A recent story from Florida should direct policymakers’ attention to a glaring strategic problem in American defense. In the city of Oldsmar, a small community in the Tampa metro area, an unknown hacker gained access to the chemical controls of the municipal water treatment system. Fortunately, an operator at the facility observed the breach in real time, watching as the intruder set the level of sodium hydroxide, commonly known as lye, to 100 times its normal level. The operator was able to immediately undo the change, so no one was harmed.
But what if that instant detection hadn’t happened? As of this writing, nothing is known about the source of the attack. And it wasn’t “just 'Oh, we're putting a little bit of chlorine or a little bit of fluoride, or a little bit of something,'” said Pinellas County Sheriff Bob Gualtieri.
“We're basically talking about lye that you are taking from 100 parts per million to 11,100."
Florida Sen. Marco Rubio says he’s calling in the FBI for assistance in investigating the incident, which he believes “should be treated as a matter of national security.” Rubio is not wrong, but the federal government’s cybersecurity efforts are a strategic wreck. Protecting basic utilities from this sort of remote attack should be central to U.S. cybersecurity plans. Instead, our government spends nearly all its cybersecurity resources on offense. Rather than keeping key American infrastructure safe, Washington is off playing the digital highwayman.
The extent of this imbalance can be communicated with a single statistic. As Reuters reports: “Across the U.S. federal government, fully 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure.” Nine dollars of every 10 spent on cybersecurity are put toward attacking other nations’ digital territory, instead of defending our own.
That is not because our online space is already amply defended. On the contrary, Pentagon investigations between 2012 and 2017 “routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development,” the Government Accountability Office reports. These internal hackers, known as white-hat hackers, take over the weapons systems using relatively simple tools and techniques, according to the GAO, and were able to do so without detection.
If our weapons systems are so inadequately guarded, how risky and numerous are our other vulnerabilities? Digital attacks don’t require the resources of more familiar tactics of war. This is their exact appeal to poor, weak, fearful actors like North Korea, which a United Nations report revealed last week is using virtual theft to fund its conventional and nuclear weapons development.
Nor is Washington’s focus on digital offense justified because other nations do not pose a threat. Beyond North Korea, rival great powers such as Russia and China have repeatedly showed their interest in infiltrating U.S. government targets. December’s news of a large-scale hack of federal departments including Treasury, Commerce, and Homeland Security — which national security agencies think Moscow backed — is but the latest and most prominent example.
The reforms cyber policy needs
We don’t know yet whether the hacker in Oldsmar, Florida, was a foreign adversary. The perpetrator may have been an American. Regardless, this system should not have been accessible. Had the increased lye levels gone undetected, thousands could have been poisoned. (Lye is caustic base, a main ingredient in drain cleaners.) This situation should be one more impetus to reform U.S. cybersecurity policy so it actually keeps Americans safe.
That project has two primary tasks. First, we should curtail U.S. cyberattacks, which are conducted far too easily and recklessly, without adequate constitutional restraints. The Trump administration inappropriately loosened guidelines for American digital strikes, allowing spy agencies to attack foreign nations with little oversight and insufficient guard against harm to civilians. This displays an outdated view of cyberattacks that fails to comprehend their potential to fuel open conflict, including between nuclear powers.
Second, the balance of federal cybersecurity resources should be inverted, with nine dollars in 10 apportioned to defense. That means hardening digital targets, as the Cato Institute’s Brandon Valeriano and Benjamin Jensen detail in a 2019 analysis on restraint in cyberwarfare. We need to reduce vulnerabilities and make hacking U.S. targets too difficult and resource-intensive to be worthwhile for our adversaries. For crucial utilities infrastructure like the Oldsmar water treatment facility, we should also weigh whether the advantages of internet connectivity are worth the growing risks. Air-gapped systems, though not impregnable, can be useful in guaranteeing the safety of life-sustaining utilities like water and power distribution, as well as other obvious targets like nuclear plants or dams.
What happened in Oldsmar, like too many federal hacks before it, should be a wake-up call. Cyberwarfare is an increasingly serious theater of national security, and our government must spend less time meddling in other people’s internet and more time protecting our own.
Bonnie Kristian is a fellow at Defense Priorities, contributing editor at The Week, and columnist at Christianity Today. Her writing has also appeared at CNN, NBC, USA Today, the Los Angeles Times, and Defense One, among other outlets. The views expressed are the author's own.