January 2, 2024 | Washington Examiner

What China may have learned from Pearl Harbor

The best way to defeat an enemy is never to let it get to the battlefield in the first place. Japan tried to do that to the U.S. Navy at Pearl Harbor in 1941. No doubt Beijing will be thinking along the same lines as it attempts to keep the United States out of any fight over Taiwan.

In 1941, the means of attack were planes. More than 350 Imperial Japanese aircraft attacked U.S. battleships, cruisers, and destroyers at their moorings and piers, inflicting serious damage on the U.S. Navy’s surface fleet. Japan, however, did not attack the military infrastructure that supported fleet operations, such as fuel storage sites, ammunition dumps, the base power station, or even the buildings that housed the operations and intelligence sections of the Pacific Fleet. By ignoring these critical support systems, Japan ensured that Pearl Harbor and its assets were able to recover more quickly than expected. The U.S. Navy was conducting complex fleet operations months later at the Battle of the Coral Sea.

The modern-day version of this sort of attack could see China using cyber means to attack the critical infrastructure that supports our military bases and the transport systems required to mobilize our military forces. While the planes and ships — and, for that matter, tanks and artillery pieces — may look unscathed from the outside, without power, water, and telecommunications, the military equipment and military personnel needed to operate them could be left at a standstill. This is all the more likely since the critical infrastructure that supports U.S. military bases is often owned and operated by private sector entities.

Recent reporting indicates the U.S. has found malicious Chinese software or malware embedded in critical infrastructure networks in Guam and the continental U.S. The malware has penetrated electrical power, telecommunications, water utilities, oil and gas pipelines, and port control systems. These infiltrations could be aimed at either keeping equipment and supplies trapped on military bases or preventing their movement once out on public transportation systems. In either case, the reporting makes it clear that dry runs are already underway.

Fortunately, some U.S. leaders are thinking about this matter. Congress should be applauded for adding a provision to the just-passed fiscal 2024 National Defense Authorization Act that aims to shore up the critical infrastructure around military bases to prevent or mitigate the damage of a surprise cyberattack. The NDAA’s Section 1517, “Assuring Critical Infrastructure Support for Military Contingencies Pilot Program,” calls for a small number of military bases to conduct cyber resilience and reconstitution exercises to assess the risk of critical infrastructure attacks against the bases. Furthermore, the government has to determine how to prioritize the restoration of power, water, and telecommunications for a military installation in the event of a significant cyberattack on regional critical infrastructure.

If and when such an attack comes, utilities and businesses supporting the bases must know how to conduct a coordinated, rapid reconstitution effort — ensuring proper prioritization of power, water, and telecommunications systems that rely on each other to operate the base. Ensuring that the building housing important intelligence analysis, for instance, has both power and telecommunications restored quickly may not happen if exercises such as the ones Congress just legislated do not happen.

Even with this new legislation, we face two challenges. First, just because Congress legislates something does not mean the executive branch will uphold its responsibilities to implement the law. We saw this with the last attempt Congress made to force the administration to become better prepared in the event of an adversarial, cyber-enabled economic warfare attack against U.S. critical infrastructure. In the fiscal 2021 NDAA, Congress instructed the White House to organize the entire country to respond to comprehensive cyberattacks — a concept called “continuity of the economy.” After three years of kicking the can down the road, the Biden team essentially concluded it did not need to act at all.

Second, this new legislation is confined to critical infrastructures that directly support the security on military bases. An additional risk involves the entire transportation system that supports military mobility — the aviation, rail, road, and port systems that deliver military equipment, supplies, personnel, fuel, and ammunition from the bases to the front lines. This infrastructure is also at risk from malicious cyber activity and will need similar assessments and prioritization efforts. This will be good work for next year’s NDAA.

Time is not on our side, and this year’s NDAA puts a new urgency to the task. We don’t need to let ourselves suffer a surprise attack with no thought given to how to recover and respond. Quickly implementing this new congressional legislation to test the resilience of military bases will help ensure we are ready. Expanding the effort next year to assess further the military mobility of our national critical infrastructure is a necessary next step.

Samantha Ravich, Ph.D., is the chairwoman of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and was a commissioner on the congressionally mandated Cyberspace Solarium Commission. Retired Rear Adm. Mark Montgomery is CCTI’s senior director and directs CSC 2.0, which works to implement the recommendations of the Cyberspace Solarium Commission, where he served as executive director.
