Published by The Lawfare Institute
in Cooperation With
The infrastructure was essential, ubiquitous and providing basic functionality for everything in daily life from water to heat and transportation. And in an instant it was gone, plunging tens of thousands of residents into a life-threatening crisis. This is, of course, the narrative of the recent debacle in Texas, where a winter storm overwhelmed the state’s electrical grid and brought the state to a near-total blackout. But it should also be interpreted as a preemptive warning of what Americans will face from the next generation of the internet and the new realm of cybersecurity risk it will dramatically amplify.
Both forms of infrastructure—a state-run electrical grid and the 5G and “internet of things” future to which we are rapidly hurtling—share three attributes. First, their construction reflects a lack of imagination about the danger that can quickly coalesce when seemingly remote threat scenarios become real. Second, compounding a lack of analytic imagination is an absence of preparedness. Third, for both the Texas electrical grid and the emerging internet, public policy protections are either meager or completely absent.
In planning for the resilience of its electrical grid, public officials in Texas discounted the potentially devastating disruption that could occur from unpredictable events—whether related to climate change or just a once-a-century anomaly. They also eschewed precautions other states take seriously by allowing for the interconnection of electrical grid supply chains across their borders, ostensibly because of their ideological rejection of federal regulatory oversight governing such arrangements.
As the United States builds out a new national 5G cyber-physical communications network through private service providers, Americans similarly discount the risks—myriad in their diversity and severity—that are orders of magnitude more significant than what Texas confronted recently. More physical things than people are already connected. The super empowered internet of tomorrow, known among some in the field as the “internet of everything,” will exceed by tens of billions of devices the number of connections between individuals simply communicating via social media or digital screens.
This confronts policymakers with an imminent threat: A cyber outage is no longer about losing digital communications but about losing basic societal functioning and even human life. The failure of imagination is to think of the SolarWinds attack on U.S. federal agencies and tech companies as a worst-case scenario. The failure of imagination is to think of cybersecurity through a content-centric lens rather than as possible attacks on the material world. The emergence of internet-connected cardiac devices, digitally dependent cars, and internet-connected agriculture systems portend the stakes of a cyberattack to health care, economic and social functioning, and food security.
The United States should be prepared for, and certainly not be caught by surprise by, such cyberattacks. Yet, the internet of everything is notoriously insecure. Internet-connected physical objects are not necessarily upgradeable. Nor do they come with adequate default security and encryption. The 5G infrastructure that helps connect digital objects has been at the center of debates over Chinese espionage. Industrial cyber-physical systems are based on technical standards that have not been collaboratively vetted for security and interoperability. One of the most infamous cyberattacks—the so-called Mirai botnet that took down major media sites and corporations—hijacked these insecure objects in homes to carry out the assault. The United States is not yet prepared.
Finally, in the race to conceive and deploy effective public policy responses, the U.S. government as a whole is hardly more anticipatory or synthesized in its response to potential calamity than the state of Texas. The focus of U.S. cyber policy remains on information policy issues such as disinformation, manipulation and violent speech rather than securing the digital world that now powers our material day-to-day lives. The Biden administration confronts an enormous challenge in crafting a comprehensive strategy to the cybersecurity risks foreshadowed by the ruinous experience in Texas and its management of vital infrastructure. While the digital world has leapt from two-dimensional to three-dimensional space, cyber policy has not at all jumped from 2D to 3D.
This failure of imagination, preparedness and policy protection must not be America’s cyber future; the stakes are far too high and the costs are far too great. The Texas disaster is a potent illustration of what has always been true: Our digital society and economy are extremely vulnerable and grow more porous and subject to penetration day by day. As digital sensors and cyber control systems become further embedded in physical infrastructure like energy systems, agriculture and transportation, there is no longer a separation between security of the “real” world and security of the online world. They are entangled and increasingly enmeshed—and policy has yet to catch up to either envisioning or mitigating the looming threats the U.S. confronts.
If the energy grid cannot weather a winter storm, how can it be expected to withstand a major cyberattack? What other vital forms of national infrastructure—ranging from water, bridges, highways and roads, and ultimately our day-to-day financial system—are comparably at risk? As Texas dramatizes, it is neither hyperbolic nor exaggerated to assert that our survival could now depend on securing the inevitable cyber-physical future that is accelerating with stunning rapidity.