On Jan. 31, FBI Director Christopher Wray testified before Congress, explaining how Chinese government hackers were trying “to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous.”
These hackers, Wray continued, “are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”
Wray’s testimony offered a glimpse into the frightening possibilities attacks on U.S. critical infrastructure might unleash. But the truth is actually scarier: The American homeland has been under attack for the past two decades, with little in the way of meaningful response.
Policymakers must, then, begin to strengthen private sector and local preparedness for these ongoing attacks, as well as develop and resource the federal interagency for complex emergencies, with an emphasis on societal resilience.
As early as 2009, Chinese and Russian hackers infiltrated America’s electrical grid, installing malware that could be used for future attacks. One year later, Russia hacked the NASDAQ stock exchange and not only attempted to steal data but left behind what experts described as a “digital bomb” that could, when detonated, damage financial networks.
In 2013, disaster was narrowly averted after Iranian hackers infiltrated the control systems of the Bowman Avenue Dam in New York and nearly flooded a small town.
A 2017 hack of the Wolf Creek nuclear power plant in Kansas was later revealed to be the work of Russian hackers, as was a 2022 attack on an international food company, which temporarily closed all of its meatpacking plants in the United States.
China reportedly breached and surveilled the networks of the New York City subway system in 2021. Just this past May, Microsoft reported that the China-backed hacker network Volt Typhoon compromised its IT systems to access critical infrastructure on Guam.
These complex systems of critical infrastructure — which include energy, finance, food and agriculture, healthcare, municipal services, transportation, water and many more — are vulnerable, and not just to state actors. Even small groups of criminals have left thousands without electricity, cut off responders’ communications in major cities and prevented patients from receiving care at hospitals.
These known threats to civilian critical infrastructure are made worse because our national defense is dependent upon some of these very same systems. For example, the ability of the U.S. military to deploy forces overseas depends upon the civilian maritime industry, airlines, ports and railroads — all of which have been disrupted by cyberattacks from various bad actors within the past 10 years.
In 2014, the Senate Armed Services Committee reported that Chinese hackers repeatedly breached the networks of U.S. Transportation Command’s civilian contractors, upon whom the military would rely for logistical support in the event of war. As Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Agency, warned last year, a foreign adversary could choose to target U.S. infrastructure to gain an advantage in a military conflict.
Given these known threats to the U.S. homeland, policymakers from the national to the local level must act now to better prepare their communities for the impacts of critical infrastructure attacks.
Among the first things policymakers can do is improve collaboration, as most critical infrastructure is owned by the private sector and overseen by local governments. Local officials and private companies should work to improve the security of both the physical facilities they manage and their networks. Both groups should also plan for emergencies collaboratively, perhaps incorporating training and exercises with first responders as well.
National decision-makers should also better evaluate different federal agencies’ ability to manage multiple crises at once. The challenges of the COVID-19 pandemic could serve as useful starting points for developing, posturing and resourcing federal departments and agencies to respond to widespread disasters created by attacks on critical infrastructure.
The final piece of preparedness does not come from policymakers, but from the rest of us, as societal resilience is critical to keeping the bad effects of critical infrastructure attacks from becoming much worse. In 2021, when a ransomware attack shut down the Colonial Pipeline, gasoline shortages were caused not by the direct disruption to supply, but by widespread panic buying.
Leaders at the local level should therefore engage their communities in preparedness planning. At the national level, leaders should be cognizant of our current state of political polarization. As in any attack meant to sow disruption and division, we do our enemies’ work for them when we panic.
Instead, we may do well to remember the lessons of the last major attack on the U.S. homeland. On Sept. 11, 2001, there was little room for vitriol and prejudice. Instead, if we act with the understanding that the homeland is already under attack, everyday Americans may realize that they are their neighbors’ best hope for safety and security.
Stephen Webber is a defense analyst at RAND.