Most recently, our conflict with Iran in the wake of the killing of its top military commander, Qasem Soleimani, raised new worries about possible cyber-retaliation. That's a reasonable fear. Security analysts predict that state-backed hackers will target America's weakest link. Given that our power-transmission grids and energy utilities are underdefended, American energy security has never been at greater risk.
This is not a hypothetical vulnerability. In 2018, then-National Intelligence Director Dan Coats asserted that nearly two decades after 9/11 the "warning lights are blinking red again," adding in a report to Congress that many nation-states are capable of causing "disruptive effects … for days to weeks" to our critical infrastructure. And Karen Evans, the Department of Energy's assistant secretary for cybersecurity, questioned our ability to withstand such attacks, writing that our energy infrastructure "has become a primary target for hostile cyber actors."
Iran has flexed cyber-capabilities before. In 2012, in response to U.S. sanctions, state-backed Iranian hackers launched a series of attacks that disrupted banks and the New York Stock Exchange. And in 2013, they broke into a dam's control system.
Federal policymakers are beginning to take commendable steps, including increasing annual cybersecurity spending, creating the Cybersecurity and Infrastructure Security Agency, and even organizing a "cyber moonshot" initiative for a safe and secure Internet. But we need to do more, and state governments have an important role. Here are three things the U.S. should be doing now to prevent and defend against debilitating attacks on our key infrastructure:
• Foster public-private partnerships to raise collective understanding of current threat vectors. Federal and state energy regulators need to work more closely with the leadership of America's best cybersecurity companies to make sure we're using state-of-the-art protection. Such knowledge-sharing programs can produce best-practice guidelines and recommendations that provide more comprehensive security without governmental overreach.
• Incentivize state-level policy. States provide most of the oversight for the nation's utilities. Nearly 90 percent of these critical systems — including power generation facilities, gas pipelines, telecommunications infrastructure and water treatment plants — are for the most part under state purview. And it's important to remember that contractors are considered cybersecurity's "unprotected underbelly": The worst known hack into the nation's power system targeted a small Oregon firm that works with electric utilities. The federal government can encourage state compliance and cooperation with cybersecurity recommendations through tax incentives and penalties. Publicizing relative security standings of departments would shame laggards and foster competition for the best security.
• Cultivate a new generation of cyberdefenses. Rather than cutting overall federal research and development spending, we need to better fund basic R&D and other initiatives that will enable the next generation of American researchers and entrepreneurs to stay at the cutting edge of cybersecurity. Encouraging private-sector defense companies to build cybersecurity technologies will produce tools that bolster baseline protections on critical infrastructure.
America's enemies who cannot beat us in conventional warfare instead will fight in cyberspace. In this new theater of war, they gain an asymmetrical edge due to the low cost of debilitating and destructive cyberattacks. We need to move quickly to dial down the partisanship in government and dial up public- and private-sector cooperation to make sure that America is as well protected in this century as we were in the last.
