Secure America
A pitch for a structure to support critical infrastructure operators
Note: This is a pitch for one idea and not fully thought out. I welcome feedback and criticism!
There are many ways to address the cybersecurity challenges faced by critical infrastructure providers in the United States. Below is one idea for how to do so.
The challenge
Critical infrastructure (CI) providers, such as hospitals, water systems, and electric utilities, are the target of a large number of cyberattacks. These attacks are often successful because of poor cybersecurity: CI providers lack cybersecurity expertise and have a low tolerance for downtime, which is often necessary to perform cybersecurity maintenance. In 2023, for instance, hackers disabled equipment at a Pennsylvania water utility that was still using its factory-default password, and Chinese state-backed intruders spent nearly a year inside a small Massachusetts electric utility that had failed to patch a firewall vulnerability. Because cybersecurity practices are already weak, CI providers will be among the first to suffer if cyberattacks increase due to the diffusion of advanced AI cyber capabilities.
The underlying problem is not technical but rather structural: budgets are constrained and competing priorities prevent CI providers from implementing protections (GAO-24-106744, pg. 22; GAO-19-332, pg. 19, 33-34). Government reports document these gaps across sectors:
Water and wastewater providers struggle with changing default passwords and keeping operating systems updated, often because operators believe they will not be targeted (GAO-24-106744, pg. 19).
Electric grid systems rely on legacy devices that were never meant to connect to the internet or that require the use of unsupported operating systems (GAO-21-81, pg. 15).
Hospitals and grid providers face workforce shortages because qualified professionals gravitate toward industries that pay better; small facilities often rely on part-time staff who wear multiple hats and lack specialized training (HHS 405d, pg. 13; GAO-19-332, pg. 19).
While 89% of hospitals regularly scan for vulnerabilities, only 53% of them have a plan to address what they find; prioritization challenges and resource constraints prevent action (HHS 405d, pg. 10).
A potential solution
Code for America offers a model for addressing this problem. As a non-partisan 501(c)(3), it partners with state and local governments to provide technical assistance for digital transformation, helping states implement free online tax filing systems and building simplified applications for food benefits. By operating as a nonprofit that works alongside government rather than within it, Code for America delivers expertise without the friction of procurement or politics.
A Secure America organization could follow this model. It would partner directly with critical infrastructure providers to address their staffing and resource constraints by embedding personnel within their teams. Advances in LLMs may make this model newly viable, helping embedded staff quickly get up to speed on unfamiliar systems and architectures. Services could include advising on cost-effective security solutions, helping organizations triage and prioritize known vulnerabilities, providing direct implementation support for securing or isolating legacy systems, and running training programs that transfer knowledge to existing staff. By integrating with provider workforces rather than delivering one-off assessments, this approach would build lasting security capacity in the organizations that need it most.

