Critical Infrastructure Security

Wired for risk: The overlooked cyber threat to America’s military communities

COMMENTARY: Across the country, military bases quietly support our national security and local prosperity. Places like Fort Bragg in North Carolina aren’t just platforms for power projection; they are deeply woven into the social and economic fabric of the regions where they are located. Fort Bragg alone contributes an estimated $8.8 billion annually to North Carolina’s economy.

More than 500 military installations—comprising thousands of sites and hundreds of thousands of buildings—serve as places where service members and their families live, work, and raise their children. These bases are far more than training grounds; they are communities where schools operate, families settle, and futures are built. Like in any American town or city, the infrastructure supporting these places meets people’s foundational needs. That same infrastructure also sustains military readiness, and today, it faces mounting cyber threats.

Separated by design, reconnected by necessity

Military bases were originally built away from civilian centers to protect local populations and comply with the Law of Armed Conflict, which requires distinction between combatants and civilians. Over time, however, these intentionally separate facilities have been reconnected through electrical grids, rail lines, water systems, telecommunications, and broadband into the very civilian infrastructure they were designed to remain apart from.

These connections—essential to daily life on base—now serve as entry points for adversaries. Foreign actors, particularly China, have already infiltrated U.S. critical infrastructure. They are embedding themselves deep within these systems, quietly positioning for maximum impact when the moment arises.

China’s Volt Typhoon campaign illustrates this strategy in action. When American Water, the utility servicing 18 military installations, was targeted by a cyberattack in late 2024, the effects rippled across mission-critical military and community-serving systems.

Critical systems in the dark

Inside every installation, an invisible nervous system keeps the lights on, the fuel flowing, the airfields safe, and the facilities running. This operational technology (OT)—from HVAC systems in barracks to access controls and water purification—forms the backbone of readiness and mission assurance.

Yet these systems remain largely unmanaged, unmonitored, and fragmented across commands and contractors. The Department of Defense lacks a unified inventory of these assets, and no enterprise-level strategy exists to secure them at scale. These interconnected cyber and physical systems are essential to daily operations and remain exposed to adversarial disruption.

The governance gap

Responsibility for cyber defense at military installations is distributed across a crowded field:

  • U.S. Cyber Command,
  • The military services,
  • Base commanders,
  • Local utility partners,
  • and civilian agencies.

Without clear ownership, resilience efforts remain fragmented, slow, and ineffective.

Most cybersecurity frameworks remain centered on traditional IT environments, offering little practical guidance for OT systems. Even when Congress mandates progress, implementation is fractured across silos. This breakdown in coordination puts people, missions, and infrastructure at risk.

A human-centered mandate

At the Institute for Critical Infrastructure Technology (ICIT), we define critical infrastructure not only by its role in national defense, but by its role in sustaining lives. People depend on clean water, reliable electricity, healthcare access, secure housing, and stable communications daily.

Military installations are at the crossroads of these two perspectives on critical infrastructure. They represent national assets and human ecosystems—small cities with young families, working spouses, and transitioning veterans. Safeguarding them maintains operational continuity and ensures the daily security of those who serve.

Our strategy must be grounded at this crossroads. By safeguarding installations, we protect our ability to mobilize and project power and deliver on our promise to care for those who defend it.

What must happen now

The urgency is clear, and the roadmap is within reach. The Department of Defense must:

  • Integrate OT and cyber-physical systems into enterprise cybersecurity frameworks.
  • Define clear ownership and accountability across installation, engineering, and cyber leadership.
  • Map and monitor critical systems with the same rigor applied to kinetic threats.
  • Train defenders and operators to manage these hybrid environments with confidence.
  • Treat cyber resilience as both mission-essential and people-essential.

Military installations are wired for risk. Securing them demands a strategy rooted in clear governance, operational urgency, and human-centered purpose. At this crossroads of national defense and daily life, decisive action reinforces mission readiness and our responsibility to those who serve.

Cory Simpson

Cory Simpson is the CEO of Gray Space Strategies, a Washington, D.C.-based consulting and advisory firm, and the Institute for Critical Infrastructure (ICIT), a non-profit organization dedicated to the security and resilience of critical infrastructure that provides for people’s foundational needs. He also serves as a Senior Advisor to the Cyberspace Solarium Commission 2.0. The opinions expressed in this article are his own and do not reflect the views of any employer or affiliated organization.
