Earlier this year in Texas, Russian cyberterrorists reportedly breached the computer systems of Muleshoe’s water treatment facility, causing the water tank, which supplies drinking water to the town’s 5,000 residents, to flood. This incident was one of three attacks on small water providers in rural Texas this year, with at least one reportedly linked to Russian hackers. Fortunately, these older systems could switch to manual operations, averting disaster.
Even with limited imagination, the potential harm to Americans if cyberattacks from Russians, Iranians, and Chinese increase is staggering.
These recent attacks in Texas and elsewhere highlight an ongoing national crisis. As detailed in a new research paper, the history of policy for critical infrastructure cybersecurity is marked by a reactionary and fragmented governance system.
It took the Russian cybercriminal group DarkSide’s successful attack on the Colonial Pipeline and their $4.4 million ransom payment for the federal government to take substantial action to protect our pipelines’ digital security. While progress has been made in securing our grid, healthcare, and nuclear sectors, these areas have received more federal attention due to significant harms from successful cyberattacks both domestic and international.
Attacks on water systems, such as draining a small town’s supply, are just the beginning. Legislative action should not wait until a major urban area’s water supply is poisoned by cyberterrorists.
The federal government’s efforts in addressing this issue are misguided and out of touch, exacerbating the problem. CISA, the Cybersecurity and Infrastructure Security Agency, is tasked with coordinating cybersecurity for critical infrastructure. Ideally, it supports towns like Muleshoe, which lack the resources and technical capabilities to fend off sophisticated cyberattacks. Additionally, CISA should be taking proactive measures to bolster defenses of water systems in places like rural East Texas to prevent enemies from infiltrating digital systems.
However, a report from the House Committee on the Judiciary’s weaponization subcommittee titled “The Weaponization of CISA: How a ‘Cybersecurity’ Agency Colluded with Big Tech and ‘Disinformation’ Partners to Censor Americans” suggests that CISA prioritizes conservative speech censorship over threats like China targeting our electric grid or Russia endangering lives near water treatment facilities.
No one disputes the government’s role in protecting digital infrastructure from foreign adversaries. Cybersecurity for critical sectors is one of the least partisan issues. However, with the current administration’s focus on stifling domestic political opposition instead of countering external threats gathering intelligence and capabilities, states like Texas are taking the lead.
This week, I testified before the Texas Legislature’s Committee on Water, Agriculture, and Rural Affairs about enhancing state critical water infrastructure cybersecurity. Despite the disheartening status quo, Texas is ready to prevent future attacks like the one in Muleshoe. My policy recommendations included investing in career technical education to boost the number and quality of IT and OT professionals, making “voluntary” cybersecurity standards mandatory for water providers, conducting more regular critical water infrastructure cybersecurity audits, and more.
Innovation brings new efficiencies and conveniences to every sector of critical infrastructure. However, digitizing water treatment facilities, incorporating smart meters, and automating once-manual processes introduce unfathomable complexity. Rogue nation-states exploit this, using small water facilities to refine their attacks, preparing for a significant strike equivalent to the Colonial Pipeline incident in the water sector.
We are constantly at war with these cyberterrorists, and public policy must reflect this reality.