Hours before President Trump announced a two-week ceasefire with Iran last Tuesday, the Cybersecurity and Infrastructure Security Agency released an advisory warning that Iranian-backed hackers were attacking critical infrastructure in the United States homeland, causing “operational disruption and financial loss” across several key sectors. These intrusions follow Iran-linked hacker group Handala’s attacks on American medical technology company Stryker, which knocked its services offline in March. Such breaches are a worrying sign that even if the ceasefire holds, the war is likely to have a long asymmetric tail for which the United States is ill-prepared.
Iran has a long history of targeting critical infrastructure in the United States. In 2013, Iranian hackers quietly infiltrated the command and control system of a water dam located 20 miles from New York City, seeking to sow disruption later, at a time of their choosing. In 2023, IRGC-affiliated actors conducted even more widespread intrusions—on water and wastewater facilities—that came to light in 2024. Since the United States-Israel military operations began in Iran on February 28, Iran has also successfully hit critical infrastructure in US-aligned Middle Eastern countries. On March 3, Iranian drones struck Amazon data centers in the United Arab Emirates and Bahrain, causing banking and other payment services to go offline for days.
In addition to Iran, much more cyber-capable adversaries, namely China and Russia, are also likely looking to take advantage of the current moment. When asked if Americans should be concerned about attacks on the United States homeland, President Trump replied on March 6 with a concerning, “I guess.”
These developments are especially worrying because critical infrastructure in the United States lacks real resilience: the ability to withstand, fight through, and recover quickly from adversary attacks. A host of weaknesses plague many of the systems that provide the plumbing of everyday life that Americans depend on. These vulnerabilities include thin cyber staffing, aging operational technology, uneven standards, fragmented incident response, a rotating leadership roster at the National Security Agency (NSA), and a disconnect between federal, state, and local authorities and capacities.
Ongoing attacks could sow real discord and cause serious disruption, cascading from one critical sector to another. This was seen in the wake of the Colonial Pipeline incident in 2021, when a ransomware cyberattack disrupted oil pipeline operations and caused downstream disarray in food deliveries, healthcare logistics, and airlines.
Since most of America’s infrastructure—such as phone lines, oil pipelines, and water utilities—is not owned and operated by the federal government, Washington cannot simply “order” critical infrastructure resilience into existence. And the gap between public responsibility and private ownership is exactly what adversaries exploit. Even before the recent United States-Israel war in Iran, adversaries were continually probing, pre-positioning, and aiming to disrupt the American homeland. Hackers such as China-backed Volt Typhoon have been able to quietly and consistently compromise US systems, confident that America’s response would be improvised, delayed, and inconsistent.
While fully preventing these types of attacks is near impossible, the United States can better mitigate the effects of these intrusions by adopting a resilience-based homeland defense strategy that allows America to take a punch and recover quickly. Resilience is deterrence-by-denial at home: If disruption yields only short, contained effects, attacks stop looking “worth it.”
What would this look like in practice? It would mean building pre-planned “response packages” that can be executed quickly across agencies and in partnership with American allies. These can include offensive cyber programs, financial penalties, law-enforcement operations, and diplomatic measures. The point is speed and predictability: Adversaries should know that crossing certain lines reliably triggers a fast, integrated response, raising the cost of their actions and diminishing the likelihood that those actions yield enduring success.
While many large private companies have information, access, and speed, the government has intelligence, authorities, and the power to impose costs. In a crisis, both need each other, yet trust and workflow are uneven, and information sharing is episodic. Indeed, the majority of adversary cyberattacks on critical infrastructure go unreported.
Congress has been trying to revive and extend a cyber information-sharing law precisely because the public-private link is brittle. That effort matters, but “sharing” should be the floor, not the strategy. What is needed is an operating model: Who shares what, how fast, under what protections, and with what pre-delegated actions when indicators move from warning to active incident.
America should move quickly to fix these vulnerabilities and harden its critical infrastructure against cyberattack. First, minimum operational expectations that are practical and fundable must be created—especially for small and rural utilities.
Second, two-way, time-bound intelligence exchanges should be established: The government must push actionable indicators fast, and companies must be able to share incident data without fearing that cooperation means facing legal exposure or reputational ruin.
Third, joint rehearsals must be run consistently: sector-specific playbooks that clarify who does what in the first 24, 72, and 168 hours of a disruptive incident. This should include the surging of government technical teams to work with private operator leads. Joint public-private messaging will also be important to prevent panic and deny adversaries the psychological impact they seek.
Finally, continuity and resilience by design are needed, including manual workarounds. “Cloud down” cannot equal “country down.” Think of recent incidents in which AWS outages caused significant flight delays, and recognize that Iran could attack on a much larger scale.
Iran’s recent hybrid attacks in the United States and Middle East should serve as a warning for how modern critical infrastructure actually fails: Cloud, telecom, power, logistics, and financial rails are tightly coupled, so localized shocks can cascade quickly across borders and sectors. That interdependence creates a homeland vulnerability that classic deterrence language does not fully capture.
The core policy question is therefore not whether officials can prevent every intrusion or strike. It is whether the United States can absorb disruption, keep essential functions running in degraded mode, and restore services fast enough that adversary attacks will yield diminishing returns.
The United States does not need to be invulnerable to be secure. It needs to be hard to paralyze, resistant to panic, and fast to recover. In an era where a drone strike or cyber intrusion can ripple into payment, fuel, shipping, and hospital systems, resilience is homeland defense. Policymakers must act before it’s too late.

