Water Hacks Aff - Gonzaga 2021

Water Hacks Affirmative – Scholars GDI21
Contents
Water Hacks Affirmative – Scholars GDI21..................................................................................................1
On-Case.......................................................................................................................................................2
1AC..........................................................................................................................................................3
Contention 1 – Risk Assessment..........................................................................................................4
Contention 2 – Scenarios.....................................................................................................................9
Plan....................................................................................................................................................10
Contention 3 – Solvency....................................................................................................................11
Background............................................................................................................................................16
Water Sector Actors..........................................................................................................................17
EPA Has Regulatory Authority...........................................................................................................18
Inherency...............................................................................................................................................20
Fed Role Limited Now........................................................................................................................21
EPA Not Acting...................................................................................................................................22
Risk High................................................................................................................................................24
Water Infrastructure Vulnerable.......................................................................................................25
Framing..............................................................................................................................................33
Cyber Threats High Risk.....................................................................................................................34
Russian Cyber Attacks High Risk........................................................................................................36
Water Terrorism High Risk.................................................................................................................38
AT – Water Not Key/Alt Causes.........................................................................................................39
AT – Hype..........................................................................................................................................41
AT – Fear Turn...................................................................................................................................45
Generic Infrastructure Vulnerable.....................................................................................................46
Water Attacks Scenario.........................................................................................................................49
Scenario – Water Attacks...............................................................................................................50
Attacks Impact – Poisoning................................................................................................................53
Attacks Impact – System Integrity.....................................................................................................55
Attacks Impact – Flooding, Shortages................................................................................................56
Attacks Impact – Disease...................................................................................................................57
Attacks Impact – Everyday Life..........................................................................................................59
Water Scarcity Brink..........................................................................................................................61
Water Scarcity Impacts – Disease, Food, Energy, Econ......................................................................63
Waterborne Diseases Impact – Antibiotic Resistance........................................................................65
Superbugs Impact – Extinction..........................................................................................................67
Economy Scenario.................................................................................................................................69
Scenario – Economy......................................................................................................................70
Internal Link – Control Systems.........................................................................................................75
Economic Impact – Ripple Effect.......................................................................................................76
Economic Impact – Company Collapse..............................................................................................77
Smart Cities Scenario.............................................................................................................................78
Scenario – Smart Cities...................................................................................................................79
Water Key to Smart Cities..................................................................................................................84
Smart Cities - Climate Change............................................................................................................87
Impact---Climate Change...................................................................................................................96
Smart Cities Impact – Social Problems...............................................................................................98
Smart Cities Impact – Crime............................................................................................................100
AT: No Smart Cities..........................................................................................................................102
Infrastructure Scenario........................................................................................................................105
Scenario – Infrastructure.............................................................................................................106
Internal Link---Health & Econ..........................................................................................................108
Infrastructure Impact – Irrigation, Flooding, Drinking Water..........................................................111
Black Sky Add-on.............................................................................................................................112
Terrorism & Cyber War Scenarios.......................................................................................................114
Scenario – Terrorism....................................................................................................................115
Scenario – Cyber War with Russia................................................................................................120
Scenario – Cyber War...................................................................................................................124
Internal Link – Panic.........................................................................................................................127
Internal Link – Vulnerability – Bio, Chemical, Cyber Attacks............................................................130
Internal Link – Espionage.................................................................................................................131
Internal Link – Ransomware............................................................................................................134
Cyber Impact Magnifiers/Laundry Lists...........................................................................................136
Cyber War Brink – Retaliation Brink................................................................................................138
Cyber War Impact – Nuclear Retaliation..........................................................................................139
Cyber War Impact – Miscalculation.................................................................................................141
Cyber War Impact – Russia..............................................................................................................143
Cyber War Impact – China...............................................................................................................146
Terrorism Impact – Securitization....................................................................................................149
Terrorism Impact – Authoritarianism Impacts.................................................................................154
AT — Risk Overblown......................................................................................................................157
Solvency...............................................................................................................................................158
Regulation and Resources...............................................................................................................159
Requirements Key............................................................................................................................160
Regulatory Frameworks...................................................................................................................162
Fed Key............................................................................................................................................164
Multiple Barrier Approach...............................................................................................................165
Risk Assessment Solvency................................................................................................................166
Cybersecurity Countermeasures......................................................................................................168
Secure Network...............................................................................................................................170
Culture Solvency..............................................................................................................................176
AT – Regulations Now......................................................................................................................179
Federal Incentives Solvency.............................................................................................................181
Resources Key..................................................................................................................................183
Revolving Funds Solvency................................................................................................................185
AT – No Enforcement.......................................................................................................................186
Off-Case Answers....................................................................................................................................187
Federalism Answers.............................................................................................................................188
Link Answer – Cyber Is Federal Authority........................................................................................189
Link Answer – EPA authority............................................................................................................190
AT – State/Local Reject Federal Action Link.....................................................................................191
Politics Answers...................................................................................................................................192
Link Uniqueness Answer – Federal Action Now...............................................................................193
Bipartisan Support...........................................................................................................................195
Counterplan Answers..........................................................................................................................197
States CP – Solvency Answers..........................................................................................................198
States CP – Permutation Solvency...................................................................................................200
Voluntary CP – Solvency Answers....................................................................................................202
On-Case
1AC
Contention 1 – Risk Assessment
The risk of cyber-attacks on water systems high – it’s not a question of if, it’s a
question of when
Sobczak, Energywire Deputy Editor, 19
[Blake, 3-28-19, Environment & Energy News, “Hackers force water utilities to sink or swim,”
https://www.eenews.net/stories/1060131769, accessed: 6-27-21, AHP]
Last month, hackers tied computers into knots at a small Colorado water utility.
It wasn't the first time the Fort Collins-Loveland Water District and its wastewater counterpart had been
hit by "ransomware," a type of malware that encrypts victims' computer files and demands online
payment to unlock them.
While operations weren't harmed, the infection prompted the water district to switch out its
information technology service provider and call in the FBI. The case, first reported by the Coloradoan,
remains under active investigation. FCLWD and the South Fort Collins Sanitation District treat and
distribute water to 45,000 customers in northern Colorado.
Colorado water officials aren't alone in their cybersecurity woes. The nation's nearly 70,000 water and
wastewater utilities are struggling to keep their heads above a rising tide of online threats, based on
interviews with security experts and water company operators.
As one IT manager at a midsize water utility put it, "It's not a question of if, it's a question of when"
hackers disrupt vital U.S. water systems. "Most small and midsize utilities are overstressed," said the
manager, who requested anonymity.
Some larger utilities are well-positioned to thwart an attack by hackers backed by a foreign government,
said Michael Arceneaux, managing director for the Water Information Sharing and Analysis Center, the
industry's clearinghouse for getting the word out about the latest hacking threats and vulnerabilities.
But in a sector that encompasses tens of thousands of local water systems, securing America's vast and
disparate drinking water supply remains a significant challenge.
"Drinking water utilities run the gamut in terms of cybersecurity preparedness," Arceneaux said. "What
we try to do to compensate for that is make sure people are aware of the threats, so they have some
motivation to invest the resources that should be invested."
He said the ISAC and its membership recently reached the level of maturity needed to start partnering
with other sharing and analysis centers, including the multistate government ISAC and the electric
power sector's E-ISAC.
Water utilities and power distributors share similar industrial control systems, rely on many of the same
equipment providers and can encounter similar cyberthreats.
While the water system is inherently not as interconnected as the U.S. electricity system, "it's very
plausible that the water sector is less prepared than the power sector for dealing with cybersecurity
threats," Arceneaux said. "We are so fractured, so the water sector as a whole is at a little bit of a
disadvantage."
What keeps you up at night?
The decentralized nature of the U.S. water industry has left policymakers with a dilemma. Cybersecurity
for water treatment and supply networks is only loosely monitored at the federal level and is often
ignored by state utility commissions that may have limited cybersecurity expertise and tend to focus on
water quality.
"Water cybersecurity is not on everyone's — or certainly not every commissioner's — radar screen,
although I've tried to make it that way," said Mary-Anna Holden, a commissioner on the New Jersey
Board of Public Utilities.
In many emergency planning exercises, it isn't the lack of electricity that triggers chaos and widespread
casualties. It's the lack of clean water that forces people from their homes.
"Nobody thinks about wastewater systems until they break," said Holden, who chairs the Committee on
Water at the National Association of Regulatory Utility Commissioners.
Water infrastructure protections are inadequate – the majority of water systems are
vulnerable. Expanded federal protections are necessary to ensure the support and
resources to prevent cyber attacks.
Krebs, investigative reporter and former Washington Post Security Fix reporter, 21
[Brian, 06-21-2021, Krebs on Security, “How Cyber Safe is Your Drinking Water Supply?,”
https://krebsonsecurity.com/2021/06/how-cyber-safe-is-your-drinking-water-supply/, accessed 06-30-
2021, HSP]
Amid multiple recent reports of hackers breaking into and tampering with drinking water treatment
systems comes a new industry survey with some sobering findings: A majority of the 52,000 separate
drinking water systems in the United States still haven’t inventoried some or any of their information
technology systems — a basic first step in protecting networks from cyberattacks.
The Water Sector Coordinating Council surveyed roughly 600 employees of water and wastewater
treatment facilities nationwide, and found 37.9 percent of utilities have identified all IT-networked
assets, with an additional 21.7 percent working toward that goal.
The Council found when it comes to IT systems tied to “operational technology” (OT) — systems
responsible for monitoring and controlling the industrial operation of these utilities and their safety
features — just 30.5 percent had identified all OT-networked assets, with an additional 22.5 percent
working to do so.
“Identifying IT and OT assets is a critical first step in improving cybersecurity,” the report concluded. “An
organization cannot protect what it cannot see.”
It’s also hard to see threats you’re not looking for: 67.9 percent of water systems reported no IT security
incidents in the last 12 months, a somewhat unlikely scenario.
Michael Arceneaux, managing director of the WaterISAC — an industry group that tries to facilitate
information sharing and the adoption of best practices among utilities in the water sector — said the
survey shows much room for improvement and a need for support and resources.
“Threats are increasing, and the sector, EPA, CISA and USDA need to collaborate to help utilities prevent
and recover from compromises,” Arceneaux said on Twitter.
While documenting each device that needs protection is a necessary first step, a number of recent
cyberattacks on water treatment systems have been blamed on a failure to properly secure water
treatment employee accounts that can be used for remote access.
In April, federal prosecutors unsealed an indictment against a 22-year-old from Kansas who’s accused of
hacking into a public water system in 2019. The defendant in that case is a former employee of the
water district he allegedly hacked.
In February, we learned that someone hacked into the water treatment plan in Oldsmar, Fla. and briefly
increased the amount of sodium hydroxide (a.k.a. lye used to control acidity in the water) to 100 times
the normal level. That incident stemmed from stolen or leaked employee credentials for TeamViewer, a
popular program that lets users remotely control their computers.
In January, a hacker tried to poison a water treatment plant that served parts of the San Francisco Bay
Area, reports Kevin Collier for NBCNews. The hacker in that case also had the username and password
for a former employee’s TeamViewer account.
Andrew Hildick-Smith is a consultant who served more than 15 years managing remote access systems
for the Massachusetts Water Resources Authority. He said the percentage of companies that reported
already having inventoried all of their IT systems is roughly equal to the number of larger water utilities
(greater than 50,000 population) that recently had to certify to the Environmental Protection Agency
(EPA) that they are compliant with the Water Infrastructure Act of 2018.
The water act gives utilities serving between 3,300 and 50,000 residents until the end of this month to
complete a cybersecurity risk and resiliency assessment.
But Hildick-Smith said the vast majority of the nation’s water utilities — tens of thousands of them —
serve fewer than 3,300 residents, and those utilities currently do not have to report to the EPA about
their cybersecurity practices (or the lack thereof).
“A large number of utilities — probably close to 40,000 of them — are small enough that they haven’t
been asked to do anything,” he said. “But some of those utilities are kind of doing cybersecurity based
on self motivation rather than any requirement.”
According to the water sector report, a great many of the nation’s water utilities are subject to
economic disadvantages typical of rural and urban communities.
“Others do not have access to a cybersecurity workforce,” the report explains. “Operating in the
background is that these utilities are struggling to maintain and replace infrastructure, maintain
revenues while addressing issues of affordability, and comply with safe and clean water regulations.”
The report makes the case for federal funding of state and local systems to provide cybersecurity
training, tools and services for those in charge of maintaining IT systems, noting that 38 percent of water
systems allocate less than 1 percent of their annual budgets to cybersecurity.
As the recent hacking incidents above can attest, enabling some form of multi-factor authentication for
remote access can blunt many of these attacks.
However, the sharing of remote access credentials among water sector employees may be a
contributing factor in these recent incidents, since organizations that let multiple employees use the
same account also are less likely to have any form of multi-factor enabled.
Federal policy stops short of requiring water utilities report crucial assessment data –
complicating efforts to assess just how vulnerable the nation’s water systems are
Risk and resilience
Federal lawmakers have started to take note.
Last fall, Congress passed the America's Water Infrastructure Act of 2018, sponsored by Sen. Amy
Klobuchar (D-Minn.) and signed into law by President Trump on Oct. 23.
Any water utility serving 3,300 or more people is now expected to carry out a "risk and resilience"
assessment of its networks, including a review of cyber defenses. The nation's biggest water providers
have until next March to comply, while smaller companies can wait to act until June 2021.
EPA is now the go-to agency for water cybersecurity. It's tasked with issuing guidance to utilities on
implementation of the new law and following up on compliance. "EPA is very aware that cyberattacks
are a significant threat to critical infrastructure sectors, including water and wastewater systems," an
EPA spokesperson said in an email. "EPA works through a voluntary partnership approach to help water
utilities enhance the cybersecurity of their water systems."
The voluntary approach signed off by Congress means utilities are not required to hand over data to the
federal government that could help it assess how vulnerable the nation's water systems are. That
contrasts to electric utilities, which are required to report major cybersecurity incidents and gaps
through both the Department of Energy and Federal Energy Regulatory Commission.
Robert Powelson, a former FERC commissioner who's now CEO of the National Association of Water
Companies, said the federal push to ramp up cybersecurity guidance and regulation includes water.
"Looking at the posture with DHS and the Department of Energy's new cyber office, everyone's like,
'We've got to bring water into this conversation.' I think it's healthy; I think it's a great opportunity."
Industry groups like the National Rural Water Association and American Water Works Association have
released some of their own assessment tools and cybersecurity resources, warning members to ignore
cybersecurity at their peril.
'Perfect target'
News of a few water-sector cyber intrusions has trickled out publicly, including an attack on a North
Carolina water utility in the aftermath of Hurricane Florence last year.
Jeffrey Hudson, CEO of the Onslow Water and Sewer Authority in southeastern North Carolina,
announced on Oct. 15, 2018, that "a sophisticated ransomware attack" had effectively wiped out many
of the small utility's computers. He emphasized that the safety of the water supply and the environment
was never jeopardized.
"ONWASA will undertake the painstaking process of rebuilding its databases and computer systems
from the ground up," Hudson said, rather than pay off the digital hostage-takers.
Cybersecurity experts project that targeted ransomware attacks are set to rise. In a recent threat
outlook, analysts at Booz Allen Hamilton predicted "a plausible uptick in state-sponsored attacks and
intrusions at water utilities," citing a March 2018 alert from DHS that claimed Russian hackers had
already targeted U.S. water networks.
Booz Allen described the water sector as a "perfect target" for hackers.
So far, the U.S. water utilities hit hardest by hackers have been "collateral damage," explained Booz
Allen chief technologist Kyle Miller, falling prey to common threats like ransomware.
"Most water utilities have less robust, less mature network security than a lot of the other
[infrastructure] verticals," Miller said. "A lot of that comes down to size and funding. It's hard to
compare a county water system to a Fortune 100 oil and gas company."
Miller said he's most concerned about targeted threats, as water companies follow global trends in
industrial automation and digital connectivity.
Even if supply interruptions or chemical releases don't become a full-blown crisis, a hack that causes
people to lose faith in the quality of their water is "certainly within the realm of possibility" for nation-
state hackers, he said.
The stakes are high. "Nearly every facet of life relies on clean and reliable water to function," he said.
Contention 2 – Scenarios
Plan
Draft 1:
The United States federal government should substantially increase its protection of water resources in
the United States by providing necessary resources to require water infrastructure systems to assess
and report cyber threats and vulnerabilities, and to adopt proper cyber security measures and
responses.
Draft 2:
The United States federal government should substantially increase its protection of water resources in
the United States by providing necessary resources to require water infrastructure systems to:
 assess and report cyber threats and vulnerabilities

 adopt proper cyber security measures and responses.
Contention 3 – Solvency
Current policy is insufficient – strong federal regulatory and resource role is key
Holland & Magill, Bloomberg Law, 21
[Jake & Bobby, 02-10-2021, Bloomberg Law, “Water Plant Cyberattack Is Wake Up Call, 20 Years in the
Making,” https://news.bloomberglaw.com/us-law-week/water-plant-cyberattack-raises-critical-
infrastructure-concerns, accessed 06-24-2021, CBM]
A cyberattack on a Florida water treatment plant underscores the need for strong security protections at
the municipal level, attorneys and industry professionals say.
A hacker gained access to an Oldsmar, Fla. city computer on Feb. 5 and changed the level of sodium
hydroxide, also known as lye, local authorities said. It isn’t yet known whether the breach originated
from the U.S. or from outside the country. The Federal Bureau of Investigation is working with local
authorities.
There’s been a “marked increase” in the last couple of years in cyber incidents against state and local
government entities, said David Springer, a cybersecurity attorney at Bracewell LLP in Austin, Texas.
“A number of people have been calling this incident a wake-up call, but there have been reported
attacks like this for 20 years now,” Springer said. “I’m glad it’s bringing attention to the security of
industrial and municipal control systems.”
Water Systems Vulnerable
Vulnerability to cyberattacks varies across the 51,000 community water systems nationwide, said J. Alan
Roberson, executive director of the Association of State Drinking Water Administrators.
“This needs to be elevated within the water sector,” because systems are too critical to be allowed to go
down due to a cyberattack, he said.
The country’s largest water systems are the best prepared for cyberattacks because they’ve heavily
invested in addressing security threats, Roberson noted.
One of the largest is American Water Works Company Inc., which said Tuesday that it acknowledges the
severity of cyber threats and is working with state and federal agencies to prepare for them, spokesman
Joseph Szafran said.
“American Water has a dedicated team of certified professionals who help maintain the cybersecurity of
our informational and operational technology systems; safeguard the physical security of our staff,
facilities and assets; and provide emergency response and business continuity activities,” Szafran said in
an email.
Critical Infrastructure Risk

Guarding people’s privacy and protecting their personal information remains a top priority, but cyber
hits to critical infrastructure should serve as reminders that bad actors can inflict real-world physical
harm, said Paul Luehr, co-leader of Faegre Drinker Biddle & Reath LLP’s privacy and cybersecurity team.
“The Florida event shows cybersecurity isn’t always about personal data—it’s also about personal
safety,” he said.
That a plant worker was able to quickly lower the chemical levels back to normal and prevent public
harm reinforces how administrative, physical, and technical controls—including employee training—are
vital to keeping systems secure, he said.
Critical infrastructure such as dams, power plants, and hospitals are attractive targets for bad actors and
have increasingly been targeted in ransomware hits, said Greg Szewczyk, a privacy and cybersecurity
partner at Ballard Spahr LLP in Denver.
It’s common for those types of entities to be targeted by nation-state actors, he said, but regardless of
attacker type, businesses and municipal entities alike need to think about operational and organizational
responsibilities, he said.
“They need to consider data security beyond the mere confines of guarding personal information,”
Szewczyk said. “They should be regularly assessing cyber threats, identifying individual vulnerabilities,
and adopting proper security measures.”
Tools Available
A cyberattack against a drinking water system emphasizes the need for water utilities to implement
existing best practices, said Kevin Morley, manager of federal relations for the American Water Works
Association.
The association provides its members with cybersecurity assessment tools that they should use
following the Feb. 5 attack, Morley said.
“We would encourage those utilities to go do that assessment,” he said. “We are one of the many
targets that various adversaries are seeking to take advantage of.”
The federal government through the Environmental Protection Agency and the Cybersecurity and
Infrastructure Security Agency provides some tools water systems can use to assess their vulnerability,
Roberson said.
But Roberson said EPA’s guidance is limited. The EPA provides an online vulnerability self-assessment
tool that addresses cybersecurity and natural hazards, and a four-page brief on how states can address
cybersecurity, he said.
The brief outlines how drinking water and wastewater systems can benefit from adopting a
cybersecurity program.
“EPA has tools to assist water and wastewater utilities in preparing for, identifying, responding to, and
recovering from cyber-attacks,” the EPA said in a statement provided by spokesman Nick Conger.
“To provide utilities with the most current resources, EPA has developed a website that utilities can
reference to find the most updated alerts, information, and tools that may be used to improve cyber
resilience,” the statement said.
CISA didn’t immediately respond to a request for comment Tuesday.
Compliance Insufficient
The Florida attack showed that a more sophisticated breach may go unnoticed, said Jerry Ray, chief
operating officer of the security firm SecureAge Technology.
“Current regulations aren’t addressing real security threats that they’re faced with, this one being so
low-level, so ham-fisted,” Ray said. “If this were a foreign adversary—someone with a real intent—those
tracks wouldn’t be visible.”
Regulatory compliance and security safeguards most water utilities have in place are insufficient to
protect them against future breaches, he said.
“Everything we’ve got in place is not enough,” Ray said. “Regulatory compliance is where you start.”
Municipalities should lean on state and federal resources to better their security systems, Springer said.
Getting training and financial support from larger organizations can help them beef up their
cybersecurity defenses, he said.
“There’s a very real risk of malicious actors getting into systems that control vital functions,” Springer
said. “That’s not new—but it’s always a good time to refocus attention on it.”
The Biden administration has an opportunity in the wake of this attack to evaluate the nation’s collective
defense model, said Evan Wolff, co-chair of Crowell & Moring LLP’s privacy and cybersecurity group.
“It’s going to take a coordinated and proactive response of organizations, the federal government, and
the security community working together,” Wolff said.
Now is key – Passive approach risks disaster – strengthening protections key to

prevent catastrophic attacks
Chertoff, former Homeland Security secretary, 21
[Michael, 04-26-2021, Homeland Security Today, “Now Is the Time to Invest in the Security of Our Public
Water Infrastructure,” https://www.hstoday.us/subject-matter-areas/infrastructure-security/column-
now-is-the-time-to-invest-in-the-security-of-our-public-water-infrastructure/, accessed 06-26-2021,
HSP]
In late March, President Biden announced a massive infrastructure spending proposal with broad
impacts on a variety of infrastructure types across the country. Included in the proposal was at least
$111 billion in spending on water infrastructure improvements, much of it focused on eliminating
pollutants and ensuring that the water that reaches individuals’ homes is safe to drink. However, this
initial proposal did not include dedicated funding to secure the nation’s water supply from emerging
cyber threats or to strengthen the cybersecurity requirements for water treatment facilities, which are
desperately needed to protect our water supply from potential cyber threats.
In just the past few months, authorities have uncovered attempts by bad actors to tamper with public
water supplies in Oldsmar, Florida, and in Ellsworth County, Kansas. In both instances, attackers illegally
leveraged remote access capabilities in an attempt to alter the balance of chemicals used to treat public
drinking water – changes that could poison or kill thousands of people.
In the Oldsmar case, an unknown intruder attempted to poison the public water supply by drastically
increasing the amount of sodium hydroxide used in the water treatment process. The chemical,
commonly known as lye, is used in small doses to safely treat drinking water but is deadly in larger
concentrations. The attempt to poison Oldsmar’s drinking water was thwarted by timely intervention of
an observant operator, who quickly corrected the chemical balance and alerted supervisors, while
automated systems would have prevented the release of the poisoned water.
In Kansas, a former employee remotely accessed the computer systems that manage the county’s water
treatment plant, shutting down the water cleaning and disinfecting processes to render the water
undrinkable and perhaps dangerous to residents. Fortunately, the disgruntled former employee was
unable to achieve meaningful damage, as no untreated water was released from the plant.
While the timely intervention of authorities prevented public harm in these cases, both demonstrate the
significant threat posed by cyber-attacks to our vulnerable public water infrastructure. The reality is that
the more than 50,000 community water systems in the United States do not have to meet any sort of
national cybersecurity standard and are not resourced to implement and maintain existing best
practices, such as those from the Water Information Sharing and Analysis Center. In the case of
Ellsworth County, Kansas, the investigation into the cyber intrusion of the facility found that the
treatment plant used outdated, unsupported software, allowed for remote access to the facility via the
open internet, and permitted staff to share passwords and user accounts. The country can, and must, do
better by building on existing efforts to secure our water infrastructure.
The security of water treatment systems in the United States did not become a major focus in the
country until after the 9/11 attacks, when concerns over the security of our water supplies largely
pertained to the threat of bioweapons. The 2002 Bioterrorism Act, passed as part of the flurry of
domestic security-focused legislation, required the largest community water systems to assess
vulnerabilities and prepare emergency response plans. However, those requirements were focused on
physical threats to the water supply, such as the introduction of a pathogen either within a water
reservoir or at a water treatment plant. The Act and its supporters did not envisage the types of remote
attacks or the usage of the treatment process itself as a weapon to poison our water.
The criticality of our water infrastructure was also acknowledged in Homeland Security Presidential
Directive 7 (HSPD-7), which designated the water sector as critical infrastructure and directed the
Environmental Protection Agency, the governmental lead for water system protection, as well as the
Department of Homeland Security to develop a sector-specific security plan. These efforts, bolstered by
the creation of the National Infrastructure Protection Plan in 2013, allow DHS and the EPA to coordinate
sector security efforts and help utilities with the conduct of vulnerability assessments and development
of emergency response plans. While the EPA and DHS do provide utilities, public or private, with limited
technical and, more importantly, financial assistance, the reality is that these resources are a drop in the
bucket relative to the scale of investment likely needed to address cyber risks.
The America’s Water Infrastructure Act, signed into law in 2018, expanded past security efforts by
requiring the country’s largest water systems to conduct security-risk reviews, including for
cybersecurity threats. While the reviews for larger providers have been completed, smaller suppliers
have either yet to complete their reviews or are exempt. The Act also stopped short of creating specific
national standards or requirements for the cybersecurity of water treatment facilities.
These recent attacks on our public water infrastructure highlight the urgency for action. Many systems
are well positioned to leverage the findings of their congressionally mandated security-risk reviews to
make the cybersecurity investments needed to secure our public water supplies. The administration’s
proposed infrastructure bill and ongoing negotiations in Congress offer an opportunity for the United
States to dedicate resources to properly secure our water treatment facilities from cyber threats for the
first time. The recent events in Kansas and Florida only highlight the dangers posed by passivity.
Background
Water Sector Actors
Water sector partners include EPA, Department of Homeland Security, NIST, AWWA,
and other water associations, educational institutions, labs, foundations, public water
supplies and state and local agencies
Clark, Environmental Engineering and Public Health Consultant, et al., 18
[Robert M., also former EPA Office of Research and Development Municipal Environmental Research
Laboratory Water Supply Research Division, Simon Hakim, Professor of Economics, and Director of the
Center for Competitive Government at the Fox School, Temple University & Srinivas Panguluri,
Independent Cyber-Security Consultant, August 2018, Water and Environment Journal, “Protecting
water and wastewater utilities from cyber-physical threats,” Volume 32, Issue 3,
https://doi.org/10.1111/wej.12340, p. 386, accessed 6-23-21, AFB]
Sector-specific partners include: the EPA, DHS, the National Institute for Science and Technology (NIST),
the American Water Works Association (AWWA), the Water Research Foundation, the Water
Environment Research Foundation and other water associations, educational institutions, national
research laboratories, public and private research foundations, states/local agencies, PWSs and related
organizations.
[Note – PWSs = public water supplies]

EPA Has Regulatory Authority
The EPA has the authority to establish cyber security requirements for water
infrastructure
Clark, Former Consultant in Environmental Engineering for the EPA, & Hakim, Temple
University Professor of Economics, 17
(Simon, PhD in Regional Science from the University of Pennsylvania, Director of the Center for
Competitive Government at Temple University, Erwin Blackstone, Professor of Economics at Temple
University, PhD in economics from the University of Michigan, Robert Clark, Former Consultant in
Environmental Engineering for the EPA, PhD in Civil Engineering from Cornell University, 2017, Cyber-
Physical Security: Protecting Critical Infrastructure at the State and Local Level, pg. 136, MLiao)
While U.S. Environmental Protection Agency (EPA) is the Sector-Specific Agency (SSA) lead for protecting
the critical infrastructure in the Water Sector, it works collaboratively with the DHS, the utility owners,
and operators, as well as representatives from industry associations to ensure that Water Sector cyber-
protection and resilience strategies are effective and practical. The DHS serves as the cyber security lead
SSA for the 16 critical infrastructure sectors and has cross-sector experience that is leveraged by EPA.
This SSA lead-position was clarified in response to section 10(a) of the Presidential Executive Order (EO)
13636 (Federal Register 2013) titled, “Improving Critical Infrastructure Cybersecurity,” where the EPA
reported that the Agency had the authority to establish cyber security requirements for the public water
systems (PWSs) under the Safe Drinking Water Act (SDWA) section 1401; and the publicly owned
treatment works (POTWs) i.e., the wastewater systems under the Clean Water Act (CWA) sections 304,
308, 402, and 501. Furthermore, for the purposes of cyber security, the EPA defines the Water Sector to
include both water and wastewater utilities. However, there are some major differences in how the
individual utilities operate because of differences in: size, population, finances, and regulatory focus.
Water plant regulation must come from the EPA

Hendricks and Sessler, Crowe & Dunlevy’s Cybersecurity and Data Privacy Group
Attorneys, ‘21
(Anthony, Health Alliance for the Uninsured board vice president, JD from Harvard Law School, Jordan,
former Eastern District of Arkansas US District Court Law Clerk, The Dallas Morning News, “New
cybersecurity rules for pipelines are good. Now let’s secure all the other critical infrastructure”,
https://www.dallasnews.com/opinion/commentary/2021/05/31/new-cybersecurity-rules-for-pipelines-
are-good-now-lets-secure-all-the-other-critical-infrastructure/, Accessed 6/30/21, MLiao)
Under sector-specific regulation, regulations for a certain sector of America’s infrastructure must be
implemented by the specific agency that oversees that industry. For example, while DHS may regulate
pipelines, the Department of Energy must regulate power plants, the Federal Aviation Administration
must regulate aircraft, and the Environmental Protection Agency must regulate water plants.
Inherency
Fed Role Limited Now
The federal role has been limited, but the importance of water justifies expanding
federal protections against cyber threats
Even though cyber-threats pose a major threat to CI, in the United States, the Federal role in cyber-
security has been debated for more than a decade. Action at the Federal level for protecting CI is limited
because of the political structure of the United States. In the United States, State and local governments
have been the major institutions responsible for providing services to their populations. However, the
US Constitution provides for a separation of powers between the States and the Federal government. In
order to bridge this gap, the National Governors Association (NGA 2015), a non-partisan organisation
representing the interests of the fifty states and trust territories, has begun taking action in this
important area (NGA 2015). Governments in countries that do not have the political separation of power
that exists in the United States, may therefore be able to adopt a more integrated approach to cyber-
security (Tabansky 2016).
From a public health and an economic perspective, public water supply (PWS) and wastewater systems
represent a CI that needs protection. After September 11, 2001, the federal government directed efforts
to secure the nation’s CI and initiated programs such as the National Strategy to Secure Cyberspace
(Bush 2003). This program addresses the vulnerabilities of Supervisory Control and Data Acquisition
(SCADA) systems and Information Control Systems (ICSs) and calls for the public and private sectors to
work together to foster trusted control systems (Dakin et al. 2009; Edwards 2010).
This paper discusses the vulnerability of water supply and wastewater to cyber-threats and suggests
actions for dealing with these threats.
EPA Not Acting
The EPA has no plans to increase cybersecurity regulations for water infrastructure
The US Environmental Protection Agency (EPA), is the sector-specific agency lead for protecting the CI in
the Water Sector. EPA works collaboratively with the DHS, utility owners and operators and
representatives from industry associations to ensure that cyber-protection and resilience strategies are
effective and practical (EO 13636 2016). EPA has determined that current cybersecurity regulatory
requirements in the Water Sector are sufficient and contemplates no regulatory action.
The EPA does not require submission of risk assessments

Katz, FCW Cybersecurity Reporter, 21
[Justin, 03-01-2021, FCW, “When water utilities get hacked, who should they call?,”
https://fcw.com/articles/2021/03/01/water-cyber-cisa-epa-breach.aspx, accessed 06-26-2021, HSP]
Cybersecurity regulations for different industries vary because the rules are set by whichever
government agency or panel is responsible for that sector. For water treatment facilities like the one in
Oldsmar, Fla., the Environmental Protection Agency is responsible.
That designation comes from an Obama-era policy directive that stated the EPA is the sector-specific
agency for water and wastewater systems. In the event of a compromise, such as what happened Feb. 5,
EPA partners with the FBI and the Cybersecurity and Infrastructure Security Agency to investigate.
EPA is also charged with administering requirements in America's Water Infrastructure Act, according to
an agency spokesman. Any plant serving more than 3,300 people has to plan for "malevolent acts" such
as a cybersecurity threat and maintain risk assessments as well as emergency response plans. Those
efforts are managed by the water security division which assists facilities in "preparing for, identifying,
responding to, and recovering from" cybersecurity threats," according to the spokesman.
While the EPA requires that water utilities certify their response plans and risk assessments are
completed, the agency does not receive copies of those documents, the spokesman added.
EPA provides limited guidance for cybersecurity breaches.
Holland & Magill, Bloomberg Law, 21
[Jake & Bobby, 02-10-2021, Bloomberg Law, “Water Plant Cyberattack Is Wake Up Call, 20 Years in the
Making,” https://news.bloomberglaw.com/us-law-week/water-plant-cyberattack-raises-critical-
infrastructure-concerns, accessed 06-24-2021, CBM]
A cyberattack against a drinking water system emphasizes the need for water utilities to implement
existing best practices, said Kevin Morley, manager of federal relations for the American Water Works
Association.
The association provides its members with cybersecurity assessment tools that they should use
following the Feb. 5 attack, Morley said.
“We would encourage those utilities to go do that assessment,” he said. “We are one of the many
targets that various adversaries are seeking to take advantage of.”
The federal government through the Environmental Protection Agency and the Cybersecurity and
Infrastructure Security Agency provides some tools water systems can use to assess their vulnerability,
Roberson said.
But Roberson said EPA’s guidance is limited. The EPA provides an online vulnerability self-assessment
tool that addresses cybersecurity and natural hazards, and a four-page brief on how states can address
cybersecurity, he said.
The brief outlines how drinking water and wastewater systems can benefit from adopting a
cybersecurity program.
“EPA has tools to assist water and wastewater utilities in preparing for, identifying, responding to, and
recovering from cyber-attacks,” the EPA said in a statement provided by spokesman Nick Conger.
“To provide utilities with the most current resources, EPA has developed a website that utilities can
reference to find the most updated alerts, information, and tools that may be used to improve cyber
resilience,” the statement said.
[Note – Roberson = J. Alan Roberson, executive director of the Association of State Drinking Water
Administrators.]
Risk High
Water Infrastructure Vulnerable
There are numerous challenges to managing water cybersecurity risks

Germano, Center for Cybersecurity and NYU Center on Law and Security fellow, 19
[Judith, PhD and Adjunct Professor of Law at NYU School of Law, 2019, AWWA, "Cybersecurity Risk &
Responsibility in the Water Sector”,
https://www.awwa.org/Portals/0/AWWA/Government/AWWACybersecurityRiskandResponsibility.pdf,
accessed 6-27-2021, CG]
CHALLENGES TO MANAGING CYBER RISK
For many utilities and other public infrastructure entities, the resources and capabilities for preventing,
detecting and mitigating cyber risk fall short, particularly given the significance of the threat and
potential harm. Challenges to managing cyber risk in the water sector are organizational, physical and
technological. The water sector presents diverse challenges due to its varying drinking water and
wastewater infrastructure, and the fact it is comprised of entities of vastly different sizes, capabilities,
resources and types of ownership. Multiple governing authorities, on a federal and state level, oversee
water and wastewater concerns regarding public health, environmental protection and security, among
others.43 Fractured organizational structure, often embedded within a multifaceted municipality,
shared infrastructure with different levels of risk, and a prevalence of legacy—sometimes antiquated—
systems increase the challenges of managing cyber risk. Some of these challenges are not unique to the
water sector; according to the Brookings Institute, the vast majority of public agencies lack a clear
cybersecurity plan.44
Large organizations often say it is hard to defend against cyber attacks due to their size and multi-
faceted systems, underscored by the concern that one point of compromise across a global network
with thousands of employees could cause harm. Smaller organizations often claim inadequate financial
and personnel resources, and lack of the time and knowledge, needed to address cybersecurity issues.
In either case, where to start and how best to prioritize cybersecurity defenses are challenging.
Regardless of the size of the entity, executives, managers and boards are haunted by (or at least should
be asking) key questions, including:
Have we identified and adequately secured our critical data and systems?
Are we doing enough to anticipate threats and prevent, detect and quickly respond to cyber attacks?
Have we done a recent risk assessment and developed a plan to address known risks?
Are we ensuring patches are up to date and employing encryption and access limitations?
Are we addressing vulnerabilities caused by legacy, or outdated systems, and working with vendors to
develop a priority-based plan, timeline and budget for adopting cybersecurity upgrades (and, if
necessary, overhauls) to improve cybersecurity?
Will we have a good explanation to give our clients, constituents, customers, regulators and
shareholders when attacks do happen?
Water sector utility owners and operators tend to be advanced in emergency response and resilience
planning based on their preparations for natural disasters; similar redundancy and recovery methods
and structures to ensure continuity of operations and protect public health and the environment also
must be applied in the cybersecurity context.45 Although replacing legacy systems and networks can be
extremely costly, it is essential to work with vendors and cybersecurity experts to implement updates
and, if necessary, overhauls of outdated systems. Invoke the help of internal or external advisors to
prioritize risk and develop a realistic approach and plan for enhancing cybersecurity. At a minimum,
comply with basic standards including restricted physical and technical access, firewalls, logging and
encryption.
Water systems are extremely vulnerable—government aid is needed.

Associated Press 21
[6-12-21, PennLive, “Water, power systems in US are shockingly vulnerable to cyber attacks,”
https://www.pennlive.com/news/2021/06/water-power-systems-in-us-are-shockingly-vulnerable-to-
cyber-attacks.html, accessed 6-30-21, CBM]
When the Los Angeles Department of Water and Power was hacked in 2018, it took a mere six hours.
Early this year, an intruder lurked in hundreds of computers related to water systems across the U.S. In
Portland, Oregon, burglars installed malicious computers onto a grid providing power to a chunk of the
Northwest.
Two of those cases — L.A. and Portland — were tests. The water threat was real, discovered by
cybersecurity firm Dragos.
All three drive home a point long known but, until recently, little appreciated: the digital security of U.S.
computer networks controlling the machines that produce and distribute water and power is woefully
inadequate, a low priority for operators and regulators, posing a terrifying national threat.
“If we have a new world war tomorrow and have to worry about protecting infrastructure against a
cyberattack from Russia or China, then no, I don’t think we’re where we’d like to be,” said Andrea
Carcano, co-founder of Nozomi Networks, a control system security company.
Hackers working for profit and espionage have long threatened American information systems. But in
the last six months, they’ve targeted companies running operational networks like the Colonial Pipeline
fuel system, with greater persistence. These are the systems where water can be contaminated, a gas
line can spring a leak or a substation can explode.
The threat has been around for at least a decade — and fears about it for a generation — but cost and
indifference posed obstacles to action.
It isn’t entirely clear why ransomware hackers — those who use malicious software to block access to a
computer system until a sum of money has been paid — have recently moved from small-scale
universities, banks and local governments to energy companies, meatpacking plants and utilities.
Experts suspect increased competition and bigger payouts as well as foreign government involvement.
The shift is finally drawing serious attention to the problem.
The U.S. government began taking small steps to defend cybersecurity in 1998 when the Clinton
administration identified 14 private sectors as critical infrastructure, including chemicals, defense,
energy and financial services. This triggered regulation in finance and power. Other industries were
slower to protect their computers, including the oil and gas sector, said Rob Lee, the founder of Dragos.
One of the reasons is the operational and financial burden of pausing production and installing new
tools.
Much of the infrastructure running technology systems is too old for sophisticated cybersecurity tools.
Ripping and replacing hardware is costly as are service outages. Network administrators fear doing the
job piecemeal may be worse because it can increase a network’s exposure to hackers, said Nozomi’s
Carcano.
Although the Biden administration’s budget includes $20 billion to upgrade the country’s grid, this
comes after a history of shoulder shrugging from federal and local authorities. Even where companies in
under-regulated sectors like oil and gas have prioritized cybersecurity, they’ve been met with little
support.
Take the case of ONE Gas Inc. in Tulsa, Oklahoma.
Niyo Little Thunder Pearson was overseeing cybersecurity there in January 2020 when his team was
alerted to malware trying to enter its operational system — the side that controls natural gas traffic
across Oklahoma, Kansas and Texas.
For two days, his team was in a dogfight with the hackers who moved laterally across the network.
Ultimately, Pearson’s team managed to expel the intruders.
When Richard Robinson at Cynalytica fed the corrupted files into his own identification program, ONE
Gas learned it was dealing with malware capable of executing ransomware, exploiting industrial control
systems and harvesting user credentials. At its core were digital footprints found in some of the most
malicious code of the last decade.
Pearson tried to bring the data to the Federal Bureau of Investigation but it would only accept it on a
compact disc, he said. His system couldn’t burn the data onto a CD. When he alerted the Department of
Homeland Security and sent it through a secure portal, he never heard back.
Robinson, of Cynalytica, was convinced a nation-state operator had just attacked a regional natural gas
provider. So he gave a presentation to DHS, the Departments of Energy and Defense and the intelligence
community on a conference call. He never heard back either.
“We got zero, and that was what was really surprising,” he said. “Not a single individual reached back
out to find out more about what happened to ONE Gas.”
The agencies didn’t respond to requests for comment.
Such official indifference — even hostility — hasn’t been uncommon.
The 2018 break-in to the L.A. water and power system is another example.
These weren’t criminals but hackers-for-hire paid to break into the system to help it improve security.
After the initial intrusion, the city’s security team asked the hackers to assume the original source of
compromise had been fixed (it hadn’t) while hunting for a new one. They found many.
Between the end of 2018 and most of 2019, the hired hackers discovered 33 compromised paths,
according to a person familiar with the test who wasn’t authorized to speak publicly. Bloomberg News
reviewed a report produced by the hackers for Mayor Eric Garcetti’s office.
It described 10 vulnerabilities found during their own test, along with 23 problems researchers had
discovered as early as 2008. (Bloomberg News won’t publish information that hackers could use to
attack the utility.) The person familiar with the operation discovered that few, if any, of the 33 security
gaps have been fixed since the report’s submission in September 2019.
It gets worse.
Soon after the hackers produced the report, Garcetti terminated their contract, according to a
preliminary legal claim filed by the hackers hired from Ardent Technology Solutions in March 2020. The
company alleges the mayor fired the hackers as a “retaliatory measure” for the scathing report.
Ellen Cheng, a utility spokeswoman, acknowledged that Ardent’s contract was terminated but said it had
nothing to do with the report’s substance. She said the utility frequently partners with public agencies to
improve security, including scanning for potential cyber threats.
“We want to assure our customers and stakeholders that cybersecurity is of the utmost importance to
LADWP and that appropriate steps have been taken to ensure that our cybersecurity is compliant with
all applicable laws and security standards,” Cheng said in a statement.
Garcetti’s office didn’t respond to a request for comment.
The case of the Oregon network — the Bonneville Power Administration — is no more encouraging.
The testing went on for years beginning in 2014 and involved an almost shocking level of intrusion
followed by a pair of public reports. One published in 2017 admonished the agency for repeatedly failing
to take action.
By 2020, two-thirds of the more than 100 flaws identified by the Department of Energy and the utility’s
own security team hadn’t been resolved, according to interviews with more than a dozen former and
current Bonneville security personnel and contractors and former members of the Department of
Energy cyber team, in addition to documents, some accessed via Freedom of Information Act request.
Doug Johnson, a spokesperson for Bonneville, didn’t respond to requests for comment on whether the
vulnerabilities have been resolved, including some detailed in documents reviewed by Bloomberg in
2020.
Dragos estimated in its 2020 cybersecurity report that 90% of its new customers had “ extremely limited
to no visibility” inside their industrial control systems. That means that once inside, hackers have free
rein to collect sensitive data, investigate system configurations and choose the right time to wage an
attack.
The industry is finally focused on fighting back.

“If the bad guys come after us, there has to be an eye-for-an-eye, or better,” observed Tom Fanning,
chief executive officer of Southern Co., at a conference this week. “We’ve got to make sure the bad guys
understand there will be consequences.”
Cyber threats to water infrastructure rising – putting national security, economy, and
water supply at increased risk
https://doi.org/10.1111/wej.12340, p. 385-6, accessed 6-23-21, AFB]
Cyber-security challenges in the United States
The US GAO has conducted a number of comprehensive studies on the vulnerability of US governmental
and societal functions to cyber-threats. According to these studies advanced persistent threats (APTs)
pose increasing risks in the United States and throughout the world (US GAO 2011). APTs occur where
adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives
repeatedly over an extended period of time. Some of these adversaries may be foreign militaries or
organized international crime. Growing and evolving threats can potentially affect all segments of
society, including individuals, private businesses, government agencies and other entities.
National threats to security include those aimed against governmental systems and networks including
military systems, as well as against private companies that support government activities or control CI
(US GAO 2011). Cyberthreats may target commerce and intellectual property. These threats may include
obtaining confidential intellectual property of private companies and governments, or individuals with
the objective of using that intellectual property for economic gain. Threats to individuals could lead to
the unauthorised disclosure of personally identifiable information, such as taxpayer data, Social Security
numbers, credit and debit card information or medical records. The disclosure of such information could
cause harm to individuals, including identity theft, financial loss and embarrassment. Cyber-attacks can
result in the loss of sensitive information and damage to economic and national security, the loss of
privacy, identity theft or the compromise of proprietary information or intellectual property. According
to the US Computer Emergency Readiness Team (US-CERT), between 2006 and 2012, the incidents have
increased from 5 503 to 48 562; an increase of 782% (US GAO 2013).
The following examples illustrate the potential for attacking CI in the United States:
• In Eastern Ukraine in late December, 2015 power was cut to more than 600 000 homes and Russia was
identified as the likely source of the attack. Ukraine’s security service and the Ukraine government
blamed Russia for the attack. The US including experts at the CIA, National Security Agency and the DHS
are investigating whether samples of malware recovered from the company’s network indicate that the
blackout was caused by hacking and whether it can be traced back to Russia. Researchers from a private
global security company claimed they had samples of the malicious code that affected three of the
region’s power companies, causing ‘destructive events’. The group behind the attack has been identified
as the ‘the Sandworm gang’, which is believed to have targeted NATO, Ukraine, Poland and European
industries in 2014 (Russian Hackers 2016).
• A city within the Australian state of Queensland found that a computer technician rejected for a job
with local government decided to seek revenge by hacking into the city’s wastewater management
system. During a 2-month period, he directed computers to spill hundreds of thousands of gallons of
raw sewage into local rivers, parks, and public areas before authorities were able to identify him as the
perpetrator (Janke et al. 2014).
• A major cyber-security problem occurred in the City of Bacon Raton, Florida, a medium sized water
and wastewater facility. The utility experienced a series of cyber-security incidents resulting in plant
shutdowns. Eventually the SCADA system locked-up and caused the water plant to shut down and it
took 8 h to re-establish control of the system. There was no monitoring system for the network traffic so
it was difficult to diagnose the source of the problem. Ultimately it was concluded that the network had
experienced a data storm. Eventually the utility was able to update the SCADA system without losing any
of the systems functionality (Horta 2007).
Protecting water and wastewater systems in the United States SCADA/ICS systems are an essential
component for the effective operation of most water and wastewater utilities in the US. In the
Homeland Security Presidential Directive 7 (HSPD–7 2002) and its successor, the Presidential Policy
Directive issued in 2013 (PPD-21 2013), the Water Sector has been identified as one of the 16 CI sectors
that must be protected.
Figure 1 shows that, in 2015, the DHS responded to 245 incidents. The Water sector reported the fourth
largest number of incidents resulting in DHS incident response support (DHS 2016). The Energy sector
reported the second largest number of reported incidents. Clearly these incidents could have a direct
impact on water supply systems.
Outdated water control systems are at increasing risk of attack whether from a
disgruntled employee or a terrorist organization
Williams, Water World, 17
[Andrew, 01-01-2017, Water World, “The threat of cyber security breaches has emerged as a growing
risk for water utilities. Earlier this year hackers linked to Syria breached the security of an American
water utility and tampered with critical systems to control water flow. What practical steps can utilities
take to safeguard facilities and customer details from cyber security risks?,”
https://www.waterworld.com/international/utilities/article/16201183/cyber-security-how-water-
utilities-can-protect-against-threats, Accessed 06-28-2021, CBM]
A recent PwC study concludes that the average utilities company holds data worth in excess of £50
million to a cyber criminal seeking to exploit that information. Customers are also far more aware of
their personal information security than they were even ten years ago.
As a result, the instigators of cyber security threats have evolved at an alarming rate over the last 10-15
years, according to Barry Searle, director of training at intqual-pro. Although once considered to be a
state sponsored activity, or restricted to highly capable criminal hackers, the primary skill sets required
to conduct cyber crime, espionage or even terrorism can now be “self taught utilising platforms such as
YouTube”, he says.
While the traditional, financially motivated cyber criminal is arguably still the most common, there is
now also a far greater chance of a disgruntled employee, customer or even competitor, having the
capability to disrupt operations through a cyber attack. Furthermore, cyber ‘hacktivism’ continues to
grow, particularly in areas such as data leaks and denial of service attacks.
“For the first time we also face terrorist organisations with a legitimate offensive cyber capability, for
which critical national infrastructure such as water and wastewater [facilities] would be primary
targets,” says Searle.
In his view, the water sector faces two separate threats in relation to cyber security. The first is a threat
against assets critical to national infrastructure, such as treatment works and dams, which represent “an
appealing target for those criminal actors seeking to cause mass disruption or worse”.
For Searle, the fact that many companies have linked critical and sensitive SCADA systems to broader
external networks is “probably the greatest vulnerability” and the fact that SCADA systems are often not
on isolated networks, means that many of them “could in theory be accessed as a result malware
introduced to primary networks through a technique known as spear phishing”.
Over 90% of attacks were attributed to some form of human error in the last quarter of 2015 and tactics
such as spear phishing through social engineering rise year on year, due to the success and ease in which
the human being can be manipulated.
“I certainly find that while the technical infrastructure may be suitable within the water and wastewater
industry, cyber security culture is years behind that of financial sector, which has more experience in
dealing with cyber criminality,” he adds.
SCADA makes water infrastructure uniquely vulnerable to cyberattacks

Shermer, District of Columbia Offices, Boards and Divisions General Attorney, ‘6
(Steven D., 14 cumulative years as general attorney of the district of Columbia, JD from Case Western
Reserve University School of Law, LL.M from George Washington University School of Law, UCLA Journal
of Environmental Law & Policy, 2016, “The Drinking Water Security and Safety Amendments of 2002: Is
America’s Drinking Water Infrastructure Safer Four Years Later?”, Volume 24, Issue 2,
https://doi.org/10.5070/L5242019532, pg. 377-8, Accessed 6/29/30, MLiao)
Drinking water utilities' increasing reliance upon computerized Supervisory Command and Data
Acquisition ("SCADA") systems for managing key facility operations is consequently another prominent
vulnerability. 137 "SCADA systems allow utility companies and municipalities to monitor and direct
equipment at unmanned facilities from a central location. ' 138 Dedicated communications channels
provide control centers with electronic access to hundreds of 'remote terminal units' that control such
diverse operations as water pumping and storage, water treatment operations, and water transmission.
139 A hacker breaking into a SCADA system could therefore hypothetically modify water quality
detection systems, steal sensitive information, and prevent or disrupt water deliveries. 140 "Although
[the automated] operations are backed up by manual controls, "great damage could be done if the
control of these systems was lost for a period of time due to cyber attack. 141
SCADA systems have been recognized for some time as ... highly vulnerable to cyber attack. 1 42
Unfortunately, according to the FBI, terrorists have sought information about SCADA networks for
drinking water facilities. 143 A primary reason for their vulnerability is that drinking water SCADA
systems were "generally... designed and installed with little attention to security."144 Existing drinking
water facilities were commonly designed with "[p]hysical and electronic single points of failure [that]
can easily lead to complete disabling of a SCADA system. ' 145 Oftentimes, even ". . .new systems are
not designed with security in mind. '146 "As a result, many of these networks may be susceptible to
attacks and misuses...,,147
As the trend toward downsizing and automation of drinking water facilities accelerates, ". . .SCADA
systems will increasingly be exposed to cyber threats."'' 48 Because the internet is being used more
frequently as the means to control SCADA systems, "...water systems are more likely to encounter denial
of service attacks, viruses, and other malicious programs, which could severely disrupt the operation of
these systems.' 4 9 Consequently, the threat of cyber attacks on drinking water infrastructure SCADA
systems is a top security concern. 50
Framing
Prioritize water infrastructure---potential consequences are catastrophic

The potentially devastating consequences of a successful attack on our drinking water infrastructure also
dictate that we cannot afford to overlook even unlikely threats.341 "If there is one lesson to be learned
from September 11... it is that even the most unlikely events can occur with devastating results. ' 342
Accordingly, "... we should be doing everything we can both to prevent such an action and to prepare
for its consequences. '343 Although it is unlikely that an intentional attack on a drinking water supply
could be cause widespread contamination, as discussed above in Section I, the human health
consequences of a successful attack ". . .are potentially severe. '34 4 Furthermore, current
environmental and public health monitoring capabilities are likely too slow to evaluate whether a
potential threat warrants a response action before significant harm occurs. 345 Therefore, it is
appropriate to make conservative assumptions regarding our need for enhanced drinking water
infrastructure security measures. 346 The potentially catastrophic consequences of successfully
attacking a drinking water system, even if highly unlikely, factor into the need to protect against that
possibility.
Cyber Threats High Risk
Cyber threats are on the rise now.

Jones, Cybersecurity Dive financial reporter, 21
[David, 6-21-21, Cybersecurity Dive, “Critical infrastructure sites face greater cyberthreat amid remote
connectivity: Moody's,” https://www.utilitydive.com/news/critical-infrastructure-threats/602089/,
accessed 6-30-21, CBM]
The ransomware attack on Colonial Pipeline, rather than an isolated attack by an emboldened adversary,
represented an escalation of an existing global trend where malicious threat actors target critical
infrastructure sites.
Colonial paid $4.4 million in ransom to a Russia-linked threat actor called DarkSide, after the attackers
exploited a legacy VPN profile and compromised the company's IT environment.
"When it came to Colonial Pipeline shutting down, I think that was a big wakeup call for a lot of sectors
in terms of what was originally a cyber issue on the information technology side, can disrupt operations,
which is something that we've been focused on for a number of years now," Jim Hempstead, managing
director in Moody's Global Project and Infrastructure Finance Group.
Moody's cited data from Claroty, an industrial cybersecurity specialist, which showed 297 cyber
vulnerabilities across the energy, water and wastewater sectors during the second half of 2020. The
figures represented an increase of 23% from the 2019 period and 66% from the 2018 period.
Moody's also noted a series of high-profile ransomware attacks on energy and other utilities around the
world in recent months, including the June 2020 attack on Enel Group by the Snake ransomware
organization and the February 2020 attack on a U.S. natural gas facility that had to halt pipeline
operations for two days.
The Oldsmar water treatment facility in Florida was also the target of a threat actor that gained remote
access by exploiting the operator's supervisory control and data access system through TeamViewer.
Some industries have taken steps to boost cybersecurity practices and regulatory oversight in recent
months.
Ransomware risk high

Northey, Environment and Energy News Reporter, 21
[Hannah, 05-21-2021, Environment and Energy Publishing, LLC, "CYBERSECURITY: Colonial hack reveals
major threats to water sector”, https://www.eenews.net/stories/1063733231, accessed 6-27-2021, CG]
Experts say it's a sign of widespread, nascent vulnerability that reaches across all sectors. "What Colonial
tells us is that everybody's susceptible to these types of attacks," said Michael Arceneaux, chief
operating officer of the Association of Metropolitan Water Agencies and managing director of
WaterISAC, the sector's threat sharing organization.
Hackers are increasingly using ransomware, a type of malware, to steal and encrypt data from
companies and then threaten to leak that information or block access until a ransom is paid, said Marty
Edwards, vice president of OT security at cybersecurity firm Tenable and a former Department of
Homeland Security official.
When it comes to energy and water systems, hackers force companies to halt operations or go offline
and then demand payments to unlock computers and get plants back up and running, he said, adding
that it's a growing and lucrative business. Edwards said it all comes down to how good the backup and
disaster recovery plans are for individual companies, plants or facilities.
"Right now ransomware is probably the most prevalent cyber risk to an organization ," he said.
"Criminal organizations have pivoted toward it in a big way."
Kevin Morley, manager of federal relations for the American Water Works Association, a trade
association for about 4,300 water utilities, agreed the Colonial hack exposes weaknesses that reach far
beyond the pipeline or oil and gas industries.
"It demonstrates the reality of the threat environment: There are entities out there that have criminal
intent and there's financial incentive," said Morley.
"Assuming they continue to be successful," he said, "they're going to continue going back and doing
what they just did."
A growing threat
The energy and power sectors have long been vulnerable to cyberattacks and ransomware given their
use of aging operational systems that can be outdated and unsecure, said Edwards.
What's changed is that hackers are increasingly taking advantage of those weaknesses and growing
more sophisticated, surgical and persistent in their attacks, he said.
Whereas in the past hackers used a "spray and pray" method of sending out ransomware across a host
of organizations, Edwards said, threats are now more organized and targeted.
"You can go on the dark web and buy a ransomware tool kit or you can be a multilevel-marketer type
person and be an affiliate that uses ransomware from a particular company," he said. "These are run
almost like corporations."
At the same time, companies at the receiving end of those attacks are becoming more transparent and
sharing information with stockholders or local utility boards, he said.
Last year, for example, the Cybersecurity and Infrastructure Security Agency said an attack using the
Ryuk ransomware hit a natural gas company, forcing the shutdown of a pipeline for two days
(Energywire, May 10).
Russian Cyber Attacks High Risk
Russian cyberattacks against critical infrastructure are likely now---it aligns with their
strategic objectives.
Koehler, Georgetown Security Studies Program M.A. Candidate, 19
[R. Kekoa Koehler, M.A. Candidate in the Security Studies Program at Georgetown University,
concentrating in U.S. National Security Policy. Kekoa currently works as an adjunct research assistant for
the RAND Corporation’s Homeland Security and Operational Analysis Center and previously worked as a
Special Assistant to the Assistant Secretary for Strategy, Plans, Analysis, and Risk—Office of Policy at the
Department of Homeland Security. He graduated from Hawaii Pacific University with a B.A. in
International Relations, January 2019, Georgetown Security Studies Review, “When the Lights Go Out:
Vulnerabilities to US Critical Infrastructure, the Russian Cyber Threat, and a New Way Forward,” Vol 7,
Issue 1, pg. 29-30, https://georgetownsecuritystudiesreview.org/wp-content/uploads/2019/01/GSSR-
7.1-final-text-updated.pdf#page=27]JMK
The Threat Actor: Offensive Intent and a Ukrainian Test-Bed
The Russian Federation possesses advanced offensive cyber intrusion and intelligence capabilities that
were developed to infiltrate the crucial energy generation and water systems of their strategic
adversaries. As the nature of US strategic competition with the Russian Federation changes, the USG
faces a significant national security challenge from Russian cyber operations targeting US CIKR
systems.
Russian hacking operations are integral toward achieving Russia’s broader national, regional, and global
strategic objectives. The Russian government sees its national security objectives tied to global and
regional threats that seek to contain and constrain Russia’s development as a major power.21 The
enlargement of NATO and the location of its military infrastructure led by US efforts in Estonia and
Poland create an inherent threat to Russian national security from the perspective of the Russian
government.22 Additionally, Russia identifies post-revolutionary Ukraine as an immediate security
threat on its western border and a sign of US attempts to surround Russia with adversarial states. To
combat this strategic threat, Russia turned to improving its offensive cyber operation capabilities. The
Russian government recognizes its disadvantage in the conventional military realm which drove it to
pursue below-threshold cyber operations and other gray-zone capabilities that provide attribution
deniability, political and civil-society confusion, and drawn out response times for Russia’s
adversaries.23
Following the ousting of Ukrainian President and Russian ally Viktor Yanukovych in 2014, Russian
intelligence and military cyber operators have honed their capabilities in targeted CIKR operations using
Ukraine’s systems as a test-bed.24 In 2015, Russian cyber teams breached the ICS of three Ukrainian
power distribution stations, locked controllers out of their substation control systems, and disabled 60
Ukrainian substations resulting in over 225,000 people losing access to power .25 The attackers then
disabled backup power supplies to two of the three distribution centers, leaving Ukrainian operators
stumbling in the dark as they attempted to bring the substations back online.26 Successful Russian cyber
operations on Ukraine’s CIKR systems portends similar attacks for power generation plants and
distribution centers in the United States. The control systems in Ukraine were surprisingly more secure
than some in the United States as they were well-segmented from the control center’s business
networks with robust firewalls.27 Disturbingly, the USG reported in 2014 that unattributed hackers
planted similar versions of malware found in the Ukrainian power grid attacks on the networks of US
power and water utilities systems.28 While the Ukrainian grid attack may have only lasted a few hours,
US electrical grids are more extensively interconnected to key sectors that enable the US economy
and provide crucial utilities services to US metropolitan areas with far larger populations than in
Ukraine.
Water Terrorism High Risk
Water terrorism rising now—263% increase in attacks since 1970

Veilleux, Florida International University Steven J Green School postdoctoral associate
and Dinar Florida International University Steven J Green School Associate Dean, 18
[Jennifer and Shlomi, 5-8-2018, New Security Beat, "New Global Analysis Finds Water-Related Terrorism
Is On the Rise," https://www.newsecuritybeat.org/2018/05/global-analysis-finds-water-related-
terrorism-rise/, accessed 6-28-2021, CG]
In 2014, after losing a number of Somalian cities it had captured to African Union and Somali troops, the
terrorist group Al-Shabaab changed its tactics. To demonstrate its continued power and presence, Al-
Shabaab cut off water supplies to its formerly held cities. Residents from these cut-off cities were forced
to fetch water from nearby towns, many of which Al-Shabaab controlled. But the terror group
prevented anyone living in government-controlled territory from entering, which increased people’s
frustration with the government.
Attacking water is not a new terror tactic. Three decades earlier, in the midst of Peru’s economic crisis
and failed agrarian reforms, the leftist group Shining Path destroyed precious water infrastructure , along
with bridges and electrical systems. More recently, the Islamic State of Iraq and the Levant (ISIL) took
control of Tabqa (2013) and Mosul (2014) dams, spurring fears the dams would fail and disrupt water
flows and hydropower generation.
To better understand incidents like these, we launched a study to codify, quantify, and conduct a
geospatial analysis of water-related terrorism. Using the Global Terrorism Database, which includes
more than 170,000 terrorism incidents from 1970-2016, we developed a method to codify types of
water-related terrorism. Using this method, we found 675 water-related incidents in 71 countries,
conducted by 124 known terrorist organizations, and resulting in approximately 3,400 dead or wounded
people. Contrary to the belief that terrorists typically use water as a weapon, we found that the most
common target of water-related terrorism was water infrastructure: the pipes, dams, weirs, levees, and
treatment plants associated with water storage, treatment, and delivery. Terrorists target infrastructure
to inconvenience government authorities, influence populations, and cripple corporations.
On the Rise, But Not Everywhere
While water-related terrorism is not new, it is on the rise, increasing 263 percent from 1970 to 2016,
according to our analysis. The highest concentration of incidents—68 percent—occurred in the post-
9/11 era, while 18 percent took place during the Cold War period and 13 percent in the post-Cold War
period.
AT – Water Not Key/Alt Causes
Water infrastructure uniquely vulnerable due to outdated protocols

Common vulnerabilities in the water supply industry
Historically, business and SCADA networks were separate. Even if a utility owner recognised the value of
integrating SCADA data into their strategic decision-making support systems, limitations in network
topologies made integration difficult. Older SCADA systems relied heavily on serial connectivity and very
low frequency radio communications that could provide enhanced range and partial line-of-sight
connectivity, none of which supported standard internet protocol (IP) connectivity desired by business
networks (Panguluri et al. 2011). This virtual isolation has led to a false sense of security by many SCADA
system administrators. Increasingly, however, SCADA and business networks of most medium-to large-
scale PWSs are inter-connected to provide integrated operation. If such integration is not secured, it will
generally lead to greater vulnerability; this is very important to the water sector because it is thought to
lag behind most other CIs in securing its control systems (Baker et al. 2010; Weiss 2014). The top five
areas of common security gaps in water supply are: (1) network configurations, (2) media protection, (3)
remote access, (4) documented policies and procedures, and (5) trained staff.
[Note – SCADA = Supervisory Control and Data Acquisition, PWSs = public water supplies]
Operational technology and industrial control systems are uniquely vulnerable

Culafi, TechTarget security news writer, 21
[Alexander, 03-09-2021, TechTarget, “After Oldsmar: How vulnerable is US critical infrastructure?,”
https://searchsecurity.techtarget.com/feature/After-Oldsmar-How-vulnerable-is-US-critical-
infrastructure, Accessed 06-28-2021, CBM]
Critical infrastructure and cybersecurity
Oldsmar's water treatment plant falls under the umbrella of critical infrastructure, a term that refers to
assets and systems necessary for the proper functioning of a society. Critical infrastructure facilitates the
economy, public safety and public health; it can account for water, power, internet, heating, military,
transportation and much more.
In terms of cybersecurity, specialized technology is used to support critical infrastructure -- both

hardware and software. Some of this technology is connected to the internet and, as such, attacks
against critical infrastructure occur with sometimes far-reaching results.
While industrial cybersecurity and critical infrastructure are technically separate spaces, there is
significant overlap between the two because of the amount of industrial technology used by critical
infrastructure organizations.
Common terms used here are operational technology, the overall category of technology that regulates
the performance of kinetically operating machinery; industrial control systems (ICS), a segment of OT
that includes individual systems that support specific industrial and critical functions; and SCADA,
software used primarily for process control and data collection in OT environments such as Oldsmar's
water treatment facility.
The physical equipment that falls under the OT umbrella is extremely diverse. It can include the SCADA
system used to change the chemical levels at Oldsmar's water treatment plant, industrial manufacturing
automation systems and the equipment responsible for an electrical grid's power distribution, to name a
few.
All of these systems are vulnerable to cyber attacks and, unfortunately, the nature of expensive
industrial systems -- where hardware is often purchased to last for decades rather than years -- results in
difficult-to-eliminate security issues.
Grant Geyer, chief product officer at industrial cybersecurity vendor Claroty, called this problem one of
two fundamental issues in OT security. The other, he said, is a culture used to having air-gapped
environments that are completely disconnected from the internet.
"With continued digital transformation initiatives, what we see happening is that these highly vulnerable
components that were never secured by design are both at risk technologically and also at risk because
personnel don't know how to secure them," Geyer said. "And so, while organizations are certainly
catching up, they're far behind where their counterparts are within IT."
Ben Miller, vice president of professional services and R&D at industrial cybersecurity vendor Dragos,
said that while the overall security posture in ICS/OT is getting better, it's nowhere near traditional IT.
"They still have a long way to go. Are they getting better? Yes. They are also positioning security so
there's a lot of different angles -- there's a lot of investment and improvement -- but there's a long way
to go. I think it's fair to say they're a good 10 to 15 years behind where the traditional IT security
community is," he said.
It's perhaps because of these issues and the increasing sophistication of threat actors that ICS/OT
attacks are increasing. According to Dragos' "2020 Year in Review" report, ICS threats grew threefold in
2020.
AT – Hype
Can’t take the risk – resiliency planning like the aff prevents authoritarian state
responses to terrorism
Kerttunen, Tallinn University of Technology Centre for Digital Forensics and Cyber
Defence Senior Research Scientist, 20 (Mika, Chapter 12 CYBERTERRORISM A Schrodinger s cat in
ROUTLEDGE HANDBOOK OF INTERNATIONAL CYBERSECURITY Edited by Eneken Tikk and Mika
Kerttunen, p. 170-71, sbl-gdi21)
Cyberterrorism is a conceptual construction. We have fortunately not yet witnessed death and physical
destruction through digital means. Intimidating people and influencing opinion is as yet a reality beyond
the usual accounting of inter alia recruitment, communication, and training. Therefore, we should not
wait for death and destruction to occur before taking action. Most importantly, we should better
acknowledge the public and political influence on-line terrorism has upon us.
Cyberterrorism can indirectly threaten international peace and security. By inciting hatred and harsh
responses, it deteriorates bilateral relations, regional stability, and domestic peaceful conditions. It
escalates in-built tensions and latent and on-going conflicts. When cyberterrorism is attributable to a
foreign government, it is likely to threaten international peace and security without such conditioning
public factors.
Measures to counter cyberterrorism are primarily designed to solve technical, societal, and national
challenges. These measures indirectly strengthen international peace and security. Normative,
organizational, and technical measures reduce vulnerabilities against several types of threat actors,
vectors, and vulnerabilities, including unintentional incidents and insider threats.
As the UN Security Council (2014) has reaffirmed, universal adherence to and implementation of the
rule of law, as well as emphasis on the vital importance it attaches to promoting justice and the rule of
law as an indispensable element for peaceful coexistence and the prevention of armed conflict.
Strengthening international peace and security, adherence to rule of law, respecting human rights and
supporting sustainable development goals help to prevent and root out terrorism. Enhancing domestic
resilience and improving incident management and forensic and attribution capabilities, prevents
terrorism from achieving its destructive and transformative objectives and avoid false attribution,
thus reducing the most probable causes of terrorism threatening international peace and security.
Export controls created to prevent the acquisition of weapons of mass destruction and advanced
conventional armament need to include ICT systems, equipment, and software but also capability
elements that help design cybertools to penetrate, weaken or defeat governmental, corporate and
individual information security.
Imposing intrusive restrictions and law enforcement measures may appear a good option for many
governments. However, since terrorism tries to provoke the hardening of political and social attitudes,
harsh measures should be applied with caution. Export controls can be seen as unjust and increase
national insecurity. Terrorizing on-line messaging and incitement needs to be disrupted but mainly to
prevent societal radicalization and a cycle of revenge.
The Baader-Meinhof/Rofe Armee Fraktion was a group that tried to provoke the Federal Republic of
Germany into class struggle and revolution in the 1970s. With the help and exploitation of social media,
contemporary terrorists are far more successful in manipulating domestic and global attitudes — often
harshly reactionary rather than supportive of terrorism. Extraordinary powers and non-transparent
security measures degrade the liberal order and modern way of life that terrorists of all colour despise.
By restricting our preferred way of life, and by limiting individual freedoms, we are polarizing our
societies. We are also fos- tering a world order of difference and intolerance, a world order of fear and
hatred, where international peace and security easily becomes exposed, vulnerable, and breached.
It’s mostly sheer luck that the worst-case scenarios haven’t happened yet
Wedell, USA Today investigative reporter and Meyer, USA Today domestic security
respondent '21
[Katie Wedell is an investigative reporter for USA today and Josh Meyer is a veteran correspondent
focusing on domestic, national and global security issues, including terrorism, extremism, cybersecurity
and transnational criminal organizations, 6-22-2021, USA Today, "Dam releases, bank failures and
poisoned water: Cyber pros warn worst cases are possible," https://www.usatoday.com/in-
depth/news/2021/06/22/colonial-pipeline-jbs-ransomware-attacks-cybersecurity-fears/7547655002/,
Rather than risk a spill or other pipeline disaster after a ransomware attack last month, operators of an
East Coast pipeline shut it down, leaving millions waiting in long fuel lines.
Such close calls ratchet up fears about how vulnerable the nation's infrastructure is to cyberattacks.
Experts said there are more to come and the attacks could be far more devastating unless the United
States girds its critical systems against an onslaught of digital intrusion.
That worst-case scenarios haven't played out already, experts said, comes down to a combination of
luck and the fact that hackers have focused on making quick money using relatively unsophisticated
attacks.
The U.S. Department of Homeland Security identifies 16 "critical infrastructure sectors," vital parts of
everyday life, such as transportation and drinking water, at risk of disruptions that would hurt the
nation's security, health or safety. Last week, President Joe Biden handed a list of the sectors to Russian
President Vladimir Putin and told him they're off limits for cyberattacks.
Think of all the automated systems that people rely on every day, said Paul Rosenzweig, who formerly
worked on cybersecurity policy for Homeland Security: "Traffic lights for our cars, natural gas for our
houses, water for our homes, clean water and sewage, electricity to power our houses, our metro rail
systems that many of us use."
All of those systems can be hacked, he said.

Therein lie the worst-case scenarios, said Tatyana Bolton, a former Homeland Security official who led
development of strategies for strengthening U.S. cybersecurity.
"If any of (these industries) are attacked and taken offline, it would create massive repercussions across
the United States," she said.
Despite repeated warnings, she said, cybersecurity in these critical sectors hasn't improved much.
"You can look back at videos and events and papers from 10 years ago," Bolton said. "And the
arguments that we were making then are the arguments we're trying to make now, which shows you
how little focus we've gotten from Congress and support from the administration in terms of resources
and funding and people."
Cybercrime has changed---now is key

Fitch Wire, Press Release, ‘21
(Fitch Ratings, provider of credit ratings, commentary, and research, 6/9/21, FitchRatings, “Public
Infrastructure Cyberattacks May Pose Broad Financial Risk”, https://www.fitchratings.com/research/us-
public-finance/public-infrastructure-cyberattacks-may-pose-broad-financial-risk-09-06-2021, Accessed
6/30/21, MLiao)
The trend of global cybercrime has been undergoing a metamorphosis in the past two years. Criminals
are now more focused on pivoting from the direct theft of data to disrupting critical operations using
ransomware and exfiltrating information. Making systems more resilient to evolving cyberattacks
requires ongoing and robust capital investment in digital defenses to ensure operational security and
physical safety. Employee and management vigilance remains an important guard against cybercrime.
Remote work and the use of technology in the operation of public critical infrastructure has created new
cyber challenges and vulnerabilities. Service and safety were not jeopardized in the recent attacks on
the Metropolitan Transportation Authority of New York (transportation revenue bonds rated
'A-'/Negative) and the Massachusetts Steamship Authority (not rated by Fitch), but the breaches pointed
to the need for robust digital security.
Water infrastructure cyber high risk and uniquely vulnerable

Alabi, Federal University of Technology Senior Researcher, et al., 20
(Michael, Arnesh Telukdarie, Professor of Engineering Management at the University of Johannesburg,
Nickey Jansen Van Rensburg, Researcher in Mechanical Engineering Science Department at the
University of Johannesburg, American Society for Engineering Management, “CYBERSECURITY AND
WATER UTILITIES: FACTORS FOR INFLUENCING EFFECTIVE CYBERSECURITY IMPLEMENTATION IN WATER
SECTOR”, pg. 2, https://www.researchgate.net/profile/Alabi-Omotayo-
2/publication/349849423_CYBERSECURITY_AND_WATER_UTILITIES_FACTORS_FOR_INFLUENCING_EFFE
CTIVE_CYBERSECURITY_IMPLEMENTATION_IN_WATER_SECTOR/links/6043c4fca6fdcc9c781ac923/CYBE
RSECURITY-AND-WATER-UTILITIES-FACTORS-FOR-INFLUENCING-EFFECTIVE-CYBERSECURITY-
IMPLEMENTATION-IN-WATER-SECTOR.pdf
It is obvious that cybersecurity challenges have the potential to become one of the defining issues of the
21st century. Of recent, many water industries are increasingly incorporating emerging digital
technology into their day-to-day routine operations and as a result of this, there is an increase in water
utilities vulnerability to cyberthreats (Clark et al, 2016.). One of the challenges of cybersecurity in the
water utilities is the potentials of the cyber criminals exploiting antiquated computer systems to have
access to the water valve and flow operations and manipulate the flow of water and amount of
chemicals used for water treatment. The cyber attackers gain access to customer data through the
water company’s online payment system. The cyber attackers gained administrator credentials and find
their ways laterally through the water network (Germano, 2019). There are many unique challenges
facing the water industry in the area of cybersecurity and implementation of security countermeasures.
Some of the key challenges of cybersecurity in the water utilities are (Panguluri et al, 201 la.): 1)
Exponential increase of interconnected business operations and control system networks; 2.) Multitude
of cross-sectors cybersecurity standards; 3). Substantial variation of proprietary industrial control
equipment and; 4). The differences in the equipment vendor’s approaches to meet the security
standards. The various challenges mentioned can be met through voluntarily choosing and adopting
appropriate security standards, performing a gap analysis and conducting vulnerability or risk analysis,
and ensuring necessary countermeasures that meets the security and the water industry requirements
(Panguluri et al, 2011a).
AT – Fear Turn
Communicating about cyberterrorism in forums like debate reduces fear, alongside

advocating for resiliency solves militancy
Gross, University of Haifa political science professor, et al, 17 (Michael L., Daphna Canetti
and Dana R. Vashdi, School of Political Science, The University of Haifa, Mt. Carmel, Haifa, Israel,
“Cyberterrorism: its effects on psychological well-being, public confidence and political attitudes”,
Journal of Cybersecurity, 3(1), 2017,49-58, doi: 10.l093/cybsec/tyw018,
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5370589/, accessed 7/2/21, sbl-gdi21)
Lessons gleaned from successful (and unsuccessful) efforts to improve disaster preparedness [49-53]
suggest that the government, the private sector and the academic community should effectively
communicate the risks of cyberterrorism and take steps that will help instill effective cybersecurity
practices. Furthermore, if individuals feel they can communicate their concerns to their government
and the authorities are attentive (i.e. citizens have a sense of political efficacy) then threat perceptions
may be reduced (Canetti et al., un- published work [54]). These efforts are intertwined. Providing
cybersecurity depends, in part, upon securing compliance with cybersecurity measures. Compliance, in
turn, depends upon how accurately the public assesses the risk of cyberattacks and upon how
successfully government and private agencies communicate cyber risks and the precautions that
individuals must take.
To secure computer systems, we draw attention to the many programmes in schools and businesses to
impart the knowledge and skills individuals need to maintain personal cybersecurity. Currently, it is our
impression that the only evaluation tool is per- formative, i.e. how well end-users master and adopt the
necessary skills to protect their online assets (e.g. recognizing malware, changing passwords, updating
firewalls). To fully assess the benefits of these tools, further research is required to understand how
these educational and intervention programmes might impart the fear/ stress reducing skills to cope
with cyberterrorism and to improve resiliency, i.e. withstand adverse psychological effects of
cyberterrorism, overcome feelings of vulnerability and regain a sense of control. Experience with
kinetic terrorism also points to the benefits of psychological intervention [55], Mitigating the
deleterious effects of cyberterrorism and strengthening resilience may diminish the impact of
cyberterrorism and the chance it will spill over into militancy, kinetic war and protracted conflict.
Generic Infrastructure Vulnerable
Critical infrastructure is at significant risk of attack

Schaffer, Washington Post technology and cybersecurity policy researcher, 21
[Aaron, 6-25-21, The Washington Post, “The Cybersecurity 202: U.S. cybersecurity agency has global
ambitions,” https://www.washingtonpost.com/politics/2021/06/25/cybersecurity-202-us-cybersecurity-
agency-has-global-ambitions/, accessed 6-27-21, AHP]
The document also describes expanding cyber threats targeting U.S. networks with potentially dire
consequences.
“Nation-state adversaries are increasingly looking at critical infrastructure as a battlespace,” the

document warns.
“With adversary threats growing in sophistication and the growing ubiquity and power of tools that can
create significant degradation or possible destruction of American networks and systems, the Nation
faces increased risk and future costs,” it notes.
Cyber protections, meanwhile, haven’t kept up.
“Presently, the Nation has limited capability to assess the degree to which adversaries have successfully
penetrated and exploited U.S. critical infrastructure,” the document warns. “At the same time, we lack
broad visibility into threat activity targeting specific entities, including early and advanced stage activity
where adversary efforts could put critical assets at risk.”
Physical infrastructure is significantly outdated, and digitization poses unique risks.

Culafi, TechTarget security reporter, 21
infrastructure, accessed 06-28-2021, CBM]
The physical equipment that falls under the OT umbrella is extremely diverse. It can include the SCADA
system used to change the chemical levels at Oldsmar's water treatment plant, industrial manufacturing
automation systems and the equipment responsible for an electrical grid's power distribution, to name a
few.
All of these systems are vulnerable to cyber attacks and, unfortunately, the nature of expensive
industrial systems -- where hardware is often purchased to last for decades rather than years -- results in
difficult-to-eliminate security issues.
Grant Geyer, chief product officer at industrial cybersecurity vendor Claroty, called this problem one of
two fundamental issues in OT security. The other, he said, is a culture used to having air-gapped
environments that are completely disconnected from the internet.
"With continued digital transformation initiatives, what we see happening is that these highly vulnerable
components that were never secured by design are both at risk technologically and also at risk because
personnel don't know how to secure them," Geyer said. "And so, while organizations are certainly
catching up, they're far behind where their counterparts are within IT."
Ben Miller, vice president of professional services and R&D at industrial cybersecurity vendor Dragos,
said that while the overall security posture in ICS/OT is getting better, it's nowhere near traditional IT.
Critical infrastructure is in desperate need of protection.

Critical infrastructure companies, including oil and gas, electric power and water, are vulnerable to
cyberattacks due to the rising dependence on automation and remote connectivity in their technology
environments, according to Moody's Investors Service.
These critical infrastructure firms have become a more frequent target of ransomware attacks, as
criminal threat actors see the essential services they provide as leverage for quick financial payouts,
according to the report. Critical infrastructure providers can little afford to face prolonged disruption, as
witnessed by the disruption following the Colonial Pipeline attack.
Critical institutions like government and healthcare are at a high risk for cyber-attacks.
Scherbina, Brandeis University Finance professor, 06-21-21
[Anna, 06-21-2021, American Enterprise Institute, “Americans need to know the economic truth about
cyber threats,” https://www.aei.org/articles/americans-need-to-know-the-economic-truth-about-cyber-
threats/?
mkt_tok=NDc1LVBCUS05NzEAAAF98QmhpFeTJsLNntRrXN_gqms0piFLqZ5vSEkr8wMrJHzCkxb0tIL6zndAZ
uu0OvRaaS4sQu3QlVyBTCcvMH8lheg6GrJ46QGmEujQrl1PjQ, accessed 06-28-2021, CBM]
As the U.S. economy is becoming increasingly reliant on information technologies, it faces growing
threats from malicious cyber actors. The public was recently reminded of the scope of the threat by the
brazen ransomware attacks against Colonial Pipeline and JBS SA, the world’s largest meat processing
company, with both attacks raising prices and affecting consumers. It is no surprise that these particular
companies were chosen as ransomware targets. In addition to having cash for sizable ransoms, these
types of businesses value operational continuity. Healthcare, government and services sectors, where
disruptions are either life-threatening or critical or both, are more likely to be hit by ransomware
attacks than, say, real estate developers.
COVID makes ransomware attacks more likely—102% increase
Rishi Iyengar, CNN Business India editor and Clare Duffy, CNN Business writer '21
[Rishi Iyengar is the India editor for CNN Business in New Delhi, tasked with covering the country's
rapidly growing economy and the companies looking to cash in on it and Clare Duffy is a CNN Business
writer covering the business of technology and the strategies of Big Tech companies, 6-4-2021, CNN,
"Hackers have a devastating new target," https://www.cnn.com/2021/06/03/tech/ransomware-
cyberattack-jbs-colonial-pipeline/index.html, 6-29-2021, CG]
A major gas pipeline. Dozens of government agencies. A Florida city's water supply. And now, one of
the world's top meat producers.
The last few months have seen a sharp rise in cyberattacks, often disrupting products and services that
are key to our everyday lives. Many of those attacks have used ransomware, a set of tools that lets
hackers gain access to computer systems and disrupt or lock them until they get paid.
Ransomware is not new. But there is a growing trend of hackers targeting critical infrastructure and
physical business operations, which makes the attacks more lucrative for bad actors and more
devastating for victims. And with the rise of remote work during the pandemic, significant vulnerabilities
have been revealed that only make it easier to carry out such attacks.
The US Department of Justice in April created a ransomware task force, after declaring 2020 the "worst
year ever" for extortion-related cyberattacks. The issue only seems to be getting worse: The first half of
2021 has already seen a 102% increase in ransomware attacks compared to the beginning of last year,
according to a report from cybersecurity firm Check Point Software. That doesn't even factor in the most
recent events, including the announcement Wednesday from a ferry operator in Martha's Vineyard,
Cape Cod and Nantucket that it was hit by a ransomware attack.
The US government is now ratcheting up efforts to address the threat of ransomware, but experts warn
that without significant cooperation and investment from the private sector, these attacks are likely
here to stay.
Water Attacks Scenario
Scenario – Water Attacks
An attack on the water supply risks contamination and disruption – wreaking havoc on
public health and services
Maiolo, University of Calabria Professor of Hydraulic Constructions, et al., 18
[Mario, Daniella Pantusa, Environmental Engineering PhD, Hamidi Aziz, Professor of Environmental
Engineering, 04-01-2018, Cogent Engineering, “Infrastructure Vulnerability Index of drinking water
systems to terrorist attacks,” https://www.tandfonline.com/doi/full/10.1080/23311916.2018.1456710,
accessed 06-27-2021, HSP]
Regarding water systems they are vulnerable to both manmade and natural threats including, e.g.
earthquakes, flood, droughts, terrorist attacks. Safe drinking water is central to the life of an individual
and of society; a drinking water contamination incident or the denial of drinking water services would
have far-reaching public health, economic, environmental, and psychological impacts. Other critical
services such as fire protection, healthcare, and heating and cooling processes would also be disrupted
by the interruption or cessation of drinking water service, resulting in significant consequences to the
national or regional economies (Department of Homeland Security & US EPA, 2015). Therefore, the issue
of the security and risk assessment of such systems is of increasing importance. In this context,
numerous definitions exist for the variables of interest in a risk assessment study. These variables
include: event or threat, outcome, scenario, exposure, vulnerability, consequences, risk.
Regarding vulnerability, Ezell (2007) argues that a relationship emerges from the literature between
vulnerability and risk. Vulnerability highlights the notion of susceptibility to a scenario whereas risk
focuses on the severity of consequences to a scenario. As described in Thomas (2006), the National
Water Resource Association, NWRA (2002) defines a vulnerability assessment as the identification of
weaknesses in security, focusing on defined threats that could compromise the ability to provide a
service, while National Oceanic and Atmospheric Administration (2002), defines vulnerability as the
susceptibility of resources/assets to negative impacts from threat events. Hence, a vulnerability
assessment accounts for the assets that could deter or defray unwanted outcomes from an event and
for their susceptibility to failure. Vulnerability is defined by Haimes and Horowitz (2004) to be the
manifestation of the inherent states of a system (e.g. physical, technical, organizational, and cultural)
that can be exploited by an adversary to cause harm or damage. Copeland (2010) identifies the most
likely “vulnerable” water systems to be the relatively small number of water systems serving the largest
populated cities in the country.
The terrorist events of recent years have increased the attention on the safety aspects of water
infrastructure. In the United States, just after September 11, 2001, the United States Congress approved
a series of acts pertaining to vulnerability assessments to assess potential threats to such systems and to
identify corrective actions. Over the years various vulnerability assessment methodologies and tools
were developed and several studies were conducted on this issue by various institutions not only in USA
but worldwide (APWA, AMWA, NACWA, & WEF, 2007; Centre for European Reform [CER], 2005; HSPDs,
2002; Istituto Superiore di Sanità, 2005; US EPA, 2003, 2007, 2009, 2010).
Water systems are vulnerable to a range of intentional threats including contamination, damaged or
sabotaged through physical destruction and cyber attack.
Consequences of a water contamination can be significant. A contamination event in a water system can
adversely affect the people, the businesses, and the community it serves due to fear, loss of water
service, significant economic costs for decontamination and recovery, and the magnitude of adverse
public health effects (Clark & Hakim, 2014).
Physical damage has consequences mainly related to the interruption of service and may also cause
large economic harms. Vulnerable characteristics of water systems include their physical attributes, e.g.
reservoirs, tanks, and pump stations. In addition to physical attributes, a water utility’s SCADA could be
vulnerable to cyber attack, for example, turning pumps on or off, filling or emptying tanks
inappropriately, or causing water hammer events (Clark & Hakim, 2014).
Contamination risks poisoning millions

Weddell, USA Today investigative reporter, & Meyer, USA Today veteran
correspondent, 21
[Katie Wedell is an investigative reporter for USA today and Josh Meyer is a veteran correspondent
focusing on domestic, national and global security issues, including terrorism, extremism, cybersecurity
and transnational criminal organizations, 06-23-2021, USA Today, “How vulnerable is US to hacks?;
Worst-case scenarios could be devastating,” Nexis, accessed 06-26-2021, HSP]
Experts said the scariest scenarios involve a hacker either purposefully or inadvertently changing the
operations of an industrial control system, such as that for a pipeline, a dam or a water works.
Such an intrusion could lead to prolonged outages, destroy infrastructure and even kill.
When Iranian hackers broke into the computer system that controls the Bowman Avenue Dam in Rye
Brook, New York, in 2013, they snooped on passwords and usernames but didn't seize control of the
computerized floodgates, which were disconnected for maintenance.
They proved they could sneak into critical infrastructure systems and hijack any one of hundreds of
flood control systems in the USA, sending potentially fatal floods toward downriver cities, or wipe out
hydro-electric power and water supplies to millions.
Sen. Chuck Schumer, D-N.Y., called it a wake-up call in 2015 when revelations about the breach became
public. The nation's critical infrastructure is vulnerable to criminals and needs to be strengthened, he
said.
"This cyberattack surely serves as a bucket of ice water to the face," Schumer said.
But it didn't.
Colonial shut down its pipeline out of an abundance of caution. Hackers locked up the company's
corporate computer system - possibly affecting email, billing and payroll. The criminals did not access
the computer system that controls the flow of fuel through more than 5,000 miles of pipeline, but the
company was worried that system might not be completely separate, experts said.
"Imagine loss of control of the pipeline itself and what could have resulted," said Mark Ostrowski, head
of engineering for the East Coast at Check Point Software Technologies.
Water
An intrusion into the Oldsmar, Florida, water system in February highlighted vulnerabilities in the water
treatment industry.
A hacker broke in through remote access software and briefly increased the amount of sodium
hydroxide from 100 parts per million to 11,100 parts per million. Sodium hydroxide, also called lye, can
cause irritation, burns and other complications in too large quantities.
A supervisor noticed the tampering - he could see the intruder moving a cursor across the screen,
changing settings - and intervened immediately to reverse it. The city said sensors and other safeguards
would have caught the problem. Oldsmar, a city of 15,000 residents, is about 15 miles northwest of
Tampa.
In March, the Justice Department accused a former Kansas utility worker of remotely tampering with a
public water system's cleaning procedures. Last week, NBC News reported that a hacker in January tried
to poison an unnamed water treatment plant serving parts of the San Francisco Bay Area.
"If you're a state actor or a highly integrated or networked group of hackers, Black Hat hackers, you can
mess with the chlorine levels in your water or the arsenic levels in your water and poison the entire New
York City water supply overnight," Bolton said. "New York City wakes up, everyone has a glass of water
in the morning or cooks something with water in the morning - and you poison millions of people."
Attacks Impact – Poisoning
Cyberattacks on water infrastructure risk water poisoning

Boerner, Chemical & Engineering News associate editor 21
[Leigh Krietsch Boerner is a associate editor at C&EN who has a BS in Biology, a BA in Chemistry, and a
Ph.D. in Inorganic Chemistry, all from Indiana University, 2-12-2021, Chemical & Engineering News,
"How a water treatment plant hack could have affected a Florida town’s water,"
https://cen.acs.org/environment/water/water-treatment-plant-hack-affected/99/web/2021/02,
Last Friday, an employee at a small water treatment plant in Oldsmar, Florida witnessed an attempted
cyber attack, in which an unknown person gained access to the plant’s computer system and increased
the concentration of sodium hydroxide—also called lye—in the city’s drinking water supply to
potentially dangerous levels, Pinellas County Sheriff Bob Gualtieri said in a press conference. The
operator at the plant immediately noticed the change and returned the levels of the caustic substance
to normal. The FBI is investigating the attack. No suspects have yet been named. C&EN asked experts to
explain the potential consequences of high lye concentrations in drinking water.
The strong base sodium hydroxide (NaOH) is commonly used in water treatment plants to keep the pH
of drinking water in check, since acidic water can corrode pipes and leach toxic chemicals, such as lead,
out of the pipes and into the water, says Susan Masten, a civil and environmental engineer at Michigan
State University. NaOH is caustic and in high concentrations can cause chemical burns to the skin or
internal corrosive damage if ingested. It’s uncertain that the water would have been harmful to the
public had it been released, says Haizhou Liu, a chemical and environmental engineer at the University
of California, Riverside. There are multiple steps to treating water so it’s safe to drink, and NaOH can
potentially be used at a number of points in the process, he says, including right before the water is
released for distribution. Gualtieri said in the statement that had the operator not noticed the change,
the tainted water would not have reached the public, since the pH of the water is checked multiple
times before being released.
Gualtieri said that the hacker changed the NaOH level from 100 ppm to 11,100 ppm. But all three water
experts that spoke to C&EN say it’s impossible to calculate what the pH of the water would have been
after that increase, as they don’t know the stage of treatment where the increase was applied, the flow
rate of the water at that stage, the release rate of the NaOH, or if the 11,100 ppm NaOH concentration
reported by Gualtieri refers to the concentration of the solution being added or the target concentration
for the drinking water. Because of the ongoing FBI investigation, Oldsmar assistant city manager Felicia
Donnelly would not answer questions about the town’s water treatment process or the stage of
treatment the hacker targeted.
Most municipal drinking water has a pH around 7.5, Liu says, although Masten points out it can be as
high as 9. Up to a pH of around 10 or 11, it’s unlikely that people turning on the tap would have noticed
a difference, Liu says. “It still looks like clean water. There’s no color in it,” although it might taste
somewhat different, he says. Two past incidents of accidental NaOH release into drinking water resulted
in drinking water with a pH of around 12. In both cases, people exposed suffered skin burns and
gastrointestinal distress. However, exposure to lower NaOH concentrations may have effects after
repeated or prolongued exposure, according to the Agency for Toxic Substances and Disease Registry.
Increasing the water’s pH could also cause the chlorine disinfectants added at the plant to be less
effective, Masten says. And it could lead to contamination beyond metal leaching, says Susan
Richardson, analytical environmental chemist at the University of South Carolina. A high pH could cause
bacterial biofilms that build up inside the pipes to release into water. Most of the harmful
microorganisms in biofilms are killed when the water is disinfected, she says, but biofilm breakdown
could increase microbial concentrations, and if disinfection effectiveness is reduced, harmful microbe
levels might increase in the water supply.
Attacks Impact – System Integrity
Water infrastructure hacks risk multiple impacts – including shutdowns and other
threats to system integrity
Common vulnerabilities in the water supply industry
Historically, business and SCADA networks were separate. Even if a utility owner recognised the value of
integrating SCADA data into their strategic decision-making support systems, limitations in network
topologies made integration difficult. Older SCADA systems relied heavily on serial connectivity and very
low frequency radio communications that could provide enhanced range and partial line-of-sight
connectivity, none of which supported standard internet protocol (IP) connectivity desired by business
networks (Panguluri et al. 2011). This virtual isolation has led to a false sense of security by many SCADA
system administrators. Increasingly, however, SCADA and business networks of most medium-to large-
scale PWSs are inter-connected to provide integrated operation. If such integration is not secured, it will
generally lead to greater vulnerability; this is very important to the water sector because it is thought to
lag behind most other CIs in securing its control systems (Baker et al. 2010; Weiss 2014). The top five
areas of common security gaps in water supply are: (1) network configurations, (2) media protection, (3)
remote access, (4) documented policies and procedures, and (5) trained staff.
A hacker, depending on motive and objectives, may try to extract information (data) to further develop
attacks or sell the information for gain. In terms of water systems, an objective may be to cause public
distrust or fear, the hacker may attempt to deny access to the system and/or destroy equipment.
Hackers will often change files to cover their tracks to be undetectable. Cyber-impacts may also have
process impacts depending on the process and system design. For instance, if attackers change database
parameters in the real-time database (impacts system integrity), they could turn on pumps potentially
causing a tank to overflow as illustrated by the successful attack against the wastewater treatment plant
in the Maroochy Shire in Queensland, Australia (Panguluri et al. 2004; Janke et al. 2014; Weiss 2014).
[Note – SCADA = Supervisory Control and Data Acquisition, PWSs = public water supplies]
Attacks Impact – Flooding, Shortages
Damage to water infrastructure results in catastrophic flooding and less drinking

water.
America’s Drinking Water Infrastructure Safer Four Years Later?”, Volume 24, Issue 2, pg. 364, MLiao)
A successful terrorist attack on drinking water supplies could cause dramatic public health and safety
consequences. 30 Approximately 265 million Americans rely upon public water systems regulated under
the SDWA to provide a safe, reliable, and affordable source of drinking water everyday. 31 Significant
numbers of people could be exposed initially, and perhaps secondarily, before an attack on drinking
water supplies involving clandestine biological (or certain chemical) contaminants is even suspected.32
In addition, destruction of or damage to water infrastructure components could result in catastrophic
flooding, loss of life, damage to the natural environment, and less availability of water for consumers
and essential services. 33 Both water quality and quantity could be put in serious jeopardy from a
terrorist attack on water infrastructure systems. 34 Thus, public health could be severely impacted by
contaminating or disrupting this country's flow of drinking water.
Attacks Impact – Disease
Hacking water utilities can control chlorination and cause cholera or dysentery
downstream
What keeps you up at night?
The decentralized nature of the U.S. water industry has left policymakers with a dilemma. Cybersecurity
for water treatment and supply networks is only loosely monitored at the federal level and is often
ignored by state utility commissions that may have limited cybersecurity expertise and tend to focus on
water quality.
"Water cybersecurity is not on everyone's — or certainly not every commissioner's — radar screen,
although I've tried to make it that way," said Mary-Anna Holden, a commissioner on the New Jersey
Board of Public Utilities.
In many emergency planning exercises, it isn't the lack of electricity that triggers chaos and widespread
casualties. It's the lack of clean water that forces people from their homes.
"Nobody thinks about wastewater systems until they break," said Holden, who chairs the Committee on
Water at the National Association of Regulatory Utility Commissioners.
New Jersey is one of the few states to have taken any regulatory action on the issue of water security.
It's required utilities to report cyber events to state environmental officials and directed regulated
utilities to include cybersecurity in risk management plans.
"If someone's hacked into the operational network and can control chlorination, do something to the
[wastewater] digesters or can get control of the wastewater plant, that's the thing that keeps me up at
night," Holden said. "You could cause cholera or dysentery downstream, which could be a major city.
How do you counteract that?"
In New York, staff members from the Department of Public Service conduct "frequent and regular audits
of company defenses" against emerging cyberthreats, according to a spokesman. The agency conducts
annual reviews of water companies' cybersecurity plans and is weighing data security requirements for
certain firms that receive sensitive personal and billing information from water, electric and gas utilities.
Water attacks lead to disease spread

UNICEF, UN agency, 21
[UNICEF, 05-21-2021, UNICEF, “New UNICEF Report Highlights Scale and Impact of Attacks on Water and
Sanitation Facilities on Children in Conflict-Affected Countries,” Nexis, accessed 06-26-2021, HSP]
Attacks on water and sanitation facilities and workers in conflicts around the world continue to put the
lives of millions of children at risk and deny children and families access to critical water and sanitation
services, UNICEF warned today.
In the 9 countries* highlighted in Water Under Fire Volume 3: Attacks on water and sanitation services
in armed conflict and the impacts on children - including countries across the Middle East, Africa, Asia
and Europe - almost 48 million people, including children, are estimated to need safe water and
sanitation services.
Protecting water and sanitation services is critical to the survival of millions of children. In fragile
countries, children under the age of five are 20 times more likely to die due to diarrheal diseases than to
violence, and children in extremely fragile contexts are often more than eight times worse off across
water, sanitation and hygiene indicators than children born into stable and protected environments.
"Access to water is a means of survival that must never be used as a tactic of war," said UNICEF Director
of Emergency Programmes Manuel Fontaine. "Attacks on water and sanitation infrastructure are attacks
on children. When the flow of water stops, diseases like cholera and diarrhoea can spread like wildfire,
often with fatal consequences. Hospitals cannot function, and rates of malnutrition and wasting
increase. Children and families are often forced out in search of water, exposing them, particularly girls,
to an increased risk of harm and violence."
The report examines the immense impact on children and families when water and sanitation
infrastructure are attacked, damaged or destroyed, controlled or otherwise restricted in countries
besieged by armed conflict. It highlights that children's access to water has been threatened in nearly
every conflict-related emergency where UNICEF is responding.
Attacks Impact – Everyday Life
Cyber attacks can happen to anyone – Our lives are dependent on hackable items
Kenny, CNN writer and producer and Brown, CNN anchor and correspondent '21
[Caroline Kenny is a writer and producer for CNN, working with anchor Pamela Brown on CNN
Newsroom and Pamela Brown is a CNN anchor and senior Washington correspondent, 6-27-2021, CNN,
"Greater focus on defense of critical infrastructure against cyber attacks is needed, says cyber agency
chief," https://www.cnn.com/2021/06/27/politics/brandon-wales-cyber-security-cnntv/index.html,
In the wake of the Colonial Pipeline and JBS ransomware attacks in recent months, the head of the
nation's leading cybersecurity agency says these events are a harbinger of what's to come on the cyber
front and there needs to be a greater focus on shoring up the defenses of America's most important
assets.
"Both of those incidents highlight the actual real world consequences of cyber incidents, targeting our
critical infrastructure. And while today those attacks have impacted Americans at the gas pump and at
the supermarkets, our concern is where could this go next," Brandon Wales, the current acting director
of the Cybersecurity and Infrastructure Security Agency, told CNN's Pamela Brown in an interview.
While attacks like the ones on JBS and Colonial Pipeline are not new, they have increased in recent
years, according to Wales, and they're bolder than ever -- leading criminal attackers to look for bigger
targets for more ransom money, including targets that have real world consequences.
"We are concerned about where this could go in the future," Wales said. "I think our concern is that
more targeting of the industrial control systems, those things that actually enable critical infrastructure
to operate -- whether in water systems or power systems, the manufacturing base of the country --
those are targets, and unless we take urgent action, we are really concerned about the disruptive effects
that this could have on the American people."
Both JBS and Colonial Pipeline paid ransoms to their criminals to unlock their systems, but Wales
warned about the danger of such moves for the country as a whole.
"It has both short and long term impacts for the cybersecurity of the country and for the potential of
cybersecurity for those individual companies," Wales said. "A recent study found that 80% of companies
that have paid ransom have been hit again. And so the adversaries know that they are a target who's
willing to pay."
Why Americans should care
No company is too big or too small to fall victim to a ransomware attack, Wales said, and he advised all
companies and organizations to take steps to shore up their cyber defenses. Part of CISA's job is to not
only ensure that critical infrastructure is protected but to also help groups take steps to better enhance
their cybersecurity.
While a cyberattack may seem like a far-off idea for many, Wales said the number of potential victims "is
almost endless."
"We have seen ransomware target large companies and small multinational corporations and mom and
pop shops, nonprofit organizations, almost anyone who's operating an internet enabled business in the
United States is potentially vulnerable," Wales said. "We need to be doing more every single day to
make sure that no adversary can execute an attack that causes such catastrophic effects."
He said Americans' daily lives are intrinsically connected to cyber and therefore vulnerable to attack.
"If it's not 100% for most people, it's probably pretty close," Wales said. "You can just imagine, you get
up in the morning and you try to turn on your lights and they don't come on, you try to brush your
teeth, and the water is not, it's not there, it's not clean. You try to log on to check your email and it's not
working, you can't execute a financial transaction, because critical infrastructure in this country has
been compromised in some way by a cyber incident."
\
Water Scarcity Brink
Water shortages likely now – climate has pushed the system to the brink
Watts, Guardian Global Environment Editor '18
[Jonathan Watts is the Guardian's global environment editor who previously served as correspondent in
Japan (1996-2003), China (2003-2012) and Brazil (2012-2017), 3-19-2018, Guardian, "Water shortages
could affect 5bn people by 2050, UN report warns,"
https://www.theguardian.com/environment/2018/mar/19/water-shortages-could-affect-5bn-people-
by-2050-un-report-warns, accessed 6-28-2021, CG]
More than 5 billion people could suffer water shortages by 2050 due to climate change, increased
demand and polluted supplies, according to a UN report on the state of the world’s water.
The comprehensive annual study warns of conflict and civilisational threats unless actions are taken to
reduce the stress on rivers, lakes, aquifers, wetlands and reservoirs.
The World Water Development Report – released in drought-hit Brasília – says positive change is

possible, particularly in the key agricultural sector, but only if there is a move towards nature-based
solutions that rely more on soil and trees than steel and concrete.
“For too long, the world has turned first to human-built, or ‘grey’, infrastructure to improve water
management. In doing so, it has often brushed aside traditional and indigenous knowledge that
embraces greener approaches,” says Gilbert Houngbo, the chair of UN Water, in the preface of the 100-
page assessment. “In the face of accelerated consumption, increasing environmental degradation and
the multi-faceted impacts of climate change, we clearly need new ways of manage competing demands
on our freshwater resources.”
Humans use about 4,600 cubic km of water every year, of which 70% goes to agriculture, 20% to
industry and 10% to households, says the report, which was launched at the start of the triennial World
Water Forum. Global demand has increased sixfold over the past 100 years and continues to grow at
the rate of 1% each year.
This is already creating strains that will grow by 2050, when the world population is forecast to reach
between 9.4 billion and 10.2 billion (up from 7.7 billion today), with two in every three people living in
cities.
Demand for water is projected to rise fastest in developing countries. Meanwhile, climate change will
put an added stress on supplies because it will make wet regions wetter and dry regions drier .
Drought and soil degradation are already the biggest risk of natural disaster, say the authors, and this
trend is likely to worsen. “Droughts are arguably the greatest single threat from climate change,” it
notes. The challenge has been most apparent this year in Cape Town, where residents face severe
restrictions as the result of a once-in-384-year drought. In Brasília, the host of the forum, close to 2m
people have their taps turned off once in every five days due to a unusually protracted dry period.
By 2050, the report predicts, between 4.8 billion and 5.7 billion people will live in areas that are water-
scarce for at least one month each year, up from 3.6 billion today, while the number of people at risk of
floods will increase to 1.6 billion, from 1.2 billion.
In drought belts encompassing Mexico, western South America, southern Europe, China, Australia and
South Africa, rainfall is likely to decline. The shortage cannot be offset by groundwater supplies, a third
of which are already in distress. Nor is the construction of more dams and reservoirs likely to be a
solution, because such options are limited by silting, runoff and the fact that most cost-effective and
viable sites in developed countries have been identified.
Water Scarcity Impacts – Disease, Food, Energy, Econ
Water scarcity leads to water-borne illnesses, earthquakes, food and energy

shortages, economic decline, and increase global issues
Vyas, Interesting Engineering Guest Writer '19
[Kashyap Vyas holds a Master’s degree in Thermal Engineering with several research papers to his credit,
3-5-2019, Interesting Engineering, "What Happens When Water Becomes Scarce?",
https://interestingengineering.com/what-happens-when-water-becomes-scarce, accessed 7-1-2021, CG]
Here are some of the crucial effects that we will observe with water scarcity:
How Can the World Get Affected Due to Water Scarcity?
Lack of Access to Clean Water
No access to clean water will make the population exposed to deadly water-borne illnesses. The global
population is growing while the water resources are shrinking every year, which means, an increasing
number of people will face challenges of inadequate water accessibility.
Imbalance of Nature
There are some serious consequences attached to Earth running out of the water. There are various live
examples like California's Imperial Valley, where the rapid groundwater depletion has caused the ground
to dig in more by around 100 feet in the past 100 years.
The environmental scientists have predicted that the sinking terrain (due to the extraction of
groundwater) can lead to increased risk of earthquakes as Earth's crust is becoming lighter day by day.
Food Shortages
The shrinking water resources are gradually making it difficult for food production to keep up with the
increasing demand. If this scenario remains, the day is not far when political turmoil, civil war, and social
unrest will result due to food shortages.
Energy Shortages
With modernization, the need for energy has increased up to a great extent. However, energy
production requires freshwater resources. So, there are good chances of the world facing an energy
shortage if there's no required arrangement done in the future.
Economic Slowdown
The UN has estimated that half of the world's population will shift to the areas of high water stress by
2030. It is next to impossible to have a booming economy if fresh water is unavailable for farming,
industrial as well as individual use.
The production of water-intensive goods like food, car, and clothing could turn out to be limited. It can
further affect productivity due to increased illness.
Lastly, it can also reduce household disposable income due to increased water costs.
Increased Global Issues
The effects of worldwide water depletion will turn out to be appalling for global citizens. The World Bank
Vice President, Ismail Serageldin once predicted that the next century wars will be fought over water.
The conflicts have already begun in the USA where 35 states are fighting over water supplies.
Predicting these issues to happen soon in the near future, Essam Heggy, a research scientist and a part
of USC Viterbi's Arid Climate Water Research Centre finds an emerging need for more water education
across the globe.
He has conducted the study of different countries and the consequences that the people will be facing
because of water scarcity.
It started with Egypt - a country where more than 100 million people reside and have a high illiteracy
rate. What if it runs out of water?
The impact on food availability and prices will be seen in a jiffy. The health and environmental conditions
will worsen even more.
Waterborne Diseases Impact – Antibiotic Resistance
Waterborne diseases are antibiotic resistant and dangerous.

Blasco, et al., University of Valencia Department of Microbiology and Ecology Director,
08
[M.D. Blasco, recipient of a PhD fellowship from the Spanish Government (Ministry of Education),
Department of Microbiology and Ecology at the University of Valencia; C. Esteve, Department of
Microbiology and Ecology at the University of Valencia; E. Alcaide, Department of Microbiology and
Ecology at the University of Valencia, 11 July 2008, Journal of Applied Microbiology, “Multiresistant
waterborne pathogens isolated from water reservoirs and cooling systems,” Volume 105, Issue 2, pg.
473-474, https://doi.org/10.1111/j.1365-2672.2008.03765.x, accessed 7-1-2021]JMK
Discussion
Emerging waterborne pathogens, including L. pneumophila, P. aeruginosa and mesophilic Aeromonas

sp., constitute a major health hazard in both developed and developing nations (Sharma et al. 2003;
French 2005). A new dimension to this global problem is the emergence of antibiotic-resistant strains
belonging to these pathogenic bacteria (Nordmann and Guibert 1998; Overman and Janda 1999;
Nielsen et al. 2000; Jonas et al. 2003; French 2005; Huddelston et al. 2006). The present study reports on
the presence of antibiotic-resistant L. pneumophila, P. aeruginosa and mesophilic Aeromonas sp. strains
in cooling-tower basins and natural aquatic reservoirs.
It has been reported that Legionella species are rather susceptible to many antimicrobial agents (Saito et
al. 1985; Nielsen et al. 2000). However, there is no standard plate method for testing the antimicrobial
susceptibility in Legionella species, with the most commonly employed being both BSYE agar and BCYE
supplemented with a-ketoglutarate (BCYEa) agar (Saito et al. 1985; Pendland et al. 1997). Moreover,
there are no official guidelines for testing the susceptibility of Legionellaceae. The results obtained in our
study showed high levels of susceptibility to antibiotics in L. pneumophila in accordance with other
reports in which BSYE agar has been used as a testing medium (Saito et al. 1985; Pendland et al. 1997).
However, the growth of our environmental L. pneumophila strains was highly inhibited by very low
amounts of erythromycin and fluoroquinolones in contrast to that described for clinical isolates (Nielsen
et al. 2000; Jonas et al. 2003). It should be remarked that our L. pneumophila isolates displayed high MIC
values to trimethoprim ⁄sulphamethoxazole, aztreonam and oxytetracycline, although these
antimicrobials are not currently used to treat L. pneumophila infections.
Our environmental P. aeruginosa isolates, which were from both natural water reservoirs and cooling-
tower basins, presented MAR to the drugs tested. Interestingly, in general, our isolates presented MAR
index values higher than 0Æ5, although no antibiotic-contaminated materials, such as hospital or farm
wastes, are known to be discharged near the sampling points studied. In fact, the species P. aeruginosa
is considered to be naturally resistant to aminopenicillins, amoxycillin plus clavulanate, first- and
second-generation cephalosporins, cefotaxime, ceftriaxome, quinolones, trimethoprim, kanamycin,
chloramfenicol, tetracyclines and nitrofurantoin. Our environmental isolates agree in general with the
natural resistance reported for P. aeruginosa, except for the low resistance percentages observed for
cefotaxime (16Æ6%), kanamycin (83Æ3%), oxytetracycline (25%) and chloramfenicol (63Æ3%).
Moreover, all environmental P. aeruginosa isolates were susceptible to imipenem, ciprofloxacin and
levofloxacine, in contrast to the data reported by other authors, reviewed by Poole (2005). It is
noticeable that most antibiotic resistance data have been obtained from clinical P. aeruginosa strains
(Comite´ de l’antibiogramme de la SFM 1997; Livermore et al. 2001), and so our results demonstrate
that high levels of drug resistance are also found in environmental isolates.
Aeromonas species have emerged over the last decades as waterborne opportunistic pathogens
responsible for gastroenteritis, skin and soft tissue infections in aquatic animals and humans (Gon˜i-
Urriza et al. 2000b). Antibiotic sensitivity of clinical mesophilic Aeromonas has been extensively studied,
but less is known about the environmental strains. Our mesophilic Aeromonas isolates were mostly
resistant to one of the drugs used (83Æ8%), or showed MAR (46Æ4%). MAR index values for these
Aeromonas strains are currently below 0Æ2, as expected for bacterial isolates from nonantibiotic-
contaminated environments (Kruperman 1985). Members of the genus Aeromonas are known to
produce one to three inducible, co-ordinately expressed, and chromosomally encoded b-lactamases,
affording them resistance to some b-lactams (Walsh et al. 1997; Fosse et al. 2003). Regarding this fact,
our mesophilic Aeromonas were mainly susceptible to piperacillin (82Æ6%) and to third-generation
cephalosporines (97Æ4%), which is in accordance with other reports (Ka¨mpfer et al. 1999; Overman
and Janda 1999; Fosse et al. 2003). However, resistance to amoxicillin plus clavulanate (34Æ4%),
oxytetracycline (2Æ48%), and most of the quinolones used was lower than expected (Gon˜iUrriza et al.
2000b; Vila et al. 2002; Fosse et al. 2003;
Huddelston et al. 2006; Jacobs and Chenia 2007). On the other hand, it should be remarked that the
percentages we encountered of both imipenem- and erythromycinresistant Aeromonas are higher than
those previously reported for clinical and environmental Aeromonas isolates (Motyl et al. 1985;
Ka¨mpfer et al. 1999; Gon˜i-Urriza et al. 2000b; Vila et al. 2002; Jacobs and Chenia 2007).
In conclusion, this study demonstrates that antibiotic resistant pathogenic bacteria belonging to P.
aeruginosa and mesophilic Aeromonas species are common in aquatic environments, even in the
absence of any selective pressure. Thus, given the increase in bacterial resistance, the risk of
waterborne diseases caused by domestic and industrial use of freshwater should be re-examined.
Superbugs Impact – Extinction
Superbugs risk extinction---has the same potential as climate change.

Harvey, The Guardian, environment correspondent, 19
[Fiona Harvey, environmental correspondent for the Guardian, 29 April 2019, TheGuardian, “Antibiotic
resistance as big a threat as climate change – chief medic,”
https://www.theguardian.com/society/2019/apr/29/antibiotic-resistance-as-big-threat-climate-change-
chief-medic-sally-davies, accessed 7-1-2021]JMK
The threat of antibiotic resistance is as great as that from climate change, said Dame Sally Davies, and
should be given as much attention from politicians and the public.
“It would be nice if activists recognised the importance of this,” she said. “This is happening slowly and
people adjust to where we are, but this is the equivalent [danger] to extreme weather.”
Davies said efforts to combat the problem of common illnesses becoming untreatable by antibiotic
medicines should be coordinated at a worldwide level in a similar way as the Intergovernmental Panel
on Climate Change, the body of scientists set up in 1988 to tackle global warming.
The IPCC warned last year that climate change would lead to disaster within 12 years if urgent action
was not taken to reverse the growth in greenhouse gas emissions. Davies said the consequences of
antibiotic resistance posed at least as great a threat to humanity’s future, and in the same timescale, but
few efforts had been made to deal with the issue.
“There is not the appetite [among pharmaceutical companies] to develop new medicines,” she said.
“There is a systemic failure. We need something similar to the IPCC.”
She listed a series of problems that the world has allowed to build up, from overuse of antibiotics and a
lack of restraints on prescribing strong medications, to the rampant use of the drugs on animals,
including by farmers for “growth promotion”, as the drugs can make animals put on weight faster. Such
use has been banned in Europe and the US, but is common elsewhere, and even in the EU and US, the
use of strong antibiotics critical to human health is still allowed on animals despite scientific advice to
the contrary.
Davies said she had to be persuaded to regard any use of antibiotics on animals as ethical, given the
potential for overuse leading to increased bacterial resistance. “I do think now they can be used on sick
animals, I have been convinced,” she said. But she is still concerned that antibiotics are vastly overused
in farming, and that this is one of the biggest factors behind the growing problem of resistance. Globally,
by far the majority of antibiotic use is for animals.
Fish farming is also a major concern, said Davies, as the use of antibiotics has been largely overlooked in
that industry. Few areas of farming are free from concern – she noted antibiotics are allowed to be used
in spraying citrus fruit in the US, which she regards as a serious danger.
Davies will leave her post later this year, so will no longer have a government role when post-Brexit
trade deals with the US are likely to be signed. But she made it clear she would continue to speak out
against deals that she viewed as weakening the UK’s protections on antibiotic use. The US has different
rules to the EU on antibiotic use on animals and plants.
A landmark report published on Monday by the the UN’s Interagency Coordination Group on
Antimicrobial Resistance (IACG) recommended stronger rules should be brought in across the world to
prevent the overuse of such medicines on farms, and on people.
Haileyesus Getahun, the director of the IACG, said the threat of antimicrobial resistance was “a silent
tsunami”. He said the public were still largely unaware of the problem, but that it could yet be solved if
people were educated about the dangers. “We are calling for people to come together,” he said. “We
don’t see the effects of it yet, but what is coming will be a catastrophe.”
The report calls for the use of antibiotics as growth promoters in farm animals to be abolished globally,
and for the strongest antibiotics to be reserved for human use. The authors also called for
pharmaceutical companies to “prioritise public good over profit”, because of the market failure that
means developing new drugs, while of enormous public benefit, does not result in companies making
more money.
Another critical issue is sanitation, because the lack of clean water and good sanitation that afflicts more
than 2 billion of the world’s population is fuelling the rise of antibiotic resistance that quickly spreads
around the globe, including to rich countries.
The report found that failing to take urgent action would result in 24 million people being forced into
extreme poverty by 2030, and lead to 10 million deaths a year by 2050.
Economy Scenario
Scenario – Economy
Cyber threats to critical infrastructure are real and growing – potential for cascading
fallout threatens national security, the economy, and lives
In a recent issue of the New York Times, David Lipton and his colleagues reported that Russian
Intelligence had ‘hacked’ the Democratic National Committee in an attempt to influence the US
Presidential Election (Lipton et al. 2016). Clearly, challenges related to cyber-security have the potential
for becoming one of the most significant issues in the 21st century. In 2009, Barack Obama, President of
the United States (US) declared cyber threats to be among ‘the most serious economic and national
security challenges we face as a nation’ and stated that ‘America’s economic prosperity in the 21st
century will depend on cyber-security (Obama 2009)’. In January 2012, the US Director of National
Intelligence testified before the Subcommittee on Oversight, Investigations, and Management,
Committee on Homeland Security, House of Representatives that cyber threats pose a critical national
and economic security concern (Clapper 2012). To further highlight the importance of these threats, on
October 11, 2012, the US Secretary of Defense stated that the collective result of attacks on our nation’s
critical infrastructure (CI) could be ‘a cyber-Pearl Harbor; an attack that would cause physical destruction
and the loss of life (Panetta 2012)’. According to a 2013 report issued by the US General Accountability
Office (GAO), cybersecurity threats to systems supporting CI and federal information systems are
evolving and growing (US GAO 2013). In addition, the US GAO conducted a number of other studies
attempting to highlight and document US vulnerability to cyber-threats. These concerns apply to
governments throughout the world. A critical aspect of cybersecurity is the need to protect CI.
In an attempt to enhance and improve the security and resiliency of US CI through voluntary, and
collaborative efforts, in February 2013, the US President issued Executive Order 13636 (Fischer et al.
2013). The order expanded an existing Department of Homeland Security (DHS) program for
information; sharing and collaboration between the government and the private sector by:
• Developing a process for identifying CI that have a high priority for protection;
• Requiring the National Institute of Standards and Technology (NIST) to develop a Cybersecurity
Framework of standards and best practices for protecting CI; and
• Requiring regulatory agencies to determine the adequacy of current requirements and their authority
to establish requirements to address the risks.
Cyber-threats to US infrastructure, and other assets, are of growing concern to policymakers. These
threats have become ubiquitous in the United States and are troublesome because many information
and communications technology (ICT) devices and other components are interdependent. Therefore,
disruption of one component may have a negative, cascading effect on others. Cyber-attacks might
include denial of service, theft or manipulation of data. Damage to CI through a cyber-attack could have
a significant impact on national security, the economy, and the livelihood and safety of citizens. It is
clear that cyber-security issues include not only the threats associated with information technology but
also involve physical threats to CI.
Water is key to industries---attacks cause economic decline

America’s Drinking Water Infrastructure Safer Four Years Later?”, Volume 24, Issue 2, pg. 364-5, MLiao)
Statements made by captured terrorist leaders confirm that they understand it is also possible "to
disrupt the American economy" by attacking its critical drinking water infrastructure. 35 Aside from the
public's obvious need for drinking water, it may be surprising to know that " most treated drinking water
is used for purposes other than consumption. ' 36 "[C]lean water is essential for certain key industries
to produce power, process food, and manufacture essential products. '37 For example, hospitals and
other health care facilities, 38 power plants, firefighting, sanitation, and many other industrial processes
are all dependent upon a continuous flow of clean water. 39 Future demand is only going to increase. 40
Facilities reliant upon a steady supply of clean water would be unable to function properly in the face of
a catastrophic attack on the nation's water supply and distribution network.41 As a result, the damage
caused by an attack on drinking water facilities would be compounded as the cascading effects rippled
through other "interdependent" critical infrastructure sectors.4 2 This would have crippling economic
effects.
Cyberattacks severely damage the US economy.

Council of Economic Advisors, 18
[Council of Economic Advisors, 02-16-2018, White House, “The Cost of Malicious Cyber Activity to the
U.S. Economy,” https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-
Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf, Accessed 06-28-2021, CBM]
This report examines the substantial economic costs that malicious cyber activity imposes on the U.S.
economy. Cyber threats are ever-evolving and may come from sophisticated adversaries. Due to
common vulnerabilities, instances of security breaches occur across firms and in patterns that are
difficult to anticipate. Importantly, cyberattacks and cyber theft impose externalities that may lead to
rational underinvestment in cybersecurity by the private sector relative to the socially optimal level of
investment. Firms in critical infrastructure sectors may generate especially large negative spillover
effects to the wider economy. Insufficient data may impair cybersecurity efforts. Successful protection
against cyber threats requires cooperation across firms and between private and public sectors.
Overall:
• We estimate that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion
in 2016.
• Malicious cyber activity directed at private and public entities manifests as denial of service attacks,
data and property destruction, business disruption (sometimes for the purpose of collecting ransoms)
and theft of proprietary data, intellectual property, and sensitive financial and strategic information.
• Damages from cyberattacks and cyber theft may spill over from the initial target to economically
linked firms, thereby magnifying the damage to the economy.
• Firms share common cyber vulnerabilities, causing cyber threats to be correlated across firms. The
limited understanding of these common vulnerabilities impedes the development of the cyber insurance
market.
• Scarce data and insufficient information sharing impede cybersecurity efforts and slow down the
development of the cyber insurance market.
• Cybersecurity is a common good; lax cybersecurity imposes negative externalities on other economic
entities and on private citizens. Failure to account for these negative externalities results in
underinvestment in cybersecurity by the private sector relative to the socially optimal level of
investment.
• Cyberattacks against critical infrastructure sectors could be highly damaging to the U.S. economy.
Economic collapse risks global war

Sundaram, former United Nations Assistant Secretary-General for Economic
Development & Popov, former UN Secretariat senior economics researcher, 19
[Jomo Kwame Sundaram, Former Economics Professor, Former United Nations Assistant Secretary-
General for Economic Development, Received the Wassily Leontief Prize for Advancing the Frontiers of
Economic Thought, and Vladimir Popov, Research Director at the Dialogue of Civilizations Research
Institute and Former Senior Economics Researcher in the Soviet Union, Russia and the United Nations
Secretariat, 2-12-19, IPS – Inter Press Service News Agency, “, “Economic Crisis Can Trigger World War”,
http://www.ipsnews.net/2019/02/economic-crisis-can-trigger-world-war/, accessed 7-3-21]
Economic recovery efforts since the 2008-2009 global financial crisis have mainly depended on
unconventional monetary policies. As fears rise of yet another international financial crisis, there are
growing concerns about the increased possibility of large-scale military conflict.
More worryingly, in the current political landscape, prolonged economic crisis, combined with rising
economic inequality, chauvinistic ethno-populism as well as aggressive jingoist rhetoric, including
threats, could easily spin out of control and ‘morph’ into military conflict, and worse, world war.
Crisis responses limited
The 2008-2009 global financial crisis almost ‘bankrupted’ governments and caused systemic collapse.
Policymakers managed to pull the world economy from the brink, but soon switched from counter-
cyclical fiscal efforts to unconventional monetary measures, primarily ‘quantitative easing’ and very low,
if not negative real interest rates.
But while these monetary interventions averted realization of the worst fears at the time by turning the
US economy around, they did little to address underlying economic weaknesses, largely due to the
ascendance of finance in recent decades at the expense of the real economy. Since then, despite
promising to do so, policymakers have not seriously pursued, let alone achieved, such needed reforms.
Instead, ostensible structural reformers have taken advantage of the crisis to pursue largely irrelevant
efforts to further ‘casualize’ labour markets. This lack of structural reform has meant that the
unprecedented liquidity central banks injected into economies has not been well allocated to stimulate
resurgence of the real economy.
From bust to bubble
Instead, easy credit raised asset prices to levels even higher than those prevailing before 2008. US house
prices are now 8% more than at the peak of the property bubble in 2006, while its price-to-earnings
ratio in late 2018 was even higher than in 2008 and in 1929, when the Wall Street Crash precipitated the
Great Depression.
As monetary tightening checks asset price bubbles, another economic crisis — possibly more severe
than the last, as the economy has become less responsive to such blunt monetary interventions — is
considered likely. A decade of such unconventional monetary policies, with very low interest rates, has
greatly depleted their ability to revive the economy.
The implications beyond the economy of such developments and policy responses are already being
seen. Prolonged economic distress has worsened public antipathy towards the culturally alien — not
only abroad, but also within. Thus, another round of economic stress is deemed likely to foment unrest,
conflict, even war as it is blamed on the foreign.
International trade shrank by two-thirds within half a decade after the US passed the Smoot-Hawley
Tariff Act in 1930, at the start of the Great Depression, ostensibly to protect American workers and
farmers from foreign competition!
Liberalization’s discontents
Rising economic insecurity, inequalities and deprivation are expected to strengthen ethno-populist and
jingoistic nationalist sentiments, and increase social tensions and turmoil, especially among the growing
precariat and others who feel vulnerable or threatened.
Thus, ethno-populist inspired chauvinistic nationalism may exacerbate tensions, leading to conflicts and
tensions among countries, as in the 1930s. Opportunistic leaders have been blaming such misfortunes
on outsiders and may seek to reverse policies associated with the perceived causes, such as ‘globalist’
economic liberalization.
Policies which successfully check such problems may reduce social tensions, as well as the likelihood of
social turmoil and conflict, including among countries. However, these may also inadvertently
exacerbate problems. The recent spread of anti-globalization sentiment appears correlated to slow, if
not negative per capita income growth and increased economic inequality.
To be sure, globalization and liberalization are statistically associated with growing economic inequality
and rising ethno-populism. Declining real incomes and growing economic insecurity have apparently
strengthened ethno-populism and nationalistic chauvinism, threatening economic liberalization itself,
both within and among countries.
Insecurity, populism, conflict
Thomas Piketty has argued that a sudden increase in income inequality is often followed by a great
crisis. Although causality is difficult to prove, with wealth and income inequality now at historical highs,
this should give cause for concern.
Of course, other factors also contribute to or exacerbate civil and international tensions, with some due
to policies intended for other purposes. Nevertheless, even if unintended, such developments could
inadvertently catalyse future crises and conflicts.
Publics often have good reason to be restless, if not angry, but the emotional appeals of ethno-populism
and jingoistic nationalism are leading to chauvinistic policy measures which only make things worse.
At the international level, despite the world’s unprecedented and still growing interconnectedness,
multilateralism is increasingly being eschewed as the US increasingly resorts to unilateral, sovereigntist
policies without bothering to even build coalitions with its usual allies.
Avoiding Thucydides’ iceberg
Thus, protracted economic distress, economic conflicts or another financial crisis could lead to military
confrontation by the protagonists, even if unintended. Less than a decade after the Great Depression
started, the Second World War had begun as the Axis powers challenged the earlier entrenched colonial
powers.
Internal Link – Control Systems
Economic effects of supervisory control and data acquisition (SCADA) vulnerability

culminate into adverse costs.
[Anna, also American Enterprise Institute Visiting Scholar, 06-21-2021, American Enterprise Institute,
“Americans need to know the economic truth about cyber threats,”
https://www.aei.org/articles/americans-need-to-know-the-economic-truth-about-cyber-threats/?
The greatest cyber threat to the public today exists in companies and organizations where cyber and
physical domains overlap, and where malicious actors may cause equipment damage and even deaths.
A particular vulnerability lies in the so-called supervisory control and data acquisition (SCADA) software
that controls physical equipment, and which is widely used by energy, transportation, manufacturing,
and many other companies. SCADA systems are unfortunately quite vulnerable to cyberattacks. Luckily,
unlike other countries, critical infrastructure systems in the U.S. have been spared so far from SCADA
attacks despite known cyber intrusions, most likely because the hackers fear a punitive U.S. response.
When assessing the cost of malicious cyber activity to the U.S. economy, it is important to account for
the negative spillover effects: The overall cost is larger than the sum of the losses suffered by the
directly affected entities. Because the economy is so interconnected, the adverse shocks propagate
through company networks, affecting other firms in the supply chain, and, as we saw in the most recent
ransomware attacks, even reaching consumers in the end. In 2018, malicious cyber activity costs the
U.S. economy up to 0.64 percent of GDP. One can easily imagine that, given the lucrative nature of the
business and the low risk of being caught, the costs of malicious cyber activity to the U.S. economy will
likely continue to grow.
Economic Impact – Ripple Effect
Cyberattacks on critical infrastructure causes widespread shutdowns and economic

disruption
Fitch Wire, Press Release, ‘21
(Fitch Ratings, provider of credit ratings, commentary, and research, 6/9/21, FitchRatings, “Public
Infrastructure Cyberattacks May Pose Broad Financial Risk”, https://www.fitchratings.com/research/us-
public-finance/public-infrastructure-cyberattacks-may-pose-broad-financial-risk-09-06-2021, Accessed
6/30/21, MLiao)
The recent Colonial Pipeline cyberattack illustrates the broader financial effects that can result from
attacks on critical public infrastructure, Fitch Ratings says. A breach of critical assets, such as power or
water supply or public transportation, that halts service could result in widespread public and private
sector shutdowns if utilities cannot provide service or employees are not able to commute to their
places of work.
Infrastructure that has been compromised can directly affect state and municipal government finances
in the near term through ransom payments and/or the costs of remediation and restoration of data and
service, as well as over the longer term, as a result of broad economic disruption that leads to loss of tax
revenue.
Economic Impact – Company Collapse
Cyber hacks can collapse companies

[Anna, also American Enterprise Institute Visiting Scholar, 06-21-2021, American Enterprise Institute,
“Americans need to know the economic truth about cyber threats,”
https://www.aei.org/articles/americans-need-to-know-the-economic-truth-about-cyber-threats/?
While many companies often fail to report and even detect intrusions into their networks because of the
sophisticated actions of nation-states and increasingly skilled cyber criminals, the FBI is able to
independently detect some of the hacks. Through its victim notification program, the Bureau notifies the
affected entities and also offers to help. I was surprised however to discover that companies frequently
refuse the FBI’s offer. Some firms may honestly believe that they can adequately handle the
investigation and recovery. But more nefarious reasons could be at play. (For example, if in the course of
investigation the FBI discovers potential wrongdoing, it will be obligated to investigate further; hence,
some victims may pre-emptively refuse the FBI’s help.)
To make the public aware of the full scope of the cyber threat, the FBI would do a great service to all by
revealing — through the use of anonymized data — the targets of its victim notification program.
Making public thousands of observations on cyber intrusions would serve to encourage companies to
increase their cybersecurity spending and will help speed up the growth of the emerging cyber
insurance sector. Moreover, releasing the anonymized data on the companies that refused the FBI’s
help would help encourage socially responsible investing.
An FBI report would also help shed light on the nature of cyber threats. While ransomware attacks and
the “distributed denial-of-service” attacks, which disrupt access to public websites, are relatively easy to
detect and get oversized media attention as a result, they are generally not the most devastating for
companies. In a 2018 report on the economic cost of malicious cyber activity, my CEA colleagues and I
found the most devastating are cyber intrusions that result in the theft of a company’s intellectual
property and confidential strategic plans. Such thefts are difficult to detect and most are never reported
to the public. Typically, companies, universities, and government agencies working on strategically
important and not-yet-patented technologies are the ones being targeted. More recently, COVID
vaccine developers were being targeted for intellectual property theft. For small, single-product
companies, a cyber theft of their intellectual property can be devastating and even result in bankruptcy.
Smart Cities Scenario
Scenario – Smart Cities
Cities account for 70% of greenhouse gas emissions, transitioning to Smart cities
creates sustainable development necessary to combat climate change
Cheng, Earth.org author '21
[Iris Cheng is an author at Earth.Org, 04-28-2021, Earth.Org - Past | Present | Future, "Importance of
Smart Cities in the Fight Against Climate Change", https://earth.org/smart-cities-climate-change/,
In 2020, the United Nations Development Programme estimated that cities account for 70% of the
world’s greenhouse gas emissions and are facing natural disasters such as flooding and heat stress
because of climate change. The proportion of the global population living in cities and towns is expected
to rise from 54% in 2015 to 66% by 2050. To mitigate the environmental impacts of this urban migration
and fight climate change, the concept of smart cities has become important .
There is still a lack of a universally agreed-upon definition of a smart city and many organisations have
proposed different definitions. For example, the OECD has defined smart cities as the “initiatives or
approaches that effectively leverage digitalisation to boost citizen well-being and deliver more efficient,
sustainable and inclusive urban services and environments as part of a collaborative, multi-stakeholder
process.” The International Telecommunication Union defined a smart city as “an innovative city that
uses ICTs [information and communications technologies] and other means to improve quality of life,
efficiency of urban operation and services and competitiveness, while ensuring that it meets the needs
of present and future generations with respect to economic, social and environmental aspects.”
What are the elements of a smart city? The European Commission suggested a smart city should have
smarter urban transport networks, upgraded water supply, environmentally friendly water disposal
facilities and buildings with high energy efficiency. In Hong Kong, the Smart City Blueprint for Hong Kong
(Blueprint 2.0) issued by the government in 2020 listed out more than 130 initiatives such as using
remote sensing devices to monitor air pollution, implementing smart recycling systems, and installing
LED lamps in public light systems.
The importance of sustainable city development is seen in one of the Sustainable Development Goals
(SDGs), which is working to make cities and human settlements inclusive, safe, resilient and sustainable .
The SDGs were created in 2015 by the United Nations General Assembly and serve as the blueprint for
countries to achieve a better and more sustainable future for all.
Many countries and cities are eager to develop smart cities to pursue sustainable development and to
improve the life of citizens. For example, the South Korean government developed a smart city plan in
2019. The plan focuses on the sharing of government data and active interactions between citizens and
government via e-platforms. Other developing countries are also working to build smart cities, such as
Vietnam and India.
“All Vietnam’s efforts in smart city development are aimed at three fundamental goals which are
sustainable urban environment, high-quality life for residents and a competitive economy,” said Tran
Quoc Thai, director of the Department of Urban Development under the Ministry of Construction,
according to the Hanoi Times.
In 2015, the Indian government announced a Smart Cities Mission (SCM) to build 100 smart cities in five
years. According to the SCM, the main objective of the mission is to promote cities that provide core
infrastructure, clean and sustainable environment and give a decent quality of life to citizens through
the application of smart solutions.
The development of smart cities has been further supported via bilateral cooperation. These
partnerships include the Memorandum of Understanding (MoU) on the Strategic Collaboration on Smart
City Development between Singapore and China (Shenzhen). This MOU, which came into effect in 2020,
listed out cooperation such as in digital connectivity, and technology collaboration. Moreover, Germany
launched a project in 2018 to help three Indian cities to become sustainable smart cities. The German
government aimed at using digital opportunities intelligently to create cities, which are good to live in
and also allow people to achieve climate targets.
On the other hand, Amnesty International expressed concern about whether smart cities have been
developed at the expense of people’s human rights including privacy and freedom of expression.
It is believed that the development of smart cities could fight against climate change and could improve
people’s quality of life with the use of advanced technologies. But at the same time, human rights must
always be put at the centre of any development plans for smart cities.
Water services are crucial to every part of the Smart City – cyber threats pose major
risks
Alabi, PhD in Urban and Regional Planning, 20
IMPLEMENTATION-IN-WATER-SECTOR.pdf, Accessed 6/26/21, MLiao)
A robust cybersecurity implementation is very crucial for the water industry and its business operations
in order to succeed in the 21st century data-driven sector and technology enabled economy (KPMG,
2018). Water services and distributions are regarded as an important critical infrastructure for the
advancement of modern society known as “Smart City”. Cyber threats are one of the major significant
risks to the water sectors and as the water utilities sector continue to advance and adopt digital
technologies transformations across its network and business operations/processes; the security teams
within the water utilities sector constantly facing with an increased security risk and vulnerabilities
which comes with external connections to water network systems (OWL-CyberDefence, 2018).
Cybersecurity should be an integral part of the water utilities growth and this will assist to leverage data
and deployment of new emerging technologies that will help water sector to keep up with their
competitors and at the same time ensuring resilience against cyber threats and meet the fundamental
expectation of their customers (KPMG, 2018). According to Germano (2019) “Managing cybersecurity is
a complex challenge that requires an interdisciplinary, risk-based approach, involving an organization’s
business leaders, including their technical and legal advisors”. This section of the paper provides the
fundamental literature review around cybersecurity in the water sector.
Reducing greenhouse gas emissions crucial to averting existential risks of catastrophic

climate change
Kaplan, Washington Post Climate and Science Reporter, 7-3-21
(Sarah, Georgetown University BS in International Culture and Politics, 7-3-21, The Washington Post,
“Climate change ahs gotten deadly. It will get worse.”, https://www.washingtonpost.com/climate-
environment/2021/07/03/climate-change-heat-dome-death/
The heat dome was just one of a barrage of climate catastrophes that struck the world in recent weeks.
Western wildfires are off to a scorching start, with firefighters actively battling 44 large blazes that have
burned nearly 700,000 acres. Parts of Florida and the Caribbean are bracing for landfall of Hurricane
Elsa, the Atlantic’s fifth named storm in what is one of the most active starts to hurricane season on
record. Nearly half a million people in Madagascar are at risk of starvation as the country grapples with
dust storms, locusts and its worst drought in decades. In Verkhoyansk, Siberia — usually one of the
coldest inhabited places on the planet — the land surface temperature was 118 degrees.
“Climate change has loaded the weather dice against us,” said Katharine Hayhoe, a climate scientist at
Texas Tech University and chief scientist for the Nature Conservancy “These extremes are something we
knew were coming,” she added. “The suffering that is here and now is because we have not heeded
the warnings sufficiently.”
Humans burning fossil fuels have caused the globe to warm roughly 1 degree Celsius, or 2 degrees
Fahrenheit, since the preindustrial era. It’s a seemingly incremental change, but it has led to
disproportionately frequent and severe natural disasters. Think of the climate as a bell curve, Hayhoe
said, with temperatures distributed according to how common they ought to be. The center of the bell
curve may have shifted just a couple of degrees, but the area of the curve now in the “extreme” zone
has increased significantly.
Within the next week, researchers expect to publish a “rapid attribution” study that determines how
climate change made the Northwest heat wave more likely. Yet precisely quantifying the role of climate
change in the event has been difficult because the heat was just so extreme, said Michael Wehner, a
climate scientist at Lawrence Berkeley National Laboratory in California who is contributing to the
attribution effort. “It’s well beyond what straightforward statistical analysis would suggest. It’s well
beyond what climate models suggest,” he continued. “But it happened.” Studies show the chance of a
given tropical storm becoming a hurricane that is Category 3 or greater has grown 8 percent every
decade. The acreage of the West burned by wildfire is twice what it would otherwise be. The heat wave
that struck the Northwest this week brought temperatures that were as much as 11 degrees above the
previous all-time high. That increase in intensity is partly due to the fact that meteorological phenomena
are occurring in a hotter world. Summers in the Northwest are about 3 degrees Fahrenheit hotter than
they were a century ago.
“But there are other, nonlinear, things going on,” Wehner adds. For example, heat causes water to
evaporate from vegetation and soil, which uses up energy and helps bring temperatures down — a
phenomenon called evaporative cooling. But climate change has made the West both hotter and dryer.
As the mercury ticks upward, the landscape becomes even more parched, which allows it to heat up
even faster. Now, more than 93 percent of the American West is in moderate to severe drought,
according to the U.S. drought monitor. Another physical phenomenon, called the Clausius-Clapeyron
equation, shows that for every 1 degree Celsius (1.8 degrees Fahrenheit) of warming, the atmosphere
can hold 7 percent more moisture. This means that warm conditions make storms much wetter, leading
to record-breaking rainfall events like Hurricane Harvey in 2017.
Scientists have been aware of these phenomena for decades, and have long warned about the potential
for even moderate amounts of global warming to trigger catastrophic weather extremes. The heat being
so devastating should be a warning sign for all of us. The 2015 Paris Climate Agreement calls for
humanity to limit global warming to “well below” 2 degrees Celsius. A subsequent report from United
Nations scientists found that warming beyond 1.5 degrees Celsius would trigger catastrophic sea level
rise, near-total loss of coral reefs and a calamitous increase in the frequency and intensity of natural
disasters. But the world is unlikely to meet either of those goals. Most countries have not reduced
greenhouse gas emissions nearly enough to meet targets set in the Paris agreement. Even if they meet
their existing pledges, researchers say the world has just a 5 percent chance of keeping warming “well
below” 2 degrees.
If we continue to burn fossil fuels at the current rate, studies suggest, the Earth could be 3 to 4 degrees
Celsius hotter by the end of the century. The Arctic will be free of ice in summertime. Hundreds of
millions of people will suffer from food shortages and extreme drought. Huge numbers of species will
be driven to extinction. Some regions will become so hot and disaster-prone they are uninhabitable.
“It’s a very different planet at those levels,” Wehner said. “This is really serious. As a society, as a
species, we’re going to have to learn to adapt to this. And some things are not going to be adaptable.”
Extreme heat is likely to be one of those things. Studies of heat waves suggest that a half a degree
Celsius increase in summertime temperatures can lead to a 150 percent increase in the number of heat
waves that kill 100 people or more. Research published last year in the journal Science found that the
human body can’t tolerate temperatures higher than 95 degrees when combined with 100 percent
humidity.
The scene in emergency departments across the Northwest this week underscores that science. Wait
times at the OHSU emergency department were 5 to 7 hours, Tanski said. At Swedish Health Services —
Cherry Hill in Seattle, doctors were seeing patients in hallways because all the rooms were full. “I’ve
never seen anything like this,” said David Markel, an emergency physician at the Seattle hospital. During
an overnight shift on Monday, he treated 12 patients for heat illness. Some were so sick their kidneys
and livers were failing, their muscles starting to break down. “I don’t claim to be an expert in climate
change or environmental science,” Markel said. “But I definitely care for people who are impacted by
the extremes of climate. … And it’s like, the more crises we face the more clear it is.” Jeff Duchin, Seattle
and King County’s chief public health officer, put it more bluntly: “Climate change is a health
emergency,” he said in a statement this weekend. “And reducing greenhouse gas emissions is literally a
matter of life and death.”
Water Key to Smart Cities
Water is a key next step for smart cities—Key to reduce water loss
Mulholland, Former Government Technology web editor and photographer '16
[Jessica Mulholland is a former web editor and photographer for government technology, 12-20-2016,
Government Technology, "Making a Case for Water as a Key Component in the Smart City",
https://www.govtech.com/fs/infrastructure/making-a-case-for-water-as-a-key-component-in-the-
smart-city.html, accessed 7-5-2021, CG]
“Water has real immediacy to people — a real, vital connect to their lives. There is just a certain
resonance with the very nature of the infrastructure. That means water utilities are in a strong position
to help implement smart technologies ,” said Andrew Trump.
As director of the utility practice at global engineering, consulting and construction company Black &
Veatch, Trump laid out the case for water as a key component in smart cities in the June paper 2016
Strategic Directions: Water Industry Report. As 2016 drew to a close, Trump said most of the industry’s
ambitions remain unrealized.
Water has yet to take a place in the roster of smart city regulars, and that is unfortunate, he said.
There's much that water could do to enhance the urban fabric, and much technology could do to
improve the water infrastructure.
When it comes to hydrology, the clearest smart city agenda item has to do with what the water industry
calls “loss” or what laymen think of as leakage.
“We have a growing opportunity to put more and more smart sensors on the distribution system, just
like in electricity and gas," he said. "Engineers want to reduce losses: The water system can be leaky and
now you can put sensing technology along the system to detect where those losses are occurring.”
It’s a huge problem: Some $2.6 billion nationwide is lost as water mains leak trillions of gallons of
treated drinking water each year, the EPA reported.
In addition to upgrading infrastructure with smart sensors, government could look at the citizen-facing
side of smart technologies, improving the end-user experience with better water metering systems.
“Instead of just having a monthly read that says ‘you used so many gallons,’ you could give much more
granular information. How much water do you use on a daily basis? Or it could send an alarm if water
use is inordinately high,” Trump said.
Smart metering would have a two-fold benefit. For cities, more sophisticated meters could cut down on
the time and effort needed to monitor consumption. For citizens, high-tech meters could give a better
understanding of water usage and perhaps prompt behavioral changes to help conserve resources.
Because water is used across the civic spectra — by individuals and businesses, often in vast quantities
— even incremental improvements in this arena could have a significant effect.
“Suppose you have customers getting more reliable information and becoming more mindful around
consumption," he said. "Now let’s say the provider is more capable of preventing losses in the system.
Taken together, those can be really quite meaningful.”
Water ties into other systems, for example in the energy needed to route and manage the hydraulic
infrastructure. “Because of those connections, if we look at even a small change in water, it can have a
really big cumulative impact,” Trump said.
While little has happened to put water on the smart cities map, there is some indication that the
industry may be heading in that direction. The schedule for an upcoming smart cities symposium, for
instance, includes water in a session on smart metering, and the Smart Cities Week conference in May is
slated to include a session on smart water. In its research, Black & Veatch found that 48.5 percent of the
municipal leaders and water providers it interviewed see water as an integral part of the smart cities
planning and funding process.
Smart water technology is key to fixing water infrastructure – Better protection of

water quality and saves billions
Goldfarb, Kando CEO '20
[Ari Goldfarb is the CEO of Kando, 28-08-2020, American City and County, "Smart water tech: The future
of smart cities", https://www.americancityandcounty.com/2020/08/28/smart-water-tech-the-future-of-
smart-cities/, accessed 7-5-2021, CG]
The United States’ aging water infrastructure is in dire need of an upgrade. Most of the country’s water
infrastructure is at least half a century old, and with that comes a host of problems, including frequent
leaks and poor water quality. With precious water resources becoming more and more scarce, the
problem is growing increasingly urgent.
According to the American Society of Civil Engineers, there are an estimated 240,000 water main
breaks annually across the U.S., at a direct cost of $2.6 billion. Deteriorating infrastructure imposes
more than a merely financial burden: As pipes deteriorate and increasing amounts of pollutants enter
the drinking water supply, public health is endangered. A 2017 investigation revealed that up to 63
million Americans were exposed to potentially unsafe drinking water over the previous decade,
underscoring that disasters like the Flint, Michigan water crisis are only the tip of iceberg when it comes
to America’s water management problems.
Further compounding the country’s water challenges is the mounting threat of climate change, which
will usher in extreme weather conditions that America’s degrading water infrastructure simply will not
likely be able to handle. Given these myriad challenges, it’s hardly surprising that in the American Water
Works Association’s most recent State of the Water Industry report, leaders identified the need to
renew and replace outdated infrastructure as the industry’s top challenge.
Smart water technology has a major role to play in addressing the problems posed by aging
infrastructure. By integrating intelligent monitoring and resource management solutions, local
governments can gain vital insights: How much water is present in the overflow from a storm? What
contaminants and pollutants are flowing through municipal pipes– and at what levels? What patterns in
supply and demand can drive smarter decisions about optimizing water management?
With the introduction of smart water tech, our cities can better understand what’s going on, especially
underground, which is beneficial for the industrial and utility sectors too. Zion Market
Research forecasts that the smart water tech market will reach $31.6 billion by 2024, with technological
improvements in information and communication technologies, the Internet of Things (IoT), and data
analytics fueling the market’s growth.
IoT sensors, for instance, can enable water managers to detect any anomalies in municipal systems,
including leaks; peaks and valleys in usage; equipment failures; and pollutants to ensure local utilities
and industry are complying with all water protection regulations. By creating visibility into buried assets
to understand the conditions of underground infrastructure, utilities can compare current performance
with sought after standards, predict when and where problems may arise, and treat trouble spots
preventively before they become costly problems.
Cities around the country are finding notable success by integrating smart water technology. At a cost
of $1.2 million, Kansas City, Missouri installed smart sewer and stormwater management systems –
including the globe’s largest sewer sensor network – enabling continuous monitoring and management
of water flow and autonomous stormwater detention. The projected savings to Kansas City taxpayers
over the coming years? More than $1 billion.
A smart storm water management system in Ann Arbor, Michigan has helped the city save $1 million in
infrastructure costs. Sensor nodes in the city’s water system provide real-time information on water
flow and quality, while remote-controlled valves release water from basins after a storm.
Houston, Texas began partnering with Microsoft in 2018 to upgrade its smart city infrastructure,
including the installation of smart water meters that collect usage data every 15 minutes, ultimately
enabling real-time leak alerts.
Water technology’s benefits even extend to the field of epidemiology. IoT sensors placed in sewer
systems are helping cities around the globe detect traces of the novel coronavirus in wastewater,
allowing authorities to pinpoint infection hotspots and to more efficiently identify outbreaks. In a
stunning finding, Italian scientists recently announced that coronavirus may already have reached Italy
in December 2019 – far earlier than previously thought – based on sewage samples collected from Milan
and Turin. Not only can sewers help public health officials understand the full extent of an outbreak, but
by helping governments identify hubs of contagion, they can allow for a much more targeted, localized
response – potentially preventing the need for more sweeping lockdown measures. Sewers have long
been sources of valuable intelligence for addressing public health challenges. For instance, Israeli
authorities were able to contain a 2013 polio outbreak because a sewage surveillance system built after
a 1988 outbreak had provided an early warning of transmission.
New pipes, dams, and storage tanks won’t be enough to deliver the quality water infrastructure today’s
cities need. Smart technology must be integral to communities’ water infrastructure , as it is essential
to achieving better management of this critical resource, offering real-time insights for protecting water
quality and security, unlocking significant cost savings and even combating future pandemics. As these
days of COVID-19 prompt societies to search for new ways of building more modernized, more resilient
systems, investments in smart water technology are a clear place to start.
Smart Cities - Climate Change
Smart cities key to better quality of life – safety, public health, and environmental
sustainability – including significant decrease in emissions
Woetzel, McKinsey & Company Asia and global economic trends researcher, et al. 18
[Jonathan, Jaana Remes, McKinsey & Company productivity/competitiveness/urbanization/health
researcher, Brodie Boland, McKinsey & Company helper to real-estate organizations/infrastructure
investors/city governments prepare for the future, Katrina Lv, McKinsey & Company advisee for
infrastructure/real estate/economic development/ strategy in serving governments in China, Suveer
Sinha, McKinsey & Company adviser in the infrastructure and industrial sectors on strategy and
transformation, Gernot Strube, advises in the infrastructure/aerospace/rail, sectors on digital
transformations, John Means, McKinsey & Company sustainable communities developer, Jonathan Law,
McKinsey & Company specialist on economic development/innovative social finance, Andres Cadena,
McKinsey & Company specialist in Latin America economic development, and Valerie von der Tann,
General Manager at ViaVan, 6-5-18, McKinsey & Company, “Smart cities: Digital solutions for a more
livable future,” https://www.mckinsey.com/business-functions/operations/our-insights/smart-cities-
digital-solutions-for-a-more-livable-future#, Accessed 6-29-21, CBM]
Applications can help cities fight crime and improve other aspects of public safety
Deploying a range of applications to their maximum effect could potentially reduce fatalities (from
homicide, road traffic, and fires) by 8 to 10 percent. In a high-crime city with a population of five million,
this could mean saving up to 300 lives each year. Incidents of assault, robbery, burglary, and auto theft
could be lowered by 30 to 40 percent. On top of these metrics are the incalculable benefits of giving
residents freedom of movement and peace of mind.
Technology is not a quick fix for crime, but agencies can use data to deploy scarce resources and
personnel more effectively. Real-time crime mapping, for instance, utilizes statistical analysis to highlight
patterns, while predictive policing goes a step further, anticipating crime to head off incidents before
they occur. When incidents do occur, applications such as gunshot detection, smart surveillance, and
home security systems can accelerate law-enforcement response. But data-driven policing has to be
deployed in a way that protects civil liberties and avoids criminalizing specific neighborhoods or
demographic groups.
Seconds count when lives are at stake, making speed critical for first responders in getting to the scene
of emergencies. Smart systems can optimize call centers and field operations, while traffic-signal
preemption gives emergency vehicles a clear driving path. These types of applications could cut
emergency response times by 20 to 35 percent. A city with an already low response time of eight
minutes could shave off almost two minutes. A city starting with an average response time of 50
minutes might be able to trim that by more than 17 minutes.
Smart-city technologies can make daily commutes faster and less frustrating
Tens of millions of people in cities worldwide begin and end every workday fuming in traffic or piling
into overcrowded buses and trains. Improving the daily commute is critical to quality of life.
By 2025, cities that deploy smart-mobility applications have the potential to cut commuting times by 15
to 20 percent on average, with some people enjoying even larger reductions. The potential associated
with each application is highly variable, depending on each city’s density, existing transit infrastructure,
and commuting patterns. In a dense city with extensive transit, smart technologies could save the
average commuter almost 15 minutes a day. In a developing city with more grueling commutes, the
improvement might be 20 to 30 minutes every day.
In general, cities with extensive, well-used transit systems benefit from applications that streamline the
experience for riders. Using digital signage or mobile apps to deliver real-time information about delays
enables riders to adjust their routes on the fly. Installing IoT sensors on existing physical infrastructure
can help crews fix problems before they turn into breakdowns and delays.
Applications that ease road congestion are more effective in cities where driving is prevalent or where
buses are the primary mode of transit. Intelligent syncing of traffic signals has the potential to reduce
average commutes by more than 5 percent in developing cities where most people travel by bus. Real-
time navigation alerts drivers to delays and helps them choose the fastest route. Smart-parking apps
point them directly to available spots, eliminating time spent fruitlessly circling city blocks.
Cities can be catalysts for better health
The sheer density of cities makes them critical although currently underutilized platforms for addressing
health. Recognizing that the role of technology in healthcare is broad and evolving by the day, we
analyze only digital applications that offer cities room to play a role. We quantify their potential impact
on disability-adjusted life years (DALYs), the primary metric used by the World Health Organization to
convey the global disease burden, reflecting not only years of life lost to early death but also productive
and healthy life lost to disability or incapacity. If cities deploy the applications included in our analyses to
their fullest effect, we see the potential to reduce DALYs by 8 to 15 percent.
Applications that help prevent, treat, and monitor chronic conditions, such as diabetes or cardiovascular
disease, could make the biggest difference in the developed world. Remote-patient-monitoring systems
have the potential to reduce the health burden in high-income cities by more than 4 percent. These
systems use digital devices to take vital readings, then transmit them securely to doctors in another
location for assessment. This data can alert both patient and doctor when early intervention is needed,
heading off complications and hospitalizations.
Cities can use data and analytics to identify demographic groups with elevated risk profiles and target
interventions more precisely. So-called mHealth interventions can send out lifesaving messages about
vaccinations, sanitation, safe sex, and adherence to antiretroviral therapy regimens. In low-income cities
with high infant-mortality rates, data-based interventions focused on maternal and child health alone
could reduce DALYs by more than 5 percent. Another 5 percent reduction is possible if developing cities
use infectious-disease surveillance systems to stay a step ahead of fast-moving epidemics. Telemedicine,
which provides clinical consultations by videoconference, can also be lifesaving in low-income cities with
doctor shortages.
Smart cities can deliver a cleaner and more sustainable environment

As urbanization, industrialization, and consumption grow, environmental pressures multiply.
Applications such as building-automation systems, dynamic electricity pricing, and some mobility
applications could combine to cut emissions by 10 to 15 percent.
Water-consumption tracking, which pairs advanced metering with digital feedback messages, can nudge
people toward conservation and reduce consumption by 15 percent in cities where residential water
usage is high. In many parts of the developing world, the biggest source of water waste is leakage from
pipes. Deploying sensors and analytics can cut those losses by up to 25 percent. Applications such as
pay-as-you-throw digital tracking can reduce the volume of solid waste per capita by 10 to 20 percent.
Overall, cities can save 25 to 80 liters of water per person each day and reduce unrecycled solid waste
by 30 to 130 kilograms per person annually.
Air-quality sensors do not automatically address the causes of pollution, but they can identify the
sources and provide the basis for further action. Beijing reduced deadly airborne pollutants by roughly
20 percent in less than a year by closely tracking the sources of pollution and regulating traffic and
construction accordingly. Sharing real-time air-quality information with the public via smartphone apps
enables individuals to take protective measures. This can reduce negative health effects by 3 to 15
percent, depending on current pollution levels.
Smart cities can create a new type of digital urban commons and enhance social connectedness
Community is hard to quantify, but MGI surveyed urban residents to determine if digital channels for
communicating with local officials as well as digital platforms that facilitate real-world interactions (such
as Meetup and Nextdoor) can have an impact. Our analysis suggests that using these types of
applications could nearly double the share of residents who feel connected to the local community, and
nearly triple the share who feel connected to local government.
Establishing channels for two-way communication between the public and local agencies could make
city governments more responsive. Many city agencies maintain an active presence on social networks,
and others have developed their own interactive citizen apps. In addition to disseminating information,
these channels create vehicles for residents to report concerns, collect data, or weigh in on planning
issues. Paris has implemented a participatory budget, inviting anyone to post project ideas and then
holding online votes to decide which ones merit funding.
Becoming a smart city is not a strategy for job creation, but smart solutions can make local labor
markets more efficient and slightly lower the cost of living
Many local officials want to know if becoming a smart city will lead to an infusion of high-paying tech
jobs or accelerate a wave of automation. Our analysis finds a slightly positive net impact on formal
employment. Smart technologies will directly eliminate some jobs (such as administrative and field jobs
in city government) while creating others (such as maintenance, driving roles, and temporary installation
jobs).
Smart cities solve for a litany of environmental problems, including climate change.
Iqbal, Gemalto Public Services & Transport and IoT director, 18
[Haider, 08-13- 2018, Internet of Business, “How smart cities can help build a sustainable world,”
https://internetofbusiness.com/how-smart-cities-can-build-a-sustainable-world/, accessed 07-05-2021,
HSP]
Sustainability is a powerful force for positive change in our world; one that is driving transformation,
innovation, and improvement across all aspects of society.
No longer limited to conserving natural resources, sustainability now encompasses a broad range of
challenges, including urban growth, transportation, our carbon footprints, and even people’s work-life
balance.
As the world’s population is expected to increase by an estimated 33 percent before 2050, and with
nearly 70 percent of those people living in urban environments, sustainability has become a focal point
for forward-thinking cities.
Together, the Internet of Things (IoT) and smart city technologies are one of the keys to success in this
field. In fact, Gartner predicts that by 2020, half of all smart city objectives will be focused on climate
change, resilience, and sustainability.
With an expected growth rate of more than 19 percent every year, the global smart cities market is
predicted to reach $3.6 trillion by 2025, up from $773 billion in 2016.
Innovative businesses and municipalities see the potential, and are working together on programmes
that illuminate just what smart cities can do to meet global sustainability goals.
Using smart city infrastructure to our advantage
Smart cities are built on complex and intelligent frameworks of ubiquitous digital networks, connecting
citizens, governments, and objects that simultaneously send and receive data. Cloud-based software
applications receive, manage, and analyse this data, and transform it into real-time intelligence that,
ultimately, will help improve the way we work, travel and live.
In a smart city for instance, intelligent garbage solutions are redefining and optimising waste
management. The World Bank estimates that the global cost of managing our landfill collections alone
will rise to $375 billion by 2025 – an unsustainable cost in the long term.
Smart garbage bins, self-powered with solar technology, have the ability to communicate when they are
full in real time, preventing overflows and eliminating unnecessary scheduled pick-ups that will save
time, fuel, and wear and tear on the roads.
BigBelly is one such company transforming the way we approach waste collection. With successful pilot
schemes around the world, from Singapore to New York City to Melbourne, it is working to reduce the
frequency of collections by 70-80 percent and limit our dependence on rubbish bins.
For example, in Dún Laoghaire, a small portside town outside Dublin, BigBelly helps to manage the
waste left behind by tourists and provide a real-time solution to the waste-collection issues posed by
Ireland’s unpredictable weather. The result has been an annual saving of €200,000 in costs and 69 tons
of CO2.
Providing the complete city experience

However, the IoT’s sustainability reach extends far beyond smart city waste management. Take
Quayside in Toronto, for instance, a 12-acre site that Google’s Sidewalk Labs has covered in IoT sensors
to monitor and optimise processes all over the city.
Using the embedded sensors, city managers can monitor traffic flows, noise levels, air quality, energy
usage, and travel patterns in real time. These insights allow businesses, citizens and the government to
review and make changes swiftly to improve city services and amenities.
The installation has been designed to tackle the challenges of urban growth and achieve new standards
of sustainability.
Similarly, Belmont, an initiative associated with Bill Gates, was envisaged as a sustainable,
technologically advanced community built from the ground up in the Arizona desert. This new city is at
the forefront of the sustainability movement and is based on a communication and infrastructure
foundation that encompasses cutting-edge technology, high-speed digital networks, data centres, and
autonomous vehicles to optimise how we live our lives.
Smart cities allow for less greenhouse gas emissions, better air quality, more water
conservation, and solid waste reduction.
Wilson, Energy Digital Editor, 20
[Georgia, 10-14-2020, Energy Digital, “How smart cities can power a sustainability revolution,”
https://energydigital.com/smart-energy/how-smart-cities-can-power-sustainability-revolution, accessed
07-05-2021, HSP]
How smart cities can drive sustainability goals and energy efficiencies
Having the capability to advance Sustainable Development Goals by 70%, smart cities can deliver a
cleaner and more sustainable environment. With increased urbanisation, industrialisation and
consumption comes the addition of increased environmental challenges. While technology is only one
element that can help to address these challenges, overall analysis by McKinsey highlights that
“deploying a range of applications to the best reasonable extent could cut emissions by 10 to 15%, lower
water consumption by 20 to 30%, and reduce the volume of solid waste per capita by 10 to 20%.”
Greenhouse gas emissions
For cities that find structures as a major source of emissions, McKinsey reports t hat building automation
systems can lower emissions by just under 3% in most commercial buildings and 3% in residential
homes. Other technologies that can significantly impact emissions are dynamic electric pricing, ride-
hailing and demand based microtransit, intelligence traffic signals and congestion pricing.
Air quality
While some of the above can improve air quality, to directly address this challenge requires
implementing air quality sensors. While this does not automatically solve pollution, the technology can
identify the source, providing the ability to make more informed decisions. McKinsey reported that
Beijing reduced its deadly airborne pollutants by 20% in under a year by closely tracking the source of
pollution and regulating traffic and construction.
In addition, sharing real time air quality information provides the public with the capability to take
protective measures to reduce negative health effects by three to 15% depending on the current levels
of pollution.
Water conservation
Harnessing water consumption tracking technology paired with advanced metering and digital feedback
messages can reduce consumption by 15% in higher income cities where residential water is high.
However, McKinsey notes that its effectiveness depends on whether it is paired with a pricing strategy.
In developing countries, the biggest source of water waste is leaking pipes. Utilising sensors and
analytics can help to cut the loss by up to 25%.
Solid waste reduction
With low-tech recycling reaching its limits, McKinsey reports that technology could help to further
reduce the volume of un-recycled solid waste. An example of this could be to harness digital tracking
and payments, however this should be considered alongside other policy initiatives particularly for
developing economies with tight household budgets.
Cities are responsible for the majority of energy consumption and greenhouse gas
emissions
Ovington, Frontier Economics Consultant, and Houpis, Frontier Economics
Telecommunications Director, ‘18
(Tom, MSc in Economics from Warwick University and a BA in Economics and Management from Oxford
University, George, October 2018, Frontier Economics, “How Smart Cities can help tackle climate
change”, http://www.frontier-economics.com/uk/en/news-and-articles/articles/article-i4604-how-
smart-cities-can-help-tackle-climate-change/#, Accessed 7/5/21, MLiao)
Today 55% of the world’s population lives in urban areas, with this share expected to grow to 68% by
2050.[1] Cities are responsible for the majority of the world’s economic activity, energy consumption
and greenhouse gas emissions. Therefore, to significantly cut emissions, urban centres will need to both
use less energy and take greater advantage of periods when intermittent renewable energy is available.
“Smart cities” are expected to play a pivotal role in achieving these objectives. The term smart city can
encompass a broad range of initiatives, but in this article we focus on those closely linked to the Internet
of Things (IoT). These initiatives offer cities the potential to make step changes in efficiency by
harnessing new technologies and automating processes in applications as diverse as those shown in the
figure below.
Figure 1: Potential Smart Cities Applications

Note: *Examples include charging electric cars and switching on washing machines. This will be useful
because energy generation from renewable sources, such as wind and solar, are intermittent. **Users
may reduce consumption if they are more aware of how much energy they are using.
5G adoption supports development of Smart Cities and the battle against global
warming
What policymakers need to do
In general, competing networks should support the delivery of the 5G infrastructure necessary to
underpin a wide range of applications and use cases, including those related to the development of
smart cities.
However, to help fill potential gaps in 5G provision needed for smart cities to fully develop, some policy
intervention is likely to be required. In cities, where operators are most likely to densify their networks,
sites suitable for hosting 5G infrastructure – probably small cells - will be at a premium. This raises
access issues. It could also be a costly exercise to deploy multiple networks. A so called ‘neutral host’
type model could be deployed to help fill gaps in 5G coverage without undermining the overall dynamics
of competing national network operators. This could call for some policy intervention.
Policymakers can also play a role in ensuring that the public sector is an early adopter of 5G. This will
spur the proliferation of use cases and generate economies of scope in the use of 5G.
Conclusion
Smart cities can help to reduce greenhouse gas emissions in the transport sector and by reducing
electricity and heat production. The transport sector makes up 14% of global greenhouse gas emissions,
whilst electricity and heat production contribute 25%[9] (although these percentages don’t solely relate
to cities). By throwing their weight behind 5G, policymakers can not only promote a range of new use
cases and apps that will improve consumer experiences and business productivity, but they can also
support the effort to develop smart cities and ultimately contribute to the battle against global warming.
Smart cities significantly reduce greenhouse gas emissions, water consumption, and
solid waste volume.
Woetzel, McKinsey Global Institute, director, et al., 18
[Dr. Jonathan Woetzel,; Jaana Remes, economist and a partner at the McKinsey Global Institute,; Katrina
Lv, leads McKinsey’s work in the public sector and infrastructure in China; Suveer Sinha, leads the Capital
Projects & Infrastructure Practice; Gernot Strube, advises clients in the infrastructure, aerospace, rail,
and machinery sectors on digital transformations, operational strategy, and performance improvement;
John Means, serves on McKinsey's global real estate executive committee and leads development
services; Jonathan K. Law, worked at the United Nations, the New York City Economic Development
Corporation,; Andres Cadena, leads McKinsey’s Strategy & Corporate Finance, Financial Services, and
Public Sector Practices in Latin America; Valerie von der Tann, former senior project manager at the
Berlin office of McKinsey & Company, June 2018, McKinsey, “SMART CITIES: DIGITAL SOLUTIONS FOR A
MORE LIVABLE FUTURE,” pg. 7-8, https://www.mckinsey.com/~/media/McKinsey/Business
%20Functions/Operations/Our%20Insights/Smart%20cities%20Digital%20solutions%20for%20a
%20more%20livable%20future/MGI-Smart-Cities-Executive-summary.pdf, accessed 6-29-2021]JMK
Smart cities can deliver a cleaner and more sustainable environment
As urbanization, industrialization, and consumption grow, environmental pressures multiply. While

technology is only one option for addressing these issues, it can be a powerful one. Overall, our analysis
finds that deploying a range of applications to the best reasonable extent could cut emissions by 10–15
percent, lower water consumption by 20–30 percent, and reduce the volume of solid waste per capita
by 10–20 percent.
Greenhouse gas emissions. In a city where structures are the major source of emissions, building
automation systems can lower emissions by just under 3 percent if adopted in most commercial
buildings and by an additional 3 percent if adopted in most homes. Another application with significant
potential is dynamic electricity pricing, which allows utilities to charge more when demand peaks. By
reducing consumption and shifting the load to off-peak periods, it reduces the power sector’s use of
backup “peaker plants” that produce more emissions. E-hailing and demand-based microtransit could
significantly reduce emissions if fuel-efficient fleets offset more polluting alternatives. Intelligent traffic
signals, congestion pricing, and other mobility applications also cut emissions from traffic.
Air quality. Some of the energy-saving and mobility applications described above could improve air
quality as a secondary benefit. To tackle this issue more directly, cities can install air quality sensors.
They do not automatically address the causes of pollution, but they can identify the sources and provide
the basis for further action. Beijing reduced deadly airborne pollutants by roughly 20 percent in less than
a year by closely tracking the sources of pollution and regulating traffic and construction accordingly.
Sharing realtime air quality information with the public via smartphone apps enables individuals to
take protective measures, potentially reducing negative health effects by 3–15 percent, depending on
current pollution levels.
Water conservation. Water consumption tracking, which pairs advanced metering with digital feedback
messages, can nudge people toward conservation. It could reduce consumption by 15 percent in a
higher-income city where residential water usage is high, although its effectiveness depends on
whether it is paired with a pricing strategy. In many parts of the developing world, the biggest source
of water waste is leakage from pipes. Deploying sensors and analytics can cut those losses by up to 25
percent.
Solid waste reduction. As low-tech recycling programs reach the limits of what they can do, technology
could further reduce the volume of unrecycled solid waste. Digital tracking and payment for waste
disposal, for instance, charges users for exactly for the amount and type of trash they throw away. But
this type of application should be considered alongside other policy initiatives, particularly in developing
economies where household budgets are tight and a great deal of informal recycling already takes place.
Smart city technology crucial to address climate change

Gupta, Nirma University Law student, ‘20
[Nivrati, a student at the Institute of Law, Nirma University, Ahmedabad, 12-7-20, Pleaders, “Bridging
the paradox : smart cities vs. sustainable cities ,” https://blog.ipleaders.in/bringing-paradox-smart-cities-
sustainable-cities/, accessed: 7-5-21, AHP]
Inhabited by over 7 billion people, our planet is in the midst of a massive ecosystem transition, climate
change, tectonic plate movements and biological evolution. Among these, climate change is one of the
most critical issues affecting our planet and is largely attributable to human activities. Climate change
brings with it adverse effects such as threats to biodiversity and ecosystems, risks to human health,
rising sea levels due to the accelerated melting of glaciers and ice caps, increased water stress and
decreased agricultural productivity.
These issues are driving many economies and cities around the world to focus on mitigating greenhouse
emissions to counter climate change impacts. Cities account for the bulk of the world’s greenhouse gas
emissions and energy consumption. As cities in most nations are drivers of economic growth,
urbanization is projected to continue to increase in the near future. This will, in turn, drive the depletion
of non-renewable resources and add to carbon dioxide emissions. Innovation and digital technology
must be leveraged to tackle rising urbanization and climate change issues to minimize energy
consumption and improve the quality of life. To address urbanisation challenges and ensure
sustainability, innovation must be combined with energy, digital technology and information and
communications technology. Sustainability encompasses not only the environment but also social equity
and the economy. The globe is witnessing a shift in economic power corridors, as China and India are
considered to be the most powerful economies to watch out for. These emerging economic giants need
to take precautionary steps to avoid the devastating effects of climate change.
Impact---Climate Change
Climate change has disproportionate effects beyond climate model predictions

environment/2021/07/03/climate-change-heat-dome-death/, Accessed 7-4-21, MLiao)
The heat dome was just one of a barrage of climate catastrophes that struck the world in recent weeks.
Western wildfires are off to a scorching start, with firefighters actively battling 44 large blazes that have
burned nearly 700,000 acres. Parts of Florida and the Caribbean are bracing for landfall of Hurricane
Elsa, the Atlantic’s fifth named storm in what is one of the most active starts to hurricane season on
record. Nearly half a million people in Madagascar are at risk of starvation as the country grapples with
dust storms, locusts and its worst drought in decades. In Verkhoyansk, Siberia — usually one of the
coldest inhabited places on the planet — the land surface temperature was 118 degrees.
“Climate change has loaded the weather dice against us,” said Katharine Hayhoe, a climate scientist at
Texas Tech University and chief scientist for the Nature Conservancy.
“These extremes are something we knew were coming,” she added. “The suffering that is here and now
is because we have not heeded the warnings sufficiently.”
Humans burning fossil fuels have caused the globe to warm roughly 1 degree Celsius, or 2 degrees
Fahrenheit, since the preindustrial era. It’s a seemingly incremental change, but it has led to
disproportionately frequent and severe natural disasters.
Think of the climate as a bell curve, Hayhoe said, with temperatures distributed according to how
common they ought to be. The center of the bell curve may have shifted just a couple of degrees, but
the area of the curve now in the “extreme” zone has increased significantly.
Within the next week, researchers expect to publish a “rapid attribution” study that determines how
climate change made the Northwest heat wave more likely. Yet precisely quantifying the role of climate
change in the event has been difficult because the heat was just so extreme, said Michael Wehner, a
climate scientist at Lawrence Berkeley National Laboratory in California who is contributing to the
attribution effort.
“It’s well beyond what straightforward statistical analysis would suggest. It’s well beyond what climate
models suggest,” he continued. “But it happened.”
Studies show the chance of a given tropical storm becoming a hurricane that is Category 3 or greater has
grown 8 percent every decade. The acreage of the West burned by wildfire is twice what it would
otherwise be. The heat wave that struck the Northwest this week brought temperatures that were as
much as 11 degrees above the previous all-time high.
Climate change causes food shortages, droughts, and species extinction
environment/2021/07/03/climate-change-heat-dome-death/, Accessed 7-4-21, MLiao)
If we continue to burn fossil fuels at the current rate, studies suggest, the Earth could be 3 to 4 degrees
Celsius hotter by the end of the century. The Arctic will be free of ice in summertime. Hundreds of
millions of people will suffer from food shortages and extreme drought. Huge numbers of species will be
driven to extinction. Some regions will become so hot and disaster-prone they are uninhabitable.
“It’s a very different planet at those levels,” Wehner said. “This is really serious. As a society, as a
species, we’re going to have to learn to adapt to this. And some things are not going to be adaptable.”
Extreme heat is likely to be one of those things. Studies of heat waves suggest that a half a degree
Celsius increase in summertime temperatures can lead to a 150 percent increase in the number of heat
waves that kill 100 people or more. Research published last year in the journal Science found that the
human body can’t tolerate temperatures higher than 95 degrees when combined with 100 percent
humidity.
Smart Cities Impact – Social Problems
Smart Cities can help solve complicated social problems

Joshi, Honeywell Building Solutions General Manager, 21
[Aseem, 2-23-21, Forbes, “Urban Intelligence Rising: Why Smart Cities Are Better Cities,”
https://www.forbes.com/sites/honeywell/2021/02/23/urban-intelligence-rising-why-smart-cities-are-
better-cities/?sh=10c75c1219ef, accessed 6-30-21, JC]
Cities around the world are replacing educated guesses with data-based decisions that are better for
citizens and for the environment. In the process, they’re building an entirely new type of infrastructure
that marries bits and bytes with steel and stone.
The result is a paradigm shift in the urban experience. Instead of being known for their problems
— cities of the past were criticized for being dense, dangerous and dirty — cities are becoming
esteemed for their solutions: Cities of the future will be lauded as safe, healthy and efficient.
In a word, cities are becoming smarter.
You’ve heard the term “smart cities” before. What you might not realize, however, is just how much a
city’s IQ affects its residents. Smart cities will be more than dots on a map. They will be portals through
which humanity discovers new ways to live, work and play. And that’s going to change everything.
What Makes Cities ‘Smart’?
Understanding smart cities’ potential requires understanding what makes them smart to begin with. The
answer, of course, is technology. But not just technology. Rather, integrated and automated technology.
A traditional city is a series of silos. There is a department in charge of housing, for example, a
department in charge of transportation, and another department in charge of streets and sanitation.
Although they’re united under a single mayor and a single city council, each has its own discrete
ecosystem that serves its own distinct mission. They don’t compete, necessarily. But they don’t exactly
collaborate, either.
A smart city, on the other hand, is a system of systems wherein each city function is connected to all
others, creating a single web of information from otherwise segregated streams. The product of that
web is a holistic instead of fractured urban portrait that gives citizens and governments the unabridged
insight they need in order to solve complicated social problems.
Consider something as common as traffic accidents.
In a smart city, traffic cameras can capture accidents in real time. When an incident happens, they can
use artificial intelligence to instantly recognize that a collision has occurred, then automatically alert
stakeholders with location coordinates and other relevant intelligence about the situation. The result —
a faster response — could help save lives and reduce traffic congestion, thereby making the city safer as
well as more enjoyable to live in.
Machine learning algorithms can subsequently process traffic data and, over time, learn to predict
accidents before they happen. Armed with that information, the city can re-engineer streets and traffic
signals, post signage, issue public alerts or take other pre-emptive actions.
Traffic lights could also be adjusted based on needs. For example, say there is a sporting event in a
stadium that finishes at 9 p.m. Traffic emptying out of the area will spike. A smart city would adjust
traffic lights durations in anticipation to help the area empty out faster. The same use case applies when
traffic densities change, the city recognizes that fact and adjusts traffic light duration accordingly.
Smart Cities Impact – Crime
The integration of technology into cities effectively deters crime.

Sloly, Deloitte National Security & Justice practice Partner, 18
[Peter Sloly, partner at Deloitte and a former deputy chief of police with the Toronto
Police Service, Ottawa PD Chief of Police. He leads the firm’s National Security & Justice
practice, 2018, “Emerging tech that can make smart cities safer: High-tech still needs to
be high-touch,” https://www2.deloitte.com/ca/en/pages/public-sector/articles/emerging-tech-
smart-cities-safer.html, accessed 6-29-2021]JMK
Exponential technologies, big data, and advanced analytics are revolutionizing policing across Canada
and around the world. While they can’t replace the human element and back-to-basics policing, as we
wrote about in our previous post, these real, emerging, or aspirational technologies are disrupting
traditional policing models for the better.
They’re providing new ways to help police services connect to citizens, build trust, and strengthen
relationships with communities. They can also improve public safety—a recent study suggests smart
technologies could help cities reduce crime by 30 to 40 percent, and enable 20 to 35 percent faster
response times for emergency services1. That’s the kind of results smart cities the world over are
seeking in their quest to capitalize on emerging technologies to help improve the delivery and cost-
effectiveness of services to their citizens.
The following are some examples of promising technology enablers for police services.
Next-generation 911
The 911 systems we use to reach police and other first responders in an emergency haven’t changed
much in the roughly 50 years since their introduction. Dispatchers field citizens’ calls and relay
information verbally, using traditional telephone and radio technologies.
Next-generation 911 (NG911) services coming online can dramatically improve the quality of
information . Operating over internet-based networks, NG911 systems can transmit a vast array of
digital data. As well as calling 911, citizens can send texts, photos, videos, and more, which dispatchers
can review and send directly to responding officers.
Smartphones, social media, and citizen partners
Smartphones enable citizens to capture and share detailed information in near-real time with police,
whether through NG911 systems, social media sites, or dedicated public safety mobile apps. The ability
to rapidly exchange information and participate in joint problem-solving on digital platforms can be a
powerful way for police and citizens to build safer communities together.
One of the world’s first examples of this is in the Dutch city of Groningen, where police introduced an
innovative prototype of an NG911 mobile app called ComProNet (community protection network).
During a crime or other incident, police can use ComProNet to send a push notification to every user’s
smartphone and launch a Twitter feed for the incident. Similarly, citizens who witness a crime can press
the app’s alert button to connect to a police operations centre and send information such as photos and
videos.
Predictive policing: Preventing public safety problems
Predictive policing harnesses the power of big data and analytics to sift through historical public safety
data, police blotters, criminal behavioural data, camera feeds, social media , and more to predict when
and where crimes and other forms of public disorder are likely to occur. It’s already in practice: Based on
the success of a recent pilot project2 , Vancouver police are using predictive models to identify areas in
the city where residential or commercial burglaries are anticipated and then dispatching officers to deter
potential thieves.
What makes predictive policing especially attractive is its potential to prevent crime, which is the best
way to keep communities safe and increase community confidence in policing.
AT: No Smart Cities
Smart cities are popping up now

Cheng, Earth.org author '21
[Iris Cheng is an author at Earth.Org, 04-28-2021, Earth.Org - Past | Present | Future, "Importance of
Smart Cities in the Fight Against Climate Change", https://earth.org/smart-cities-climate-change/,
Many countries and cities are eager to develop smart cities to pursue sustainable development and to
improve the life of citizens. For example, the South Korean government developed a smart city plan in
2019. The plan focuses on the sharing of government data and active interactions between citizens and
government via e-platforms. Other developing countries are also working to build smart cities, such as
Vietnam and India.
“All Vietnam’s efforts in smart city development are aimed at three fundamental goals which are
sustainable urban environment, high-quality life for residents and a competitive economy,” said Tran
Quoc Thai, director of the Department of Urban Development under the Ministry of Construction,
according to the Hanoi Times.
In 2015, the Indian government announced a Smart Cities Mission (SCM) to build 100 smart cities in five
years. According to the SCM, the main objective of the mission is to promote cities that provide core
infrastructure, clean and sustainable environment and give a decent quality of life to citizens through
the application of smart solutions.
The development of smart cities has been further supported via bilateral cooperation. These
partnerships include the Memorandum of Understanding (MoU) on the Strategic Collaboration on Smart
City Development between Singapore and China (Shenzhen). This MOU, which came into effect in 2020,
listed out cooperation such as in digital connectivity, and technology collaboration. Moreover, Germany
launched a project in 2018 to help three Indian cities to become sustainable smart cities. The German
government aimed at using digital opportunities intelligently to create cities, which are good to live in
and also allow people to achieve climate targets.
Smart cities are developing right now: San Diego and Copenhagen.
Iqbal, Gemalto Public Services & Transport and IoT director, 18
[Haider, 08-13- 2018, Internet of Business, “How smart cities can help build a sustainable world,”
https://internetofbusiness.com/how-smart-cities-can-build-a-sustainable-world/, accessed 07-05-2021,
HSP]
Taking it to the next level
While these projects might appear piecemeal or isolated, it’s not difficult to imagine a future in which
every town and city has similar IoT sensors embedded in its infrastructure in order to reduce citizens’
environmental footprints and improve the way we live.
But like any growing market, scalability is always an issue. In order to expand these projects to have an
impact at city, national, or even global level, governments and businesses alike need to overcome
significant barriers to success.
In China for example, the government plans to build 100 new smart cities from by 2020, focusing on
innovation and information-intensive infrastructure. But lack of investment in infrastructure or trust in
security are often cited as holding bold initiatives like this back. This is often because decision-makers
are not given substantial promises on ROI.
The way to tackle this problem is to prove that there is real demand from citizens for sustainability
projects. With engaged citizens, governments and businesses alike can make more informed decisions
about investing in technology that the public both wants and will use.
Barcelona, for instance, has a longstanding reputation as a metropolis at the forefront of technological
innovation and has recently reviewed its smart city agenda to make sure it keeps its citizens at the heart
of its strategy. After all, smart bins or intelligent lighting are only beneficial if people actually use them.
We are already seeing real examples of success at city level. Copenhagen’s meteoric rise to become the
world’s leading smart city can be traced back to its sustainability profile and smart city ecosystem.
Elsewhere, San Diego’s smart city movement has revolutionised the city’s approach to climate change,
sustainability, and green innovation with intelligent street lights and solar-powered charging stations.
It’s all about trust
But while infrastructure provides the smart city capabilities, open data – and more importantly, trust in
its use and security –underpins the future of a sustainable city.
Historically, governments, enterprises, and individuals have all held their data close, sharing as little of it
as possible. In the past, privacy concerns and fear of security breaches far outweighed the value of
sharing information.
People can’t be blamed for that lack of trust. With security threats such as WannaCry or NotPetya
sending shockwaves around the world, it’s understandable that the idea of openly sharing data is not
always quickly adopted.
This resistance can only be overcome when citizens trust the city and the people put in charge of
protecting their data. This is why every government and business must buy into models that are built
with data security and citizen benefit at their foundations.
Initiatives such as the UK’s Open Data Institute go some way towards establishing a trustworthy data
ecosystem, but we must go further. Secure solutions, ranging from data anonymisation to digital
identities, smart encryption, and cognitive threat detection, will be crucial in making citizens feel more
comfortable about sharing their data.
If they remain reluctant, smart city initiatives will fail, slowing our progress towards a more sustainable
world.
We are all rapidly reshaping our planet and our global culture is embracing sustainability for a viable
future. Today’s innovations, such as those demonstrated by BigBelly or Quayside, are but a glimpse of
the immense potential that smart city technologies hold to meet the collective desire for a sustainable
world.
But the only way we can maximise the potential of smart cities to deliver on this is with the combined
trust of citizens, businesses, and governments. Without it, we risk patchy and underwhelming
deployments.
Smart technologies are being implemented now---Singapore

While fully functioning smart cities may appear a distant dream, some urban centres are already starting
to implement smart technologies. For example, in Singapore, which is often ranked as the best-
performing global smart city, improvements in mobility are already coming through. First piloted in
2015, Beeline is an application for crowdsourced bus services. It works by the government sharing
anonymised data with privately run bus operators to suggest new routes which are determined by
community demand. This leads to more efficient public transport and helps to reduce private car usage.
Infrastructure Scenario
Scenario – Infrastructure
Attacks on water facilities cascade into other critical infrastructure sectors

effects.
Disruption of critical infrastructure would cause catastrophic loss of life

Weiss, United Medical Instruments, National Sales Director & Weiss, UCLA-Olive View
Medical Center neurosurgeon, 19
[Matthew & Martin, 5/29/2019, Energy, Sustainability and Society, “An assessment of threats to the
American power grid”, Volume 9, No. 18,
https://energsustainsoc.biomedcentral.com/articles/10.1186/s13705-019-0199-y#Sec2, accessed 7-3-
21, AFB]
Consequences of a sustained power outage
The EMP Commission states “Should significant parts of the electrical power infrastructure be lost for
any substantial period of time, the Commission believes that the consequences are likely to be
catastrophic, and many people will die for the lack of the basic elements necessary to sustain life in
dense urban and suburban communities.” [67].
Space constraints preclude discussion on how the loss of the grid would render synthesis and
distribution of oil and gas inoperative. Telecommunications would collapse, as would finance and
banking. Virtually all technology, infrastructure, and services require electricity.
An EMP attack that collapses the electric power grid will collapse the water infrastructure—the delivery
and purification of water and the removal and treatment of wastewater and sewage. Outbreaks that
would result from the failure of these systems include cholera. It is problematic if fuel will be available to
boil water. Lack of water will cause death in 3 to 4 days [68].
Food production would also collapse. Crops and livestock require water delivered by electronically
powered pumps. Tractors, harvesters, and other farm equipment run on petroleum products supplied
by an infrastructure (pumps, pipelines) that require electricity. The plants that make fertilizer,
insecticides, and feed also require electricity. Gas pumps that fuel the trucks that distribute food require
electricity. Food processing requires electricity.
In 1900, nearly 40% of the population lived on farms. That percentage is now less than 2% [69]. It is
through technology that 2% of the population can feed the other 98% [68]. The acreage under
cultivation today is only 6% more than in 1900, yet productivity has increased 50 fold [69].
As stated by Dr. Lowell L Wood in Congressional testimony:
“If we were no longer able to fuel our agricultural machine in the country, the food production of the
country would simply stop, because we do not have the horses and mules that used to tow agricultural
gear around in the 1880s and 1890s”.
“So the situation would be exceedingly adverse if both electricity and the fuel that electricity moves
around the country……… stayed away for a substantial period of time, we would miss the harvest, and
we would starve the following winter” [70].
People can live for 1–2 months without food, but after 5 days, they have difficulty thinking and at 2
weeks they are incapacitated [68]. There is typically a 30-day perishable food supply at regional
warehouses but most would be destroyed with the loss of refrigeration [69]. The EMP Commission has
suggested food be stockpiled for a possible EMP event.
Internal Link---Health & Econ
Water systems are critical to public services, risking health and the economy
Nuzzo, Johns Hopkins Center for Health Security Senior Scholar, ‘6
(Jennifer, DrPH Johns Hopkins Bloomberg School of Public Health, Johns Hopkins Bloomberg School of
Public Health Department of Environmental Health and Engineering Associate Professor, Global Health
Council on Foreign Relations Senior Fellow, 2006, Biosecurity and Bioterrorism, “The Biological Threat to
U.S. Water Supplies: Toward a National Water Security Policy”, Volume 4, Number 2, http://www.upmc-
biosecurity.org/website/resources/publications/2006/2006-06-15-watersecuritypolicy.html, Accessed
7/5/21, MLiao)
In addition to providing potable drinking water, U.S. water systems are critical to the maintenance of
many vital public services, such as fire suppression and power generation. Disruption of these systems
would produce severe public health and safety risks, as well as considerable economic losses. Thus,
water systems have been designated as critical to national security by the U.S. government. Previous
outbreaks of waterborne disease have demonstrated the vulnerability of both the water supply and the
public’s health to biological contamination of drinking water. Such experiences suggest that a biological
attack, or even a credible threat of an attack, on water infrastructure could seriously jeopardize the
public’s health, its confidence, and the economic vitality of a community. Despite these recognized
vulnerabilities, protecting water supplies from a deliberate biological attack has not been sufficiently
addressed. Action in this area has suffered from a lack of scientific understanding of the true
vulnerability of water supplies to intentional contamination with bioweapons, insufficient tools for
detecting biological agents, and a lack of funds to implement security improvements. Much of what is
needed to address the vulnerability of the national water supply falls outside the influence of individual
utilities. This includes developing a national research agenda to appropriately identify and characterize
waterborne threats and making funds available to implement security improvements.
Water infrastructure failures cascade – threatening other infrastructure

Cioffi, York University Environmental Studies Masters Candidate, 15
[Giovanna, 2-9-15, York University in Toronto, “THE TERROR RISK TO CURRENT WATER
INFRASTRUCTURE SYSTEMS,”
https://yorkspace.library.yorku.ca/xmlui/bitstream/handle/10315/30282/MESMP02555.pdf?
sequence=1&isAllowed=y, p. 22, accessed 6-30-21, AHP]
The potential to attack the water sector is certainly not new. In 1941, the Director of the Federal Bureau
of Investigation, J. Edgar Hoover stated, “It has long been recognized that among public utilities, water
supply facilities offer a particularly vulnerable point of attack to the foreign agent, due to the strategic
position they occupy in keeping the wheels of industry turning and in preserving the health and morale
of the American populace” (Hoover, 1941, 1861-1865). What Hoover is discussing is the notion of
interdependency, and most especially today, interconnectivity.
Increasingly, water infrastructure systems have become controlled and automated from remote
locations in the name of efficiency. Additionally, this infrastructure relies on services provided by other
critical infrastructures. This creates a ‘system of systems’ where a failure in one infrastructure has the
capability of cascading, resulting in a disruption or failure to other critical infrastructures, and ultimately
having consequences that could affect public health and safety, the economy, the government, national
security, and finally, public confidence (Bahadur and William, 2011, 67). To illustrate this further, Figure
6 on the next page maps the interdependencies of the water sector.
Attacks on water facilities spillover into other critical infrastructure sectors

effects.
Water is essential to life and the infrastructure is interdependent

Cioffi, York University Environmental Studies Masters Candidate, 15
[Giovanna, 2-9-15, York University in Toronto, “THE TERROR RISK TO CURRENT WATER
INFRASTRUCTURE SYSTEMS,”
https://yorkspace.library.yorku.ca/xmlui/bitstream/handle/10315/30282/MESMP02555.pdf?
sequence=1&isAllowed=y, p. 4, accessed 6-30-21, AHP]
No living organism is self-sustaining. Although the means of survival has changed drastically over the
years - especially for humans - nothing changes the fact that humans need water to survive. As time has
passed, technology has allegedly improved, and so has, at least for some, standards of living. For most
Canadians, instead of fetching water, it now conveniently pours out of the taps in their homes.
Modern societies are built within and around networks of infrastructures that allow it to function.
Generally, these infrastructures are often referred to as critical infrastructure, and include any necessary
societal functions such as power generation, transmission and distribution, the continuity of
government, communication networks, transportation networks, and among various others, water
supply, treatment, storage and distribution networks. The reality of the twenty-first century is that
modern societies are inherently dependent, interdependent and interconnected to each of these critical
infrastructure systems.
Every day, Toronto treats more than one billion litres of potable water (City of Toronto, 2014). Each day,
people are dependent on the City, not only to provide them with this invaluable resource, but to also
ensure that it is safe to consume. The significance of ensuring a municipality’s water infrastructure is
safe rests on different levels of government.
Infrastructure Impact – Irrigation, Flooding, Drinking Water
Critical water infrastructure attacks hurt irrigation, flood control, and drinking water
The number of individual assets comprising America's critical drinking water infrastructure is enormous.
There are more than 75,000 dams and reservoirs, 160,000 public drinking water systems, 16,000 publicly
owned wastewater treatment facilities, tens of thousands of major pumping stations, and over 2 million
miles of pipes and aqueducts. 48 These individual assets make up water .systems that range from
"massive, well-known federal and state irrigation, flood control, and drinking water projects down to
part-time single well systems providing water during the tourist season at a campground. '49
Because of how ubiquitous drinking water system components are throughout the country, terrorists
are presented with ". . .an almost infinite array of potential targets. '50 Each of the thousands of
individual assets that make up this expansive infrastructure represents a potential vulnerability. Beyond
the sheer numbers, "the realities of the existing infrastructure include unprotected reservoirs, systems
with inadequate or no treatment capabilities, minimal real-time quality and pressure monitoring, open
distribution systems, aging infrastructure, limited resources... and significant growth in demand. ' 51 Put
simply, securing this nation's water infrastructure is a monumental task.
Black Sky Add-on
Resourcing, preparing, and implementing emergency plans key to reducing the risk of
catastrophic Black Sky events
Brzozowski, WaterWorld, 18
[Carol, 08-07-2018, WaterWorld, “Cybersecurity Strategies for Water Utilities,”
https://www.waterworld.com/drinking-water/treatment/article/14070919/cybersecurity-strategies-for-
water-utilities, accessed 06-28-2021, HSP]
A blueprint for cybersecurity is rooted in the Black Sky Hazard, a concept introduced in a National
Association of Regulatory Utility Commissioners (NARUC) paper, “Resilience for Black Sky Days:
Supplementing Reliability Metrics for Extraordinary and Hazardous Events,” written by Paul N. Stockton.
Stockton is the managing director of Sonecon and an international leader in infrastructure resilience,
continuity planning, and installation and personnel security, as well as US national security and foreign
policy.
The Electric Infrastructure Security Council began using the Black Sky concept as a framework when
working with electric utilities, the US Department of Homeland Security (DHS), the US Department of
Energy (DOE), and the US Department of Defense—along with the United Kingdom, Israel, and others—
on a series of Black Sky playbooks to support resilience, restoration, and recovery planning.
The group soon realized the most pressing health challenges of such a massive outage would actually be
water-related in the potential lack of drinking water, basic sanitation, and fire protection, notes Story.
Whether they come via cyber attacks or through severe weather events, threats are intrinsically tied to
the water-energy nexus: what happens to one sector affects both. “What if an electromagnetic pulse
shuts down the electric grid and you have a population center of greater than one million people who
are out of electricity for at least 25 days? How do we withstand that? How would you evacuate a major
urban center with no drinkable water and no sanitation services? There will be concerns about disease,”
she points out.
The recently-released Electric Infrastructure Protection (EPRO) Handbook II (Water) was written to
address resilience of water and wastewater service following a Black Sky event, says Story, noting that
the handbook was also a collaborative effort of American Water and AWWA.
In its executive summary, the handbook makes the point that the US and partner nations remain at risk
of blackouts far more severe than those occurring from Superstorm Sandy, Hurricane Katrina, or other
previous events. More progress in strengthening electric grid resilience is necessary to build
preparedness for Black Sky outages covering multiple US states or regions lasting a month or longer.
Risks come not only from cyber-attacks, but geomagnetic disturbances from severe solar storms and an
electromagnetic pulse strike, damaging unprotected, high-voltage transformers and other high-voltage
grid components throughout multi-state regions. Cataclysmic earthquakes in seismic zones pose unique
threats.
Such power outages disrupt water and wastewater systems that depend on the flow of electricity,
affecting water pumps, lifts, treatment systems, and other critical system components, making it
impossible in a wide area, long duration blackout to provide emergency drinking water and water for
firefighting to millions of affected citizens. Failure of wastewater systems would contaminate surface
water, a primary factor in spreading disease.
A growing number of utilities are installing their own emergency power generators or arranging with
partners such as the US Army Corps of Engineers (USACE) to do so. Many also are expanding capacity to
store generator fuel onsite, and plan for essential treatment chemical delivery.
Utilities also are affiliating with the AWWA’s Water and Wastewater Agency Response Network (WARN)
in which utilities help other utilities respond to and recover from emergencies.
Part of a utility’s playbook is establishing minimalist, sustainable service levels in coordination with
regulators, emergency managers, and other partners for meeting customer needs in wide area blackouts
lasting a month or more, and accounting for limited fuel, treatment chemical resupply, and other
logistical problems.
That entails infrastructure investments as necessary, which may require additional funding by utility
boards of directors or government officials. Power generators and fuel storage may require regulatory
policy development and associated pre- or post-outage waivers of Clean Air Act standards and other
regulatory policy changes, the EPRO handbook points out.
Private contractors and government agencies will need to be able to supply replacement generators, as
well as fuel and treatment chemicals despite the severe disruption of transportation and
communications systems Black Sky hazards will create. Backup power requires resilient fuel sources and
reliance on those sources depends on a utility’s location and infrastructure.
[Story = Susan Story, American Water CEO]

Terrorism & Cyber War Scenarios
Scenario – Terrorism
Water terrorism rising now—263% increase in attacks since 1970

In 2014, after losing a number of Somalian cities it had captured to African Union and Somali troops, the
terrorist group Al-Shabaab changed its tactics. To demonstrate its continued power and presence, Al-
Shabaab cut off water supplies to its formerly held cities. Residents from these cut-off cities were forced
to fetch water from nearby towns, many of which Al-Shabaab controlled. But the terror group
prevented anyone living in government-controlled territory from entering, which increased people’s
frustration with the government.
Attacking water is not a new terror tactic. Three decades earlier, in the midst of Peru’s economic crisis
and failed agrarian reforms, the leftist group Shining Path destroyed precious water infrastructure , along
with bridges and electrical systems. More recently, the Islamic State of Iraq and the Levant (ISIL) took
control of Tabqa (2013) and Mosul (2014) dams, spurring fears the dams would fail and disrupt water
flows and hydropower generation.
To better understand incidents like these, we launched a study to codify, quantify, and conduct a
geospatial analysis of water-related terrorism. Using the Global Terrorism Database, which includes
more than 170,000 terrorism incidents from 1970-2016, we developed a method to codify types of
water-related terrorism. Using this method, we found 675 water-related incidents in 71 countries,
conducted by 124 known terrorist organizations, and resulting in approximately 3,400 dead or wounded
people. Contrary to the belief that terrorists typically use water as a weapon, we found that the most
common target of water-related terrorism was water infrastructure: the pipes, dams, weirs, levees, and
treatment plants associated with water storage, treatment, and delivery. Terrorists target infrastructure
to inconvenience government authorities, influence populations, and cripple corporations.
On the Rise, But Not Everywhere
While water-related terrorism is not new, it is on the rise, increasing 263 percent from 1970 to 2016,
according to our analysis. The highest concentration of incidents—68 percent—occurred in the post-
9/11 era, while 18 percent took place during the Cold War period and 13 percent in the post-Cold War
period.
Terrorist attacks on water pose multiple threats, even to places not directly attacked
The terror organizations with the highest number of incidents include ISIL, the Taliban, Colombia’s FARC,
and the Shining Path. Shining Path and ISIL both favor attacking water infrastructure, which is
consistent with the overall target pattern we found. The Taliban targets people associated with water
resources, such as dam security guards and Afghanistan’s minister for energy and water , who it
attempted to assassinate in 2009. It also has the highest proportion of “water as a weapon” incidents,
close to 20 percent, in which water is used to poison or drown people, or water sources are ground zero
for detonating bombs.
FARC targeted oil infrastructure, which then contaminated water resources that sometimes supplied
drinking water. For example, in 2015, FARC bombed the Tansandio pipeline, releasing 10,000 barrels of
oil into Colombia’s Mira River. As a result, 150,000 people lost their access to water in the country’s
most severe environmental disaster to date.
Future Studies, Future Threats
Going forward, we intend to look more extensively at the regions with the highest number of incidents,
and examine related transboundary watersheds. We will also look at downstream communities where
the population is highly dependent on surface water, and countries with extensive water development
infrastructure.
Water-related terrorism can strain efforts to manage transboundary watersheds already plagued by
weak governing institutions and uncoordinated water development, posing an additional threat
alongside their existing climatic, economic, social, and political challenges .
These threats could be especially challenging in transboundary watersheds where attacks on upstream
water infrastructure impact downstream countries. In the Amazon River basin, for example, Brazil may
suffer consequences of Peru’s Shining Path attacks on the infrastructure in the Andean region
headwaters—and have no official recourse. None of the current treaties or international water
agreements on the Amazon include language about how to respond to terrorism.
Finally, terrorist attacks on water infrastructure pose a particular threat to highly developed rivers and
waterways, where computer systems control the flow of water through dams and other water
infrastructure. For example, in 2016, the U.S. Justice Department announced that an Iran’s Islamic
Revolutionary Guards Corps had hacked into the control system of a small dam north of New York City.
While this attack was not successful (and even if it had been, the consequences would’ve been limited),
a cyberattack on the dams along the Columbia or Missouri rivers, for example, could wipe out millions of
people downstream.
Cyber attack cause public panic – risks erosion of democratic norms and escalatory
retaliation
Gross, University of Haifa political science professor, et al, 17 (Michael L., Daphna Canetti
and Dana R. Vashdi, School of Political Science, The University of Haifa, Mt. Carmel, Haifa, Israel,
“Cyberterrorism: its effects on psychological well-being, public confidence and political attitudes”,
Journal of Cybersecurity, 3(1), 2017,49-58, doi: 10.l093/cybsec/tyw018,
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5370589/, accessed 7/2/21, sbl-gdi21)
Our results show that cyberterrorism, even when non-lethal, impacts the civilian population in several
ways. First, cyberterrorism aggravates anxiety and personal insecurity. Secondly, lethal and non-lethal
terrorism exacerbate perceptions of threat and personal insecurity. Thirdly, many people, particularly
those with high levels of threat perception, are willing to support strong government policies. These
policies split along two lines and include foreign policy (e.g. cyber and/or kinetic military responses to
cyberattacks) and domestic policy (e.g. tolerance of government surveillance and control of the
Internet). As threat perception increases, individuals take increasingly stringent political views. Like
conventional terrorism, cyberterrorism hardens political attitudes as individuals are willing to exchange
civil liberties and privacy for security and support government surveillance, greater regulation of the
Internet and forceful military responses in response to cyberattacks. And while these measures are
meant to ensure national security, such foreign and particularly domestic policies may adversely affect
the unfettered discourse necessary for a vibrant and open democratic society [44].
Fear from terrorist attacks causes racism and nationalism

Walsh, Ontario Tech Criminology and Justice Assistant Professor, 17
[James, 07-01-2017, International Sociological Association, “Moral panics by design: The case of
terrorism,” Volume 65, Issue 5, https://doi.org/10.1177%2F0011392116633257, p. 6-7, accessed 06-30-
2021, HSP]
Public concern and consensus regarding terrorism have often reached seismic proportions following an
attack. Underpinned by its violent and unanticipated nature, and further stoked by the volume and
intensity of media and political discourse, terrorism produces a ‘culture of fear’ (Furedi, 2006), dynamics
witnessed in public opinion surveys, newscasts, official alerts, security checkpoints, warning posters,
armed guards, behavioral evidence, whether increased expenditures on personal safety, refusals to fly
or travel internationally, or spikes in hate crimes and vigilantism directed towards those of Muslim or
Middle Eastern background, provides more immediate proof of heightened anxiety (Mueller, 2006;
Welch, 2006).2 Such dynamics are also evidenced in rituals of solidarity and security. Like other external
threats, terrorism may produce significant, albeit fleeting, displays of patriotism, unity, and loyalty.
Faced with a threatening enemy: ‘people draw together; symbols are rallied around; leaders exalted;
control becomes more centralized’ (Collins, 2004: 53).
Hostility
Terrorism also produces intense enmity towards its perceived perpetrators. Approached as fanatical,
nihilistic, and ‘ultra-deviant’, terrorism’s practitioners are constructed as inhuman and beyond reason
and civilization, dynamics frequently displaying collateral consequences for entire national, religious,
and racial groups with no connection to political violence (Mythen and Walklate, 2006; Welch, 2006).
Typifying such dynamics, around the start of the 20th century Anarchists and political radicals in Europe
and North America were characterized as ‘wild animals’, ‘lunatics’, and a ‘growing bacillus menacing the
… body politic’ (Miller, 2013: 124). Additionally, the military dictatorship in 1970s Argentina framed
small bands of revolutionary terrorists as threats to Christendom and Western Civilization, claims
legitimating massive acts of state terror against almost anyone expressing sympathy for leftist ideologies
(Oplinger et al., 2013). Finally, in the
early 1980s, American judge Arthur Goldberg characterized terrorism as a ‘clear and present threat to
[civilization’s] very existence’ (Townshend, 2011: 33).
Amid the WOT, virulent rhetoric has been ratcheted up considerably. Political elites have not only
channeled, but actively cultivated public resentment through hardened distinctions between
friend/enemy and good/evil, dynamics positing an in-group of respectable citizens and an out-group of
threatening others. Characterized as a ‘new kind of evil’ (Hoffman, 2006: 30), President Bush claimed Al-
Qaeda endangered collective morality and the very order of American society, seeking ‘not merely to
end lives but to disrupt and end a way of life’ (Jackson, 2005: 194). Terrorism’s moralization was also
witnessed in official explanations. The 9/11 attacks were depicted as an assault on America’s exceptional
moral and political qualities, whether its democratic, open, or pluralistic character.3 This depoliticized
framing reduced the attacks to the evil deeds of deranged, pathological individuals, denying the
possibility that American militarism and aggression within the Islamic world might have contributed to
the violent acts the country was attempting to liquidate. Like other elite-engineered moral panics, such
rhetorical moves functioned to unite citizens in collective opprobrium, reaffirm their morality and
0identity, and divert attention from more pressing and intractable issues.
Failure to strengthen resiliency ensures authoritarian state responses, including

escalating conflict, collapsing global stability
Kerttunen, Tallinn University of Technology Centre for Digital Forensics and Cyber
Defence Senior Research Scientist, 20 (Mika, Chapter 12 CYBERTERRORISM A Schrodinger s cat in
ROUTLEDGE HANDBOOK OF INTERNATIONAL CYBERSECURITY Edited by Eneken Tikk and Mika
Kerttunen, p. 170-71, sbl-gdi21)
Cyberterrorism is a conceptual construction. We have fortunately not yet witnessed death and physical
destruction through digital means. Intimidating people and influencing opinion is as yet a reality beyond
the usual accounting of inter alia recruitment, communication, and training. Therefore, we should not
wait for death and destruction to occur before taking action. Most importantly, we should better
acknowledge the public and political influence on-line terrorism has upon us.
Cyberterrorism can indirectly threaten international peace and security. By inciting hatred and harsh
responses, it deteriorates bilateral relations, regional stability, and domestic peaceful conditions. It
escalates in-built tensions and latent and on-going conflicts. When cyberterrorism is attributable to a
foreign government, it is likely to threaten international peace and security without such conditioning
public factors.
Measures to counter cyberterrorism are primarily designed to solve technical, societal, and national
challenges. These measures indirectly strengthen international peace and security. Normative,
organizational, and technical measures reduce vulnerabilities against several types of threat actors,
vectors, and vulnerabilities, including unintentional incidents and insider threats.
As the UN Security Council (2014) has reaffirmed, universal adherence to and implementation of the
rule of law, as well as emphasis on the vital importance it attaches to promoting justice and the rule of
law as an indispensable element for peaceful coexistence and the prevention of armed conflict.
Strengthening international peace and security, adherence to rule of law, respecting human rights and
supporting sustainable development goals help to prevent and root out terrorism. Enhancing domestic
resilience and improving incident management and forensic and attribution capabilities, prevents
terrorism from achieving its destructive and transformative objectives and avoid false attribution,
thus reducing the most probable causes of terrorism threatening international peace and security.
Export controls created to prevent the acquisition of weapons of mass destruction and advanced
conventional armament need to include ICT systems, equipment, and software but also capability
elements that help design cybertools to penetrate, weaken or defeat governmental, corporate and
individual information security.
Imposing intrusive restrictions and law enforcement measures may appear a good option for many
governments. However, since terrorism tries to provoke the hardening of political and social attitudes,
harsh measures should be applied with caution. Export controls can be seen as unjust and increase
national insecurity. Terrorizing on-line messaging and incitement needs to be disrupted but mainly to
prevent societal radicalization and a cycle of revenge.
The Baader-Meinhof/Rofe Armee Fraktion was a group that tried to provoke the Federal Republic of
Germany into class struggle and revolution in the 1970s. With the help and exploitation of social media,
contemporary terrorists are far more successful in manipulating domestic and global attitudes — often
harshly reactionary rather than supportive of terrorism. Extraordinary powers and non-transparent
security measures degrade the liberal order and modern way of life that terrorists of all colour despise.
By restricting our preferred way of life, and by limiting individual freedoms, we are polarizing our
societies. We are also fos- tering a world order of difference and intolerance, a world order of fear and
hatred, where international peace and security easily becomes exposed, vulnerable, and breached.
Scenario – Cyber War with Russia
Russian cyberattacks against critical infrastructure are likely now---it aligns with their
strategic objectives.
Koehler, Georgetown Security Studies Program M.A. Candidate, 19
[R. Kekoa Koehler, M.A. Candidate in the Security Studies Program at Georgetown University,
concentrating in U.S. National Security Policy. Kekoa currently works as an adjunct research assistant for
the RAND Corporation’s Homeland Security and Operational Analysis Center and previously worked as a
Special Assistant to the Assistant Secretary for Strategy, Plans, Analysis, and Risk—Office of Policy at the
Department of Homeland Security. He graduated from Hawaii Pacific University with a B.A. in
International Relations, January 2019, Georgetown Security Studies Review, “When the Lights Go Out:
Vulnerabilities to US Critical Infrastructure, the Russian Cyber Threat, and a New Way Forward,” Vol 7,
Issue 1, pg. 29-30, https://georgetownsecuritystudiesreview.org/wp-content/uploads/2019/01/GSSR-
7.1-final-text-updated.pdf#page=27]JMK
The Threat Actor: Offensive Intent and a Ukrainian Test-Bed
The Russian Federation possesses advanced offensive cyber intrusion and intelligence capabilities that
were developed to infiltrate the crucial energy generation and water systems of their strategic
adversaries. As the nature of US strategic competition with the Russian Federation changes, the USG
faces a significant national security challenge from Russian cyber operations targeting US CIKR
systems.
Russian hacking operations are integral toward achieving Russia’s broader national, regional, and global
strategic objectives. The Russian government sees its national security objectives tied to global and
regional threats that seek to contain and constrain Russia’s development as a major power.21 The
enlargement of NATO and the location of its military infrastructure led by US efforts in Estonia and
Poland create an inherent threat to Russian national security from the perspective of the Russian
government.22 Additionally, Russia identifies post-revolutionary Ukraine as an immediate security
threat on its western border and a sign of US attempts to surround Russia with adversarial states. To
combat this strategic threat, Russia turned to improving its offensive cyber operation capabilities. The
Russian government recognizes its disadvantage in the conventional military realm which drove it to
pursue below-threshold cyber operations and other gray-zone capabilities that provide attribution
deniability, political and civil-society confusion, and drawn out response times for Russia’s
adversaries.23
Following the ousting of Ukrainian President and Russian ally Viktor Yanukovych in 2014, Russian
intelligence and military cyber operators have honed their capabilities in targeted CIKR operations using
Ukraine’s systems as a test-bed.24 In 2015, Russian cyber teams breached the ICS of three Ukrainian
power distribution stations, locked controllers out of their substation control systems, and disabled 60
Ukrainian substations resulting in over 225,000 people losing access to power .25 The attackers then
disabled backup power supplies to two of the three distribution centers, leaving Ukrainian operators
stumbling in the dark as they attempted to bring the substations back online.26 Successful Russian cyber
operations on Ukraine’s CIKR systems portends similar attacks for power generation plants and
distribution centers in the United States. The control systems in Ukraine were surprisingly more secure
than some in the United States as they were well-segmented from the control center’s business
networks with robust firewalls.27 Disturbingly, the USG reported in 2014 that unattributed hackers
planted similar versions of malware found in the Ukrainian power grid attacks on the networks of US
power and water utilities systems.28 While the Ukrainian grid attack may have only lasted a few hours,
US electrical grids are more extensively interconnected to key sectors that enable the US economy
and provide crucial utilities services to US metropolitan areas with far larger populations than in
Ukraine.
The US will respond to cyberattacks with nuclear weapons.

Klare, Hampshire College Peace and World Security Studies Emeritus Professor, 19
[Michael, 11-12-2019, Arms Control Association, “Cyber Battles, Nuclear Outcomes? Dangerous New
Pathways to Escalation,” https://www.armscontrol.org/act/2019-11/features/cyber-battles-nuclear-
outcomes-dangerous-new-pathways-escalation, accessed 06-29-2021, HSP]
Under the Obama administration’s NPR report, released in April 2010, the circumstances under which
the United States would consider responding to non-nuclear attacks with nuclear weapons were said to
be few. “The United States will continue to…reduce the role of nuclear weapons in deterring non-
nuclear attacks,” the report stated. Although little was said about what sort of non-nuclear attacks might
be deemed severe enough to justify a nuclear response, cyberstrikes were not identified as one of these.
The 2018 NPR report, however, portrayed a very different environment, one in which nuclear combat is
seen as increasingly possible and in which non-nuclear strategic threats, especially in cyberspace, were
viewed as sufficiently menacing to justify a nuclear response. Speaking of Russian technological
progress, for example, the draft version of the Trump administration’s NPR report stated, “To…correct
any Russian misperceptions of advantage, the president will have an expanding range of limited and
graduated [nuclear] options to credibly deter Russian nuclear or non-nuclear strategic attacks, which
could now include attacks against U.S. NC3, in space and cyberspace.”1
The notion that a cyberattack on U.S. digital systems, even those used for nuclear weapons, would
constitute sufficient grounds to launch a nuclear attack was seen by many observers as a dangerous shift
in policy, greatly increasing the risk of accidental or inadvertent nuclear escalation in a crisis. “The entire
broadening of the landscape for nuclear deterrence is a very fundamental step in the wrong direction,”
said former Secretary of Energy Ernest Moniz. “I think the idea of nuclear deterrence of cyberattacks,
broadly, certainly does not make any sense.”2
Despite such admonitions, the Pentagon reaffirmed its views on the links between cyberattacks and
nuclear weapons use when it released the final version of the NPR report in February 2018. The official
text now states that the president must possess a spectrum of nuclear weapons with which to respond
to “attacks against U.S. NC3,” and it identifies cyberattacks as one form of non-nuclear strategic warfare
that could trigger a nuclear response.
The Nuclear-Cyber Connection
A US-Russia nuclear war kills millions and dramatically alters the Earth’s climate.
Whitcomb, Live Science contributor, 19
[Isobel, 08-30-2019, Live Science, “A Nuclear Winter Could Last Years After an All-Out War Between
Russia and the US,” https://www.livescience.com/nuclear-winter-disaster.html, accessed 07-01-2021,
HSP]
If Russia and the United States launched an all-out nuclear war, it would spell disaster for everyone on
Earth, a new study suggests. Not only would explosions, fires and radiation exposure kill millions in
targeted cities, but a "nuclear winter" lasting months to years would also drastically alter the Earth's
climate, causing freezing summers and worldwide famine.
The Cold War may be over, but nuclear bombs are still uniquely destructive, and there's more than
enough of them to cause climate catastrophe, said study co-author Alan Robock, an environmental
scientist at Rutgers University in New Jersey.
"People think that nuclear weapons are just bigger bombs," he told Live Science.
But they're not. When a nuclear bomb explodes, one-third of its energy goes into an immediate
explosion of heat and light, according to a review published in the journal WIREs Climate Change. An
aftershock follows this explosion, leveling any structures around the detonation and creating piles of
kindling ready to catch fire. Then, as fires rage, smoke billows into the atmosphere. While rain would
wash out some of that smoke, much of it would drift into the stratosphere, where it could linger above
the clouds, blotting out the sun. That's what would cause nuclear winter.
The authors of the new study, published July 23 in the Journal of Geophysical Research: Atmospheres,
used modern climate models to calculate the effects of smoke from nuclear explosions on Earth's
temperature, wind patterns and more. Their study wasn't the first to model the effects of nuclear
winter; in 2007, a team of researchers led by Robock ran a similar simulation.
However, this new study looked at Earth in higher resolution than the earlier research, said Robock. The
recent research also looked at more locations and included processes not described by the previous
model, like the effects of soot on atmospheric chemistry and the influence of nuclear winter on the
oceans.
Even with the updated calculations, the outcome of nuclear winter was bleak. That gives Robock more
confidence that the outcomes suggested by these models are accurate predictions he said.
"People criticize models because they're imperfect," Robock said, "but if you can reproduce the model,
you can have confidence in your result."
"There really would be a nuclear winter with catastrophic consequences," Joshua Coupe, a doctoral
student in atmospheric science at Rutgers University and lead author of the study, said in a statement.
The researchers found that if the U.S. and Russia were each to launch their entire nuclear arsenals at
one another, soot would drift high into the atmosphere, blotting out the sun for months to years.
Summers would become a thing of the past, with temperatures throughout much of the Northern
Hemisphere dipping below freezing year-round. Growing seasons would be cut by 90%, and most of the
world would be plagued by famine.
In addition to dropping surface temperatures, nuclear winter would have a major impact on everything
from ocean currents to the jet stream. The study's model predicted a seven-year-long El Niño, a
normally yearlong weather pattern in the Pacific Ocean that usually occurs only every three to seven
years. It leads to either drought or extreme rainfall in affected regions.
During a nuclear winter, people turning to the oceans to supplement dwindling crops would be
disappointed, as much of the ocean's biodiversity would also disappear. Finally, as if the effects on
climate weren't enough, soot would poke huge holes in the ozone layer, bombarding the surface of
Earth with ultraviolet radiation.
This isn't the first time scientists have warned of the potentially disastrous climatic consequences of
nuclear war. In the early 1980s, the height of the nuclear arms race, scientists (including astronomer Carl
Sagan) first hypothesized that smoke from nuclear explosions could blot out the sun, drastically altering
Earth's climate. The term "nuclear winter" was coined in 1983, when a landmark study in the journal
Science calculated that temperatures could fall below freezing in the middle of continents.
Scenario – Cyber War
Cyber threats are on the rise now

The ransomware attack on Colonial Pipeline, rather than an isolated attack by an emboldened adversary,
represented an escalation of an existing global trend where malicious threat actors target critical
infrastructure sites.
Colonial paid $4.4 million in ransom to a Russia-linked threat actor called DarkSide, after the attackers
exploited a legacy VPN profile and compromised the company's IT environment.
"When it came to Colonial Pipeline shutting down, I think that was a big wakeup call for a lot of sectors
in terms of what was originally a cyber issue on the information technology side, can disrupt operations,
which is something that we've been focused on for a number of years now," Jim Hempstead, managing
director in Moody's Global Project and Infrastructure Finance Group.
Moody's cited data from Claroty, an industrial cybersecurity specialist, which showed 297 cyber
vulnerabilities across the energy, water and wastewater sectors during the second half of 2020. The
figures represented an increase of 23% from the 2019 period and 66% from the 2018 period.
Moody's also noted a series of high-profile ransomware attacks on energy and other utilities around the
world in recent months, including the June 2020 attack on Enel Group by the Snake ransomware
organization and the February 2020 attack on a U.S. natural gas facility that had to halt pipeline
operations for two days.
The Oldsmar water treatment facility in Florida was also the target of a threat actor that gained remote
access by exploiting the operator's supervisory control and data access system through TeamViewer.
Some industries have taken steps to boost cybersecurity practices and regulatory oversight in recent
months.
Cyber warfare creates a litany of impacts that are conflict multipliers

Townsend, Untied States Cybersecurity Magazine Staff Writer, 19
[Caleb, 5-14-19, United States Cybersecurity Magazine, “Cyber Warfare: Modern Front-lines,”
https://www.uscybersecurity.net/cyber-warfare/, accessed 6-30-21, JC]
Sabotage
When thinking of a cyber threat, one often hears about credit cards being stolen, websites going down,
or information being sold on the dark web. However, sabotage in the cyber warfare sense involves
targeting computers, satellites, or infrastructures that people rely on. Indeed, sabotage causes mass
panic and disruption.
Some common targets include power grids, water systems, financial systems, etc. One notable example
is Stuxnet. Stuxnet was a malicious computer worm that was used by the American military as part of an
operation entitled Operation Olympic Game. The worm infiltrated factory computers and was intended
to sabotage Iran’s uranium enrichment facility. Therefore, New York Times reported that Suxnet is “The
first attack on critical industrial infrastructure that sits at the foundation of modern economies.”
Espionage
Nobody regards most forms of espionage, cyber or not, as cyber warfare in the traditional sense.
However, when espionage exposes major nation state powers, reacting forces often describe said
espionage as attack. As a result, tensions will heighten between the warring states. Therefore, espionage
is often known as a “soft threat”, one that usually leads to larger threats.
Some known examples include America spying on other countries, as revealed by Edward Snowden or
the NSA’s spying on Angela Merkel. Additionally, the Office of Personnel Management Data
Breach and Titan Rain are both solid examples of Chine engaging in corporate espionage.
Denial-of-Service Attack
A Denial-of-Service (DoS) attack occurs when legitimate users are unable to access information or other
network resources. This act of cyber warfare targets high profile services such as banking and credit card
companies.
Often, rival governments will employ a DoS attack in order to take down a competitor’s website.
However, in more extreme cases, a state-sanctioned DoS could cripple an entire web of infrastructures.
In many cases, DoS attacks link to ransomware implementations.
Propaganda
Much like espionage, propaganda is a “soft threat” or second tier form of cyber warfare. Propaganda is a
concerted effort to control public perception on a topic by controlling the types of media that people
see. Propaganda is not an uncommon occurrence. In fact, every country uses propaganda of some sort.
Using WW2 and America as an example, Disney used to put out anti-nazi cartoons starring Donald Duck.
In addition, cartoonists like Dr. Seuss and comic strips like Little Orphan Annie, and Superman would
attempt to sway public opinion on the war. Even commercials of the time urged the public to buy war
bonds.
However, as time progresses, propaganda becomes more subtle and more insidious. In fact, more
serious cases of social media manipulation, fake news websites, and online censorship qualify as a form
of psychological warfare. These methods help create a distrust in the government. Additionally, they can
influence elections and warp infrastructure. However, most notably, propaganda delegitimizes social
and political structures upon which cyber defenses rely on.
Note: Highlighted in yellow are words I think we might want to replace.

Internal Link – Panic
The vulnerabilities of the system make for an era of cyberattacks that threaten lives
now
Perlroth, New York Times cybersecurity journalist, 21
[Nicole, 6-7-21, The New York Times, “Are We Waiting for Everyone to Get Hacked?,”
https://www.nytimes.com/2021/06/05/business/leon-panetta-cyber-attacks.html, accessed: 6-28-21,
AHP]
MONTEREY, Calif. — Leon Panetta is one of the few American government officials who can look around
at the nation’s rolling cyberdisasters and justifiably say, “I told you so.”
The former secretary of defense was among the first senior leaders to warn us, in the most sober of
terms, that this would happen in a 2012 speech that many derided as hyperbolic. He didn’t foretell
every detail, and some of his graver predictions — a cyberattack that could derail passenger trains or
worse, derail trains loaded with lethal chemicals — have yet to play out. But the stark vision he
described, of hackers seizing our critical switches and contaminating our water supply, is veering
dangerously close to the reality we are living with now.
In just the past few months, hackers — we still don’t know who — were caught messing with the
chemical controls at a water treatment plant in Florida, in what appeared to be an attempt to
contaminate the water supply just ahead of Super Bowl weekend in Tampa. Ransomware attacks are
striking every eight minutes, crippling hospitals and American mainstays like gas, meat, television, police
departments, NBA basketball and minor league baseball teams, even ferries to Martha’s Vineyard. This
past week, the targets were one of the world’s largest meatpacking operators and the hospital that
serves the Villages in Florida, America’s largest retirement community. The week before it was the
pipeline operator that carries half the gas, jet fuel and diesel to the East Coast, in an attack that forced
the pipeline to shut down, triggered panic buying and gas shortages and was just days from bringing
mass transit and chemical refineries to their knees.
And those are just the attacks we see. Beneath the surface, American businesses are quietly paying off
their digital extortionists and burying breaches in hopes that they never see the light of day. China
continues to cart off America’s intellectual property, most recently in an aggressive cyberassault on the
defense industrial base, and curiously, New York’s Metropolitan Transportation Authority. Russia’s
government hackers have shut off the power in Ukraine twice. They’ve reached the control switches at
American power plants, and breached nuclear plants too. And Russia’s elite intelligence agency, the
S.V.R., slithered its way through hundreds of American companies and government agencies for nine
months before it was caught. In the process, it wrecked confidence in the software supply chain. And,
officials concede, its agents are quite likely still inside.
To anyone who had been paying the slightest bit of attention, none of this comes as a surprise. We are
racing toward — in fact have already entered — an era of visceral cyberattacks that threaten Americans’
way of life. And yet, despite the vulnerabilities these attacks reveal, individuals, organizations and
policymakers have yet to fundamentally change their behavior.
[Panetta = Leon Panetta, former Secretary of Defense and former Director of the Central Intelligence
Agency]
Community fear leads to intense anxiety and stress that can cause physical health to
deteriorate
Small, MD, UCLA David Geffen School of Medicine professor, 16
[Gary, 8-23-16, STAT, “The science of mass hysteria: When we face uncertainty, our minds crave
explanations,” https://www.statnews.com/2016/08/23/terrorism-mass-hysteria-panic-science/,
accessed 6-30-21, JC]
Incidents of mass panic or hysteria depend on the mood of the crowd at the time an episode occurs.
Over the past 30 years, I have studied many outbreaks of mass panic and hysteria. In all of them, the
common denominator is a backdrop of anxiety and stress. Fear and anxiety can spread from person to
person like a contagious disease. When people are predisposed to overreact to any fearful stimulus,
mass hysteria can instantaneously take over a crowd.
Social contagion can occur anywhere that groups of people gather, and they aren’t limited to the fear
of terrorist attacks. I have investigated incidents where large groups of people became ill because they
were convinced that an environmental threat was causing them real physical symptoms — headache,
pain, numbness, fainting — even when no actual threat existed. On May 20, 1981, elementary school
students in Templeton, Mass., were afflicted with nausea, abdominal pain, and shortness of
breath during two school assemblies. Following extensive searches, investigators concluded that the
illness resulted from a psychological rather than a physical cause.
Sometimes such illnesses can persist for days. Most of the time, though, once the afflicted crowd
disperses, the symptoms disappear, probably because they are only “contagious” when new victims
observe others falling ill. Rumors about the causes of these outbreaks are common and spread quickly
through neighboring communities via social media.
The J.F.K. episode did not involve social contagion of psychosomatic symptoms, but rather the spread of
panic, fear, and false beliefs. These have contributed to mass hysteria outbreaks recorded as far back as
the Middle Ages, when nuns in isolated convents would meow together at specific times of day for no
reason.
On October 30, 1938, many listeners believed that Martians were invading the United States as they
listened to Orson Welles do his “The War of the Worlds” radio dramatization. In 1944, residents of
Mattoon, Ill., believed that a “phantom gasser” was spraying poisonous mist into the bedroom windows
of teenage girls, causing nausea, vomiting, and burning sensations in their mouths and throats.
In the early 1950s, when people in the state of Washington were on edge about nuclear testing, many
believed that cosmic rays or shifts in the Earth’s magnetic field were causing previously unnoticed
windshield pits or dings in their cars. Some even blamed it on “supernatural gremlins.” These examples
show how a worried group can misinterpret physical phenomena and environmental cues that might
otherwise go unnoticed.
In this new era of terrorism, we have a lot to worry about. My guess is that we can expect to observe
more of these episodes. Thanks to almost daily reports of terrorist attacks, we’re told to be ever more
vigilant of anything suspicious or out of the ordinary. Such attentiveness has saved many lives since
9/11. But at the same time we need more effective ways of stopping the spread of rumors and false
beliefs of imminent threats.
When we face uncertainty, our minds crave explanations. Because of the regular and graphic accounts
of terrorist explosions and gunfire that can occur almost anywhere — airports, malls, city streets, or
concerts — a loud popping sound is no longer interpreted as a burst balloon or an engine backfire but as
a signal to flee from impending danger.
In today’s frenzied, digitally connected world, anxiety and panic can spread farther and faster than ever
before. We need countermeasures to calm rising fears. Many blame the media for fueling fear and
panic, but an important job of the press is to inform the public of events as they emerge. Although
sensationalized headlines can sometimes fuel social contagion of panic, the media also have the ability
to quell mass fear.
Because we are living in a new era of terrorism, we need new action plans that will help authorities pool
resources so they can inform us of real danger and also manage benign events so they aren’t
misinterpreted as threats and cause unnecessary mass panic. Policy makers, public health officials, and
national and local authorities must become more effective in using social media to inform those at risk
about real threats and sensible responses. Just as many know the Heimlich maneuver and CPR to
address individual medical emergencies, the public needs a menu of coordinated plans of action to help
avert future outbreaks of mass panic.
Truth and knowledge trump anxiety and fear any day.

Internal Link – Vulnerability – Bio, Chemical, Cyber Attacks
Vulnerable water systems risk bioterrorism, chemical contamination, and cyber attack
Shermer, District of Columbia General Attorney, 06
America’s Drinking Water Infrastructure Safer Four Years Later?”, Volume 24, Issue 2, pg. 368-9,
accessed 6-29-21, MLiao)
Frighteningly, there are a variety of means by which either objective can be carried out. "Drinking water
utilities have long been recognized as potentially vulnerable to terrorist attacks of various types,
including physical disruption, bioterrorism, chemical contamination, and cyber attack. '63 Furthermore,
drinking water systems are vulnerable to radiological contamination, as well as through their
dependence upon other critical infrastructure sectors for their proper operation. 64 Terrorists have
shown interest in utilizing all of these methods to carry out their insidious goals.65 Worse yet, "[t]he
knowledge, technology, and materials necessary to build weapons of mass destruction are spreading.,
66
Since September 11th, we have also unfortunately come to realize that the terrorist organizations
likeliest to attempt such attacks are "more global in [their] range, and more ruthless in [their] ideology
than all but [their] most dedicated students could have ever imagined. '67 They are strategic actors who
"choose their targets deliberately based on the weaknesses they observe in our defenses and our
preparations. '68 Furthermore, many terrorist organizations are extremely well-financed. 69 These
resources enable terrorists to pursue their most violent objectives by enticing those with technical
expertise to help them gain access to mankind's deadliest weapons. 70
Internal Link – Espionage
Cyber hacking can be used for espionage and political leverage

Armerding, Synopsys Software Integrity Group security advocate, 15
[Taylor, 11-5-2015, CSO Online, "Hostile nations have breached U.S. infrastructure. But don’t panic,"
https://www.csoonline.com/article/3001449/hostile-nations-have-breached-u-s-infrastructure-but-don-
t-panic.html, accessed 6-29-2021, CG]
Don’t worry too much. But don’t be too happy either.
That seems to be the mixed message to Americans who rely on the nation’s critical infrastructure for
just about everything that defines modern life: Lights, heat, air conditioning, clean water,
transportation, appliances, TV, the expanding Internet of Things (IoT) and, of course, social media.
There has been ongoing, sometimes fierce, debate for more than a decade about the likelihood of a
cyberattack taking down the grid and other industrial control systems (ICS), not just for a few days or
weeks, but for months or even a year or more.
Obviously, nothing of that scale has hit the nation yet. But the topic hit front pages and major TV news
shows recently because retired ABC TV “Nightline” anchor Ted Koppel is now on tour promoting his
new book, “Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath,” in which he
contends that not only is the nation’s critical infrastructure vulnerable to cyberattacks, but that multiple
hostile nation states have already breached those systems and that the U.S. has no plan in place to cope
with a catastrophic attack. He told TV interviewers that he and his wife are concerned enough that, “we
decided we were going to buy enough freeze-dried food for all of our kids and their kids."
Koppel began to research the subject after hearing multiple warnings from top government officials and
private sector security experts about those vulnerabilities.
The warnings go back years, coming from people like former Secretary of Defense Leon Panetta,
who said in 2012 that a major cyberattack could amount to a “cyber Pearl Harbor.” Panetta also said at
the time that the U.S. was at “a pre-9/11 moment.”
James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for
Strategic and International Studies (CSIS), told CBS’s “60 Minutes” in November 2009, that if major
electrical generators went down, it would require three or four months just to order replacements .
“It's not like if we break one, we can go down to the hardware store and get a replacement,” he said.
Other officials say there is no reason to panic. Director of National Intelligence James Clapper, in
a "statement for the record" less than two months ago before the House Permanent Select Committee
on Intelligence, said he believes the chances of a “Cyber Armageddon” are remote.
But, he acknowledged ICS vulnerabilities to what sounded like death by a thousand cuts. “We foresee
an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will
impose cumulative costs on U.S. economic competitiveness and national security,” he said.
And he essentially admitted that U.S. infrastructure has been breached. “… foreign actors are
reconnoitering and developing access to US critical infrastructure systems, which might be quickly
exploited for disruption if an adversary’s intent became hostile,” he said.
Clapper named hostile nation states including Russia, China, Iran and North Korea , but especially
Russia, which he said has developed the capability to remotely hack at least three ICS vendors, “so that
customers downloaded malicious software designed to facilitate exploitation directly from the vendors’
websites,” he said.
Meanwhile, ICS-CERT (Industrial Control Systems Computer Emergency Readiness Team) reported in
March that it had received reports of 245 ICS incidents in 2014, more than half of which were advanced
persistent threats (APT).
And USA Today reported in September that cyber attackers had successfully breached the U.S.
Department of Energy (DoE) 159 times between October 2010 and October 2014.
The bottom line, according to a range of experts, is that while Clapper is probably correct that a
catastrophic attack is unlikely, it is very much possible.
As Chris Petersen, CTO and cofounder of LogRhythm, put it, “nation states like Russia know that to
actually do something harmful would be considered an act of war by the U.S.
“We have to get eyes on these systems and make sure we understand when attacked.”
“However, just as Russia paraded mobile ballistic missiles during the Cold War, they are equally as
interested in parading their cyber capabilities,” he said, adding that most hostile nation states want their
enemies to know about their capabilities, but would only use them in a worst-case situation – the cyber
equivalent of a balance of terror.
Petersen and others have also said in the past that nation states like China and Russia want to get inside
U.S. ICS less for destructive purposes and more for espionage and political leverage, as a deterrent
against U.S. policies they find objectionable.
Alan Berman, president of DRI International, noted that “having access and doing damage are two very
different consequences,” of cyber intrusions.
He cited the cyber espionage campaign named Dragonfly (aka Energetic Bear), which security vendor
Symantec reported in 2014 had targeted U.S. and European energy firms. The attacks bore the,
“hallmarks of a state-sponsored operation,” it said.
“It appears that their mission has been information gathering,” Berman said.
“Having access and doing damage are two very different consequences,” of cyber intrusions.
But that mentality may not apply with less stable nation states like Iran and North Korea, or terrorist
groups like ISIL, which seem to be more interested in apocalyptic conflicts than simply maintaining their
own national security.
And Joe Weiss, managing partner at Applied Control Solutions, said it is not just Russia and China that
have the capability to breach U.S. systems. “ The Iranians are very good at this,” he said.
What is more worrisome to Weiss and others is that not much has changed to improve security of ICS
in the past decade, even with the increase and sophistication of attacks.
The large majority of ICS facilities have hard-coded passwords, which can’t be changed without
modifying the entire program.
That is because, as Udi Yavo, cofounder and CTO of enSilo, put it, those systems were, “designed under
the assumption that they would never be connected to other systems, including the Internet,” and
therefore, designers didn’t “bake in the relevant security measures.”
Petersen agrees. Since those systems were, “largely isolated, not connected to the Internet, they
weren’t designed for security since nobody could get to them without physical access,” he said. “That
has all changed. ICS are now connected to corporate networks that are connected to the Internet, and
are remotely accessible.”
Cyber-attacks on infrastructure are used by foreign nations as leverage

Kenny, CNN writer and producer and Pamela Brown, CNN anchor and correspondent '21
[Caroline Kenny is a writer and producer for CNN, working with anchor Pamela Brown on CNN
Newsroom and Pamela Brown is a CNN anchor and senior Washington correspondent, 6-27-2021, CNN,
"Greater focus on defense of critical infrastructure against cyber attacks is needed, says cyber agency
chief," https://www.cnn.com/2021/06/27/politics/brandon-wales-cyber-security-cnntv/index.html,
"So we know that multiple nation states want to target our critical infrastructure to hold it at risk at a
time and place of their choosing. We assume that that would likely be in the, in the event of some type
of conflict, they want to hold our infrastructure at risk, to try to affect US political decision making
during those environments or during those times," Wales said.
Brown asked Wales if they are basically holding leverage over the United States when doing that, to
which Wales responded, "That's their goal."
Wales warned that the United States government needs to do more to protect its cyber infrastructure,
but it's also the job of the American people and American companies to take the issue seriously and to
be "cyber smart."
"The threats we face in the cyber world are real and they're growing," Wales said. "We're not helpless,
there are things that we can do, as the American people, as the US government, as our private sector
community, can do working together to tackle this problem and we need to view it in this whole of
government, whole of nation way, because only then are we really going to be successful against the
adversaries that we face."
[Note – Wales = Brandon Wales, the current acting director of the Cybersecurity and Infrastructure
Security Agency]
Internal Link – Ransomware
Ransomware targets infrastructure to “inflict as much pain as possible”

Iyengar, CNN Business India editor, Duffy, CNN Business writer '21
[Rishi and Duffy, 6-4-2021, CNN, "Hackers have a devastating new target,"
https://www.cnn.com/2021/06/03/tech/ransomware-cyberattack-jbs-colonial-pipeline/index.html,
Many people think of cyberattacks as just that: an attempt by hackers to steal sensitive data or money
online. But now hackers have found a significant moneymaker in targeting physical infrastructure.
These attacks have potential to spark mayhem in people's lives, leading to product shortages, higher
prices and more. The greater the disruption, the greater the likelihood that companies will pay to
alleviate it.
"If you're a ransomware actor, your goal is to inflict as much pain as possible to compel these
companies to pay you," said Katell Thielemann, Gartner's vice president analyst for security and risk
management. "This is beyond cybersecurity only, this is now a cyber-physical event where actual,
physical-world processes get halted. When you can target companies in those environments, clearly
that's where the most pain is felt because that's where they make money."
Multiple recent ransomware attacks have originated from Russia, according to US officials. On
Wednesday, the FBI attributed the attack on meat producer JBS to Russia-based cybercriminal group
called REvil, which also tried to extort Apple supplier Quanta Computer earlier this year. REvil is similar
to DarkSide, the group US officials said was behind the ransomware attack that shut down the Colonial
Pipeline last month.
Experts say both REvil and DarkSide operate what are essentially "ransomware-as-a-service" businesses,
often employing large staffs to create tools to help others execute ransomware attacks, and taking a cut
of the profits. In some cases, they also carry out their own attacks. Russian law enforcement typically
leaves such groups operating within the country alone if their targets are elsewhere, because they bring
money into the country, cybersecurity experts say.
JBS has not said whether it paid any ransom to the attackers, but Colonial Pipeline's CEO admitted to
paying $4.4 million in ransom to resume its operations. Experts typically advise against paying ransoms
to avoid funding the criminal groups that impose them, but companies sometimes have little choice to
get back up and running.
The list of potential targets is long. The US government's Cybersecurity and Infrastructure Agency (CISA)
lists 16 different industries as "critical infrastructure sectors," including energy, healthcare, financial
services, water, transportation, food and agriculture, the compromise of which could have a
"debilitating effect" on the US economy and security. But experts say much of this infrastructure is
aging, and its cyber defenses haven't kept up with the evolution of bad actors.
To make matters worse, many companies in those industries haven't historically thought of themselves
as tech companies, meaning their systems may be less sophisticated and easier to compromise,
according to Mark Ostrowski, head of engineering at Check Point.
Cyber Impact Magnifiers/Laundry Lists
Cyber-attacks can kill people and destabilize the whole country

Boubaker, Stormshield Industrial Security Business Line Head, 21
[Khobeib, 04-16-2021, Stormshield, “Water infrastructure: when states and cyber attacks rear their ugly
heads,” https://www.stormshield.com/news/water-infrastructure-when-states-and-cyber-attacks-rear-
their-ugly-heads/, accessed 06-28-2021, HSP]
Because this is also one of the objectives of the cyber attacks directed against water infrastructure:
advanced strategic attacks, the impact of which may endanger the lives of part of the country’s
population. And bring about the destabilisation of an entire country. The challenge of protecting public
health linked to water is a critical one, which the water companies must take into account as part of
their efforts to combat cyber attacks. “If you can affect a water distribution site you can affect the
population, with the risk of significant physical harm. A successful cyber attack against the water
industry is an attack which can generate an immediate risk” warns Tarik Zeroual.
Looking beyond the work carried out by this university, changing the chemical treatment of water could
pose a real risk. Last April, Iran attempted to do just this using cyber attackers to affect the quality of the
water supplying part of the Israeli population. The attackers firstly took control of American servers to
cover their tracks before then moving on to attack the target water distribution systems. The attack
ultimately failed, but had it succeeded, the harm to public health would have been considerable, with
part of the population probably being poisoned.
Last July, Israel reported two new attacks against its critical water infrastructure. This time, it wasn’t the
urban water systems being targeted but those used for the agricultural sector. It was therefore a lower
level attack, although Iran is suspected of being the originator of these attacks with the aim of
destabilising the state of Israel and weakening it politically. For both attempts, the attackers once again
used American servers to the affect the pump control programs.
Cyber warfare creates a litany of impacts that are conflict multipliers

Townsend, Untied States Cybersecurity Magazine Staff Writer, 19
[Caleb, 5-14-19, United States Cybersecurity Magazine, “Cyber Warfare: Modern Front-lines,”
https://www.uscybersecurity.net/cyber-warfare/, accessed 6-30-21, JC]
Sabotage
When thinking of a cyber threat, one often hears about credit cards being stolen, websites going down,
or information being sold on the dark web. However, sabotage in the cyber warfare sense involves
targeting computers, satellites, or infrastructures that people rely on. Indeed, sabotage causes mass
panic and disruption.
Some common targets include power grids, water systems, financial systems, etc. One notable example
is Stuxnet. Stuxnet was a malicious computer worm that was used by the American military as part of an
operation entitled Operation Olympic Game. The worm infiltrated factory computers and was intended
to sabotage Iran’s uranium enrichment facility. Therefore, New York Times reported that Suxnet is “The
first attack on critical industrial infrastructure that sits at the foundation of modern economies.”
Espionage
Nobody regards most forms of espionage, cyber or not, as cyber warfare in the traditional sense.
However, when espionage exposes major nation state powers, reacting forces often describe said
espionage as attack. As a result, tensions will heighten between the warring states. Therefore, espionage
is often known as a “soft threat”, one that usually leads to larger threats.
Some known examples include America spying on other countries, as revealed by Edward Snowden or
the NSA’s spying on Angela Merkel. Additionally, the Office of Personnel Management Data
Breach and Titan Rain are both solid examples of Chine engaging in corporate espionage.
Denial-of-Service Attack
A Denial-of-Service (DoS) attack occurs when legitimate users are unable to access information or other
network resources. This act of cyber warfare targets high profile services such as banking and credit card
companies.
Often, rival governments will employ a DoS attack in order to take down a competitor’s website.
However, in more extreme cases, a state-sanctioned DoS could cripple an entire web of infrastructures.
In many cases, DoS attacks link to ransomware implementations.
Propaganda
Much like espionage, propaganda is a “soft threat” or second tier form of cyber warfare. Propaganda is a
concerted effort to control public perception on a topic by controlling the types of media that people
see. Propaganda is not an uncommon occurrence. In fact, every country uses propaganda of some sort.
Using WW2 and America as an example, Disney used to put out anti-nazi cartoons starring Donald Duck.
In addition, cartoonists like Dr. Seuss and comic strips like Little Orphan Annie, and Superman would
attempt to sway public opinion on the war. Even commercials of the time urged the public to buy war
bonds.
However, as time progresses, propaganda becomes more subtle and more insidious. In fact, more
serious cases of social media manipulation, fake news websites, and online censorship qualify as a form
of psychological warfare. These methods help create a distrust in the government. Additionally, they can
influence elections and warp infrastructure. However, most notably, propaganda delegitimizes social
and political structures upon which cyber defenses rely on.

Cyber War Brink – Retaliation Brink
Biden likely to retaliate soon.

Sanger, New York Times national security correspondent, et al., 7/1/21
[David E. Sanger, White House and national security correspondent, and a senior writer for NYT; Julian E.
Barnes, national security reporter for The New York Times covering the intelligence agencies; Nicole
Perlroth, covers cybersecurity and digital espionage for NYT, specializing in cyberattacks, 1 July 2021,
NYT, “Preparing for Retaliation Against Russia, U.S. Confronts Hacking by China,”
https://www.nytimes.com/2021/03/07/us/politics/microsoft-solarwinds-hack-russia-china.html,
accessed 7-1-2021]JMK
The first major move is expected over the next three weeks, officials said, with a series of clandestine
actions across Russian networks that are intended to be evident to President Vladimir V. Putin and his
intelligence services and military but not to the wider world.
The officials said the actions would be combined with some kind of economic sanctions — though there
are few truly effective sanctions left to impose — and an executive order from Mr. Biden to accelerate
the hardening of federal government networks after the Russian hacking, which went undetected for
months until it was discovered by a private cybersecurity firm.
Cyber War Impact – Nuclear Retaliation
The US will respond to cyberattacks with nuclear weapons.

Under the Obama administration’s NPR report, released in April 2010, the circumstances under which
the United States would consider responding to non-nuclear attacks with nuclear weapons were said to
be few. “The United States will continue to…reduce the role of nuclear weapons in deterring non-
nuclear attacks,” the report stated. Although little was said about what sort of non-nuclear attacks might
be deemed severe enough to justify a nuclear response, cyberstrikes were not identified as one of these.
The 2018 NPR report, however, portrayed a very different environment, one in which nuclear combat is
seen as increasingly possible and in which non-nuclear strategic threats, especially in cyberspace, were
viewed as sufficiently menacing to justify a nuclear response. Speaking of Russian technological
progress, for example, the draft version of the Trump administration’s NPR report stated, “To…correct
any Russian misperceptions of advantage, the president will have an expanding range of limited and
graduated [nuclear] options to credibly deter Russian nuclear or non-nuclear strategic attacks, which
could now include attacks against U.S. NC3, in space and cyberspace.”1
The notion that a cyberattack on U.S. digital systems, even those used for nuclear weapons, would
constitute sufficient grounds to launch a nuclear attack was seen by many observers as a dangerous shift
in policy, greatly increasing the risk of accidental or inadvertent nuclear escalation in a crisis. “The entire
broadening of the landscape for nuclear deterrence is a very fundamental step in the wrong direction,”
said former Secretary of Energy Ernest Moniz. “I think the idea of nuclear deterrence of cyberattacks,
broadly, certainly does not make any sense.”2
Despite such admonitions, the Pentagon reaffirmed its views on the links between cyberattacks and
nuclear weapons use when it released the final version of the NPR report in February 2018. The official
text now states that the president must possess a spectrum of nuclear weapons with which to respond
to “attacks against U.S. NC3,” and it identifies cyberattacks as one form of non-nuclear strategic warfare
that could trigger a nuclear response.
The Nuclear-Cyber Connection
A cyberattack can led to escalation that risks going nuclear.

Yet another pathway to escalation could arise from a cascading series of cyberstrikes and counterstrikes
against vital national infrastructure rather than on military targets. All major powers, along with Iran and
North Korea, have developed and deployed cyberweapons designed to disrupt and destroy major
elements of an adversary’s key economic systems, such as power grids, financial systems, and
transportation networks. As noted, Russia has infiltrated the U.S. electrical grid, and it is widely believed
that the United States has done the same in Russia.12 The Pentagon has also devised a plan known as
“Nitro Zeus,” intended to immobilize the entire Iranian economy and so force it to capitulate to U.S.
demands or, if that approach failed, to pave the way for a crippling air and missile attack.13
The danger here is that economic attacks of this sort, if undertaken during a period of tension and crisis,
could lead to an escalating series of tit-for-tat attacks against ever more vital elements of an adversary’s
critical infrastructure, producing widespread chaos and harm and eventually leading one side to initiate
kinetic attacks on critical military targets, risking the slippery slope to nuclear conflict. For example, a
Russian cyberattack on the U.S. power grid could trigger U.S. attacks on Russian energy and financial
systems, causing widespread disorder in both countries and generating an impulse for even more
devastating attacks. At some point, such attacks “could lead to major conflict and possibly nuclear
war.”14
Cyber War Impact – Miscalculation
Miscalculation in response to an attack risks escalatory conflict

Baliga, Northwestern University Managerial Economics and Decision Sciences
Professor, et al, 18
[Sandeep Baliga, John L and Helen Kellogg Professor of Managerial Economics and Decision Sciences in
the MEDS Department at the Kellogg School of Management, Northwestern University; Ethan Bueno de
Mesquita, Sydney Stein Professor and Deputy Dean at the Harris School of Public Policy at the University
of Chicago; Alexander Wolizky, Professor of Economics, MIT, 3 August 2018, KelloggInsight, “How
Governments Can Better Defend Themselves Against Cyberattacks,”
https://insight.kellogg.northwestern.edu/article/how-governments-can-better-defend-themselves-
against-cyberattacks, accessed 7-1-2021]JMK
Modeling Cyber Warfare
To analyze what happens in a cyberattack, the researchers conceived of a straightforward scenario.

“There’s one defender, and multiple possible attackers,” Baliga explains, “and any of the attackers can
attack the defender.”
If an attacker chooses to attack the defender, they receive some payoff. “It could be something quite
concrete, like if you find the plans for a stealth bomber,” Baliga says. “Or you find a bunch of credit card
numbers, and you use those to do illegal trades.”
Next, the defender receives some “signal” suggesting whether they have been attacked and who is to
blame. In the real world, this signal typically includes the digital footprints left in the wake of a
suspected cyberattack (such as the signs suggesting, but not proving, that China was behind Titan Rain).
However, this signal is rife with ambiguity—it conveys only that the defender may have been attacked,
and that a certain party is responsible, leaving plenty of room for error.
Sometimes, defenders will not even realize that they have been attacked (such as when the Iranian
government failed to detect malware installed in their nuclear facilities, instead blaming malfunctions on
faulty parts). The researchers call this “detection failure.” Other times, defenders believe that they have
been attacked even when they have not (as perhaps was the case in 2008, when the Department of
Defense suspected Russia of installing a worm that came from a U.S. soldier’s USB drive). The
researchers call this a “false alarm.” And sometimes the signal will lead them to blame the wrong party
for the attack. The authors call this “mis-identification.”
Based on the imperfect signal, the defender must choose whether, and against whom, to retaliate.
Obviously, every attacker wants to avoid retaliation. “Maybe I’ve hacked and found the stealth bomber
plans—but if I get attacked and some secret stuff of mine gets taken away or some cyber infrastructure
is destroyed, then I might regret my attack altogether,” Baliga explains. “So the payoff depends on both
what I find through my hack, and whether I’m retaliated against or not.”
At the same time, the defender does not want to counterattack willy-nilly. After all, if they retaliate
against an innocent party, it can set off a chain reaction of back-and-forth aggression between two
formerly peaceful parties.
The researchers translated this scenario into mathematical language. From there, they could deduce the
strategies that provide the optimal result for each party, given all of the other parties’ strategies. (This is
the concept of Nash equilibrium named for its inventor, John Nash, the subject of the movie “A Beautiful
Mind.”)
Under which circumstances would attackers decide to attack? And how would defenders retaliate, given
so much uncertainty? “Our first objective was just to provide a structure to think though the various
attribution problems that might arise,” Baliga explains. This led to the taxonomy of detection failure,
false alarms, and misidentification. “With that in place, we didn’t know how the analysis would go.”
Aggression Breeds More Aggression
The most important result of the model: once one potential attacker becomes more aggressive , all of
the other attackers also become more aggressive. This connection between attackers’ strategies stems
from the problem of attribution.
Baliga explains the logic behind this odd conclusion. If a defender—the U.S., for example—sees signals
indicating that a particular party—say, Russia—has cyberattacked them, they become more likely to
blame Russia for any subsequent attack. Other countries observe this and realize that now they can
likely hack the U.S. and collect their payoffs with little risk of being retaliated against.
“That then means that China can hack us, or even France can hack us—anybody can hack us and we
would think it’s likely Russia,” Baliga says.
By looking closely at the mechanics of the model, the authors also discovered what it would take to
deter cyber warfare in this context. Simply getting better at identifying one’s attacker, it turned out, was
not enough.
To explain why, Baliga offers another example. If the U.S. receives a weak signal of a cyberattack, as well
as a weak signal that it was committed by Russia, they may choose to retaliate against Russia. But after
U.S. identification abilities improve, that same weak evidence of there having been an attack now seems
less convincing than it did before—after all, if it was really a Russian attack, the new, more sophisticated
intelligence would have picked it up, or so the thinking goes. So, it is now more likely that the weak
signal is a false alarm, and the U.S. may choose not to retaliate after a weak signal that previously would
have triggered an aggressive response.
“If I’m the defender and I’m retaliating less aggressively after some signals and more aggressively after
others, it is not clear how the net effect goes. It could turn out that I retaliate less on average after my
identification technology improves,” Baliga says.
That makes everyone more aggressive, since other countries now see an opportunity to attack with
fewer consequences, he explains. So a policy of reducing misidentification alone can backfire.
Cyber War Impact – Russia
A Russian cyberattack can escalate into a war

Olejnik, Oxford Center for Technology and Global Affairs Research Associate, 19
[Lukasz, 04-02-2019, Council on Foreign Relations, “Global Consequences of Escalating U.S.-Russia Cyber
Conflict,” https://www.cfr.org/blog/global-consequences-escalating-us-russia-cyber-conflict, accessed
07-01-2021, HSP]
Cyber conflicts involving state actors are quickly becoming a geopolitical reality. Perhaps the most cited
example, the alleged Russian interference in the 2016 U.S. election, is a continued source of conflict in
U.S.-Russia relations. The story took another turn last October when the U.S. Cyber Command
conducted an offensive cyber operation against the Internet Research Agency (IRA), the “Russian troll
factory” linked to using disinformation campaigns during the 2016 elections, and onwards. While the
operation has yet to be confirmed by the U.S. government, media reports and U.S. officials’ commentary
taken together suggest the event occurred. The U.S. action, which took place during the 2018 midterm
elections, has been portrayed as a defensive warning against Russia and other U.S. adversaries online.
But the result of the offensive operation may, however, in the end benefit Russia and possibly
contribute to escalation in the cyber domain globally.
Somewhat unexpectedly, the operation was confirmed by the apparent target. In a public
announcement, the Russian Federal News Agency (FNA), which is reportedly tied to the IRA, describes a
cyberattack that supposedly caused storage system malfunction, specifically destructively targeting the
RAID controller and causing hard drives being formatted. While FNA’s credibility is low, the report’s
claim that the offensive cyber operation resulted in a significant disruption seems undeniable.
Supporters praise the operations as a long-overdue action against Russia that additionally demonstrates
the operational capabilities of the U.S. Cyber Command to the public opinion. Some may claim that the
attacks have a deterrence value. Others may question whether an operation conducted on the day of
elections could reasonably degrade any disinformation operations. Whatever the strategic gains the
consequences of the cyber operation will not be limited to the United States—their significance is
global. This action marks an unprecedented milestone in the history of cyber conflict. For the first time
two major cyber powers have engaged in aggressive reciprocal cyber activity in public.
From the U.S. perspective the attack might be a warranted response to the Russian involvement in 2016,
but from a policy and diplomatic standpoint Russia might stand to benefit from the attack, both
internally and externally. First, it remains unclear how the United States can justify its cyber operation
under international law, and whether such a response would be proportional and necessary, as
required. While the United States may characterize the attack as a warranted countermeasure, the
Russian state has always denied interference in the 2016 U.S. elections. Second, Russia might use the
operation to portray itself as a victim. Both the Kremlin and the Russian ambassador to Washington
recently expressed their concern about the perceived dangers of cyberattacks, specifically those coming
from the United States. Furthermore, as the U.S. military has technically hacked a media outlet, the
United States may face the optics of a military attack on a civilian entity.
Domestically, Russia is currently already in the process of isolating its networks from the outside
internet. Russia’s official justification for the action is to lower the risk of external cyberattacks;
however, in reality the goal is to increase control over the networks, including strict traffic filtering,
reminiscent of the China’s Great Firewall. While Russia’s narrative rings hollow, U.S. reports of
cyberattacks on Russia may be exploited internally to justify the changes.
There is also the danger of a retaliation. While Russia could simply limit its response to a diplomatic
message, the standard previously followed by the United States, escalation in response to the
November action might follow, potentially on a previously unseen scale. Intensifying cyber conflict
would not only seriously impact national security, but also increase geopolitical risk for businesses.
Today, most cyber attacks focus on espionage or data theft. Offensive activity elevated to the disruption
of civilian systems - for example, causing utility service interruptions - would result in serious
ramifications; the 2017 NotPetya wiper worm served as a pointed demonstration of potential
consequences. This issue would be made more severe by the constantly evolving theater.
The number of potential cyber conflict participants continues to increase, with dozens of countries
globally building military cyber capabilities. In conventional military operations, armed forces in close
proximity are often at an increased risk of escalatory events, like Russian involvement in Eastern Ukraine
or the recent events on the Indian and Pakistani border. The concept of borders and distance does not
really exist in cyberspace; dozens of armed forces are constantly within the virtual arm’s length, creating
a constant possibility of interaction and escalation. Additionally, despite the meticulous preparation and
execution of cyber operations, the situation can quickly spin out of control in a manner difficult to
predict. The further militarization of the internet might lead to an increased escalation risk. While
today’s cyber tug-of-war happens well below the threshold of armed conflict, engaging in discussions
about norms at the UN within the First Committee and the Group of Government Expert process,
adopting the restraint-inducing principles enshrined by international humanitarian law and increasing
the doctrinal transparency are absolutely necessary going forward.
The US will respond to a Russian cyberattack, causing a conflict to escalate

Cerulli, American Security Project Junior Adjunct Fellow, 19
[Rossella, 06-20-2019, American Security Project, “Attacking the Grid: The Danger of U.S.-Russia Cyber
Escalation,” https://www.americansecurityproject.org/attacking-the-grid-the-danger-of-us-russia-cyber-
escalation/, accessed 07-01-2021, HSP]
The targeting of the Russian power grid is a response to interference in the 2016 election, and a
warning against further attempts. National Security Advisor John Bolton declared that it is intended to
signal to adversaries that “it’s not worth your while to use cyber against us.” The issue here is that this
offensive posture threatens inflicting economic and physical damage in response to damage done to
American sovereignty, which is not easily measurable. This is dangerous because the benefit of a cyber
escalation or attack must be balanced against the predicted cost of an adversary’s response. The actual
form of a cyberwar is still unknown, so both sides are unable to consider long-term reactions that may
result in consequences too great to bear.
America’s ability to wreak havoc on the Russian power grid, if utilized, may result in both economic and
physical harm to the people of that country. This use of cyber weapons to undermine adversaries’
critical infrastructure is becoming more common. In 2010, the U.S. and Israel deployed the Stuxnet
worm, destroying one fifth of Iran’s nuclear centrifuges. In 2015, Russian hackers hit Ukrainian energy
companies with malware, cutting off power to 80,000 customers. It is important to consider that these
historical precedents demonstrate how cyber operations can have real-world effects, but in neither case
did these attacks see an equivalent retaliatory response.
What Costs Are We Willing to Inflict (and Bear)?
American society has accepted cyber risk as a part of everyday life. According to the Pew Research
Center, 64% of Americans have personally experienced a major data breach. The ubiquity of hacks
means that nearly every type of company—ranging from Equifax to Target —is impacted. Furthermore,
the analysis of cyberattacks’ economic cost is clear: the White House Council of Economic Advisors
estimates that in 2016 the nation lost between $57 and $109 billion from hacks and data breaches.
Clearly, society and businesses have internalized cyber risk. It remains to be seen whether a similar
acknowledgement has occurred on the state level.
The costs of targeting the Russian power grid would be shouldered largely by the civilian population and
businesses. Moreover, the burden would fall disproportionately on the most vulnerable—those too poor
to afford back-up sources of power and those reliant on hospital facilities. The reality of the civilian cost
of a cyberattack has not yet been driven home. Without this knowledge, the U.S. cannot achieve clarity
about the extent of damage it is willing to inflict in a future cyberwar.
What’s Next?
Since a clearly stated cyber escalation system does not yet exist, the scope of actions and reactions
between the U.S. and Russia in a potential cyberwar remains unpredictable.
The potent combination of uncertain costs and lack of strategic precedent means that use of cyber
capabilities as deterrent mechanisms will accelerate tensions. A Russian countermove is inevitable, if it
hasn’t already occurred. Escalation without being able to predict a retaliatory response will continue
until a dramatic demonstration of some kind definitively communicates the bounds of either country’s
tolerance for cyber-induced damage.
Cyber War Impact – China
Chinese attack risks retaliation and escalation

Sanger, New York Times national security correspondent, et al., 7/1/21
[David E. Sanger, White House and national security correspondent, and a senior writer for NYT; Julian E.
Barnes, national security reporter for The New York Times covering the intelligence agencies; Nicole
Perlroth, covers cybersecurity and digital espionage for NYT, specializing in cyberattacks, 1 July 2021,
NYT, “Preparing for Retaliation Against Russia, U.S. Confronts Hacking by China,”
https://www.nytimes.com/2021/03/07/us/politics/microsoft-solarwinds-hack-russia-china.html,
accessed 7-1-2021]JMK
American officials continue to try to better understand the scope and damage done by the Chinese
attack, but every day since its revelation has suggested that it is bigger, and potentially more harmful,
than first thought.
“This is a crazy huge hack,” Christopher C. Krebs, the former director of the Cybersecurity and
Infrastructure Security Agency, wrote on Twitter on Friday.
The initial estimates were that 30,000 or so systems were affected, mostly those operated by businesses
or government agencies that use Microsoft software and run their email systems in-house. (Email and
other systems run on Microsoft’s cloud were not affected.)
But the breadth of the intrusion and the identities of the victims are still unclear. And while the Chinese
deployed the attack widely, they might have sought only to take information from a narrow group of
targets in which they have the highest interest.
There is little doubt that the scope of the attack has American officials considering whether they will
have to retaliate against China as well. That would put them in the position of engaging in a potentially
escalating conflict with two countries that are also its biggest nuclear-armed adversaries.
China has been using cyberattacks to conduct espionage.

Giglio, Thee Atlantic staff writer, 19
[Mike, 08-26-2019, The Atlantic, “CHINA’S SPIES ARE ON THE OFFENSIVE,”
https://www.theatlantic.com/politics/archive/2019/08/inside-us-china-espionage-war/595747/,
Accessed 07-04-2021, HSP]
Espionage and counterespionage have been essential tools of statecraft for centuries, of course, and
U.S. and Chinese intelligence agencies have been battling one another for decades. But what these
recent cases suggest is that the intelligence war is escalating—that China has increased both the scope
and the sophistication of its efforts to steal secrets from the U.S. “The fact that we have caught three at
the same time is telling of how focused China is on the U.S.,” John Demers, the head of the National
Security Division at the Justice Department, which brought the charges against Mallory, Hansen, and
Lee, told me. “If you think about what it takes to co-opt three people, you start to appreciate the actual
extent of their efforts. There may be people we haven’t caught, and then you have to acknowledge that
probably a small percentage of the people who’ve been approached ever go as far as these three did.”
Many espionage cases don’t go public. “Some of the cases rarely see the light of a courtroom, because
there’s classified material we’re not willing to risk,” one U.S. intelligence official told me, speaking on
condition of anonymity due to the sensitivity of the topic. “Sometimes they’re not charged at all and are
handled through other means. And there are others that remain ongoing that have not and will not
become public.”
These recent cases provide just a small glimpse of the growing intelligence war that is playing out in the
shadows of the U.S.-China struggle for global dominance, and of the aggressiveness and skillfulness with
which China is waging it. As China advances economically and technologically, its spy services are
keeping pace: Their intelligence officers are more sophisticated, the tools at their disposal are more
powerful, and they are engaged in what appears to be an intensifying array of espionage operations that
have their American counterparts on the defensive. China’s efforts aimed at former U.S. intelligence
officers are just one part of a Chinese campaign that U.S. officials say also includes cyberattacks against
U.S. government databases and companies, stealing trade secrets from the private sector, using
venture-capital investment to acquire sensitive technology, and targeting universities and research
institutions.
By their nature, espionage wars are conducted in the shadows and hard to see clearly. But in recent
weeks I spoke with several current and former U.S. officials, including America’s counterintelligence
chief, who have been on the front lines of the one being waged between the U.S. and China, to get a
sense of how it is being fought, of China’s intelligence operations—the methods, the targets, the goals—
and of what the U.S. needs to do to combat it.
Chinese espionage causes a litany of impacts including economic losses and a loss of
US hegemony.
Eftimiades, Penn State University Homeland Security Program Lecturer, 2018
[Nicholas, 12-04-2018, The Diplomat, “The Impact of Chinese Espionage on the United States,”
https://thediplomat.com/2018/12/the-impact-of-chinese-espionage-on-the-united-states/, accessed 07-
04-2021, HSP]
First order effects of China’s espionage include the impact on the U.S. economy through loss of
intellectual property. Economic espionage activities comprise stealing trade secrets, manufacturing
capabilities, material development techniques and data, consumer market data, source code, software,
etc. It is primarily the People’s Liberation Army (PLA), state owned enterprises (SOEs), and private
companies/individuals who conduct this type of economic espionage. Cyber espionage and insider
access (recruitments of agents) are the primary means to collect this type of information.
A conservative estimate of the annual cost to the U.S. economy from China’s economic espionage is
$320 billion. The Intellectual Property Commission Report provided an estimate of the cost of IP theft
for the United States in three categories — counterfeit and pirated tangible goods, software piracy, and
trade theft. That estimate is somewhere between $225 billion and $600 billion. The Office of the
Director of National Intelligence estimates the cost as $400 billion. Independent statistics from the
European Union, Canada, and the United States show China is responsible for more than 80 percent of
this number (for the U.S. specifically, the figure varies annually between 71 and 87 percent). Using the
DNI’s estimate for IP theft ($400 billion), Chinese economic espionage is responsible for an annual loss
to the U.S. of minimum of $320 billion. This calculation for loss includes a 20 percent reduction for
commercial products that would never have been purchased at full market cost.
The impact of economic espionage and illegal exports does not end with an annual loss statement.
Economic losses have cascading impacts that include loss of industries, loss of domestic production
capabilities, loss of jobs, reliance on others, and, of course, a trade imbalance. The U.S. Congress
estimates China’s IP theft has resulted in the loss of 2 million American jobs. The cumulative effect on
the U.S. economy is trillions of dollars and falling global economic competitiveness.
The Chinese government could stop economic espionage activities. It is, however, not in Beijing’s
interests to do so. Approximately 8 percent of China’s gross domestic product comes from the
counterfeiting of creative works, software, consumer goods, and industrial products. These are tangible
items and do not include the value of research and development costs, industrial processes, consumer
market research, etc. the value of which is arguably much higher.
Impact on U.S. National Security
The most important implication for U.S. national security planners is the loss of military technological
advantage. China’s advances in weapons systems — including autonomous robotics, avionics,
hypersonics, and naval systems — are based in large part on technology stolen from the United States
and certain allies. This massive and sustained espionage campaign combined with two decades of
increased defense spending provided China’s PLA Navy and Air Force with substantial power projection
capabilities throughout Southeast Asia. The PLA Navy has achieved anti-access, area denial capabilities
against its neighbors who also claim territories in the South and East China Seas.
One of the most important targets for Chinese espionage is U.S. space capabilities. Several illegal export
cases showed a focused and aggressive campaign to collect technologies relating to advanced optics,
sensors, cryogenic coolers, composites, engine design, fabrication techniques, software, etc. In 2015, the
PLA created a Strategic Support Force as its cyber, space, and electronic warfare branch. China is quickly
becoming more capable in space and counterspace operations, eroding the U.S. advantage in this
contested, congested, and competitive environment. The increase in PLA capabilities is significant
because of the U.S. dependency on space capabilities for communications, economic strength, critical
infrastructure safety and resiliency, and to project military power globally.
China’s espionage activities that result in its increased power projection capabilities have geopolitical
implications throughout Asia. As China’s offensive military power grows, it advances an assertive and
coercive foreign policy that is changing the balance of power in Asia. China is now able to (and does)
coerce, threaten, or employ military force to enforce its territorial claims in East and Southeast Asia.
Terrorism Impact – Securitization
Cyber attacks on infrastructure erode civilian security, making public more susceptible
to sacrificing privacy for military security and retaliation
Gross, Washington University Professor of Chemistry, Medicine, and Immunology, et
al., 2017
[Michael, Daphna Canetti, University of Haifa Professor of Political Psychology, Dana Vashdi, University
of Haifa Associate Professor, 08-04-2017, Bull at Sci, “The psychological effects of cyber terrorism,”
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5370589/, accessed 06-29-2021, HSP]
Human security thrives when societies are open, tolerant, peaceful, and vibrant, and when they offer
citizens the conditions necessary to flourish economically, intellectually, physically, and emotionally
(Tadjbakhsh and Chanoy 2007). Physical security is a necessary condition for human security but not
sufficient if civil society fails to allow its members to thrive. To thrive, individuals must maintain
tolerance and social discourse. By inducing stress and anxiety, cyber terrorism endangers psychological
wellbeing and increases perceptions of threat even if individuals suffer no physical harm. Once cyber
terrorism successfully breaches a critical infrastructure to kill and injure (as in our film clips), these
effects are more pronounced. Threat perception is not all bad. Reasonable perceptions of threat are
essential to protect individuals and their communities from dangerous surprises but become disabling
when they foster insecurity and prompt visions of an inescapable cycle of violence (Canetti-Nisim et al.
2009). It is the nature of cyber terrorism to target civilians (Gross 2015, 153–183). Some of this is mere
efficiency: Civilian targets are softer than military targets or critical infrastructures, which states take
great pains to protect. But part is strategic: Targeting civilians is a way to demoralize and terrorize. This
is precisely what Anonymous, Hamas, and Islamic State promise to do.
In response, civilians are increasingly willing to jettison privacy and support military retaliation. Neither
outcome bodes well for human security. Privacy embraces the right to keep secrets and preserves a
domain for individuals to build their personal identities and communicate without interference or
duress. Surveillance inhibits free speech, discourages political opposition, prevents dissenters from
organizing or publishing anonymously, and disrupts the flow of information necessary for a well-
functioning civil society. Surveillance threatens privacy but not without cause. Surveillance can
strengthen physical security. Gaining access to the content of e-mails and social media may allow law
enforcement authorities and intelligence agencies to co-opt and cripple hostile organizations. Physical
security is as important for human security as privacy. Balancing the two will be exceptionally
challenging in the shadow of cyber terrorism, and cyber security experts and policy makers cannot
unilaterally fortify the former at the expense of the latter.
Terrorism leads to intensified policing and securitization.

Walsh, Ontario Tech Criminology and Justice Assistant Professor, 17
[James, 07-01-2017, International Sociological Association, “Moral panics by design: The case of
terrorism,” Volume 65, Issue 5, https://doi.org/10.1177%2F0011392116633257, p. 7-9, accessed 06-30-
2021, HSP]
Disproportionality
As the primary indicator of moral panics’ emergence disproportionality also represents a ‘central
problematic of the moral panic literature’ (Goode and Ben-Yehuda, 2010: 29). Several critics have
argued it is often impossible to definitively prove the revealed extent of a problem is incommensurate
with societal reactions (Ungar, 2001; Waddington, 1986), dynamics uniquely applicable to ‘future-
oriented’, unquantifiable, and potentially catastrophic threats like terrorism. While risk assessments and
forecasts indicate societal reactions are disproportionate (Mueller, 2006), they neglect that, more than
sources of harm, terrorist acts augur deeper, more prevalent threats. While many folk devils are
conjured solely through media and political campaigns, terrorists actively cultivate uncertainty and
manufacture a deferred future haunted by the quotidian possibility of violence. Nonetheless, while
terrorism produces a frightening and unpredictable landscape, the available evidence suggests official
and popular reactions are unwarranted when compared to more harmful issues. For example, between
1969 and 2013 5755 Americans, domestically and internationally, died in terrorist attacks, a figure
dwarfed by deaths from domestic gun violence in 2013 alone (33,636 [CDC, 2014]). Given this
information, surely terrorism’s characterization as a civilizational threat and expenditures in excess of
US$1 trillion on homeland security are disproportionate and exaggerated.
In terms of specific manifestations, official responses to terrorism frequently entail punitive rhetoric and
policies that provoke irrational fear. To be clear, state responses are not preordained and remain
contingent upon, among others, regime type, public
sentiment, the severity of the perceived threat, and elite interests. Although many governments have
adopted hardline orientations, others have responded with measured assessments and reactions.4
Nonetheless, the historical record reveals government reactions frequently represent ‘extreme
example[s] of … disproportion[ality]’ (Hunt, 2011: 59).
Severe responses to terrorism are often informed by precautionary logics, preemptive measures, and
the exploitation of anxiety regarding future devastation. Through allusions to shadowy threats and
worst-case scenarios state managers have frequently manipulated genuine public concern for political
purposes, whether boosting legitimacy, achieving consent, or advancing initiatives (military
interventions, immigration restriction, political repression, heightened surveillance and policing, etc.)
previously lacking the requisite support (Altheide, 2006; Walsh, 2015). Around the turn of the 20 th
century governments throughout Europe and North America exaggerated the menace of Anarchist
violence, advancing claims of a global network and conspiracy in which Anarchists were secretly ‘lurking
all over the continent’ (Miller, 2013: 114). Alongside promoting labor repression, for several countries,
such assertions galvanized support for mass round-ups and deportations of foreign radicals associated
with ethnic and religious minorities. At present, ‘the … impossibility of estimating the terrorist risk has
enabled political elites to circulate decidedly fanciful claims’ regarding the threat of radical Islam
(Mythen and Walklate, 2006: 387). In justifying the WOT’s politico-legal architecture, Vice President
Cheney emphasized terrorism’s unknown and potentially cataclysmic nature, noting ‘If we make the
wrong choice, the danger is that we will get hit again … in a way that is devastating’ (Altheide, 2006:
415). President Bush echoed such sentiments, claiming, ‘We cannot wait for the final proof … in the
form of a mushroom cloud’ (Welch, 2006: 23).
In terms of institutional responses, terrorism, like other moral panics, typically inspires escalations of
social control and discipline, whether police repression, the abrogation of human rights, techniques of
social defense, or the bending, suspension, and circumvention of the law (Cohen, 2002: 66–72, 140–
145). Such measures are often exceedingly elastic and based on group-based profiles where shared
social characteristics (nationality, phenotype, religion, etc.) incite suspicions of malevolence and
criminality. While visible in several cases, whether the Red Scare or the Battle of Algiers (Crenshaw,
1972; Miller, 2013), these dynamics are especially conspicuous at present. With its appeals to ‘infinite
justice’ and global conflict without clear adversaries and parameters, the WOT has provided an alibi for
creating a fluctuating net of enforcement that can be ‘cast over any form of resistance to sovereign
power’ whether activists, domestic minorities, foreigners, or other suspect populations (Gregory, 2003:
319). Such trends are uniquely applicable to the contemporary climate of Islamophobia. Specifically,
terrorism’s interpretation through registers of racial and religious difference has incited ‘signification
spirals’ (Hall et al., 1978) in which fears and threats stemming from small-scale subversive and
antagonistic groups (jihadists) result in the construction of entire collectivities (Muslims in general) as
folk devils that are inherently risky, dangerous, and other.
Volatility
Traditionally conceived as ‘eruptive … and quick to subside’ (Hunt, 2011: 57), it is increasingly
acknowledged that moral panics vary in ‘intensity, duration, and impact’ (Garland, 2008: 13). While
many are transient and ephemeral, others, whether regarding drugs, street crime, or terrorism,
represent persistent sources of unease. When coupled with the rise of a globalizing mass media and 24-
hour news cycle these developments have transformed moral panics from brief eruptions into enduring
states of anxiety and insecurity (Carrabine, 2008). For terrorism, while the hysteria it produces may
abate, it displays long-lasting repercussions, whether a lingering sense of vulnerability that can quickly
transmutate into full-blown panic or the entrenchment of intensified policing and securitization.
Excessive surveillance erodes freedom.

Schneier, Harvard University Berkman Klein Center for Internet & Society Fellow and
Harvard University Kennedy School Public Policy Lecturer, 18
[Bruce, 11-16-2018, Wired, “Surveillance Kills Freedom By Killing Experimentation,”
https://www.wired.com/story/mcsweeneys-excerpt-the-right-to-experiment/, accessed 06-30-2021,
HSP]
Ultimately, this fear stagnates society in two ways. The first is that the presence of surveillance means
society cannot experiment with new things without fear of reprisal, and that means those experiments
—if found to be inoffensive or even essential to society—cannot slowly become commonplace, moral,
and then legal. If surveillance nips that process in the bud, change never happens. All social progress—
from ending slavery to fighting for women’s rights—began as ideas that were, quite literally, dangerous
to assert. Yet without the ability to safely develop, discuss, and eventually act on those assertions, our
society would not have been able to further its democratic values in the way that it has.
Consider the decades-long fight for gay rights around the world. Within our lifetimes we have made
enormous strides to combat homophobia and increase acceptance of queer folks’ right to marry. Queer
relationships slowly progressed from being viewed as immoral and illegal, to being viewed as somewhat
moral and tolerated, to finally being accepted as moral and legal.
In the end it was the public nature of those activities that eventually slayed the bigoted beast, but the
ability to act in private was essential in the beginning for the early experimentation, community
building, and organizing.
Marijuana legalization is going through the same process: it’s currently sitting between somewhat
moral, and—depending on the state or country in question—tolerated and legal. But, again, for this to
have happened, someone decades ago had to try pot and realize that it wasn’t really harmful, either to
themselves or to those around them. Then it had to become a counterculture, and finally a social and
political movement. If pervasive surveillance meant that those early pot smokers would have been
arrested for doing something illegal, the movement would have been squashed before inception. Of
course the story is more complicated than that, but the ability for members of society to privately
smoke weed was essential for putting it on the path to legalization.
We don’t yet know which subversive ideas and illegal acts of today will become political causes and
positive social change tomorrow, but they’re around. And they require privacy to germinate. Take away
that privacy, and we’ll have a much harder time breaking down our inherited moral assumptions.
The second way surveillance hurts our democratic values is that it encourages society to make more
things illegal. Consider the things you do—the different things each of us does—that portions of society
find immoral. Not just recreational drugs and gay sex, but gambling, dancing, public displays of affection.
All of us do things that are deemed immoral by some groups, but are not illegal because they don’t harm
anyone. But it’s important that these things can be done out of the disapproving gaze of those who
would otherwise rally against such practices.
If there is no privacy, there will be pressure to change. Some people will recognize that their morality
isn’t necessarily the morality of everyone—and that that’s okay. But others will start demanding
legislative change, or using less legal and more violent means, to force others to match their idea of
morality.
It’s easy to imagine the more conservative (in the small-c sense, not in the sense of the named political
party) among us getting enough power to make illegal what they would otherwise be forced to witness.
In this way, privacy helps protect the rights of the minority from the tyranny of the majority.
This is how we got Prohibition in the 1920s, and if we had had today’s surveillance capabilities in the
1920s it would have been far more effectively enforced. Recipes for making your own spirits would have
been much harder to distribute. Speakeasies would have been impossible to keep secret. The criminal
trade in illegal alcohol would also have been more effectively suppressed. There would have been less
discussion about the harms of Prohibition, less “what if we didn’t…” thinking. Political organizing might
have been difficult. In that world, the law might have stuck to this day.
China serves as a cautionary tale. The country has long been a world leader in the ubiquitous
surveillance of its citizens, with the goal not of crime prevention but of social control. They are about to
further enhance their system, giving every citizen a “social credit” rating. The details are yet unclear, but
the general concept is that people will be rated based on their activities, both online and off. Their
political comments, their friends and associates, and everything else will be assessed and scored. Those
who are conforming, obedient, and apolitical will be given high scores. People without those scores will
be denied privileges like access to certain schools and foreign travel. If the program is half as far-
reaching as early reports indicate, the subsequent pressure to conform will be enormous. This social
surveillance system is precisely the sort of surveillance designed to maintain the status quo.
For social norms to change, people need to deviate from these inherited norms. People need the space
to try alternate ways of living without risking arrest or social ostracization. People need to be able to
read critiques of those norms without anyone’s knowledge, discuss them without their opinions being
recorded, and write about their experiences without their names attached to their words. People need
to be able to do things that others find distasteful, or even immoral. The minority needs protection from
the tyranny of the majority.
Privacy makes all of this possible. Privacy encourages social progress by giving the few room to
experiment free from the watchful eye of the many. Even if you are not personally chilled by ubiquitous
surveillance, the society you live in is, and the personal costs are unequivocal.
Terrorism Impact – Authoritarianism Impacts
Authoritarian governments led to war and Covid-19 has only magnified the likelihood.
Day, United Nations University Centre for Policy Research Head, and Druet, former UN
Political Peacebuilding Affairs official, 20
[Adam, Dirk, 06-08-2020, The Hill, “COVID-19 could lead to new wars in authoritarian countries,”
https://thehill.com/opinion/international/501739-covid-19-could-lead-to-new-wars-in-authoritarian-
countries, Accessed 07-04-2021, HSP]
The COVID-19 pandemic has triggered widespread concern about democracy, with pundits like Larry
Diamond claiming that democracy is now under imminent threat as authoritarian tendencies take over.
The ability of authoritarian governments to control their populations and prevent the spread of the
disease may appear like an upside for dictatorial regimes.
However, in a new report, which we helped author, on how authoritarian regimes fall, we point to a
troubling prospect: Many countries with strong authoritarian governments are more susceptible to
economic shocks, much more likely to experience a collapse in regime when a strong downturn occurs
and more at risk of descending into violent conflict than are more conventional democracies. This
research suggests that governments (and financial markets) should be worried about a rise in violence
as the pandemic takes hold in these economies, given that those very governments have often failed to
deal effectively with systemic inequalities.
A shock to the system
Authoritarian regimes are not alone in being susceptible to economic shocks; all systems become more
fragile during downturns. Our study, however, found many of them to be especially sensitive to bad
economic performance. Without the ballot box, authoritarian leaders under pressure tend to impose
heavy-handed crackdowns on political freedoms, inflaming public resentment and higher chances of
uprising.
Nearly every overthrow of an authoritarian ruler over the past 30 years was preceded by a significant
economic crisis. Recent examples include the popular protests that toppled Zine El Abidine Ben Ali in
Tunisia amidst an economic crisis; the large-scale popular uprising in Yemen in 2011 during a severe oil
shortage; and the coup that ousted Zimbabwe’s President Mugabe during the long downward economic
trajectory of the country. The 2019 coup against President Bashir in Sudan was also driven in large part
by disastrous economic performance generating a popular uprising.
As the pandemic begins to drive global economies down, highly authoritarian regimes may appear to be
in control of their populations in terms of enforcing social distancing. However, many of these measures
result in reduced civil liberties and strengthened ruling party control, very often controlled by a single
person and their family or immediate entourage. What may in the short term prevent the spread of the
virus is likely to bring political and economic resentment to the boiling point in many fragile systems. In
Brazil, for example, President Bolsonaro’s antagonistic approach to the press, combined with the
country’s poor COVID-19 response, has some experts predicting his government might fall. As
authoritarian regimes become more desperate to limit the socio-political fallout of the COVID-19 crisis,
we can anticipate a higher risk of social uprisings in many parts of the world soon.
A greater risk of violence
This points to a worrying trend when authoritarian regimes fall: transitions out of authoritarian rule
appear to be getting more violent. In the 1990s, one of the most common ways to depose of dictators
was through military coups, particularly in Latin America — an efficient, often quite brutal, process that
had a relatively low likelihood of sparking widespread violence. Today, however, by far the most
prevalent cause of collapse in authoritarian rule is popular uprising, which can, in turn, provoke a coup
(such as in Sudan) and historically has tended to be the most violent form of transition. Authoritarian
rulers often respond to peaceful protests by repressive, violent crackdowns, which then risk escalating
into broader conflict.
This is in part because popular uprisings pose a direct threat to rulers: roughly 85 percent of successful
uprisings against authoritarian systems result in the installation of a new leader. As opposition groups
around the world develop strategies during the pandemic, they may be more inclined to mobilize
directly against autocrats who have held power for long spells. And these men (they are all men) rarely
relinquish power without a fight.
It’s about inequality
Authoritarianism hurts the economy and causes war.

Kasparov, Human Rights Foundation chairman, and Halvorssen, Human Rights
Foundation president, 17
[Garry, Thor, 02-13-2017, The Washington Post, “Opinion: Why the rise of authoritarianism is a global
catastrophe,” https://www.washingtonpost.com/news/democracy-post/wp/2017/02/13/why-the-rise-
of-authoritarianism-is-a-global-catastrophe/, Accessed 07-04-2021, HSP]
If injustice and oppression aren’t bad enough, authoritarian governments bear an enormous social cost.
Dictator-led countries have higher rates of mental illness, lower levels of health and life expectancy, and,
as Amartya Sen famously argued, higher susceptibility to famine. Their citizens are less educated and file
fewer patents. In 2016, more patents were filed in France than in the entire Arab world — not because
Arabs are less entrepreneurial than the French, but because nearly all of them live under stifling
authoritarianism. Clearly, the suppression of free expression and creativity has harmful effects on
innovation and economic growth. Citizens of free and open societies such as Germany, South Korea and
Chile witness advances in business, science and technology that Belarusans, Burmese and Cubans can
only dream of.
And consider that free nations do not go to war with each other. History has shown this to be the only
ironclad law of political theory. Meanwhile, dictators are always at war, often with a foreign power and
always with their own people. If you are worried about public health, poverty or peace, your mandate is
clear: Oppose tyranny.
AT — Risk Overblown
Unpredictable nature of cyberattacks make the impact much more dangerous

Perlroth, New York Times cybersecurity journalist, 2021
[Nicole, 6-7-21, The New York Times, “Are We Waiting for Everyone to Get Hacked?,”
https://www.nytimes.com/2021/06/05/business/leon-panetta-cyber-attacks.html, accessed: 6-28-21,
AHP]
“If not this, then what?” Mr. Panetta still asks. “What will it take?”
He fears it really will take the “Cyber Pearl Harbor” he predicted nearly a decade ago, when he warned
of what would come if Americans didn’t shape up: a coordinated cyberattack on critical infrastructure
that “would cause physical destruction and the loss of life, an attack that would paralyze and shock the
nation and create a profound new sense of vulnerability.”
In the decade that followed, cybersecurity experts quibbled with his word choice — “Cyber Pearl
Harbor” — arguing alternately that it was overly alarmist or infantilizing, that the use of war lingo leaves
everyday Americans and mainstream organizations with the impression they are helpless to combat
illusive “cyberbombs.”
That, Mr. Panetta says, was never his intention. “I got some complaints about using the word ‘Pearl
Harbor,’” Mr. Panetta conceded. “They said you should be very careful about using that word, and my
response was, ‘Call it whatever the hell you want.’ It’s a national security threat. Don’t try to fool
yourself that somehow, just because you don’t like the words, the threat is not real.”
‘Playing with fire’
These days, Mr. Panetta has swapped analogies. Like most Californians, he has fire on his mind. The
former secretary of defense resides on his family’s old walnut farm turned vineyard in the parched
Carmel Valley, where the surrounding hills are still singed from last year’s fires. The entire state is
bracing for another inferno. And Mr. Panetta can’t help but see our digital woes through a ring of fire.
“You know cyber is a little bit like playing with fire,” he reflected on a recent afternoon. “You’re not
quite sure just how something is going to play out. It could blow back on you from a dozen different
directions.”
[Panetta = Leon Panetta, former Secretary of Defense and former Director of the Central Intelligence
Agency]
Solvency
Regulation and Resources
Codified protocols with the resources to implement them are key

Barrett, Wired Executive Editor, 21
[Brian, 04-02-2021, Wired, “Water Supply Hacks Are a Serious Threat– and Only Getting Worse,”
https://www.wired.com/story/threat-to-water-supply-is-real-and-only-getting-worse/, accessed 06-26-
2021, HSP]
The threat to water systems is inextricably tied to the broader threats to critical infrastructure, which
have surged in recent years, according to Brandon Hoffman, chief information security officer for the
threat intelligence firm Intel 471. “Adversaries see that critical infrastructure is underfunded and
undermanaged from a security perspective.”
Last year, Intel 471 found that a likely Iranian hacker was offering to sell network access to a water
treatment plant in Florida over the messaging app Telegram. (They have not tied that activity it to the
Oldsmar incident.) Hoffman expects water supply infrastructure to be an increasingly popular target,
especially as incidents like Post Rock and Oldsmar highlight both the vulnerability of those plants and
the amount of harm they can cause.
“It’s kind of a double-edged sword,” Hoffman says about the recent cases. “On the one hand, you want
people to have awareness. On the other hand, success begets success. The more people that see it, the
more people will want to target it.”
To the extent that there’s good news, basic cybersecurity protections would go a long way to prevent
attacks by insiders and amateurs. (If a sophisticated state-sponsored hacker wants to break into your
water treatment plant, that’s another story without a happy ending.) The question, though, is who’s
going to pay for implementing them. While President Biden introduced a sweeping $2 trillion
infrastructure bill this week, the White House’s detailed breakdown of priorities made no mention of
cybersecurity. That’s not to say that whatever bill Congress eventually proposes won’t put resources
toward shoring up those systems, but it should be a priority from the start.
“They need more resources. That needs to be codified. They need to be given more staff, more money,
more tools, more intelligence. It’s a huge gap,” says Dragos’s Carhart. “The thing that really scares me is
they just add some laws that require more box-checking for those people, and they don’t give them any
more people and they don’t give them any more money." The more time beleaguered IT staff have to
spend checking boxes for compliance, Carhart says, the less time they have to install patches, update
their systems, and implement the other security basics so many of them lack.
The water supply is fundamental to people's health and safety. The Post Rock incident is yet another
warning of the risk it faces and the potential consequences of continuing to ignore it.
Requirements Key
All water utilities should implement security and response protocols to minimize risks
Until recently, water utilities regarded resiliency as a matter of defense against severe weather events.
Now cybersecurity threats—including cyber terrorism—have taken a place on the list of water utilities’
top concerns.
It’s not enough to be able to keep people from getting into a utility’s system, points out Susan Story,
American Water CEO.
“Someone will find a way to get in,” she asserts. “How will you handle it when it happens? We can
defeat them 100 million times, but if they get in once . . . we can’t let that one get in. And we’ve got to
make sure that when they get in, we know how to respond.”
“Every public water supply and wastewater utility should assess the likelihood and consequences of a
supply disruption, identify critical vulnerabilities, and consider alternative power or supply redundancy
to mitigate service disruptions lasting up to 72 hours or longer if public health, environmental, or
economic impacts are severe,” the American Water Works Association (AWWA) states in a 2014
resolution.
“Careful thought must be given to how much water service—such as minimum daily demand—can be
assured, given local circumstances. In addition, every utility should have a robust emergency response
plan that includes a public communications plan tailored to its needs and circumstances, for use in case
of an electric supply disruption.”
American Water adopted the National Institute of Standards and Technology (NIST) Cyber Security
Framework, created as a result of a 2013 executive order from President Obama to improve critical
infrastructure.
Created through collaboration between industry and government, the framework consists of standards,
guidelines, and practices to promote the protection of critical infrastructure, says Story. “The prioritized,
flexible, repeatable, and cost-effective approach of the framework helps owners and operators of critical
infrastructure manage cybersecurity-related risk,” she says. “We hold ourselves to the same standard of
the electric utilities and the grid. The framework is voluntary for the water sector at this point.”
In the meantime, the AWWA created the Process Control System Security Guidance document to
support water utility adoption of the NIST framework, says Story.
The document details 12 steps the water utility industry should take to shore up cybersecurity that
addresses governance and risk management; business continuity and disaster recovery; server and
workstation hardening; access control; application security; encryption; telecommunications, network
security, and architecture; physical security of process control system equipment; service level
agreements; operations security; education; and personnel security.
American Water participated as a subject matter expert on the development of that document. That
document and NIST standards should be part of every water utility’s blueprint, notes Story.
Requiring risk assessments and implementation of countermeasures necessary to

solve
Alabi, Federal University of Technology Senior Researcher, et al., ‘20
IMPLEMENTATION-IN-WATER-SECTOR.pdf, Accessed 6/26/21, MLiao)
Cybersecurity Challenges in Water Utilities
It is obvious that cybersecurity challenges have the potential to become one of the defining issues of the
21st century. Of recent, many water industries are increasingly incorporating emerging digital
technology into their day-to-day routine operations and as a result of this, there is an increase in water
utilities vulnerability to cyberthreats (Clark et al, 2016.). One of the challenges of cybersecurity in the
water utilities is the potentials of the cyber criminals exploiting antiquated computer systems to have
access to the water valve and flow operations and manipulate the flow of water and amount of
chemicals used for water treatment. The cyber attackers gain access to customer data through the
water company’s online payment system. The cyber attackers gained administrator credentials and find
their ways laterally through the water network (Germano, 2019). There are many unique challenges
facing the water industry in the area of cybersecurity and implementation of security countermeasures.
Some of the key challenges of cybersecurity in the water utilities are (Panguluri et al, 2011a.): 1)
Exponential increase of interconnected business operations and control system networks; 2.) Multitude
of cross-sectors cybersecurity standards; 3). Substantial variation of proprietary industrial control
equipment and; 4). The differences in the equipment vendor’s approaches to meet the security
standards. The various challenges mentioned can be met through voluntarily choosing and adopting
appropriate security standards, performing a gap analysis and conducting vulnerability or risk analysis,
and ensuring necessary countermeasures that meets the security and the water industry requirements
(Panguluri et al, 2011a).
Regulatory Frameworks
Regulatory guidance exists – but is not mandatory
Germano, American Water Works Association '19
[Judith H. Germano is a worker for American Water Works Association, 2019, AWWA, " Cybersecurity
Risk & Responsibility in the Water Sector”,
https://www.awwa.org/Portals/0/AWWA/Government/AWWACybersecurityRiskandResponsibility.pdf,
Standards, guidance, regulation and insurance are available to help water sector entities address
cybersecurity issues and develop comprehensive cybersecurity policies, programs and procedures.
Standards, Guidance and Regulation Standards, toolkits and regulatory mandates help guide water
sector entities regarding cybersecurity defenses and requirements addressing technological, physical
and personal considerations. A discussion of the water sector’s regulatory authorities and critical
infrastructure partners is provided in the DHS and U.S. Environmental Protection Agency (USEPA) Water
and Wastewater Systems Sector-Specific Plan (SSP), including a list of authorities in Appendix 2 and list
of Critical Infrastructure Partners in Appendix 3 of the SSP.46
For more specific guidance in building and enhancing a cybersecurity program and plan, resources
developed by the National Institute of Standards and Technology and the American Water Works
Association (AWWA) are particularly helpful.
NIST Framework & Publications
A key and especially helpful cybersecurity resource is the National Institute of Standards and
Technology (NIST) framework. This is a voluntary set of standards, guidelines and best practices to
manage cybersecurity related risk.47 As NIST states, the “Cybersecurity Framework’s prioritized, flexible
and cost-effective approach helps to promote the protection and resilience of critical infrastructure and
other sectors important to the economy and national security.”48 On April 16, 2018, NIST published a
newer Version 1.1 of the Framework, which is fully compatible with Version 1; it includes additional
guidance on identity management and supply chain cybersecurity.49 NIST also provides additional
guidance, including through special publications (SPs) and webinars, including SP800, on computer
security, SP1800 on cybersecurity practice guides, and SP500 on computer systems technology.
AWWA Guidance & Use-Case Tool
The AWWA provides Process Control System Security Guidance for the Water Sector and a supporting
Use-Case Tool that also is very helpful for establishing and improving cybersecurity systems specific to
operations technology (OT) but can also inform enterprise security practices. The Water Sector
Coordinating Council, the USEPA and NIST have recognized the AWWA Guidance and Use-Tool as the
foundation of a voluntary, sector-specific approach to implementing the NIST Cybersecurity
Framework.50 The Process Control System Security Guidance for the Water Sector identifies 12
cybersecurity “practice categories,” and recommends specific, critical practices under each category that
direct map water-specific application to the NIST Cybersecurity Framework.
In an effort to provide water utilities with actionable tasks, the Use-Case Tool generates a prioritized list
of recommended controls based on specific characteristics of the utility. The user selects from a series of
pre-defined use cases that represents the type of functions their process control system may perform.
The Use-Case Tool places emphasis on actionable recommendations with the highest priority assigned
to those that will have the most impact in the short term. It should be noted, that the tool does not
assess the extent to which a utility has implemented any of the recommended controls.
HIPAA Security Rule
The Health Insurance Portability and Accountability Act (HIPAA), while specific to “covered entities” and
“business associates” providing medical services or handling personal health information, provides a
HIPAA Security Rule that can provide helpful cybersecurity guidance event to non-HIPAA regulated
entities.51 Regardless of whether your organization must comply with HIPAA, the HIPAA Security Rule
“provides a clear, jargon-free framework for developing information security policies and programs” and
can help municipalities and other water sector owners and operators build a solid foundation for
cybersecurity programs.52 In particular, as Jeffrey Morgan notes in a CIO.com article,53 the final six
pages of the HIPAA Security Rule, includes a helpful matrix on required actions for administrative,
physical and technical cybersecurity safeguards.
State and Federal Regulation
Certain states have enacted regulations or provided guidance to address and prioritize cybersecurity in
the water sector. For example, on July 21, 2017, New Jersey enacted the Water Quality Accountability
Act (WQAA, effective as of October 19, 2017), which established new requirements designed to improve
the safety, reliability and administrative oversight of the water infrastructure.54 The Act applies to
public water systems with more than 500 service connections—approximately 300 water systems in
New Jersey.55 The New Jersey WQAA requires covered water system operators to inspect, maintain,
repair and update their infrastructure consisting with AWWA standards, and requires water system
operators with internet connected control systems to create cybersecurity programs and join the NJ
Cybersecurity and Communications Integration Cell, designed to foster better collaboration and
improved cybersecurity defenses.56
New York Public Health Law requires water suppliers to develop and submit emergency plans that,
among other things, include “a vulnerability analysis assessment, including an analysis of vulnerability to
terrorist attack and cyber attack, which shall be made after consultation with local and state law
enforcement agencies.”57
Connecticut’s Public Utilities Regulatory Authority (PURA) set forth a Public Utilities Cybersecurity Action
Plan with Compliance Standards and Oversight Procedures, dated April 6, 2016.58 The Connecticut Plan
seeks to increase partnership among utilities, increase monitoring and develop an enhanced “culture of
security” to address cyber risk. The Connecticut Plan references the AWWA Guidance and Use-Tool and
the NIST Framework, among other guidance for improving cybersecurity.59
At the federal level, the recent America’s Water Infrastructure Act of 2018,60 requires community water
systems serving a population of more than 3,300 persons to conduct a risk and resilience assessment of
their systems (42 U.S.C. 300i-2). This includes assessing the security of any electronic, computer, or
other automated systems that the community water system uses. The Act also requires covered
community water systems to certify to the USEPA, starting in March 2020 and re-certifying every five
years, that they have completed the required assessments.
Fed Key
Federal support and oversight ensure protection while preserving necessary

individualized solutions
Huhn, CIA Officer Technical Intelligence and Cyber Security Manager, 20
[Heidi, November 2020, Capella University, “Defending Infrastructure against Cyber Attacks through
Qualified Cybersecurity Professionals in the Federal Government: A Case Study,” page 88,, ProQuest,
Theme 1 suggests protecting critical infrastructure against cyberattacks is further complicated by the
make-up of sixteen sectors, each with unique protection requirements from cyberattacks. Additionally,
risk prioritization, through commercial best practices, are evolving versus extensive federal government
frameworks. This theme discusses the research gaps between previous scholarly journals and
professional documentation. Previous research discusses the complexity of skills required in protecting
critical infrastructure though this research contends a solid private and public sector relationship is
critical in facilitating network protections. Maglaras et al. (2018) broached the idea that critical
infrastructure sector requires multifaceted solutions. Maglaras et al. (2018) posited that modern
industrial control systems (ICS) have morphed into large, complex, connected systems susceptible to
new vulnerabilities and threats. Maglaras et al. (2018) stated that a defense-indepth approach applies
multiple levels of security at the various system and network layers. Applying the various layers delays
an attacker from gaining access to the system or the data (Maglaras et al., 2018). Utilizing a concrete
public and private sector relationship facilitates greater knowledge input for implementing effective
cybersecurity measures. Previous research did not discuss the practical implementation aspects of using
the National Institute of Standards and Technology (NIST) framework of their study. In fact, Shackelford
and Bohm (2016) posited that the NIST framework created an innovative, agile, and cost-effective
approach in protecting critical infrastructure (Government Accountability Office, 2018b). The
groundbreaking research of this study points to the difficulty of a one-size-fits-all approach to protecting
the unique, individual sixteen critical infrastructure sectors. Factors such as unique critical sector needs,
risk prioritization, and commercial best practices are essential in protecting critical infrastructure
against cyberattacks. Shackelford and Bohm (2016) posited that the NIST framework creates an
innovative approach to bilateral governance and strengthening the public-private sector policy-based
approach in protecting critical infrastructure. This supports the finding of this study that collaboration
among the federal, state, and local level governments is essential because ownership of the unique
critical infrastructure assets is at the state and local government levels. The federal government
provides the required protection guidelines and oversight of implementation. Each critical infrastructure
entity stands alone in the threats, vulnerabilities, and mitigations.
Multiple Barrier Approach
Multiple barrier approach solves full spectrum of risk management

Sector-specific partners include: the EPA, DHS, the National Institute for Science and Technology (NIST),
the American Water Works Association (AWWA), the Water Research Foundation, the Water
Environment Research Foundation and other water associations, educational institutions, national
research laboratories, public and private research foundations, states/local agencies, PWSs and related
organizations.
The water utility industry has been active in a number of ways to improve cyber-security in the industry.
For example, the Virginia Department of Health in collaboration with USEPA Region 3 has undertaken an
evaluation of cybersecurity practices in 24 utilities of varying size and characteristics (Manalo et al.
2015). In California various water districts have formed a committee to take the lead in promoting
awareness of cyber-security throughout the State’s public water utilities (Johnson & Edwards 2007).
For example, in an effort to provide PWSs with more actionable information on cybersecurity, AWWA
has released the Process Control System Security Guidance for the Water Sector (AWWA 2014) and a
supporting Use-Case Tool (Roberson & Morley 2014). The goal of AWWA’s guidance is to provide water
sector utility owners/operators with a consistent and repeatable course of action to reduce
vulnerabilities to cyber-attacks as recommended by the American National Standards Institute
(ANSI)/AWWA G430 and the Executive Order 13636 (EO 13636 2016).
The ANSI/AWWA G430 (AWWA 2015) standard defines the minimum requirements for a protective
security program for the Water Sector. The standard promotes the protection of employee safety, public
health, public safety and public confidence. This standard is one of several in the AWWA Utility
Management series designed to cover the principal activities of a typical public water system. This
AWWA standard has received the SAFETY Act designation from the DHS in February 2012.
The G430 standard applies to all water and wastewater systems regardless of size, location, ownership
or regulatory status. This standard was built on the long-standing drinking water sector practice of using
a ‘multiple barrier approach’ to protect public health and safety. The requirements of this standard
support a utility-specific security program and are expected to result in consistent and measurable
outcomes. They address the full spectrum of risk management including organisational commitment,
physical and cyber-security and emergency preparedness.
Risk Assessment Solvency
Risk assessments build resilience and ensures flexible and efficient investment
Fischbach, RAND Corporation Water and Climate Resilience Center Senior Policy
Researcher, ‘17
(Jordan R., NOAA Mid-Atlantic Regional Integrated Sciences and Assessments Center Co-investigator,
Former Homeland Security Operational Analysis Center Assurance Manager, member of the National
Academy of Sciences, Engineering, and Medicine Water Science and Technology Board, PhD in policy
analysis from Pardee RAND Graduate School, RAND Corporation, 7/12/17, “How Should Water
Professionals Invest in Resilience?”, Accessed 6/30/21, MLiao)
Water professionals can think about building resilience as a process of embracing and managing future
uncertainty. Rather than seeking to predict which long-term stressor, drought, or other shock to plan
for, I, along with other colleagues at RAND, help planners consider a wide range of “what if” scenarios.
This robust decision making approach uses computer simulation models and scenario analysis to identify
future threats, systematically tests management strategies against these scenarios, and uses data
visualization and statistical techniques to highlight key trade-offs for planners and stakeholders. The
resilience benefits are threefold.
First, it helps identify “no regrets” investments that perform well regardless of scenario. Second, it leads
to adaptive strategies that are flexible and introduces new investments only when challenging
conditions become likely. Finally, it can answer emerging questions and support conversations between
planners and stakeholders during complex and difficult planning processes.
Basic fixes to control systems and threat assessments can reduce risks
Williams, Water World, 17
[Andrew, 01-01-2017, Water World, “The threat of cyber security breaches has emerged as a growing
risk for water utilities. Earlier this year hackers linked to Syria breached the security of an American
water utility and tampered with critical systems to control water flow. What practical steps can utilities
take to safeguard facilities and customer details from cyber security risks?,”
https://www.waterworld.com/international/utilities/article/16201183/cyber-security-how-water-
utilities-can-protect-against-threats, Accessed 06-28-2021, CBM]
“Money has been spent on increasing efficiency and digitalising both operational assets and customer
facing services like payment and communication systems, all of which bring increased vulnerability,
which has not, in any case that I have seen, been effectively mitigated,” he says.
Looking ahead, he urges companies to carry out full external audits of IT networks and systems to
identify specific risks, followed by the splitting of critical operational networks like SCADA systems from
business networks to mitigate the risk of operational disruption via a ‘softer’ access point on a business
network.
“Water companies also need systems in place to allow employees at all levels to understand how
vulnerable the sector is and begin to transform culture and interest. I often use a Stuxnet film as part of
my briefing materials. Despite Stuxnet being five years old, I am asked every time in the water sector, ‘is
that real?’ by senior members of staff. That, for me is the primary indicator that the level of risk within
the sector is not understood, simply because it has not happened yet,” he adds.
In terms of practical steps, Morley also points out that AWWA has developed guidance and a use-case
tool that provides a baseline for utilities managers that allows the utility to consider “how they use
various technologies ... and provides a prioritised list of controls that would be applicable”.
“The utility can then use the report to evaluate if those controls have been implemented or how they
might take action to do so,” he says.
“There are very simple actions that can be taken to manage cyber risk and reduce exposure. This is just
as much a liability for a utility as a broken main or failed pump … the value of process control systems to
the mission of the utility must be recognised and integrated to overall capital and risk management
programs,” adds Morley.
Meanwhile, Arceneaux stresses there are several best practices utilities can implement - particularly
those found in a free recent WaterISAC guide called 10 Basic Cybersecurity Measures: Best Practices to
Reduce Exploitable Weaknesses and Attacks, developed in partnership with the Department of
Homeland Security’s ICS-CERT division.
ICS-CERT has advised utilities to implement the first three recommendations, including inventorying
control system devices and eliminating exposure of this equipment to external networks, segmenting
networks and applying firewalls, and using secure remote access methods “as soon as practical”.
Other recommendations include establishing role-based access controls, using only strong passwords
and conducting cybersecurity training for employees, and encouraging boards and senior leadership to
understand the potential threats and consequences to the utility and provide the necessary resources.
[Note – He = Barry Searle, director of training at intqual-pro, Morley = Kevin Morley, federal relations
manager at the American Water Works Association, Arceneaux = Michael Arceneaux, managing director
at WaterISAC - a non-profit, water industry-lead centre for sharing physical and cyber threat information
with utilities and water sector professionals in government and private companies]
Cybersecurity Countermeasures
Risks of cyber attacks against water are rising – establishing strong countermeasures is
key to solve
Summary and conclusions
As infrastructure becomes increasingly connected, cyberphysical security in CI such as water supply will
become an even greater concern. In the United States, cyber-security issues are extremely important
from a national security perspective (US GAO 2013); however, there is a strong desire for the separation
of powers between the Federal government and the individual States that has made developing a
unified cyber-security strategy difficult.
It is clear that cyber threats to the water sector are real. The insider attack on the Maroochy Shire
wastewater treatment plant provides an insight into the real consequences of a specific attack and there
have been confirmed cases of cyber-attacks against domestic water utilities. Such attacks could affect
public health and increase distrust of government, by delivering contaminated water that could
potentially cause sickness without detection.
In the United States virtually all drinking water utilities, even subdivision-sized systems, have become
dependent on SCADA systems. It is therefore imperative that PWSs adopt suitable countermeasures to
prevent or minimise the consequences of cyber-attacks. Establishing a strong cybersecurity environment
is the basis for implementing a strong cyber-defence. Such a program should consist of technology,
people and physical protection, where the last refers to physical protection of cyber-devices from
physical tampering. It is also critical that utility management create and support a cyber-security culture.
The lack of policies and procedures may pose a significant barrier to developing adequate cyber-
security; if management support is lacking, there will never be an effective cyber-security culture.
Utilities in the United States should avail themselves of the free opportunities available through the US
DHS to train their staff and allocate necessary funding to achieve improvements in cybersecurity. The
greatest challenge for the water industry is the large variance in system size, staffing, and resources
available to the individual utilities. Utilities should adopt countermeasures that best meet their security
and organisational requirements.
[Note – SCADA = Supervisory Control and Data Acquisition, ICS = Information Control Systems, PWSs =
public water supplies]
Implementing precautions reduces risk
Smith, Governing Senior Staff Writer, 21
[Carl, 06-01-2021, Governing, “How Simple Fixes Can Prevent Cyber Attacks on Water Systems,” Nexis,
While a cybercriminal or foreign actor might be able to engineer an attack that could breach even a well-
protected network, most of the events included in a review of water cybersecurity incidents over the
last 20 years could have been prevented with routine precautions.
Perhaps the most notorious occurred in Australia in 2000, when nearly a million liters of raw sewage
were released into a river, park and residential grounds by an angry former employee. The ICS was not
protected by any procedures, defenses or policies, including the fact that the worker's access to it had
not been revoked.
A 2007 attack against the Tehama-Colusa Canal Authority in California was also the work of a former
employee, as was a 2012 event at the Florida Key Largo Waste Treatment District. In 2014, a fired
employee of a company that manufactured smart water meters used his access to interfere with the
meters of five water utilities across three states. A former employee of the Post Rock Rural Water
District in Ellsworth, Kan., has been indicted for logging into its system in 2019 and interfering with
cleaning and disinfecting systems.
The pandemic made remote access to IT and operational technology (OT) a necessity, but also brought a
new risk: equipment used on a "plug and play" basis, without adequate attention to security. The
Oldsmar attack that sent shockwaves through the sector was possible because the attacker connected to
the OT through an insecure laptop belonging to a remote worker.
It's difficult to make the threat of cyberattacks real to all stakeholders, says Morley. "In the past it was,
'Who'd want to come to my town? I'm just this small little community,'" he says. "But on the Internet,
it's ones and zeros, it's open doors — and for the criminal actor, it's a game of statistics."
Secure Network
Secure network design raises the cyber security culture and reduces risk of attack
Secured network design
It has been traditional for industrial control systems to apply standard IT security systems to control
networks, including physical security, personnel security and ICS network perimeter protections
including firewalls and network intrusion detection systems (NIDS). However, a Ponemon Institute study
(Ponemon Institute LLC 2013) found that malicious cyber breaches took an average of 80 days to detect,
and 123 days to resolve. An example of a technological approach that may protect an ICS is a
unidirectional gateway. Therefore, many experts recommend that technological innovations such as
unidirectional gateways be used as the modern alternative to firewall perimeter protections for ICSs
(Waterfall 2016). Figure 2 illustrates a unidirectional gateway deployment. All unidirectional gateways
are combinations of hardware and software as shown below. A possible approach is a unidirectional
gateway which results in a system able to transmit information from a protected individual network, but
physically unable to transmit any information back to that protected network from outside the system.
In cases where a unidirectional gateway is unaffordable (e.g., in smaller-sized utilities) or is technically

challenging to implement, utilities should investigate other alternatives such as implementing virtual
routing and forwarding (VRF) (Stack 8 2015). VRF technology is included with some off-the-shelf routers
that allow different routing tables to work simultaneously within a given router. Devices using the
different routing tables are virtually isolated, unable to communicate with each other even though they
are connected to the same hardware. This allows network paths to be virtually segmented without using
multiple devices. Internet service providers often take advantage of VRF functionality to create separate
virtual private networks (VPNs) for customers. This technology is also referred to as VPN routing and
forwarding.
Cybersecurity designs should strive to limit access or incorporate isolation capabilities of ICS/SCADA
systems. The isolation of an ICS system can be achieved by establishing security enclaves (or zones) with
virtual local area networks (VLANs) or subnets that are segregated from lower security zones like
corporate networks or any Internet accessible zones. Information passing from one security zone to
another should be monitored. Figure 3 illustrates an example of a secure PWS architecture.
In this example, the ICS environment has been isolated with no ingress electronic connections. The use
of data diodes between the SCADA/ICS (process control) and corporate (business analytics, payroll,
accounting, email, etc.) IT environments allows for information sharing from the ICS environment
through a truly one-way transfer of data from ICS historians (databases) for business needs and
reporting.
The use of true isolation through data-diode technologies between the treatment plant ICS and the
corporate environment (Fig. 3) is more recent. The adoption of this technology within the water sector
has been observed by the authors at one utility but is gaining increasing acceptance within the water
sector. Some PWSs have identified the use of this technology in their advance security posture planning
documents. However, the implementation of this technology requires an investment in both capital and
labour. At least two full-time-equivalent (FTE) technology staff are typically required for several months
during the development, testing, verification and deployment phases. Additionally, depending upon the
complexity of the architecture, a successful deployment may require three or more FTEs. After the full
implementation and optimisation of the secure PWS architecture, at least 1=4 to 1=2 FTE will be
necessary to manage and support this type of security posture. Based on current water sector
cybersecurity implementation and execution costs, it is estimated that this technology implementation
(depending on the features) would average around $300 000 for initial implementation and
optimisation.
The application of secure architecture and isolation of the ICS environment prevents both remote access
connection and unauthorised computers or network devices including third party vendors from entering
into the ICS environment. Furthermore, the utility will also need to address the issue of securely
installing patches, anti-virus signature files and application updates. These approaches typically involve
the use of portable media (USB memory and USB hard drives) which present security concerns. By
deploying unidirectional gateways (based on data Diode technology) the cyber risk of compromise from
external networks, like the internet, is significantly reduced if not eliminated. However, trusted insiders,
portable media, and physical intrusions still present a potential vector into the system. Therefore, a
strong media protection policy, as well as strong physical controls needs to be developed to maintain
the integrity of the environment. Prior to adding a network device or computer to the ICS environment,
a thorough analysis should be conducted. Once approved, the equipment should stay at a secure off-site
location for future use and identified as an ICS component.
The suggested architecture along with strong policies and procedures is necessary in order to develop a
security culture that raises the level of awareness of each employee. Management should provide all
necessary training for the core cybersecurity staff. The next stage in security is to monitor and verify that
the security controls are working as designed through monitoring and log-file analysis. Systems,
applications and security components should enable login. This capability should be centrally located
through a security information and event management system to allow central management of
monitoring appliances. It should include logreviews and alerting capabilities in the event that the system
starts to identify anomalies with the systems for early detection, alerting and recovery capabilities.
Finally, when excessing or decommissioning equipment, a proper equipment disposal process should be
in place to ensure no proprietary information ever leaves the environment. A proper disposal process
protects from malicious reverse engineering, discovery and reconnaissance activities.
Systemic control measures key to preventing attacks
Smith, Governing Senior Staff Writer, 21
[Carl, 06-04-2021, Governing, “How Simple Fixes Can Prevent Cyber Attacks on Water Systems,”
https://www.governing.com/security/how-simple-fixes-can-prevent-cyberattacks-on-water-systems,
The cyber criminals behind the May ransomware attack on the Colonial Pipeline have said that their
motivation was to “make money,” not to create problems for society. This is hard to reconcile with an
assault against critical infrastructure that forced a temporary shutdown of 45 percent of the East Coast’s
supply of diesel, gasoline and jet fuel, even if the hackers did receive $4.4 million.
It’s not yet known who is behind the February attack on a water treatment plant in Oldsmar, Fla., but
there’s no question that it was intended to cause harm, taking over a control system and releasing
unsafe levels of sodium hydroxide into the water supply.
An operator noticed what was happening and corrected the problem. It’s likely that system sensors and
redundancies would have prevented a disaster without human intervention, but the event was the stuff
of nightmares.
In April, the National Security Council announced the start of a 100-day plan to improve the
cybersecurity of America’s electrical infrastructure. Following the Colonial Pipeline incident, the
president gave remarks that his public-private initiative would also include water systems.
About 200 utility companies provide electricity to the majority of Americans. All together, there are an
estimated 3,000 electric utilities in the country. When it comes to the nation’s water sector, the picture
is much more complicated.
More than 52,000 community drinking water systems in the U.S. provide tap water to nearly 300 million
Americans. Ninety-three percent provide water to fewer than 10,000 people, and 67 percent to fewer
than 500. There are also more than 100,000 non-community drinking water systems at campgrounds,
schools, hospitals, office buildings, factories and other locations. Wastewater infrastructure includes
16,000 treatment systems that serve 250 million citizens.
Numerous and varied, the nation’s water utilities share similar vulnerabilities and can benefit from
similar protective strategies. Many effective countermeasures can be implemented without great
expense, but that doesn’t mean they are always in place.
Unseen, Not Nonexistent
Managers at utilities of all sizes are seeing a constant barrage of attacks of varying degrees of
sophistication, says Kevin M. Morley, Ph.D., manager of federal relations for the American Water Works
Association (AWWA). “If you’re not monitoring, you may have a false sense of security,” he says. “If you
don’t look, it doesn’t mean it’s not happening.”
Cyber vulnerability is an abstract concept to most people, including leadership, unless they are directly
involved in preventing attacks, says Morley. To some extent, this can be attributed to the way devices
and connectivity are marketed.
“People may have computers and phones, but we don’t train consumers on the security of the things
we’ve been shoving into their homes for the past 20 to 30 years,” he says. “It’s not part of the dialogue
to talk about how to set up your Wi-Fi system or your home network that’s now connected to the
refrigerator and the hairdryer and the light bulbs.” Moreover, consumers are conditioned to give their
data away, not to protect it.
In most cases, water service is part of municipal government. To achieve efficiency, one IT department
often manages all departments in a city or county. It’s not unusual for city leaders to focus on the basics
— computers, email, payroll — rather than the details of network security.
In addition to the information technology system (ITS) necessary for the business functions of
government, water utilities use industrial control systems (ICS) to manage the pumps, motors and other
equipment that make their plants run. If a network is not configured properly, and the ICS is not
segmented, separated from the ITS, an attack could affect both systems.
“You’re only as strong as the network itself,” says Morley. “If the network is serving multiple systems, all
those points on the compass need to be secured.”
Water industries should be mandated to follow a segmentation policy.

Boubaker, Stormshield Industrial Security Business Line Head, 21
[Khobeib, 04-16-2021, Stormshield, “Water infrastructure: when states and cyber attacks rear their ugly
heads,” https://www.stormshield.com/news/water-infrastructure-when-states-and-cyber-attacks-rear-
their-ugly-heads/, accessed 06-28-2021, HSP]
Major problems require major solutions. To counter the cyber attacks targeting it, the water industry
needs to filter everything arriving in its facilities from the outside world. To do so, the sector has
introduced a segmentation policy on its different sites. This is a vital approach when it comes to
protecting water infrastructure, all the more so as it can take varying forms. “The water companies are
segmenting each of their sites and controlling the communication flows transiting through them”,
explains Raphaël Granger. Over and above the segmentation of their operational sites, the water
industry is also separating the IT environment (PCs, servers, users) from the OT environment (the
operational environment) within them. This segmentation is designed to isolate the operational part in
the event of an attack. Finally, within the OT part, it’s possible to find another form of segmentation,
with a separation between the supervision part and the implementation part (PLCs).
The key stakeholders in the cyber sector, including the software publishers, are supporting the water
companies in this move to segmentation and through a certain number of security solutions aimed at
improving their capacity to prevent cyber attacks. “To guarantee cyber security for water systems, the
software publishers are helping the companies operating in this sector to check the reliability and
compliance of their network protocols. Using industrial firewalls, the idea is to ensure that these
protocols are not modified or compromised by a cyber attacker”, adds Raphaël Granger. For this
industry, it’s therefore very important to have solutions able to verify the legitimacy of the orders
performed by the PLCs and to introduce systems making it possible to manage and secure remote access
(for remote maintenance or alert management, etc.).
The water industry is organising to fight back against cyber attacks, but this is only just the beginning. In
the near future, the industry will need to face a new challenge, that of extending its security policies
throughout the whole chain, beyond the water treatment facilities, and adopting a more advanced IIoT
approach which involves securing communications and systems from end to end, from the plant through
to the consumer.
[Granger = Raphael Granger, Stormshield Named Account Manager]
Investments in security improvements to operational tech are key to solve

Milbourne, Webroot Security Intelligence Director, 21
[Grayson, 6-23-21, CSO US, “Lessons from Critical Infrastructure Attack Vectors: The Need for Cyber
Resilient Infrastructure,” https://www.csoonline.com/article/3622813/lessons-from-critical-
infrastructure-attack-vectors-the-need-for-cyber-resilient-infrastructure.html, accessed 6-30-21, JC]
What can we do to bring about a hardening of U.S. infrastructure cybersecurity? Four immediate
methods come to mind:
Incentivize cybersecurity investment. Ransomware insurance isn’t a bad idea, but providers won’t
subsidize poor security practices forever. We’re already seeing some pushback against companies that
happily shell out for ransoms knowing a reimbursement will soon follow. Well-insured but under-
protected organizations may have gotten away with it for a while, but surging ransomware incidents are
ushering those days out the door.
Actively promote that investment. Policy analysts who have studied this issue urge government, at
whatever level, to ensure that critical infrastructure providers have the financial wiggle room to invest in
better cybersecurity. Designing these investment incentives is beyond the scope of this post, but our
near misses should make it clear that this is a national security imperative. Even private companies like
Colonial, which were previously under less pressure than a public utility to account for compromises,
should be invited in.
Make smarter ICSs more secure. IoT devices are not going anywhere. Their applications are many and
varied and they make us more effective. Unfortunately, they’re seldom designed with cybersecurity in
mind. In high-stakes applications like water treatment, oil and gas delivery, and power distribution, this
cannot be taken for granted. Manufacturers should consider OEM applications for threat intelligence
feeds that make their smart devices more secure. This problem has been well studied but should be
addressed with greater urgency.
Don’t forget to secure corporate networks, too. Just because the computer in the lobby of corporate HQ
can’t crank up the sodium-hydroxide level in the drinking water doesn’t mean it’s not worthy of
antivirus. If access between corporate and operational networks exists, it can be exploited by
determined cybercriminals. Endpoint protection for all devices and network-level security are the bare
minimum. With phishing attacks enabling the majority of breaches year after year, it’s important to train
workforces on how to spot them.
For the time being, major damages and fears of prolonged fuel shortages may be unfounded with the

Colonial Pipeline attack, but we need to act deliberately now in order to avoid relying on the same luck
in the future.
Note: ICS: Integrated Computer Solutions, IoT: Internet of things. OEM: Original Equipment
Manufacturer
Culture Solvency
Establishing a strong cyber security culture is key to reducing risks
Protecting drinking water systems
Creating a cybersecurity culture
Many water managers are unfamiliar with information technology (IT) and SCADA/ICS technology, much
less cybersecurity defences. Therefore, they must depend on their technical staff. However, there are
steps that utility managers can take to secure their systems against cyber-attacks (Clark & Hakim 2016;
Panguluri et al. 2016). Fisher (2014) lists an eight-stage process for creating major change:
• Establishing a sense of urgency by identifying the potential crises.
• Creating the guiding coalition by putting together a group with the power to lead change.
• Developing a vision and strategy including policies and procedures to define and enforce security.
• Communicating the change vision.
• Empowering broad-based action.
• Generating short-term wins.
• Consolidating gains and producing more change.
• Anchoring new approaches in the emergent culture.
Establishing a cyber-security culture is the framework for implementing a strong defensive program. It
puts the three legs of cyber-security on a firm foundation, namely, technology, people and physical
protection. The last of these items implies locating IT equipment in a safe location.
User and employee education is a key step in preventing cyber attacks.

ICS/OT attacks are increasing, Miller said, and Dragos has reason to think it will only get worse.
"Our belief is that there's investment being made in understanding these systems and how to
manipulate them, but those investments by these activity groups require a four- to six-year span in
order to get up to speed. So, what we're seeing is investments made five years ago and [the number of
attacks] will continually be increasing over time," he said.
However, he noted increased interest from clients in improving security posture.
"When I look at the number of security engagements my team does, it's increasing, and the security
posture for our clients is not where we want it to be, but they are engaging us more," Miller said. "There
is an increased focus on this, there is investment, there is a continued effort to gain visibility into
environments where they didn't have visibility before."
Williams said that while there are strides to be made in critical infrastructure security, "We are not one
hacker on TeamViewer away from shutting down, quote-unquote, 'the power grid.'"
"People come out of the woodwork every time there's one of these stories [like Oldsmar]. There's a lot
of these strawmen [talking] about how this represents all kinds of problems with security and, 'Oh my
gosh, we're one hack away from all your power being shut off and us being thrust back into the Dark
Ages.' That's just hyperbole."
But, again, OT and ICS environments frequently face security challenges like technological and economic
limitations, and Geyer recommended organizations improve their posture with simple steps such as
applying multifactor authentication, auditing logs, and implementing strong authentication and access
management.
In addition, Geyer recommended organizations pay attention to lessons learned in enterprise IT risk
management, specifically those related to user education. Users are trained in IT environments to not
click on suspicious links or open strange emails, and these are lessons that people who aren't
conventional cybersecurity experts can take to heart.
"If you can remove 80-90% of the common attack vectors just in user education, it dramatically
decreases what the security team needs to clean up," Geyer said. "If you can train OT engineers about
what the common things are that can add risk to the enterprise, you can significantly reduce risk from a
cyber incident and critical infrastructure standpoint and focus the scarce cyber resources you have as a
safety net for what escapes the first line of defense."
[Note – Miller = Ben Miller, vice president of professional services and R&D at industrial cybersecurity
vendor Dragos, Williams = Jake Williams, founder of security firm Rendition Infosec and former National
Security Agency security engineer, Geyer = Grant Geyer, chief product officer at industrial cybersecurity
vendor Claroty]
Employee investment programs key to cybersecurity.
Huhn, CIA Officer Technical Intelligence and Cyber Security Manager, 20
[Heidi, November 2020, Capella University, “Defending Infrastructure against Cyber Attacks through
Qualified Cybersecurity Professionals in the Federal Government: A Case Study,” page 65, ProQuest,
Investing in employees through training, career paths, and system compliance is essential for
protecting critical infrastructure. While not necessarily cost-effective, these are essential factors for
building cybersecurity skills and investing in protecting information systems. P11acknowledged that
investing in employees through external and replacement training allows for “a surge capability when a
lot of problems are hitting the glass at the same time.” Participants stated that the federal government
is too quick to outsource to contractors when investments should be made by nurturing employees and
providing applicable career paths. Investing in compliance teams to implement effective measures or
the right technology increases the chances of protecting against a cyberattack and decreases the
likelihood of negative litigation.
AT – Regulations Now
Section 2013 established requirements for risk assessments, but there is a lack of
follow-through
American Water Works Association Federal Relations Manager Kevin Morley told us in an email that the
AWWA, an international water management nonprofit founded in 1881, works "to build threat
awareness and provide best practices with our partners." He said there is a challenge in working with
constrained resources, but he pointed out there are low-cost options to improve security postures.
"There is a capacity challenge in the transfer and implementation of such practices, some of which may
necessitate significant investment by an already resource-constrained entity. Other practices like strong
passwords and unique users are controls that don't have major budgetary implications. In combination,
these practices provide for a cybersecurity risk management strategy," Morley said.
Both AESolutions and AWWA work directly with water municipalities; we asked both Cusimano and
Morley about whether their municipality clients and partners are learning from the Oldsmar attack.
Morley said "100%" and called the breach a "demonstration of why such cyber assessments are
important." He added that water systems have been assessing cyberthreats since the passing of a law
known as America's Water Infrastructure Act (AWIA) in 2018. Section 2013 of the AWIA established
requirements for community water systems that serve more than 3,300 people to "develop or update
risk assessments and emergency response plans (ERPs)."
Cusimano said that in his experience working with clients, the response to AWIA's passing has been
mixed.
"We've been helping municipalities around the country meet that requirement. Some are putting more
effort into it than others. Some are kind of treating it purely as a paper exercise -- filing the paperwork
but not really using it as an impetus to really understand their cyber-risk. Others are," he said.
Cusimano added that while AESolutions generally works with clients who already have security
programs in place, they have seen more inquiries since the highly publicized intrusion at Oldsmar.
Critical infrastructure and cybersecurity
Oldsmar's water treatment plant falls under the umbrella of critical infrastructure, a term that refers to
assets and systems necessary for the proper functioning of a society. Critical infrastructure facilitates
the economy, public safety and public health ; it can account for water, power, internet, heating,
military, transportation and much more.
In terms of cybersecurity, specialized technology is used to support critical infrastructure -- both
hardware and software. Some of this technology is connected to the internet and, as such, attacks
against critical infrastructure occur with sometimes far-reaching results.
While industrial cybersecurity and critical infrastructure are technically separate spaces, there is
significant overlap between the two because of the amount of industrial technology used by critical
infrastructure organizations.
[Note – Cusimano = John Cusimano, vice president of industrial cybersecurity at consultancy AESolutions
and active member of the ISA Global Cybersecurity Alliance]
Federal Incentives Solvency
Federal policy could help struggling water utilities.
Knopman, Pardee RAND Principal Researcher and Professor, Catt, Pardee RAND
Assistant Policy Researcher and Ph.D Candidate, 18
[Debra, David, 01-16-2018, RAND Corporation, “How Federal Policy Could Help Water and Wastewater
Utilities,” https://www.rand.org/blog/2018/01/how-federal-policy-could-help-water-and-
wastewater.html, accessed 06-30-2021, HSP]
How could federal policy change this equation, and should Congress and the administration even try?
The scant details of the Trump administration's plan to provide funding to communities that generate
new revenue streams for their own infrastructure projects is unlikely to lead to new federal spending in
economically distressed regions.
In contrast, a more targeted approach could directly address the need for innovation, higher efficiency
in utilities, and boost the prospects of these communities. Federal incentives could stimulate the
development of innovative water and wastewater systems that can be fully compliant with
environmental and public health standards at significantly less cost than current technologies provide.
One thing Congress could do is significantly increase its funding of the new Water Infrastructure Finance
and Innovation Act (WIFIA) program, EPA's existing State Revolving Fund programs, and the USDA's
Water and Environmental Programs for small rural communities to provide more low-cost financing and
loan guarantees to communities in need.
According to the Congressional Budget Office, $20 million in budget authority under WIFIA could
support up to $200 million in loans. To speed the innovation process, the government could create
prizes for development of smaller-scale water technologies or a competitive grant program that
incentivizes corporate and venture capital investment in technologies that reduce costs.
Utility-administered rate assistance lifeline programs for low-income customers, perhaps supported
through the WIFIA mechanism, could be contingent upon utilities meeting certain criteria about
operating expenses, asset management planning, or other business conditions and nudge utilities
toward either consolidation or another more efficient and innovative business model. Greater assurance
of their poorest consumer's ability to afford water rates could spur utilities to make needed investments
in infrastructure improvements.
By taking a more targeted approach in the water and wastewater utility sector, the federal government
could address the root causes of infrastructure problems more effectively than a spending initiative that
simply spreads money around with the hope that more spending might do some good. The same could
be said for other areas, including transportation infrastructure.
Resources Key
Most water systems are operating on tiny budgets
Barrett, Wired Executive Editor, 21
[Brian, 04-02-2021, Wired, “Water Supply Hacks Are a Serious Threat– and Only Getting Worse,”
https://www.wired.com/story/threat-to-water-supply-is-real-and-only-getting-worse/, accessed 06-26-
2021, HSP]
“Most water utilities are handled by municipalities, so they can be managed by very small towns on very
small budgets. They operate on a shoestring,” says Carhart. “A lot of water utilities, especially municipal
utilities, have maybe one IT person if they’re very lucky. They definitely don’t have a security person on
staff, in most cases.” Neither Post Rock nor Travnichek's lawyer responded to a request for comment
When your job is to make sure that the computers work at a water utility, you understandably might
prioritize the processes that safeguard the potable supply over implementing, say, federated identity
measures that would prevent a former employee from popping back in.
Which is, unfortunately, something that happens more often than you might think. The Post Rock
incident, as with Oldsmar and the unnamed intrusion Verizon spotted a few years back, have grabbed
attention because they could have resulted in physical harm. But water utilities have experienced a slow
but sustained onslaught over the past decade. In the first half of the 2010s, it was consistently among
the most-targeted sectors, though still far behind critical manufacturing and energy. In 2015 , the US
Industrial Control Systems Cyber Emergency Response Team fielded 25 cybersecurity incidents in the
water and wastewater sector; in 2016, the last year for which data is available, it saw 18. A recent study
published in the Journal of Environmental Engineering looked at 15 cyberattacks against water systems
in some depth and found that they ran the gamut from data theft to cryptojacking to ransomware.
[Note – Carhart = Lesley Carhart, a principal threat analyst at Dragos, an industrial control system
security firm]
Increased funding is key to protect against cyberthreats

Former Cybersecurity and Infrastructure Security Agency Director Christopher Krebs was asked about
the Oldsmar attack at a House of Representatives Homeland Security Committee meeting on Feb. 10.
Krebs referred to Oldsmar's weak security posture as likely "the rule, rather than the exception."
He pointed to the small budgets given to municipalities as a key factor preventing them from having the
extensive security programs they need. This point was echoed by infosec professionals and critical
infrastructure experts we interviewed.
John Cusimano, vice president of industrial cybersecurity at consultancy AESolutions and active member
of the ISA Global Cybersecurity Alliance, said budget plays a factor in the cybersecurity preparedness of
water municipalities, which is often based on the size of the municipality. A water treatment facility in
Washington, D.C., for example, will have a higher cybersecurity budget than a small suburb of Tampa,
Fla.
Resources key – Water utilities are struggling to make revenue

Knopman, Pardee RAND Principal Researcher and Professor, Catt, Pardee RAND
Assistant Policy Researcher and Ph.D Candidate, 18
[Debra, David, 01-16-2018, RAND Corporation, “How Federal Policy Could Help Water and Wastewater
Utilities,” https://www.rand.org/blog/2018/01/how-federal-policy-could-help-water-and-
wastewater.html, accessed 06-30-2021, HSP]
As with any viable business, a water utility's revenues must at least cover costs. Revenues typically come
from charges to customers via rates approved through some public review process, but can also come
from land, property, and other assessments and taxes. When armed with good governance
arrangements and strong financial management, water utilities in metropolitan areas generally do well,
although they still are challenged by the costly need to replace century-old pipes. However, trends in
demographics and socioeconomic conditions are stressing the utility business model elsewhere.
Cities with growing low-income communities and a shrinking middle class have smaller populations
across which to spread the large fixed costs of water and wastewater utilities. Communities with
stagnating or declining economic conditions are particularly sensitive—and resistant—to increases in
water rates, which have already on average been outpacing inflation by a factor of three since 2000.
And all communities struggle to overcome the short-term political incentives for elected officials to keep
rates low. In these places, undercharging leads to a downward spiral of deferred maintenance, under-
investment in new capital, and corner-cutting of services wherever possible. Unfortunately, deferred
maintenance almost always leads to even more costly repairs down the line.
Rural communities are even more challenged by high per-capita costs of operating water and
wastewater utilities that are compliant with state and federal regulatory standards. An analysis of North
Carolina water and wastewater utilities from 2008 to 2016 found that utilities serving populations under
1,000 were much more likely to run multi-year deficits than utilities serving populations in excess of
10,000 due to their reluctance to raise rates.
Revolving Funds Solvency
EPA Revolving Funds can effectively increase investments in water infrastructure

protections
EPA Press Office, United States Environmental Protection Agency, 20
[EPA Press Office, 10-28-20, United States Environmental Protection, “EPA Highlights Increased
Investment in Water Infrastructure Through State Revolving Funds”,
https://www.epa.gov/newsreleases/epa-highlights-increased-investment-water-infrastructure-through-
state-revolving-funds, accessed 6-28-21, JC]
WASHINGTON (October 28, 2020) — Today, the U.S. Environmental Protection Agency (EPA) released
2019 annual reports for the Clean Water State Revolving Fund (CWSRF) and Drinking Water State
Revolving Fund (DWSRF) programs. Over the past four years, EPA has worked with its state partners to
increase the utilization and leveraging of these funds to accelerate investment in water infrastructure
and better serve both urban and rural communities across the nation. In 2019 alone, these programs
provided $9 billion to support new and revitalized water infrastructure.
“EPA has worked with the states to improve the efficiency and effectiveness of the state revolving
funds,” said EPA Assistant Administrator for Water David Ross. “As a result, more funding is being used
to revamp water infrastructure in communities across the country.”
In 2019, the CWSRF provided over $6.2 billion in assistance for a wide range of water infrastructure
projects, including modernizing aging wastewater infrastructure, implementing water reuse strategies,
and addressing stormwater management challenges. Since the program’s inception, the CWSRF has
provided over $138 billion in low-cost funding to water quality projects across the nation. This low-cost
financing represents a savings of more than $43 billion in interest costs over the life of the program.
In 2019, the DWSRF provided over $2.8 billion in assistance to water systems for a wide range of water
infrastructure projects, including transmission and distribution, system consolidation, and drinking
water treatment facilities. The DWSRF also funded an additional $178 million for critical activities
including operator certification, water system capacity development, and source water protection. Since
its inception, the DWSRF program has funded more than $41.1 billion in infrastructure projects at
below-market interest rates. This low-cost financing represents a savings of approximately $10 billion in
interest costs over the life of the program.
AT – No Enforcement
Federal agencies are committed to enforcing water protections

Lisa Morgan, Cyber Security Hub contributor, ‘21
[Lisa Morgan is a contributor to Cyber Security Hub who surveys and monitors the latest trends in cyber
security and creates news articles, market reports, case studies, and in-depth analysis for a captive
audience consisting of c-level, VPs, and directors of cyber security and information technology, 4-9-
2021, Cyber Security Hub, "Another Cyber Attack Affecting Water Supply,"
https://www.cshub.com/attacks/articles/another-cyber-attack-affecting-water-supply, Accessed 6-24-
2021, CG]
On March 27, 2019, the Post Rock Water District in Ellsworth, Kansas experienced a cyber security
breach that threatened drinking water safety . The hacker was former employee Wyatt Travnichek, 22,
who had worked at the plant from January 2018 until January 2019. Though Travnichek resigned, he
remotely accessed one of a Post Rock Water District computer to shut down the cleaning and
disinfecting procedures that make water potable.
Travnichek was indicted on March 31, 2021 for tampering with a public water system and reckless
damage to a protected computer which together carry a maximum sentence of 25 years and maximum
fines of up to $500,000.
During his employment, Travnichek accessed a computer off hours for plant monitoring purposes.
However, his credentials were not revoked at the time of his departure.
Post Rock Water District is a relatively small operation that, like its peers, would lack formidable IT
resources. The company serves 1,500 residential and 10 wholesale customers.
State and federal law enforcement solve the case
The Kansas Bureau of Investigation, U.S. Environmental Protection Agency (EPA) and FBI jointly
investigated the incident which led to Travnichek's indictment. According to a statement by Lance Ehrig,
special agent in charge of the EPA's Criminal Investigation Division in Kansas, "EPA and its law
enforcement partners are committed to upholding the laws designed to protect our drinking water
systems from harm or threat of harm. Today's indictment sends a clear message that individuals who
intentionally violate these laws will be rigorously prosecuted ."
By making an example of Travnichek, the indictment is intended to dissuade others who are targeting
water systems and other infrastructure. However, such actions are especially ineffective when the
attacks are sponsored by a nation state.
Off-Case Answers
Federalism Answers
Link Answer – Cyber Is Federal Authority
No link – cybersecurity is within federal jurisdiction

Li, Seventh Circuit US Court of Appeals Clerk, ‘19
(Carol, majored in Political Science and Sociology at Northwestern University, worked at Seyfarth Shaw
as a legal technologist, 2019, Notre Dame Law Review, “A Repeated Call for Omnibus Federal
Cybersecurity Law, Volume 94, Issue 5, pg. 2231, https://scholarship.law.nd.edu/cgi/viewcontent.cgi?
article=4868&context=ndlr, Accessed 6/26/21, MLiao)
A. Benefits of Federalism Do Not Apply in Cybersecurity
Critics may argue that data security and privacy are areas of law that ought to be left to the states.
However, the nature of the internet and electronic commerce is not one that is defined by state
borders. Electronic commerce and associated data breaches have an “inherently interstate nature.”198
The moment a “developer’s app is offered in the iTunes store, consumers in all fifty states can download
it,”199 potentially placing that developer immediately within the scope of every state’s cybersecurity
and data privacy laws.
The federal government exerts authority over cyber security for critical infrastructure
Hakim, Temple University Professor of Economics, et al., ‘17
(Simon, PhD in Regional Science from the University of Pennsylvania, Director of the Center for
Competitive Government at Temple University, Erwin Blackstone, Professor of Economics at Temple
University, PhD in economics from the University of Michigan, Robert Clark, Former Consultant in
Environmental Engineering for the EPA, PhD in Civil Engineering from Cornell University, 2017, Cyber-
Physical Security: Protecting Critical Infrastructure at the State and Local Level, pg. 135, MLiao)
Water is a vital component of human life, and access to safe drinking water is essential for human
survival. After water is used, the resulting wastewater must be treated to prevent disease and damage
to the environment. From a public health and an economic perceptive, both water and wastewater
utilities represent critical infrastructures that must be protected. The terrorist attacks of September 11,
2001, brought to light the many threats and vulnerabilities faced by the United States. In response, the
federal government directed efforts to secure the nation’s critical infrastructure and initiated programs
such as the National Strategy to Secure Cyberspace (Bush 2003). This program addresses the
vulnerabilities of Supervisory Control and Data Acquisition (SCADA) systems a.k.a. Industrial Control
Systems (ICS) and called for the public and private sectors to work together to foster trusted control
systems. The SCADA/ICS systems are essential components for the effective operation of medium-to-
large water and wastewater utilities in the U.S. The Homeland Security Presidential Directive (HSPD-7
2002) and its successor, the Presidential Policy Directive (PPD-21 2013), reaffirmed Water Sector as one
of the 16 critical infrastructure sectors that must be protected.
Link Answer – EPA authority
No link---the Safe Drinking Water Act gives the EPA authority

Several SDWA provisions authorize EPA to enforce the requirements of the SDWA Amendments and
take action against incidents involving the intentional contamination of drinking water facilities. 259
First, SDWA § 300g-3 "gives the EPA general authority to issue administrative orders or pursue injunctive
or other civil relief" for violating "applicable requirements" under the SDWA Amendments, such as the
certification requirements under section 1433(a)(2) and 1433(b). 260 Drinking water facilities face
significant penalties under this provision for failing to submit vulnerability assessments or ERPs
certifications before the statutory deadlines, or for submitting false information in vulnerability
assessments and ERPs certifications. 261 Offenses involving the submission of false or misleading
information may also lead to criminal penalties under other statutes. 262
The SDWA Amendments also substantially increased criminal and civil penalties under SDWA § 300i-1
for "tampering offenses. '263 Tampering offenses are defined as the actual, attempted, or threatened
introduction of "a contaminant into a public water system with the intention of harming persons" or
"otherwise interfer[ing] with the operation of a public water system with the intention of harming
persons. '264 The increased penalties for these offenses were intended to provide a strong deterrent
against would-be attacks on public drinking water supplies.
Lastly, SDWA § 300i provides EPA with emergency powers to pursue administrative or civil actions for
monetary and injunctive relief "in cases where there may be an imminent and substantial
endangerment to public health" due to the actual or threatened contamination of a community water
system. 265 The SDWA Amendments expanded the type of incidents constituting an "imminent and
substantial endangerment to health" to include " a threatened or potential terrorist attack (or other
intentional act designed to disrupt the provision of safe drinking water or to impact adversely the safety
of drinking water supplied to communities and individuals).. ."266 EPA's expanded authority under this
provision allows it to act even when there is only a threatened incident and "no actual 'contamination'
of a water supply. 2' 67
AT – State/Local Reject Federal Action Link
States and cities want federal intervention to help infrastructure.

Bergal, PewTrust Staff Writer, 21
[Jenni, 05-10-2021, PewTrust, “Cities Say They Badly Need Critical Infrastructure Funding,”
https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2021/05/10/cities-say-they-badly-
need-critical-infrastructure-funding, accessed 06-26-2021, HSP]
The vast majority of city officials say infrastructure funding is a top priority, according to survey data
released Monday by the National League of Cities, which represents 19,000 cities, villages and towns.
Ninety-one percent of nearly 600 local leaders surveyed in March and April ranked the need for more
money as the biggest factor affecting their decision-making about infrastructure.
“The best time to invest in infrastructure was years ago. The second-best time is right now,” Vince
Williams, the league’s first vice president and mayor of Union City, Georgia, said in a news release. ”The
needs of America’s communities, families and workers are simply not being met by the current level of
funding and support from the federal government on this critical issue.”
President Joe Biden has proposed a massive $2 trillion infrastructure package, and Democrats and
Republicans in Congress have come up with their own infrastructure plans.
As Biden and Congress hash it out, some governors and state legislatures that wound up with
unexpected budget surpluses despite the pandemic are planning to use a chunk of the money to make
one-time investments in road construction, broadband or other infrastructure projects. Some also are
looking to make long-term investments in bigger-ticket items such as expanding public transit options.
But cities and towns say their needs also are great, and they’re asking Congress for help.
“Our transportation network is a knot of congestion and disrepair, our broadband and connectivity lags
behind the rest of the world, families drink from bottled water in the absence of safe tap water, and all
the while, federal partnership for infrastructure has faltered, allowing America to fall behind an ever-
increasing demand,” the league posted on its website.
Politics Answers
Link Uniqueness Answer – Federal Action Now
No link: Congress has already started to work on water infrastructure.

Humphreys, Environmental Policy Analyst, 21
[Elena, 03-01-2021, CRS, “Safe Drinking Water Act (SDWA): Water System Security and Resilience
Provisions,” https://crsreports.congress.gov/product/pdf/IF/IF11777, accessed 06-26-2021, HSP]
The disruption of a safe and reliable water supply remains a long-standing concern related to the
protection of public health. Several events have increased congressional attention to water system
security and resilience from events that could disrupt the provision of water supply. These include a
cyberattack on an automated system at a water treatment plant serving a Florida community and water
service disruptions in Texas related to frigid weather and power losses. Intentional acts and natural
hazards can damage water infrastructure, including automated systems that control treatment, resulting
in the interruption of safe and reliable drinking water.
Water systems are one type of critical infrastructure (CI) covered by broader efforts to improve CI
security. The U.S. Environmental Protection Agency (EPA) has been designated the lead agency
responsible for water sector security, including cybersecurity (Executive Order 13636). (See CRS Report
R45809, Critical Infrastructure: Emerging Trends and Policy Considerations for Congress.)
To address both intentional acts and extreme weather that may threaten water systems, Congress
added several provisions to the Safe Drinking Water Act (SDWA) to support the safety of water supplies
and resilience of water systems. Primarily found in SDWA Part D “Emergency Powers,” these provisions
range from risk and resilience assessment and emergency response planning, to civil and criminal
penalties against those who tamper or attempt to tamper with a public water system (42 U.S.C. §300i-
300i4). The Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (the
Bioterrorism Preparedness Act; P.L. 107-188; Title IV) added or revised many of these SDWA provisions.
After first focusing on security, Congress expanded SDWA provisions to address water system resilience
to a range of risks such as droughts, floods, wildfires, and other extreme weather/natural events.
America’s Water Infrastructure Act of 2018 (AWIA; P.L. 115-270) amended provisions to expand the risks
that water systems evaluate and authorized grant programs to increase resilience.
In addition, as a condition of taking on primary enforcement authority, SDWA requires states to have an
adequate plan for providing safe drinking water under emergency circumstances, such as “earthquakes,
floods, hurricanes, and other natural disasters, as appropriate” (42 U.S.C. §300g-2(a)(5)). The act
authorizes various financial assistance programs that may assist water systems in addressing threats
that could disrupt water service. These authorized resilience-related financial assistance programs have
yet to receive appropriations, or began receiving appropriations in FY2020.
Federal government elevating cybersecurity focus now

Olsen, Tampa Bay News reporter, 21
[Jillian, 02-9-2021, Tampa Bay News, “White House responds after hacker raises chemical level at
Oldsmar's water treatment plant,” https://www.wtsp.com/article/news/national/white-house-oldsmar-
water-hack/67-e651bb1b-0b86-4c56-bda8-502a192bc2ba, Accessed 06-24-2021, CBM]
WASHINGTON, D.C., USA — The investigation into the hacker who gained access to the city of Oldsmar's
water treatment plant and bumped the sodium hydroxide in the water to a "dangerous" level" has now
gotten the attention of the White House.
During a Tuesday press briefing, Press Secretary Jen Psaki was asked about the incident that is being
investigated by the Pinellas County Sheriff's Office, along with the FBI and U.S. Secret Service because it
remains unclear if the breach came from within the U.S. or from a foreign actor.
Psaki left the details to the federal officials but commented on the threat of cybersecurity attacks as a
whole.
"I will say, broadly speaking, that the president, the vice president, members of our national security
team are focused on elevating cybersecurity as a threat that has only increased over the past several
years," Psaki said. "That's why they've made it an across government focus and why he has elevated
positions in the White House and in other parts of our government."
The act being referred to happened on Feb. 5 in Pinellas County when Sheriff Bob Gualtieri says a hacker
twice entered the City of Oldsmar's water treatment system responsible for controlling the chemicals
and other operations.
On the second entry, the hacker is reported to have adjusted the amount of sodium hydroxide in the
water from 100 parts per million to 11,100.
“This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye,
is the main ingredient in liquid drain cleaners," Gualtieri said during a press conference.
Bipartisan Support
Water security legislation has bipartisan support

Miller, The Hill, 21
[Maggie, 3-11-21, The Hill, “Lawmakers roll out bill to protect critical infrastructure after Florida water
hack,” https://thehill.com/policy/cybersecurity/542828-lawmakers-roll-out-bill-to-protect-critical-
infrastructure-after-florida, accessed 6-27-21, JC]
A group of bipartisan House lawmakers on Thursday introduced legislation intended to protect critical
infrastructure from cyberattacks after an unsuccessful hack of a Florida water treatment facility.
The Department of Homeland Security (DHS) Industrial Control Systems Enhancement Act, spearheaded
by House Homeland Security Committee ranking member John Katko (R-N.Y.), would give more
authority to the Cybersecurity and Infrastructure Security Agency (CISA) to protect critical systems
against attacks.
The CISA director would be required to maintain the ability to detect and respond to attacks on
industrial control systems, and also be able to provide assistance to critical infrastructure groups.
The director would also be required to collect and distribute information on vulnerabilities in systems to
owners and operators.
Lawmakers rolled the bill out a month after officials in Oldsmar, Fla., announced that a hacker had
unsuccessfully attempted to tamper with systems at the town’s water treatment facility to poison the
water.
The legislation is also being introduced as CISA continues to grapple with two major cyber espionage
incidents likely involving Russian and Chinese hackers that have potentially compromised thousands of
U.S. government and private sector troops.
The bill’s co-sponsors include a range of key House cybersecurity leaders, including House Homeland
Security Committee Chairman Bennie Thompson (D-Miss.), cybersecurity subcommittee
Chairwoman Yvette Clarke (D-N.Y.), cybersecurity subcommittee ranking member Andrew Garbarino (R-
N.Y.), and Rep. Jim Langevin (D-R.I.), chair of the House Armed Services Committee’s cybersecurity
subcommittee.
Other co-sponsors are Reps. Don Bacon (R-Neb.), Kat Cammack (R-Fla.), Carlos Gimenez (R-Fla.),
and John Rutherford (R-Fla).
Bipartisan support for cyber security funding

Lisa Morgan, Cyber Security Hub contributor, ‘21
[Lisa Morgan is a contributor to Cyber Security Hub who surveys and monitors the latest trends in cyber
security and creates news articles, market reports, case studies, and in-depth analysis for a captive
audience consisting of c-level, VPs, and directors of cyber security and information technology, 4-9-
2021, Cyber Security Hub, "Another Cyber Attack Affecting Water Supply,"
https://www.cshub.com/attacks/articles/another-cyber-attack-affecting-water-supply, Accessed 6-24-
2021, CG]
Attacks on water treatment plants is a critical infrastructure security problem.
In 2018, the U.S. Department of Homeland Security (DHS) and the FBI warned that the Russian
government is specifically targeting the water sector and other critical infrastructure. That same year,
the U.S. government formed the Cybersecurity and Infrastructure Security Agency ( CISA) to make the
nation's critical infrastructure more resilient to cyber and physical threats.
Yet on February 5, 2021, a hacker attempted to adjust the sodium hydroxide (lye) levels in a Florida
water treatment plant which is operated by the City of Oldsmar. In small quantities, sodium hydroxide
helps sanitize water safely. However, in larger quantities it can be fatal.
In the Florida case, a hacker gained access to the computer controlling the chemical levels, similar to
Travnichek. According to Sheriff Bob Gualtieri who spoke at a February 8 press conference, the still
unknown hacker successfully increased the sodium hydroxide level from 100 ppm to 11,100 ppm.
Fortunately, an operator witnessed the breach live and returned the chemical level to its appropriate
setting, then reported the incident. The water was subsequently tested to validate its safety. A criminal
investigation in cooperation with the FBI and the U.S. Secret Service has been initiated.
Meanwhile, the Biden Administration claimed to launch an "urgent initiative" to improve national

cybersecurity which included a proposal to increase CISA's budget by 30% as part of the COVID-19 relief
package. The proposal was removed from the bill because some lawmakers failed to perceive a
connection between CISA and the pandemic. However, bipartisan efforts may increase CISA's funding
through another bill or legislation, especially now that the Biden Administration has announced plans to
retaliate against Russia for the SolarWinds attack and China is associated with the recent Microsoft
Exchange attack.
Counterplan Answers
States CP – Solvency Answers
Fed key – state and local approaches are by definition fragmented

The adoption of the GDPR is itself a huge addition of obligations for companies to the already-messy,
piecemeal framework of cybersecurity law. The amount of GDPR-inspired legislation at the state and
global levels is only making compliance with cybersecurity law more unmanageable and difficult.
Without federal legislation, it will be increasingly tougher for companies to understand how to comply
with these regulations; how to best protect themselves from liability; and, most importantly, how to
protect consumers’ data privacy. Thus, policymakers should consider creating preemptive federal
cybersecurity to replace the current fragmented and unworkable approach.
“[P]rospects for federal regulation of cybersecurity and consumer privacy were dim” even during the
Obama administration, and “meaningful federal legislation and regulation are nonstarters” within the
Trump administration.193 However, from the hack of Sony, “allegedly orchestrated and sponsored by
North Korea,”194 to the Russian hacking of the 2016 U.S. elections,195 it is clear that data security has
become a “national security issue.”196 Despite the challenges in securing federal regulation of
cybersecurity and data privacy, this Note repeats the call for a federal omnibus regulation, a national
answer to a national security issue. While there are substantial limits and issues with the FTC’s
enforcement of data privacy, regulation from a de facto enforcement agency “appears significantly
preferable to relying on burgeoning state regulation.”197
No solvency---state experimentation undermines cybersecurity enforcement

Cybersecurity Law, Volume 94, Issue 5, pg. 2232-3, https://scholarship.law.nd.edu/cgi/viewcontent.cgi?
One of the biggest benefits of federalism—and one of the biggest criticisms of a federal omnibus privacy
law—is that it allows for state experimentation. Critics argue that “[t]he preemptive scope of an
omnibus federal privacy law [would be] likely to block new approaches to information privacy.”200
Additionally, states are more often the “first to act in response to new problems or issues, of which
many arise in a time of rapid technological and cultural change.”201 While innovation is important, and
it is true that innovation and experimentation occur more effectively at the state level, that very
experimentation has, in effect, undermined security compliance. Particularly in light of the GDPR, the
passage of GDPR-inspired state legislation, and the increasing presence of various state and federal
enforcement agencies, it is becoming more difficult for companies to know what to comply with and
how to comply effectively. And because of the reality that the “ever evolving nature of technology
creates a moving target for agency enforcement,”202 it may even be more important that there is a
single, centralized enforcement authority, as opposed to fifty dynamic experiments occurring at once,
with the expectation that businesses comply.
Additionally, leaving cybersecurity and data privacy laws to the states may allow the most restrictive
state policy to dictate.203 Currently, the FTC is arguably the largest federal enforcement authority in
cybersecurity and data privacy. However, its model, as discussed in Section I.B, is highly problematic and
limited, despite its growing position as the de facto data protection authority.204 FTC enforcement
initiatives “are supplemented by an increasing number of state government actions bearing on data
security.”205 The cybersecurity landscape, as it stands, is overly difficult to comprehend, which makes it
far too costly and unmanageable to comply with. Thus, a centralized and streamlined set of regulations
will help further the goal of achieving actual security.
States CP – Permutation Solvency
State and federal collaboration is the best way to solve.

Story maintains that for every water utility—from the smallest to a large one such as American Water
that operates across many states—it’s critical to partner with state and local governments in the effort
to protect against cybersecurity so that “what one person knows, the other knows.”
American Water’s state operations partner with environmental organizations, fusion centers, public
service commissions, and state emergency planners, she says.
“From a federal standpoint, we are able to help our state operations, because we partner with the
Federal Bureau of Investigation, the Department of Homeland Security, and participate on the Water
Sector Coordinating Council. We partner with the Centers for Disease Control and the United States
Environmental Protection Agency because of water quality and potential water contamination.”
Multi-level partnerships solve best – including federal, state, and utilities

Brzozowski, Water World, 18
water-utilities, 06-28-2021, HSP]
Story issues a four-point call to action to states and governors: “One, please promote communications
and teamwork. Make sure your agencies are working with all of the utilities. Make sure the public
utilities commissions, electric, gas, and water providers are doing this together and bring in federal
partners such as the Department of Homeland Security. It’s important that people are talking and
sharing information.”
Ensuring resiliency in assets and infrastructure is her second call to action. “This is not easy,” she
concedes. “From the water industry standpoint, we have, in many of our states, the ability to get capital
investment in pipes recovered more timely through system infrastructure charges, which is really
important. But to get approval to do something for resiliency that we hope never gets used? It’s more
difficult.”
The third call: consider private-public partnerships. “Nobody can do this on their own,” points out Story.
“We all have to share our best practices, because we’re all trying to do the same thing and we’re after
the same objective.”
The fourth call to action is for governors to head up simulation exercises in their states. Recently,
Pennsylvania held a day-long Black Sky exercise facilitated by the Electric Infrastructure Security Council,
drawing together 130 people representing federal agencies, the military, Homeland Security, state
agencies, and all of the utilities.
[Story = Susan Story, American Water CEO]

Voluntary CP – Solvency Answers
No solvency---companies have no incentive to improve cybersecurity and customers

don’t care
While “highly publicized breaches provide one form of incentive,” even in high-profile cases like Target,
who “paid $39 million to settle a class action lawsuit resulting from the cybersecurity breach of its
customers’ personal information,”212 a Deloitte study reported that “56 percent of respondents said
they still plan[ned] to shop . . . at retailers that have experienced a data breach.”213 Consumers
reported they continue to shop at breached stores for a variety of reasons: the store offers the best
prices,214 they “do not feel enough harm, or simply do not care enough . . . to change their spending
behavior.”215
Even though cybersecurity is regarded as “a matter of national security and defense” and “a public good
that benefits all,” private entities are relied upon “to provide the public good even though there is little
economic incentive to do so.”216 Within the current landscape, companies are not sufficiently
incentivized to bolster their cybersecurity defense. Cybersecurity funding by private entities continues to
be underfunded, even though “[t]he frequency, complexity, and costs associated with attacks are
increasing.”217 Part of the underfunding is because organizations “are unable to accurately quantify the
financial value of prospective investments” in cybersecurity defense.218 The full cost of a cyberattack is
not felt by the breached organization, but “borne by numerous unrelated third parties”; thus, “the
amount of investment in cybersecurity will not incorporate the full, actual cost of potential harm.”219 If
an entity could accurately measure and make the optimal— or even adequate—investment in
cybersecurity, the entity “will not be able to charge for the positive externalities it generates.”220

Water Hacks Aff - Gonzaga 2021

Uploaded by

Copyright:

Available Formats

Water Hacks Aff - Gonzaga 2021

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Water Hacks Aff - Gonzaga 2021

Uploaded by

Copyright:

Available Formats

What are the main arguments made regarding the solvency of voluntary cybersecurity practices by private companies?

What are the main arguments made regarding the solvency of voluntary cybersecurity practices by private companies?

What factors contribute to private companies underfunding cybersecurity according to the passage?

What factors contribute to private companies underfunding cybersecurity according to the passage?

Water Hacks Affirmative – Scholars GDI21

What keeps you up at night?

Risk and resilience

Federal lawmakers have started to take note.

 assess and report cyber threats and vulnerabilities

Water Systems Vulnerable

Critical Infrastructure Risk

CISA didn’t immediately respond to a request for comment Tuesday.

Now is key – Passive approach risks disaster – strengthening protections key to

[Note – PWSs = public water supplies]

Water plant regulation must come from the EPA

The EPA does not require submission of risk assessments

There are numerous challenges to managing water cybersecurity risks

CHALLENGES TO MANAGING CYBER RISK

Water systems are extremely vulnerable—government aid is needed.

Take the case of ONE Gas Inc. in Tulsa, Oklahoma.

The agencies didn’t respond to requests for comment.

Such official indifference — even hostility — hasn’t been uncommon.

Garcetti’s office didn’t respond to a request for comment.

The industry is finally focused on fighting back.

Cyber-security challenges in the United States

SCADA makes water infrastructure uniquely vulnerable to cyberattacks

Prioritize water infrastructure---potential consequences are catastrophic

Cyber threats are on the rise now.

Ransomware risk high

The Threat Actor: Offensive Intent and a Ukrainian Test-Bed

Water terrorism rising now—263% increase in attacks since 1970

On the Rise, But Not Everywhere

Water infrastructure uniquely vulnerable due to outdated protocols

Common vulnerabilities in the water supply industry

Operational technology and industrial control systems are uniquely vulnerable

Critical infrastructure and cybersecurity

In terms of cybersecurity, specialized technology is used to support critical infrastructure -- both

All of those systems can be hacked, he said.

Cybercrime has changed---now is key

Water infrastructure cyber high risk and uniquely vulnerable

Communicating about cyberterrorism in forums like debate reduces fear, alongside

Critical infrastructure is at significant risk of attack

“Nation-state adversaries are increasingly looking at critical infrastructure as a battlespace,” the

Cyber protections, meanwhile, haven’t kept up.

Physical infrastructure is significantly outdated, and digitization poses unique risks.

Critical infrastructure is in desperate need of protection.

Contamination risks poisoning millions

Cyberattacks on water infrastructure risk water poisoning

Common vulnerabilities in the water supply industry

Damage to water infrastructure results in catastrophic flooding and less drinking

What keeps you up at night?

Water attacks lead to disease spread

Why Americans should care

The World Water Development Report – released in drought-hit Brasília – says positive change is

Water scarcity leads to water-borne illnesses, earthquakes, food and energy

How Can the World Get Affected Due to Water Scarcity?

Lack of Access to Clean Water

Increased Global Issues