Cyber economics and the risk to critical infrastructure

By Heidi Crebo-Rediker, Senior Fellow for Geoeconomics, Council on Foreign Relations

In debates on economic security, cyber economics is too often overlooked. Many still frame cyber threats as company-level problems, where firms worry about ransomware, retailers fear stolen data, and banks focus on hacked payment systems. However, the more consequential danger is collective: cyberattacks on critical infrastructure with the power to unleash cascading disruptions across entire economies. This systemic risk remains under-appreciated, even as attacks grow in scope, sophistication, and geopolitical consequence.

From corporate risk to macroeconomic shock

The greatest danger lies not in a single server, but in the complex systems that underpin modern commerce. Electricity grids, water utilities, transportation networks, ports, airports, and undersea cables carry the weight of global connectivity. While automation and software increase efficiency, they also multiply vulnerabilities.

A prolonged disruption to any one of these systems can paralyze thousands of businesses. Multiple disruptions at once could be catastrophic. The 2021 winter storm in Texas, though caused by weather rather than malware, is a sobering example. The blackout cost up to $130 billion and crippled supply chains, health services, and agriculture. Imagine a hostile actor triggering similar failures via cyberattack, deliberately timed for maximum damage. The result would not only devastate individual entities but also generate a macroeconomic shock—akin to a natural disaster colliding with a financial crisis.

The growing threat landscape

State-backed hackers and criminal groups are already probing these vulnerabilities. The Colonial Pipeline ransomware attack in 2021 exposed how fragile logistics networks can be, while the more recent Volt Typhoon campaign embedded malware inside U.S. critical infrastructure. Unlike espionage, such intrusions appear designed to disrupt the civilian economy at scale, undermining both national resilience and military readiness.

The threat is also global. Attacks on undersea cables—vital arteries of the digital economy—are no longer hypothetical. With artificial intelligence accelerating offensive capabilities, adversaries can now identify weaknesses faster and automate attacks at scale. As a result, the risk curve is steepening, placing both advanced and developing economies in danger.

The field of cyber economics

Traditional economics treats cyber risk as a minor externality to be covered by insurance. In contrast, cyber economics reframes these risks as systemic. The more integrated and digitized an economy becomes, the more vulnerable it is to disruption. Elevating cyber threats from technical concerns to macroeconomic risks sharpens the case for sustained investment in resilience.

Without realistic, economy-wide accounting of costs, both governments and markets will continue to underinvest in defense and the skilled workforce required. Initiatives such as the Global Cybersecurity Forum–World Economic Forum Center for Cyber Economics, particularly when joined by institutions like the IMF, World Bank, and OECD, represent important first steps.

Who polices, who pays?

The governance dilemma complicates the picture. In the United States, most critical infrastructure is privately owned, meaning investment decisions often follow commercial incentives rather than national resilience. Large utilities may field advanced defenses, while smaller authorities lack the means to keep pace. Even the best-prepared firms cannot realistically deter state-backed attackers without government coordination and international collaboration.

Meanwhile, state-led economies often mandate cybersecurity standards and assume direct responsibility for protecting infrastructure. Liberal democracies, however, struggle to enforce baselines or require immediate reporting. Legal restrictions and fragmented oversight create uneven defenses, leaving the broader economy exposed to “weakest link” failures. The unresolved question of who ultimately pays—federal taxpayers, private firms, or local governments—further delays progress.

The allied dimension

Because cyber threats transcend borders, national strategies alone are insufficient. Attacks on shared assets such as undersea cables, power grids, or data networks ripple across continents. Therefore, allies must elevate cyber resilience as a shared economic security priority. Intelligence sharing, collaborative monitoring, and joint investment in defensive infrastructure can help close gaps that no single nation can address on its own.

A call to action

What is needed now is a paradigm shift. Policymakers, investors, and regulators must recognize that cyber threats to critical infrastructure represent potential macroeconomic shocks, not isolated corporate challenges. The rise of cyber economics highlights that in an interconnected world, cyber defense is economic defense. Ignoring this reality risks overlooking one of the defining macroeconomic threats of our time.

Read our previous post, H-1B visa fee hike rattles tech and global markets