WWW.INFORMATIONWEEK.COM
Federal Cybersecurity Policy Still Lags Rapid Change
Water, power, sewage, banking, education, you name it -- all these life essentials have something in common: they rely on information technology. Increasingly complex and insecure technology. Meanwhile, threat actors have the means to launch ever-rising numbers of attacks on critical applications. The revelation this past August of the huge data breach at National Public Data of Americans' Social Security numbers and other personal data is a stunning Exhibit A.

The number of reported vulnerabilities has skyrocketed over the last 10 years. In fact, the number of new software vulnerabilities cataloged in the federal National Vulnerability Database has increased an average of 29% per year over the last seven years. Every year sets a record high, and with the introduction of AI models that write malicious code and find security holes, there's no reason to think that trend will reverse.

The federal government's contribution to cybersecurity has thus far been through guidance and influence or by wielding its purchasing power as a huge IT consumer. Those have some value but clearly aren't having much impact.

The public is quite unaware of how low the bar is presently set in software security. Modern software is never written entirely from scratch. Instead, developers use an assembly approach that pulls together existing code packages, often using open-source software built and maintained by developers not beholden in any way to the company making the final product. As security vulnerabilities and active malware become increasingly common, all companies find themselves shouldering increasing security risk.

Government organizations such as the Cybersecurity and Infrastructure Security Agency (CISA) have spent a great deal of time, money, and effort over the last few years trying to convince software vendors to adopt basic security practices and Software Bills of Materials (SBOMs). A vendor's SBOM tells the customer what is in the software -- but not whether the contents are secure.

CISA's actions have not moved the needle at stopping breaches. US cybercrime costs reached an estimated $320 billion as of last year. Between 2017 and 2023, costs grew by over $300 billion. Companies say they're doing more about cybersecurity, but breaches continue, and the private market is not correcting poor behavior. Stock charts barely register a blip when companies report breaches now. Congress has not yet stepped in, hampered, perhaps, by an inadequate understanding of the issue.

Urgent action is, consequently, needed. Government stepped in to protect our food and medicine by establishing the Food and Drug Administration, intervened to make our automobiles safer by establishing the National Highway Traffic Safety Administration, and acted to ensure job safety by establishing the Occupational Safety and Health Administration. When new technology or industrial development has threatened public health and safety, the government has created new regulatory bodies to protect that health and safety. And according to public polling, while Americans may be largely dissatisfied with the federal government in broad terms, they still want it to help keep the populace safe, including providing protection from unsafe products.

The upshot is that Congress should establish a new regulatory body to evolve the guidance currently provided by CISA and presidential executive orders, coupled with oversight powers based on an expanded definition of critical software and hardware.

What specifically defines "critical" here will of course need to be determined, but the definition currently used by CISA simply does not provide a sufficient scope to ensure America's cybersecurity. The current patchwork of industry self-regulation -- with each federal department doing its best to oversee its respective industry areas -- leaves too many gaps and will not even scale to the challenges we already face.

The new regulatory body's charter should establish enforceable minimum standard security practices for private companies that are deemed critical to the nation. Those standards should go beyond CISA's currently used definition of critical infrastructure, which does not include companies essential to our everyday lives, such as Microsoft, Google, payment providers, and cybersecurity firms like CrowdStrike.

This new regulator will also need the power to audit companies against those standards, selectively publish findings publicly, share findings with other regulators such as the SEC, establish fines, and, in egregious cases, pull products from the market. These powers follow the established scope of current agencies, such as the FDA and NHTSA. Without these powers of regulation over essential software, any new agency will be reduced to providing guidance, and our nation will continue to be at risk.

As CISA is already under the Department of Homeland Security, the above could be accomplished either by expanding its jurisdiction and giving it the above powers and responsibilities, or by establishing a new agency.

Robust cybersecurity regulation and oversight have become essential if we are to protect American citizens, companies, and governments from cyberattacks. Our unpredictable technological and geopolitical environments will demand no less.