Why Cyber Threats to Critical Infrastructure Demand a New Homeland Response Model

The devastating flash flooding that hit central Texas in July 2025 quickly brought out thousands of local volunteers to help search over more than 60 miles for people swept away by rushing waters.  

With little formal infrastructure for responding to such a widespread disaster, volunteers and local authorities relied on a civilian version of the military’s Technical Awareness Kit (CIVTAK) for operational command-and-control (C2). CIVTAK enabled them to use personal mobile devices to check in, get maps and directions, and ensure accountability for search actions.

This unexpected emergency exposes a gap in US response preparedness for another type of threat – an attack on critical infrastructure. The possibility is not theoretical. For example, it is known that nation-state-sponsored cyber attackers like Salt Typhoon, Volt Typhoon and CARR have already infiltrated US power and water infrastructure, potentially putting every American community at risk.

Even our military is not immune. After funding cuts, some domestic bases are sourcing power, water and medical support from outside their own boundaries. They are consequently as vulnerable to threats as any other off-base community. And while considerable emphasis and investment are being put toward external-facing threats, even programs like the space-based Golden Dome missile defense system, which will require satellite ground station infrastructure, are vulnerable to cyber infiltration.

While most cyber threats are effectively thwarted at the state and local levels, nation state-level threats require more. Right now, the country lacks a robust C2 plan to enable coordination among impacted cities, states, the National Guard, the military and the intelligence community. Yet such communication is essential to effective preparation and response. Three capabilities are integral to achieving it: 

  • Resiliency. Given the many possible attack vectors, resiliency is essential to proactively shutting down whatever pathways into critical infrastructure are targeted. The nuclear power industry sets the standard for the most effective posture, applying unidirectional, hardware-enforced security measures like data diodes to overcome vulnerabilities inherent in the software-based firewalls commonly found in critical infrastructure environments. Regrettably, most current cyber protection effort in other sectors is being put into passive activities like compliance.

What is also needed is aggressive prevention that anticipates the threat. Federal agencies including US Northern Command (NORTHCOM), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA) regularly conduct national tabletop cyber C2 exercises that prepare for external attacks but not this newly prioritized homeland defense imperative.  

The federal government should foster similar localized tabletops and organizations to develop the physical and psychological resiliency that will be needed to withstand the manifestation of an attack. The Texas Cyber Command, the only state-level command of its kind to date, offers a strong example. Still, the National Security Agency (NSA) and other federal agencies clearly have capabilities that Texas does not. A means to share those when disaster strikes is required. 

Industry also has an important role to play. The right incentives will encourage engagement and a willingness to invest in developing innovative capabilities to address the threat. For instance, changing the law to more favorably treat cyber defense measures in operating expense (OPEX) versus capital expense (CAPEX) budgeting will enable faster and more flexible capability acquisition, driving better outcomes for government and a more attractive business opportunity for industry. Without undue regulation, the private sector also needs an achievable standard of resiliency, such as exists for the nuclear industry, instead of disparate requirements from different agencies.  

  • Information Exchange. C2 methods need to accommodate the range of stakeholders that will be involved in a given incident. Different states will have different infrastructure sectors to work with, such as ports, agricultural regions, energy plants and others. Depending on the situation, diverse local, state and federal agencies will be involved. In a decentralized fight, a classic military C2 hierarchy simply won’t work. Coordinated authority will be required, but it needs to flexibly span local and national entities.  

Response will also require passing intelligence across many agencies that have not previously handled sensitive federal information. This will undoubtedly involve responders who do not have the clearance levels customary for federal intelligence communications. Consequently, network environments will need a cross-domain capability that enforces secure, controlled information exchange across different classification levels, filters data, and prevents unauthorized access or malware.

  • Mobile C2. The Texas flooding “minutemen” proved how personal mobile phones and tablets are integral to effective disaster response. These lightweight devices that most everyone already carries are the perfect instruments for fast communication. The existing commercial communication ecosystem should be tapped as a domestic network that can be used for rapid C2 all the way up the chain of command. 

We face an urgent need to establish an effective national emergency preparedness network. This requires changes to current operating norms and a reoriented intelligence community that thinks internally as well as externally. The administration’s National Cybersecurity Strategy published in March touched briefly on modernizing federal networks and securing critical infrastructure. However, government agencies must prioritize these reforms because ultimately, the very real threat to our homeland demands it.

Lt-Gen, USMC (Ret.) Daniel O’Donohue served as the Commanding General of the Marine Forces Cyberspace Command, the first Deputy Commandant for Information (responsible for all USMC Cyber, Intelligence, Information and Space capabilities), and, most recently, the Joint Staff Director who designed, developed, trained, educated and adapted the Joint Force for 21st Century warfare. As the Director of Marine Corps Capability Development, he led requirements for all USMC ground programs and the Commandant’s Force Structure Review for the 21st Century Marine Corps. As an infantry leader, Dan led a main effort Task Force in the attack into Iraq, stabilized the second largest Iraqi province, served as the Operations Officer for Afghanistan, and commanded the 1st Marine Division, the USMC’s largest. Dan is now SVP of Strategic Programs at Owl Cyber Defense.
