Digital Infrastructure and Security (DDIS): A Cost-Benefit and Policy Analysis
The digital systems that run American life — the power grid, water utilities, hospitals, banks, telecommunications, and the internet itself — are defended today by a patchwork of agencies, voluntary standards, and private operators each making their own decisions. No single institution owns the mission of keeping the nation's digital backbone secure, current, and trustworthy. The Digital Infrastructure and Security Act proposes a new cabinet-level Department of Digital Infrastructure and Security (DDIS) to consolidate that fragmented oversight and to take responsibility for four converging frontiers: cybersecurity of critical infrastructure, the safety of advanced artificial intelligence, the transition to quantum-resistant and quantum-networked communications, and stewardship of the core protocols on which the open web depends. This page analyzes the case for such a department, what it would cost, and the serious objections to creating it.
The Problem: A Fragmented Defense
American cybersecurity is, by design and by accident, fragmented. The Cybersecurity and Infrastructure Security Agency (CISA) coordinates; the National Security Agency and U.S. Cyber Command handle signals intelligence and military operations; the FBI investigates; sector-specific regulators set rules for finance, energy, and health; and the vast majority of critical infrastructure is owned and operated by private companies that participate in federal programs largely voluntarily. Analysts at the Center for Strategic and International Studies describe U.S. critical-infrastructure cyber defense as "voluntary and fragmented," rooted in voluntary compliance and inconsistent standards, with heavy reliance on individual operators to defend themselves against nation-state adversaries.
The 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires covered entities to report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours, a genuine advance, though the obligation becomes enforceable only once CISA's implementing rule is finalized. Even then, CIRCIA is about after-the-fact reporting: it sets no minimum security requirements for operators. In other words, the country has built a smoke-detector network without a building code.
The threat is not hypothetical. CISA's 2024 Year in Review reports that its Joint Cyber Defense Collaborative issued roughly 1,300 cyber-defense alerts and products during the year, and that CISA delivered more than 2,100 pre-ransomware notifications in 2024 — nearly double the prior year. Critical infrastructure faced what observers called an unprecedented surge in attacks, from nation-state intrusions into telecommunications and energy networks to ransomware crippling hospitals and financial firms, causing billions of dollars in economic losses.
The Mechanism: What DDIS Would Do
DDIS would consolidate the civilian functions of digital defense and modernization into one accountable department, while leaving intelligence and military cyber operations where they belong, at NSA and Cyber Command. Its four mandates:
Cybersecurity and resilience. DDIS would set enforceable minimum security standards for designated critical-infrastructure sectors — the "building code" that voluntary frameworks lack — and serve as the operational hub for threat intelligence sharing, incident response, and recovery. This builds on CISA rather than discarding it; CISA would be the department's core.
AI safety. As advanced AI systems are embedded in infrastructure, finance, and defense, DDIS would house the technical capacity to evaluate frontier models for security and safety risks, set standards for high-stakes deployments, and coordinate the government's response to AI-enabled threats. This extends the standards-setting work begun at the National Institute of Standards and Technology with its AI Risk Management Framework.
Quantum readiness. A cryptographically relevant quantum computer, when one arrives, will break the public-key algorithms (RSA, Diffie-Hellman, and elliptic-curve cryptography) that underpin most of today's key exchange and digital signatures; symmetric ciphers and hash functions survive with larger parameters. The deadline is earlier than the machine itself, because encrypted traffic recorded today can be stored and decrypted later. DDIS would drive the migration of federal and critical-infrastructure systems to post-quantum cryptography (NIST published the first finalized standards, FIPS 203, 204, and 205, in August 2024), starting with the cryptographic inventories that tell an operator where vulnerable algorithms are actually in use, and steward early quantum-networking research.
Core protocols and the open web. DDIS would represent the U.S. public interest in the governance of the protocols underpinning the internet: domain names (the DNS and the ICANN process), routing security (BGP and its RPKI origin-validation layer), and the encryption standards developed at the IETF, defending an open, interoperable web against both fragmentation and capture.
Projected Impact and Figures
The benefit case rests on avoided losses and on the value of coherence. Ransomware alone imposes billions in direct and recovery costs annually across U.S. organizations, and the costs of a successful attack on a power grid, water system, or hospital network can be measured in lives as well as dollars. A department that converts the current voluntary patchwork into a baseline standard, with faster shared response, would reduce both the frequency and the blast radius of incidents. The CISA pre-ransomware notification program is instructive: simply warning organizations before encryption occurs prevented an unknown but plausibly large number of damaging attacks at modest cost — a high-leverage activity that a dedicated department could scale.
The honest caveat is that cybersecurity benefits are hard to quantify precisely, because the counterfactual — the attacks that did not happen — is unobservable. The case is therefore partly about risk reduction against tail events whose expected cost is enormous even if their timing is uncertain.
Administrative and Implementation Considerations
Standing up a new cabinet department is a major undertaking, and the cautionary example is the Department of Homeland Security, whose post-9/11 creation by merging 22 agencies produced years of integration pain, morale problems, and persistent management challenges that GAO tracked for more than a decade. DDIS should be designed to avoid repeating that history: build around an existing, functional core (CISA) rather than bolting together dozens of unrelated bodies; recruit and retain scarce technical talent by paying competitive, specialized salaries outside the standard civil-service scale, as DHS's Cybersecurity Talent Management System already attempts on a smaller scale; and define jurisdiction crisply to avoid turf wars with NSA, the FBI, and sector regulators. Mandatory minimum security standards must be paired with technical assistance and reasonable timelines, especially for smaller utilities and hospitals that lack in-house expertise, or the rules will go unmet. Independent oversight and a clear privacy framework are essential, because a powerful digital-security department necessarily touches sensitive data and surveillance-adjacent capabilities.
International Comparisons and Precedent
Several allies have moved toward consolidated digital-security institutions. The United Kingdom's National Cyber Security Centre, established in 2016 as part of GCHQ, is widely cited as a successful model of a single authoritative national hub for cyber defense and public-facing guidance. The European Union has built ENISA as its cybersecurity agency and, through the NIS2 Directive, imposed binding security obligations on critical sectors — precisely the "building code" approach DDIS would adopt. On AI, the EU's AI Act and the network of national AI safety institutes provide templates for risk-based oversight of advanced systems. On quantum, NIST's post-quantum cryptography standards (finalized beginning in 2024) already give the U.S. a technical head start that a dedicated department could drive into deployment.
Comparison to the Status Quo and Alternatives
The status quo's defenders argue, with some force, that distributing cyber authority across many agencies provides resilience and avoids a single point of failure. But the cost of fragmentation is incoherence: gaps where no one is responsible, duplicated effort where many are, and a voluntary-standards regime that adversaries exploit. The main alternative to a new department is to keep strengthening CISA within DHS and to legislate sector-by-sector security mandates without reorganizing. That path is lower-risk and could capture much of the benefit — and it is a legitimate competing proposal. A second alternative is a coordinating "cyber czar" in the White House with convening power but no operational authority; experience suggests coordinators without budgets and statutory mandates struggle to compel action. DDIS chooses consolidation precisely to fix accountability, accepting the transition risk in exchange for clear ownership of the mission.
Risks, Trade-offs, and Counterarguments
The strongest objection is the DHS precedent: creating a department is disruptive, slow, and may worsen performance for years before improving it, and the very fragmentation problem it aims to solve can be recreated inside a poorly integrated new bureaucracy. A second is concentration of power: a single department overseeing cybersecurity, AI, encryption standards, and internet governance would wield significant authority over technology and data, raising real civil-liberties and surveillance concerns that demand strong oversight and privacy guardrails. A third is the risk of regulatory rigidity: government-set security standards can lag fast-moving threats and lock in yesterday's defenses; standards must be outcome-based and frequently updated. A fourth is the talent problem — the federal government already struggles to compete with private-sector salaries for elite security and AI engineers, and a new department succeeds or fails on whether it can hire them. A fifth is mission creep: combining AI safety, quantum, cybersecurity, and protocol governance under one roof risks a department that does many things adequately and none excellently. Each of these is a design constraint, not a fatal flaw, but together they argue for a narrow, well-governed launch built on a functional core rather than a sprawling new empire.
Conclusion
The systems that run modern American life are under sustained attack and are governed by a patchwork that no longer matches the threat. A Department of Digital Infrastructure and Security would replace voluntary fragmentation with a clear owner of the mission, a real security baseline for critical sectors, and dedicated capacity for the AI and quantum challenges already arriving. The benefits are genuine and the threat is real, documented in CISA's own surge of ransomware warnings and the analysts who call the current approach dangerously incoherent. The risks are equally real — the ghost of DHS's troubled creation, the concentration of digital power, the perennial talent gap. The prudent path is to build DDIS deliberately, around CISA, with binding but flexible standards, strong privacy oversight, and a tightly defined mandate. Done that way, it would be one of the highest-leverage investments in national resilience available.
Sources
- Center for Strategic and International Studies, "Securing U.S. Critical Infrastructure against Evolving Cyber Threats": https://www.csis.org/blogs/strategic-technologies-blog/securing-us-critical-infrastructure-against-evolving-cyber
- CISA, "2024 Year in Review": https://www.cisa.gov/about/2024YIR
- Cybersecurity Dive, "CISA's pre-ransomware alerts nearly doubled in 2024": https://www.cybersecuritydive.com/news/cisa-pre-ransomware-alerts-double/735785/
- The White House (archived), "2024 Report on the Cybersecurity Posture of the United States" (May 2024): https://bidenwhitehouse.archives.gov/wp-content/uploads/2024/05/2024-Report-on-the-Cybersecurity-Posture-of-the-United-States.pdf
- Industrial Cyber, "CISA's 2024 Year in Review document details cyber defense, infrastructure protection milestones": https://industrialcyber.co/cisa/cisas-2024-year-in-review-document-details-cyber-defense-infrastructure-protection-milestones/