, and embed DevSecOps into every federal procurement pipeline.



Conclusion: Strategic Infrastructure Requires Strategic Governance

The U.S. must stop treating cybersecurity as a back-office IT function and start governing digital infrastructure the way we govern roads, bridges, and airspace. The same rigor we apply to nuclear command-and-control or air traffic safety must now apply to server patching, router firmware, and DNS architecture.

We have departments for energy, defense, health, and homeland security. It’s time we had one for cyber infrastructure.

The future of national power depends on it.




Sources

• Carroll, Jami M. 2024. “The U.S. National Cybersecurity Strategy: A Vehicle with an International Journey.” Proceedings of the 23rd European Conference on Cyber Warfare and Security.
• Cai, Tianxing. 2018. “Energy Infrastructure Security in the Digital Age.” International Journal of Public Administration in the Digital Age 5(2).
• Choucri, Nazli, and Tarek Z. Agarwal. 2019. “Securing the Long Chain of Cyber-Physical Global Communication Infrastructure.” MIT Political Science Department.
• Khan, Muhammad Jamshid. 2023. “Securing Network Infrastructure with Cyber Security.” World Journal of Advanced Research and Reviews 17(2): 803–813.
• NSA. 2022. “Securing the Software Supply Chain: Recommended Practices.” National Security Agency.