Earlier this year, in my home state of Texas, Russian cyberterrorists reportedly hacked into the city of Muleshoe’s water treatment facility computer systems, flooding the water tank that supplies drinking water for this small town of 5,000 people. This was one of three attacks levied on small water providers in rural Texas this year — at least one of which has been reportedly linked to Russian hackers — which narrowly avoided cataclysm thanks to these older systems possessing the ability to “pull the plug” and resume operations manually.
Even with a blunted imagination, the harm that could befall Americans if Russians, Iranians, and the Chinese further ratchet up the frequency of cyberattacks on our water systems is astounding.
The recent attacks on Texas and elsewhere underscore a national crisis that is silently transpiring. As I outlined in a new research paper, the history of public policy for critical infrastructure cybersecurity is punctuated by a reactionary, fragmented system of governance.
When the Russian cybercriminal group DarkSide successfully brought down the Colonial Pipeline and received $4.4 million in ransom payments to reward their efforts, then and only then did it drive the federal government to take substantive action to protect the digital security of our pipelines. And while there is still tremendous work needed to harden our grid, health care, and nuclear digital targets, these sectors have received more federal attention than water due to palpable harms that have ensued from successful cyberattacks here and abroad.
When it comes to water, draining the supply of a small town is just the start. We need not wait for cyberterrorists to poison the water supply of a large urban area before legislative action is taken.
The federal government is doing something to address this issue, but alas, its efforts are misguided and out of touch, which just makes matters worse. CISA, the Cybersecurity and Infrastructure Security Agency, is empowered to coordinate cybersecurity efforts for critical infrastructure security and resilience. In theory, it is responsible for providing resources and assistance to towns like Muleshoe, which lack the resources and technical capabilities to recover from highly sophisticated foreign cyberterrorists. Even more theoretical still, CISA is responsible for taking proactive actions to bolster the defenses of water systems like those in rural East Texas to prevent enemies from infiltrating digital systems.
However, as was made clear in a report from the House Committee on the Judiciary’s weaponization subcommittee, “The Weaponization of CISA: How a ‘Cybersecurity’ Agency Colluded with Big Tech and ‘Disinformation’ Partners to Censor Americans,” CISA views conservative speech online as a greater threat than China disabling our electric grid or Russia killing residents in proximity of a water treatment facility.
No one is debating whether it is the proper role of government to protect our digital infrastructure from foreign adversaries. In fact, you would be hard-pressed to find a more nonpartisan issue than basic cybersecurity for our most precious sectors of infrastructure. But given this administration’s myopic focus on squelching domestic political speech that doesn’t align with its agenda over combating enemies that are gathering new intel and capabilities daily that bring them one step closer to deactivating our country’s lifelines, states like Texas are stepping up.
This week, I was invited to testify before the Texas Legislature’s Committee on Water, Agriculture, and Rural Affairs on steps the state can take to enhance its critical water infrastructure cybersecurity. Disheartening as the status quo is, Texas is poised to take action to prevent attacks like that which befell Muleshoe. Some of the policy recommendations I outlined include prudent investments in career technical education to increase the number and quality of IT and OT professionals, making “voluntary” cybersecurity standards for water providers mandatory, more regular critical water infrastructure cybersecurity audits, and more.
Innovation has unleashed new efficiencies and conveniences in every sector of critical infrastructure. But the trade-off to digitalizing water treatment facilities, incorporating smart water meters, and automating what were once manual processes is the introduction of unfathomable complexity. Rogue nation-states are using this to their advantage, using small water facilities as practice to refine their attacks for the big one — the Colonial Pipeline equivalent for our water sector.
Every second of every day we’re at war with these cyberterrorists, and it’s time public policy reflected this.
