When cyberattacks disrupt healthcare, schools and transit, women absorb the heaviest burdens—yet policy still treats these impacts as gender-neutral.
Cyberattacks on critical infrastructure have increased in frequency, sophistication and real-world impact, affecting not only technical systems but the basic services on which communities depend.
Yet despite the growing recognition that cybersecurity is no longer confined to the digital realm, the gendered consequences of cyber incidents remain largely unexamined in national policy discussions. As a result, the United States continues to design and implement cybersecurity strategies that assume impacts are evenly distributed across society.
In reality, disruptions to healthcare, education, transportation and public services disproportionately affect women—not because women are inherently more vulnerable, but because they occupy structural roles, both in the formal workforce and in unpaid care labor, that make them central to a society’s capacity to absorb and recover from crisis.
This omission has significant implications. When cyber incidents interrupt essential services, it is often women who bear the immediate operational effects, the intensified care burdens and the long-term social and economic consequences. The absence of gender-disaggregated data in cybersecurity planning does more than obscure inequality; it weakens our understanding of systemic risk and resilience.
Ignoring gender in cybersecurity threat modeling and incident response undermines national safety, distorts risk assessments and hinders effective recovery. Integrating gender-intentional analysis into cybersecurity is therefore essential for accurate policy design, equitable protection and a more resilient society.
Healthcare: The Gendered Consequences of System Disruption
When digital systems fail, it is predominantly women who absorb the increased physical and emotional labor required to maintain patient care. … When power or communication systems fail, maternal mortality increases due to delayed or obstructed access to obstetric services.
Healthcare is among the most heavily targeted sectors for ransomware and other forms of cyber intrusion, with incidents increasing in both scale and severity.
The 2024 ransomware attack on Change Healthcare, the largest healthcare data breach in U.S. history, halted claims processing for weeks and caused cascading disruptions across the national healthcare system.
The subsequent attack on Ascension hospitals further illustrated how cyber events compromise clinical operations, delay access to electronic health records and force medical staff to revert to manual processes that strain already overburdened institutions.
These incidents are typically framed as technical outages or financial disruptions, yet their impacts are deeply gendered. Approximately 80 percent of the U.S. healthcare workforce is composed of women, particularly in nursing and frontline care roles. When digital systems fail, it is predominantly women who absorb the increased physical and emotional labor required to maintain patient care. Nurses must manually transcribe medication orders, track patients without electronic alerts and navigate heightened safety risks associated with delayed diagnostics and record inaccuracies. These burdens materialize immediately and disproportionately in women’s work conditions, yet they seldom appear in post-incident assessments.
Cyberattacks on healthcare systems also intersect with women’s health outcomes. Disruptions to electronic fetal monitoring, delays in prenatal or reproductive care and reduced access to skilled birth attendance during outages have measurable effects on maternal health. Historical research on blackout events demonstrates that when power or communication systems fail, maternal mortality increases due to delayed or obstructed access to obstetric services.
Cyber-induced outages reproduce these patterns, but current national incident-reporting frameworks do not capture these consequences. The absence of gender-disaggregated data makes it difficult to assess the scale of reproductive and maternal health risks posed by cyberattacks, leaving policymakers with an incomplete understanding of the full spectrum of harm.
Secondary consequences also follow predictable gendered lines. When healthcare systems are paralyzed, caregiving responsibilities shift back to households. In the U.S., women continue to perform the majority of unpaid care work, including caring for children, elderly relatives and individuals with chronic health conditions. The intensification of this labor during cyber-related disruptions is well documented anecdotally but structurally invisible, as no federal or state-level data collection mechanisms track the gendered redistribution of care during cyber incidents. As a result, cyber harm remains undercounted, and resilience planning overlooks the social infrastructure required for recovery.
Education: Cyberattacks and the Reallocation of Care Labor
Teachers manage disrupted curricula, communication breakdowns and the emotional needs of students who may experience anxiety or instability as a result of outages. … School closures and disruptions immediately reassign childcare responsibilities to families [where] women perform the majority of caregiving labor.
The education sector has become a prominent target for ransomware attacks, with more than four-fifths of U.S. K-12 schools experiencing a cyber incident between mid-2023 and late 2024.
High-profile attacks on the Los Angeles Unified School District, the Tucson Unified School District and numerous rural and under-resourced districts have led to school closures, compromised records and significant financial strain. These incidents are generally described through the lenses of student achievement, data privacy or district budgets. However, the gendered consequences of educational disruptions are substantial and insufficiently recognized.
Women comprise 77 percent of K-12 educators and nearly 90 percent of elementary school teachers. When schools shift to manual processes, cancel classes or struggle to restore digital infrastructure, the operational burden falls overwhelmingly on women. Teachers manage disrupted curricula, communication breakdowns and the emotional needs of students who may experience anxiety or instability as a result of outages. School staff also face heightened workloads during recovery as they reconstruct lost data, reorganize schedules and restore classroom continuity under constrained conditions.
Beyond the classroom, the gendered implications become even more pronounced. School closures and disruptions immediately reassign childcare responsibilities to families. Because women perform the majority of caregiving labor in the United States, they disproportionately absorb the consequences: lost work time, reduced income, increased stress and heightened domestic responsibilities.
During the COVID-19 pandemic, school and childcare closures contributed to a marked decline in women’s labor-force participation. Cyber-induced closures replicate similar dynamics, albeit at smaller scales.
Yet cybersecurity incident reports rarely, if ever, document gendered workforce impacts or caregiving burdens.
The education sector is not designated as its own “critical infrastructure” under U.S. federal definitions, despite its foundational role in enabling economic productivity, workforce stability, and community functioning. This classification gap itself reflects a gendered blind spot: Sectors heavily staffed by women and central to caregiving are often undervalued in national risk frameworks, making the invisible labor of recovery even less likely to be resourced.
Transportation: The Gendered Implications of Mobility Disruptions
Cyberattacks on transportation systems have intensified in recent years, affecting rail, bus, maritime and aviation networks.
Incidents involving Pittsburgh Regional Transit, the Kansas City Transportation Authority and Oahu Transit Services demonstrate how ransomware can disrupt payment systems, interrupt service and prevent riders from accessing essential mobility.
Transportation disruptions are typically assessed in terms of economic loss or technical vulnerability. Yet mobility itself is gendered. Nationally, women constitute a majority of public transit users and tend to rely on transit systems more heavily for short, multi-stop trips associated with caregiving, household management and service-sector employment.
When transit outages occur, women face greater challenges in accessing medical care, workplaces, grocery stores, childcare centers and eldercare facilities. These disruptions have immediate effects on women’s safety and economic stability, particularly for those with limited access to private vehicles or those living in transit-dependent urban or rural areas.
Despite these predictable patterns, transportation-sector cyber incident analyses rarely include gender-based assessments. As with healthcare and education, the absence of gender-disaggregated data obscures the compounded burdens women experience when mobility systems falter and limits the effectiveness of resilience planning.
Interconnected Systems: Cascading Impacts and Unmeasured Gendered Harm
Critical infrastructure sectors are deeply interconnected, and disruptions in one system often cascade into others.
State-sponsored groups such as Volt Typhoon have positioned themselves within U.S. communications, energy, water and transportation networks with the apparent intention of conducting disruptive operations that would have wide-ranging societal effects. Cybercriminal groups have similarly exploited vulnerabilities across multiple sectors simultaneously, as seen in incidents affecting healthcare, finance and municipal services.
… Disruptions to healthcare, education, transportation and public services disproportionately affect women … because they occupy structural roles … that make them central to a society’s capacity to absorb and recover from crisis.
When infrastructure fails, the gendered consequences compound. For example, healthcare disruptions increase caregiving needs at home; school closures intensify childcare demands; transportation outages reduce access to essential services; water or power interruptions amplify domestic labor such as cooking, cleaning and sanitation. Each of these burdens disproportionately falls on women. The cumulative effect is not merely increased individual strain but reduced societal resilience, as the same population responsible for absorbing shocks becomes overwhelmed.
Yet cybersecurity policy frameworks remain largely focused on technical interdependencies rather than social ones. Current threat modeling does not account for the gendered distribution of labor that underpins system recovery, nor does it track the compounding effects of overlapping outages on populations already carrying substantial care responsibilities. This blind spot limits our ability to prepare for or respond to complex, multi-sector cyber events.
Why Gender-Blind Cybersecurity Undermines National Security
The recurring theme across these sectors is not simply that women experience disproportionate harm but that women’s roles are structurally central to the resilience of society. When cyber incidents disrupt essential services, women’s paid and unpaid labor becomes the buffer that compensates for system weaknesses. Yet this labor remains largely invisible to policymakers, unmeasured in incident reporting and unaccounted for in resilience strategies.
Gender neutrality in cybersecurity is thus not a neutral position but an analytically inaccurate one. It yields incomplete risk assessments, inadequate resource allocation and resilience planning that does not reflect the actual distribution of responsibilities during crises. A risk model that does not account for gender is a risk model that cannot accurately predict societal impact, nor its recovery and resilience.
… Women’s roles are structurally central to the resilience of society.
The Role of Software Safety and Policy Reform
Importantly, many of the harms described above originate not from uniquely sophisticated adversaries but from insecure and misconfigured software. A substantial proportion of cyber incidents exploit preventable software defects, including memory-safety vulnerabilities, authentication bypasses and misconfigurations. Software manufacturers face limited incentives to prioritize secure development, as end-user license agreements often shield them from liability when their products fail.
The consequences of insecure software are not evenly distributed. Because women disproportionately rely on public services and constitute the majority of workers in female-dominated sectors, they are more likely to experience harm when digital infrastructure collapses. Addressing the root causes of cyber insecurity—through secure-by-design standards, regulatory frameworks, liability reform and more robust institutional oversight—would therefore have meaningful gender-equity implications as well as broader societal benefits.
Toward a Gender-Intentional Cybersecurity Framework
Designing cybersecurity as if all users experience technology in the same way has never worked, and the evidence is no longer debatable. Across sectors, women carry disproportionate operational burdens when systems fail, absorb increased care responsibilities during outages, and navigate digital environments shaped by structural inequities. This reality distorts threat modeling, hides cascading social impacts and slows recovery during major cyber incidents
While some may dismiss this as an abstract equity issue, we prefer to frame it as a risk-intelligence issue. We learned this the hard way in product design.
One of the catalysts for Google’s Product Inclusion work was the recognition that women’s needs, perspectives and everyday use patterns were missing from the development cycle. Once teams dug into how women actually interacted with the technology, products became more intuitive, safer and more widely adopted. Better understanding of cultural, gendered and identity-linked nuance didn’t lead to niche features. It led to better products, full stop.
Cybersecurity deserves that same rigor. We cannot protect what we do not understand.
A gender-intentional approach forces security teams to see the real operating environment: who relies on critical systems, who holds the care labor that keeps households and communities functioning during outages, who is disproportionately exposed to mobility failures or healthcare disruptions, and whose digital footprints make them targets for harassment, disinformation or identity-based abuse. These dynamics shape risk exposure and resilience, and ignoring them produces controls that look good on paper but fail in practice.
A smarter cybersecurity framework starts with three commitments:
1. Center real users, not idealized ones.
Threat modeling must include how women (and other demographics) actually engage with technology across work, caregiving, transit and community life. Overlooking this produces blind spots that adversaries already exploit.
2. Measure what matters.
Gender-disaggregated data on service disruptions, digital harms and recovery patterns gives policymakers a more accurate view of systemic risk and resilience demands. Without it, response efforts consistently underestimate consequences.
3. Design through a human-centered security lens.
Security policy is strengthened when it reflects how people actually interact with technology. Incorporating empirical insight into user behavior and socio-technical context produces more usable controls, more legitimate communication and more realistic incident-response planning and resilience strategies that align with how societies absorb disruption. A human-centered lens thus enhances both the effectiveness and equity of cybersecurity governance.
The aim is not to create a separate cybersecurity track for women, but to build a security ecosystem grounded in empirical realities rather than inherited assumptions. Gender-intentional analysis sharpens risk assessment, strengthens institutional decision-making and supports national resilience. As digital systems shape access to healthcare, education, mobility and economic opportunity, such analytical clarity becomes essential—a prerequisite for effective and equitable cybersecurity governance.
Making Tech Work for All of Us
Human-centered security is foundational to building systems that withstand failure, recover quickly and protect the people who keep critical infrastructure running.
Cybersecurity fails when it treats people as an afterthought.
The gendered impacts documented in the 2023 “Safer Together” report make clear that disruptions to healthcare, education, transportation and critical services are never experienced evenly. Women disproportionately absorb the immediate operational fallout and the long tail of recovery, and those lived realities shape the true dimensions of national resilience.
Within this broader rethinking of digital resilience, we must work together to redesign how we make tech work for us.
The work of our newly formed Foundation Layer is situated in an effort to reconceptualize how society governs and relies upon technology. Rather than treating cybersecurity, software security and digital policy as purely technical domains, Foundation Layer approaches them as social systems whose impacts are mediated by human behavior, institutional capacity and unequal distributions of labor and risk.
Its focus on placing people at the center reflects a recognition that the stability of digital infrastructure ultimately depends on the stability of the communities and individuals who interact with it.
This people-centered approach was also adopted by Critical Cyber, a new impact-driven initiative mapping the real-world consequences of cyberattacks against critical services through first-hand accounts of those who have lived through or defended against these events. These efforts help to examine how public services, local governments and civil society organizations can better anticipate and mitigate the social consequences of cyber disruptions, and how software design and regulatory frameworks might evolve to reduce harm before it occurs.
But no single institution can address these challenges alone.
Building a safer and more equitable digital future will require a shared recognition that our current structures are insufficient, and a collective effort to redesign them so that technological systems reinforce, rather than undermine, the resilience and well-being of the people they are meant to serve. Human-centered security is foundational to building systems that withstand failure, recover quickly and protect the people who keep critical infrastructure running.
We must integrate gender-intentional analysis into our decision-making to move cybersecurity from theoretical preparedness to real-world effectiveness. Such a shift is essential for any nation serious about safety, stability and resilience in an era of cascading, high-impact digital disruptions.
