Modern warfare now targets civilian infrastructure as a primary objective, forcing a costly convergence of corporate and national security.
NATO's 32 countries agreed last year to spend 1.5% of economic output protecting critical infrastructure, as Iran's war on civilian assets from oil refineries to Amazon data centers blurs the line between corporate and national security.
"We've been spoiled for too long by peace," said Norman Heit, global corporate security and resilience director at Vodafone. "People don't appreciate that physical security for businesses is a public good, like defense."
In its conflict with the U.S. and Israel, Iran struck oil refineries, petrochemical facilities, water-desalination plants and Amazon data centers across the Persian Gulf. Suspected Russian hackers remotely manipulated valves on a Norwegian hydroelectric dam last year, while U.S. authorities in April warned that Iranian hackers were targeting American drinking-water systems. The attacks reflect a broader shift: Ukrainian power stations, American utilities and subsea cables from the Baltic Sea to Taiwan have all become wartime targets.
The cost of hardening private assets — fortifying data centers with reinforced concrete, relocating desalination plants underground, duplicating critical networks — will run into billions of dollars, and arguments are already brewing between companies and governments over who should pay.
The New Defense Calculus
The North Atlantic Treaty Organization's commitment, part of a broader pact to spend 5% of GDP on defense and security, directs funds toward military-adjacent needs including cybersecurity, industrial capacity, railroads, bridges and ports needed for military logistics. Progress on those efforts will be a focus when leaders gather for a NATO summit Tuesday in Turkey.
"We need a wide concept of defense — defense is no longer just military," said Italian Adm. Giuseppe Cavo Dragone, NATO's top military adviser.
The spending target comes as companies face a rapidly expanding threat surface. Hackers increasingly target not just computer files but systems managing vital functions like building access and factory control, remotely causing physical damage. "Digital attacks on physical systems create physical problems," said Gianni Cuozzo, chief executive of Exein, an Italian cybersecurity firm.
Noel Hacegaba, chief executive of California's Port of Long Beach — which handles $300 billion in cargo annually — launched a cyber-defense operations center in May to thwart tens of thousands of daily attacks. "Five years ago, port security was mostly about people and freight. Today, it's about people, freight, software, hardware and airspace all at once," he said.
Who Bears the Cost?
In Germany, powerful industry associations representing private companies and municipal utilities have pushed back against new physical protection standards, warning they could spell financial ruin. New Zealand's government faced resistance over a proposal to fine critical-infrastructure companies and their directors for cybersecurity breaches.
"The private owner can invest in redundancy, monitoring, and repair capacity, but only governments and militaries can really deter, patrol, attribute, or respond to hostile state activity," said Marc Glasser, who worked on cybersecurity and infrastructure security for three decades at the U.S. Department of Transportation and the Department of Homeland Security.
The European Union adopted new regulations after Russia's full-scale invasion of Ukraine requiring countries to reduce vulnerabilities, though many states are behind schedule on national risk assessments due this month. The U.K. proposed new laws to increase penalties for subsea sabotage, updating codes that date to the 19th century. In the U.S., the Cybersecurity and Infrastructure Security Agency, established in 2018, has seen its budget and staff shrink in recent years.
Iranian drone attacks in March took out data centers in the United Arab Emirates and Bahrain used for banking and other commercial purposes. They remain offline, part of a series of warning signs as growing reliance on artificial intelligence makes data centers indispensable. "It's better to learn these lessons now than down the road," said Sam Winter-Levy, fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace.
Most governments do not provide incentives for companies to invest beyond minimum legal resilience requirements, meaning the companies that can afford to invest will tout resiliency as a competitive advantage. "If companies are expected to support the state to protect critical infrastructure, they need to be incentivized to do that," Heit said. Vodafone and eight other telecom companies last year called on European authorities and NATO to boost public support and coordination in protecting subsea cables.
The latest efforts echo the response to the Sept. 11, 2001, attacks, when airports redesigned for efficiency upended operations to prioritize security. The U.S. restructured the federal government and pumped hundreds of billions of dollars into homeland security. Now, nearly every type of facility is a potential target — and no one has settled the bill.
This article is for informational purposes only and does not constitute investment advice.