Americans have come to view warfare as a distant event occurring on some faraway battlefield. Cyberspace, however, shatters that perception and brings to America’s doorstep the very real effects of wars being fought across the globe.
Attacks are no longer limited to some far-off battlefield but strike when and where they might be least expected. Recent cyberattacks on water utilities in Pennsylvania, Texas and Indiana are examples of how adversarial nations are exploiting technology to bring the battlefield directly to American civilians and private[1] sector organizations. Traditional defense mechanisms are proving to be insufficient as network vulnerabilities across our most critical infrastructure have threatened to prevent infrastructure suppliers from providing fundamental resources necessary to sustain ordinary American daily lifestyles.
To protect America and Americans, entities providing critical infrastructure services should promptly assess how they conceive security, what methods they are using to achieve it and who they entrust to provide it. Though federal and state governments are vital to this effort, the burden of ensuring services remains uninterrupted to protect customer and shareholders’ interests falls upon the entities that are supplying the services.
While businesses may be motivated by their own self-interests, prudent security steps taken now will also serve to benefit many who rely upon these services and the overall stability underlying national security.
Unlike most national security threats, private sector entities cannot expect the U.S. military, law enforcement organizations or other government agencies to provide adequate defense in cyberspace. The scale of American cybersecurity needs and restrictions on government action make it nearly impossible for government organizations to defend private sector cyberspace.
Constitutional prohibitions on searching private property extend to privately owned systems, and government institutions can rarely access them without the owner’s consent. Even with authorization, cyberspace is so vast that the U.S. Government’s wealth and power are dwarfed in comparison.
Not long ago, only U.S. soldiers, spies, and officials stationed abroad were at risk of attack from adversarial nations. Geographic advantages and deterrence strategies kept America safe from attack. Now, our military strength and geographic separation provide scant protection against cyberattacks in our increasingly interconnected society — America’s adversaries have innumerable vulnerabilities to exploit.
What’s more, the protection of the vast majority of those vulnerable networks are not the responsibility of federal or state governments. When these vulnerabilities present themselves in networks supporting critical infrastructure, such as energy or water, the risk of substantial harm from nation-states significantly increases.
China, Russia and Iran have taken advantage of technology to shape international competition in their favor. China’s Volt Typhoon hacking group has infiltrated multiple aspects of U.S. critical infrastructure, likely to enable sabotage should hostilities arise over Taiwan’s independence. Similarly, following Hamas’ October attack on Israel, Iranian hackers breached an unknown number of water utilities in the U.S., including the Municipal Water Authority of Aliquippa, Pennsylvania. And, in the weeks before and after Congress voted to send aid to Ukraine and other U.S. allies, Russian hackers caused a Texas town’s water system to overflow and targeted a wastewater treatment plant in Indiana.
While motives behind specific cyberattacks may not be known, U.S. adversaries’ ability to affect and damage water, electricity, fuel, air and other resources in the U.S. has become a powerful tool of those seeking to wreak international havoc. This peril is now a significant foreign policy consideration. As adversaries demonstrate the capacity and willingness to sabotage the essential provision of services sustaining human survival, America’s long-established methods of protecting against international threats may be inapplicable, ineffective, or too costly to pursue.
Although in the pre-digital age the protection of most utility operators in the U.S. was not a government responsibility, there was still low risk because adversaries were incapable of reaching and harming these organizations. Now, every business in the U.S. that offers a critical piece of the infrastructure has become a valuable target to America’s adversaries, and these businesses must consider themselves to be part of broader conflicts being influenced by larger geopolitical contexts. As such they should now consider defending themselves not only from criminals and business competitors but from nation-states as well.
These post-digital era threats should prompt businesses in the U.S. to consider new variables to their risk calculus. Because foreign adversaries are targeting businesses with strategic significance, from the smallest water utilities to the largest energy providers, those business must become more cognizant of ongoing issues related to geopolitics, national security, cybersecurity and international relations. Business leaders must keenly understand how geopolitical drivers directly place their organization at risk.
American lives depend on the continuing operation of its infrastructure services as delivered by many different businesses. America’s adversaries, aware of the critical nature of these services, are seeking to gain leverage or advantage by exploiting vulnerabilities. Wrongdoers who threaten to or actually shut down the provision of critical services can create fear in the citizenry as a means to compel government leaders to yield to their desires. Understanding these risks and designing defense and resilience plans to mitigate those risks can be critical tools to ensure an organizations’ survival.
Michael McLaughlin co-leads the Cybersecurity and Data Privacy Practice Group at the law firm of Buchanan Ingersoll & Rooney, PC. He previously served as Senior Counterintelligence Advisor for United States Cyber Command and as Chief of Counterintelligence and Human Intelligence for the Cyber National Mission Force. His published works include Battlefield Cyber: How China and Russia Are Undermining Our Democracy and National Security (Prometheus 2023).
Kurt Sanger is Counsel at Buchanan Ingersoll & Rooney. He counsels clients on cybersecurity, data privacy, and national security matters. For 23 years he served as a Judge Advocate in the U.S. Marine Corps. His final post on active duty was Deputy General Counsel for United States Cyber Command.
[1] We refer to water utilities and similar entities as “private” in this article, but realize they may be structured as purely private, pseudo-public or public.