America’s Next War Begins at Home
The Future of War, Energy, and Private Industry
Suddenly, the lights go out. So does the heat. It’s not a localized disruption – all of DC is down. So are New York, Denver, and parts of Hawaii and Texas. It lasts for hours, then days. It becomes clear this was intentional, a massive cyber-attack by China. Businesses can’t function. Wall Street halts trading. Mass looting breaks out. Societal panic sets in.
While the scenario may sound extreme, the threat is very real. Many across the defense and national security community and pockets of private industry use shorthand to refer to it: Volt Typhoon (VT). It is the name of a Chinese hacking group tasked with sabotaging U.S. critical infrastructure to keep America distracted and cowed during a Chinese military invasion of Taiwan. The scenario is changing how members of both the government and private sector think about war, energy, and their respective roles maintaining a safe, secure, and economically prosperous United States.
A catastrophic VT attack is still hypothetical, but its precursors are all too real. During Russia’s three-year war in Ukraine, we’ve witnessed repeated cyberattacks on civilian energy infrastructure, often coordinated with missile strikes to maximize impact on the Ukrainian populace. Here at home, the Colonial Pipeline cyber-attack of 2021 provided a tiny preview of what VT could look like. Spikes in gas prices. Fuel shortages up and down the east coast. Bubbling alarm.
As VT and similar destructive cyber operations have become increasingly central to our adversaries’ theories of military victory against the United States, the U.S. Department of Defense (DoD) – in concert with civilian agencies – must take on a larger role to protect energy infrastructure here in the homeland.
Modern Warfare Pushes DoD into New Territory
The emerging challenge for DoD is stated clearly in a little-known August 2024 Defense Science Board (DSB) report on the DoD’s dependencies on critical infrastructure. The report notes that military installations in the homeland – which would be used to project power out to the front in the event of a war with China – rely in many cases on civilian power. As a result, any interruption of that power supply, say via a cyber-attack on the privately owned utility or gas pipeline, would have direct impacts on the DoD’s ability to mobilize forces. In contemplating a VT scenario’s impact on the U.S. military, the report states, “Significant disruptions in force projection infrastructure most certainly will doom a ‘short war.’ But a ‘long war’ is equally fraught—persistent attacks on infrastructure could sap the nation’s will to fight.”
The DSB report makes several recommendations, including that the DoD stand up a permanent mission infrastructure resilience organization, which “is structured and resourced to support long-term partnerships across key sectors in the interagency and with civilian infrastructure owners.” The report envisions this new permanent DoD entity would play a major role in mitigating the risks to DoD of an adversarial attack on civilian energy infrastructure (as well as transportation, communications, water, and other critical infrastructure) through ongoing analysis, intelligence and threat assessment, and gaming and exercises.
For those who have been watching the critical infrastructure security and resilience space for years, the idea of a major DoD role is somewhat novel. The Department of Homeland Security (DHS), including the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have historically been the leaders in working with private industry to protect critical infrastructure from major cyber-attacks. These civilian agencies operate under established frameworks and authorities dating back more than a decade, and re-codified as recently as last year in the Biden administration’s National Security Memorandum-22. The DSB report emphasizes, however, that DoD can play a much more effective role than it has to date by organizing to better participate with civilian agencies and civilian infrastructure owners.
DoD’s attention in recent decades has been focused abroad: in fighting, supporting, or preparing for wars in Afghanistan, Iraq, Syria, Ukraine, Israel/Gaza, the Taiwan strait, and other swaths of the Middle East and Africa. DoD activity in the homeland quickly bumps up against legal, jurisdiction, and precedential questions. The Posse Comitatus Act, for example, prohibits the use of federal military forces for domestic law enforcement without explicit congressional authorization. As a result of this and related laws and norms, DoD has historically been quite careful to cede leadership on homeland security issues to the civilian agencies.
However, now that attacks on homeland critical infrastructure are central to near-peer adversaries’ war plans, it is only natural that DoD’s interest would gravitate in that direction. Beyond the DSB report, several indicators point to potential focus from the Trump administration in a larger role for DoD in homeland security. Secretary of Defense Hegseth noted a focus on homeland defense in his first message to the force, has reportedly prioritized funding to support U.S. Northern Command while de-emphasizing all other geographic combatant commands except Indo-Pacific Command, and is rapidly working to implement two major homeland defense missions ordered by the President: securing the southern border and building a homeland missile defense shield.
The administration’s focus on readiness for a potential conflict with China may also contribute to a growing DoD role on critical infrastructure vulnerabilities. Concepts like U.S. Army North’s Multi-Domain Resiliency Zone (MDRZ), which calls for “all-domain protection of assets an adversary may target when they want to disrupt our mission” are still nascent, but could be scaled up quickly to deepen DoD’s security collaboration with civilian energy infrastructure partners here in the homeland. At the same time, CISA is facing significant staff reductions and the dissolution of long-established mechanisms for public-private information sharing, which could limit its ability to set the agenda on private sector engagement and cede ground to influence from DoD.
Private Sector Enters the Fight
With all that said, DoD’s ability to mitigate a VT scenario – just like that of DHS, CISA, and FBI – will run headlong into a decades-old fundamental constraint: the willingness and capability of individual utilities, oil, gas, renewables, and other energy companies to protect their infrastructure from national security threats on their own dime. There are certain regulatory security requirements for the energy sector, including the North American Reliability Corporation-Critical Infrastructure Protection (NERC-CIP) standards for the utilities industry and the more recent Transportation Security Administration (TSA) cybersecurity requirements for pipelines. However, strategic collaboration between the government and private sector on critical infrastructure protection and national security issues has always been voluntary and, ultimately, has yielded an environment still highly vulnerable to VT and similar threats and risks.
Fortunately, some infrastructure owners and operators in the energy sector are leaning forward and choosing to work proactively with the U.S. government, including with the DoD, beyond what is required by regulation. Dominion Energy, a Fortune 500 energy company which is responsible for power across several states has welcomed a full-time Marine Corps detailee into their security operations center. The Marine Corps pays the officer’s salary through a military fellowship program. The detailee learns the latest private sector methods of securing corporate networks and Dominion receives a highly qualified expert who can ensure tight coordination between Dominion’s defensive cyber operations and those of the DoD. Adam Lee, vice president and chief security officer at Dominion, notes, “It would be difficult to have a closer relationship with DoD on these issues than we have at Dominion.” However, Dominion is still the exception rather than the norm. Investment across the industry is uneven and there is a lack of standardization among companies on how to work with federal agencies.
Beyond infrastructure owners and operators, other parts of the energy sector are increasingly engaged in defense and national security issues like VT. Startups and growing companies that specialize in microgrids, small modular reactor nuclear technology, geothermal energy, and other energy resilience solutions have found a willing partner and funder in the DoD. Recently, DoD announced the selection of 11 companies as potential partners for rapid deployment of geothermal energy technologies at military bases, which could hypothetically make these installations less dependent on the civilian grid and more resilient in a VT scenario. Rob Klenner, President of GreenFire Energy, one of the companies selected, said in an interview that “GreenFire is prioritizing its work with the DoD and is eager to be the first company to provide geothermal power on a base here in the homeland, ensuring resilient power to the military in any scenario.”
Speeding Up, Scaling Up
Ongoing efforts in both the government and private sector, therefore, are promising. A growing DoD role – if managed carefully in coordination with civilian agencies – could also be a force multiplier that injects resources and attention into a perennially thorny challenge. The question is whether planning efforts are moving at sufficient speed and scale to prevent or mitigate the worst of a VT scenario and ensure the United States maintains an advantage in any future war. To increase our readiness, key actions must be taken both by the government and the private sector.
The Trump administration should move rapidly to implement the recommendations in last year’s DSB report, aligning these efforts with its recent EO on streamlining existing federal policy on resilience and critical infrastructure security. This would contribute to the administration’s priorities to defend the homeland and deter Chinese aggression. It would also provide DoD with the framework and resources to attack the critical infrastructure vulnerability problem set in a way we’ve never seen from the U.S. military. When facing the threat we see from VT, that mission for the military is appropriate as long as it is conducted in partnership with civilian agencies and in accordance with law and the Constitution.
To incentivize private sector collaboration with DoD, DHS, and FBI, the administration should also develop a proposal for Congress to financially incentivize critical infrastructure companies to implement stronger security and engage more proactively with the federal government. A purely voluntary approach to these challenges has yielded limited results. Regulations have a place but often have the unintended consequence of forcing private sector companies into compliance-based rather than risk-based cultures and sapping them of the creativity we need to see on such challenging issues. Financial incentives, such as a tax credit for developing a corporate strategy to contribute to national security, would have a better chance of achieving the desired results.
Energy infrastructure owners, operators, and technology developers shouldn’t wait for further signals from the government to lean forward. Proactive companies are already reaping the benefits: reduced risk to their assets, improved reputation, and in the case of some, free labor or new contracts with the DoD and other federal agencies. As the government’s attention on critical infrastructure security continues to grow in coming years, the companies already engaged are likely to see significant cost savings and efficiencies, whether in the form of quicker compliance, fewer additional investments, or even government funding or incentives.
The path for energy companies who want to jump into this space is straightforward: invest, build, and engage. Invest in analytical capabilities to understand and monitor the national security, defense, and critical infrastructure protection issues likely to impact your business. Build a whole-of-business strategy that outlines corporate efforts to support U.S. national security objectives, including by protecting assets from VT-style attacks and being responsive to U.S. policy priorities. And engage proactively with the DoD, national security agencies, state and local governments, industry peers, the public, and the media on these critical issues.
Conclusion
The nature of warfare is changing. With it, we are seeing major shifts in U.S. defense priorities and the expectations of private sector critical infrastructure companies, especially in the energy sector. Luckily, many capable and driven individuals across the government and private sector are already working assiduously on preventing VT-style catastrophic scenarios. But more must be done. The fight is just getting started.
Mark Freedman is Principal and CEO of Rebel Global Security. He previously served at the U.S. Department of State, including as Chief of Staff for the Bureau of Counterterrorism and as a strategic planner in the Bureau of Political-Military Affairs. The views expressed in this article are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
This article was originally published by RealClearDefense and made available via RealClearWire.
