Reports of cyberattacks targeting financial or health data have become increasingly common. These are hardly the only institutions in hackers’ sights, however. In an increasingly interconnected world, attackers are striking farther afield.
Take municipal water systems, for example. In October 2024, cyber intruders targeted the largest water utility in the United States, American Water, which provides drinking water and sewer services to 14 states and 18 military installations. Hackers with ties to the Russian government hit multiple Texas towns served by the company. In the town of Muleshoe, water began to overflow, forcing utility workers to operate the water plant and water system manually.
“People haven’t traditionally thought of pieces of infrastructure such as water and wastewater service as being prone to threats, but incidents like this show how quickly problems could occur,” said Jack Danahy, vice president of strategy and innovation at NuHarbor Security in Vermont.
The American Water attackers did not attempt to contaminate any water supplies, nor did they demand ransom. Authorities believe they were simply testing the vulnerabilities of America’s public infrastructure in an era of rising digital conflict.
Such conflicts pose a threat to public health, election security, intellectual property and similar targets. Cyber risk has escalated beyond a tech issue to impact national policy, local preparedness plans and crisis coordination across sectors.
These pervasive concerns are why emergency preparedness professionals need the knowledge and insight to address cybersecurity challenges. The right preparation — such as a Master of Arts in Homeland Security and Emergency Preparedness (HSEP) from Virginia Commonwealth University — can lead to fulfilling and lucrative careers in emergency management and homeland security while also contributing to the greater good.
Become a Leader in Cybersecurity Policy Today
Prepare for Cyber Threats With an HSEP Degree
What’s Driving Today’s Cybersecurity Threat Landscape?
Current risks fall into three main categories:
- Ransomware, which blocks or encrypts users’ files or systems, then demands payment in return for restoring access
- Attacks on infrastructure, including utilities, healthcare systems, government operations and communications
- Digital threats to elections, including hacks, distributed denial of service attacks and misinformation campaigns
While IT expertise is essential for defending against and responding to cybersecurity threats, it is only one piece of the puzzle. These threats can also trigger changes in public and private policy.
How Public Policy Is Responding to Emerging Cyber Threats
The federal government has adopted a multifaceted approach to cybersecurity, involving state and local governments in the process. The White House introduced a National Cybersecurity Strategy in 2023 with two key components:
- Fostering public-private collaborations that would shift the burden away from individuals, small businesses, local governments and infrastructure operators
- Realigning incentives to favor long-term investments, balancing defense against urgent threats with strategic planning for the future
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS), introduced its Cybersecurity Strategic Plan. The plan’s top priorities:
- Addressing immediate threats by working to thwart attacks on American and allies’ networks
- Hardening the terrain by adopting security practices that measurably reduce the likelihood of damaging intrusions
- Driving security at scale by making cybersecurity a fundamental safety issue, building security into products and giving consumers clear guidance about potential risks
DHS also works with state and local governments to boost cybersecurity. The 2022 State and Local Cybersecurity Grant Program allocated $1 billion to be paid out over four years to protect local and regional information systems.
Key requirements for grant recipients:
- Assessments and evaluations: Applicants must show that they understand their cybersecurity approach and recognize areas for improvement.
- Cybersecurity best practices: Applicants must take action to implement best practices such as multifactor authentication, data encryption and backup systems.
- Cybersecurity plan: Applications must provide a planning document that covers a variety of elements, including delineation of responsibilities among different government entities, an outline of resources and a timeline for implementation.
These government responses to cybersecurity illustrate how the challenge has moved beyond the realm of technical cyber experts. These changes require leaders who understand both policy and preparedness.
Faculty Research Spotlight: Dr. Christopher Whyte on Cyber Policy
AI poses a unique challenge in terms of cybersecurity threats, according to Dr. Christopher Whyte, associate professor at VCU’s Wilder School. A leading expert in cyber policy research, Whyte is concerned about weaknesses in the response to AI-driven threats, as well as overconfidence in AI security systems.
These problems can undermine national security response strategies. Whyte has directed part of his attention to examining how the U.S. and international communities can develop governance frameworks for responsible behavior in cyberspace.
The landscape of cyber threats expands and diversifies every year, Whyte says: “Cyber threats are not the stuff of strategic calamity that punditry and Hollywood often like to convey. At the same time, the landscape of cyber threats continues to expand and diversify year-on-year. In this context, the Department of Defense just can’t cover the country with the cyber equivalent of a missile defense shield, and so must adjust its posture to be as efficient as possible as it attempts to create meaningful deterrence.”
Whyte’s perspective underscores the HSEP program’s effectiveness in preparing students to think critically about the role of cybersecurity in modern policy and emergency preparedness.
How Private-Sector Policy Is Adapting to Cyber Risk
Governments are not the only entities that must deal with cybersecurity threats, of course. Private companies are responding in a variety of ways, including:
- Emergency and continuity plans that include risk assessment, data backup and recovery, and alternate worksites
- Risk management and Governance, Risk, and Compliance (GRC) protocols that align IT with business goals while managing risks and meeting industry and government regulations
- Public-private coordination efforts, discussing common challenges, best practices, and avenues for cooperation between government and industry
- Future-proofing against cyberattacks by such means as building a secure cloud strategy and designing resistant workloads
These responses require professionals who can effectively bridge policy, operations and crisis management.
Careers at the Intersection of Policy, Planning and Cyber Risk
Several roles stand at the intersection of cyber risks and public policy. They include:
- Business continuity and resilience planners develop strategies and procedures to help organizations prepare for and respond to disruptions or emergencies.
- Cybersecurity policy advisors analyze cyber threats and create strategic frameworks to protect digital assets and guide cybersecurity efforts.
- Emergency preparedness coordinators develop plans, organize training exercises and coordinate resources to ensure communities and organizations are ready to respond to emergencies and disasters.
- Homeland security policy analysts evaluate threats and develop strategic recommendations to protect national security.
- Infrastructure risk managers identify potential threats and implement strategies to protect critical infrastructure systems, ensuring their resilience.
Why Cyber Threats Demand Policy and Preparedness Leaders
Today’s security landscape demands professionals who understand both policy frameworks and evolving digital threats. HSEP graduates are prepared to lead in cross-sector coordination, risk strategy and public communication.
Professionals with this mix of skills have the potential to land salaries well into six figures. Information security analysts earn a median annual wage of $124,910, according to the Bureau of Labor Statistics; the top 10 percent of earners exceed $186,000.
How VCU’s Online HSEP Program Prepares You
The demand for versatile security analysts across the public and private sectors makes this a great time to specialize in HSEP. The Wilder School approach focuses on outcomes and alignment to current needs through:
- A curriculum that covers infrastructure, emergency response, policy strategy and cybersecurity awareness
- Preparation for professionals to lead during tech-driven crises and natural disasters
- Scheduling flexibility for working adults, veterans, and aspiring public leaders
- Real-world application and cross-sector relevance
Be the Policy Leader the Cyber World Needs
Cybersecurity threats are a metastasizing menace, encompassing both longstanding targets, such as financial organizations, and emerging targets, including public utilities. The evolution of cyber risks is changing the rules of emergency planning and national security, making HSEP professionals more sought-after than ever.
VCU’s online master’s degree in HSEP offers a valuable opportunity for learners who want to respond—not just react—to modern threats. If you’re ready to take on the challenge, schedule an application walkthrough or start your application today.