The Navy can’t protect us from these attacks on the water.
Chinese military strategists have long emphasized that the most effective way to weaken an adversary is to disrupt its critical infrastructure without firing a shot. The discovery that Volt Typhoon, a Chinese military cyber group, has successfully attacked and compromised access to American water utilities suggests that this theory is now an operational reality.
According to CISA and FBI briefings to Congress, Volt Typhoon has maintained persistent access to water utilities across many U.S. states for years. In a sad irony, American analysts have suggested the foreign attackers are using “living off the land” techniques to hide within our water systems while retaining the capability to cause physical damage at any time of their choosing (1). They have established long-term persistence by using valid credentials, exploiting legitimate tools, and avoiding malware that would trigger alarms.
Our national defense strategy has traditionally meant protecting ships, planes, and bases. However, the next National Defense Authorization Act will need to recognize that defending our digital infrastructure is now part of that same mission. This represents a new evolution in cyber warfare: foreign states not just attacking systems, but inhabiting them, and waiting for the optimal timing to exploit the strategic advantage they have created.
Iranian actors also currently maintain administrative access to water systems serving millions of Americans, exploiting programmable logic controllers (PLCs) that manage chemical treatment processes (2). Russian operatives have tested their ability to manipulate chemical controls in multiple states (2)(3).
This isn’t preparation for war. If “war,” in essence, is when one nation-state attacks another, notwithstanding traditional definitions, we are at war. Our national defense strategy needs to appreciate this reality. This would include adapting our governance process to create a fully integrated “whole of nation” defense that incorporates our traditional defense methods and tools with privately or locally owned structures that require better protection. These systems are not capable of defending themselves, relying on outdated structural and economic models.
The owners and operators of these systems are doing what they can to ensure the safety of their users. For example, they have intensified their coordination of utilities through multi-state cybersecurity exercises, emergency interagency briefings, and the rapid deployment of monitoring and intrusion-detection systems (2)(4). Yet no individual utility—or even a coalition of regional operators—can withstand a nation-state adversary acting with strategic intent and virtually unlimited budgets. As federal investigators warned, foreign cyber actors targeting U.S. water systems are willing to exploit “any vulnerability, at any time, and at any scale” to gain footholds inside operational technology environments (1).
Glass Half Empty: Cyber defenses of our water systems
Although our water infrastructure doesn’t have the same profile as our financial system or our telecommunication system, the impacts of a strategic attack are potentially catastrophic. A coordinated cyberattack causing a multi-day water disruption would trigger financial losses, estimated in the hundreds of billions, potentially reaching near-trillion-dollar impact depending on region and duration.
In addition to the economic damage, the strategic value for adversaries comes not just from the immediate disruption—it’s demonstrating America’s cyber vulnerability. When Iranian hackers compromised the Municipal Water Authority of Aliquippa, Pennsylvania, and publicly claimed credit on social media, they signaled to adversaries that America’s critical infrastructure can be penetrated (2)(3).
This vulnerability stems partly from our fragmented approach to cybersecurity. Water utilities navigate a maze of conflicting cyber requirements from the EPA, state regulators, and multiple federal agencies—each demanding different standards, reporting requirements, and compliance frameworks. The Government Accountability Office (GAO) concludes that EPA lacks a coherent strategy to address these cybersecurity risks, leaving utilities without clear direction (4). A small utility often spends more money on cyber compliance paperwork than on actual cyber defense. Meanwhile, adversaries need only find a single vulnerability to compromise the entire system.
The workforce compounds the cyber crisis. A large proportion of water operators are approaching retirement, and many have minimal cybersecurity training—a point repeatedly highlighted by sector workforce reports and congressional briefings. These operators manage systems initially designed in the pre-Internet era, which are now facing AI-driven cyberattacks from nation-state adversaries. This is an asymmetric battle made worse by regulatory confusion that diverts resources from defense to paperwork (4).
Most disturbing is how cyberattacks on water reveal our detection blindness. Many utilities rely on weekly water-quality sampling instead of continuous online monitoring. The EPA’s own technical guidance warns that online monitoring systems are critical for early detection of contamination events (5). Cyber-manipulation of chemical dosing could poison thousands of Americans before any anomaly is detected. The same vulnerabilities that enable remote access to operational technology allow adversaries to delete logs, alter readings, and conceal their actions, potentially leading to catastrophic failure. We are not just vulnerable—we are blind to ongoing compromises.
The February 2021 Oldsmar, Florida, incident offers a preview of this threat. A remote attacker accessed the city’s water treatment system and attempted to raise sodium hydroxide to dangerous levels—enough to cause harm to 15,000 residents (6). Only manual intervention by a plant operator prevented a mass casualty incident. This attack demonstrated how cyber vulnerabilities can transform essential infrastructure into a weapon.
The water sector’s cyber crisis illuminates three critical truths about national security in 2025:
First, the battlefield has undergone a fundamental shift.
Adversaries achieve strategic effects through cyber operations that would be impossible through conventional means. Iran cannot challenge our Navy directly, but through cyber, they can control or disrupt the water systems that Navy personnel and bases depend on (2).
Second, our regulatory approach actively weakens cyber defense.
Overlapping, duplicative requirements drain resources from security to compliance. The GAO’s findings show that the EPA lacks a unified strategy, leaving utilities scrambling (4). The water sector exemplifies how a fractured regulatory model creates an illusion of security—perfect paperwork, while adversaries walk through our networks.
Third, we lack basic economic visibility into the cost of cyber warfare.
We do not systematically measure the impact of cyber on GDP, cannot quantify sector-specific exposure, and fail to account for the real economic cost of inadequate cybersecurity. The water sector’s vulnerabilities likely contribute to billions of dollars of unmeasured risk exposure.
The water sector demonstrates that cybersecurity is not merely a technical issue or a compliance burden—it is the battlefield where modern warfare is waged. Every industry faces similar vulnerabilities, similar adversaries, and similar regulatory dysfunction. Water is one of the most visceral examples of what’s at stake.
For defense leaders and policymakers, the water sector’s cyber vulnerabilities present a clear lesson: national defense cannot be separated from cybersecurity. The same adversaries developing hypersonic missiles are inside our water systems (1)(2). The same military competitors building naval fleets are mapping our critical infrastructure. The same nations we deter with conventional forces are achieving strategic advantage through cyberspace.
The question is no longer whether cyber threats constitute national security threats—the water sector proves they are. The real question is whether our national security apparatus will evolve to defend the domain where conflict actually occurs or continue preparing for conventional warfare while adversaries win the cyber war by default.
Water is only the beginning. Every critical sector tells this same story. The cyber war is not coming—it is here, and we are losing.
Every projection of American military power—every carrier group, fighter wing, and Army base—depends on a resource most people never think about: water. From Fort Bragg to Naval Station Norfolk, the foundations of U.S. defense rely on civilian water systems that were never built to withstand cyber warfare.
Endnotes
1. CISA, NSA, FBI, and partner agencies. PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Advisory AA24-038A. Feb 7, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
2. CISA. IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities. Advisory AA23-335A. Dec 1, 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
3. Associated Press. “Rural Texas towns report cyberattacks that caused one water system to overflow.” April 19, 2024.
4. U.S. Government Accountability Office (GAO). Critical Infrastructure Protection: EPA Urgently Needs a Strategy to Address Cybersecurity Risks to Water and Wastewater Systems. GAO-24-106744. Aug 1, 2024. https://www.gao.gov/products/gao-24-106744
5. U.S. Environmental Protection Agency (EPA). Online Water Quality Monitoring in Distribution Systems. EPA 817-B-18-001. April 2018. https://www.epa.gov/waterqualitysurveillance/online-water-quality-monitoring-resources
6. CISA. Compromise of the U.S. Water Treatment Facility. Advisory AA21-042A. Feb 11, 2021. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-042a