A bipartisan pair of senators have introduced legislation that would provide Federal funding to bolster community water systems against cyber threats and extend an existing program to boost resilience of water systems.
The Water Cybersecurity Enhancement Act introduced May 1 by Sens. Tom Cotton, R-Ark., and Ruben Gallego, D-Ariz., aims to protect water-related critical infrastructure against cyber threats and to respond to cyberattacks.
Attacks against the 152,000 public drinking water systems in the United States have been on the rise, with at least 97 of those systems – serving more than 26 million people – flagged by the Environmental Protection Agency’s (EPA) Inspector General for critical or high-risk cyber vulnerabilities in late 2024.
“Cyberattacks on public infrastructure are a growing threat, and our water systems are no exception,” said Sen. Cotton in a statement. “This bipartisan bill will strengthen our ability to protect essential services and support local water utilities in building stronger cyber defenses.”
The bill would extend the Safe Drinking Water Act – also known as the Drinking Water Infrastructure Risk and Resilience Program – to provide grants and technical assistance to community water systems that can be used to support cybersecurity training programs and guidance.
The Drinking Water Infrastructure Risk and Resilience Program, created under the 2018 America’s Water Infrastructure Act, requires community water systems to assess and improve their vulnerabilities to natural and human-made threats.
That program is currently authorized through fiscal year 2026 and is set to expire after that without further action from Congress. The newly introduced legislation would extend the program through 2031.
“In Arizona, we know better than most the importance of safe and secure access to water. But adversaries also understand the importance and are increasingly trying to undermine our water security,” said Sen. Gallego in a statement.
The legislation comes as U.S. officials have sounded the alarm that recent attacks on critical infrastructure from China-affiliated actors should serve as a turning point for the United States’ approach to cybersecurity.