We Are Conducting Combat Operations Against Iran Like Cyber Doesn't Exist — Will American Citizens Pay the Price?
OPINION | CYBERSECURITY & NATIONAL SECURITY
March 5, 2026
By Amy S. Hamilton
The United States is conducting active combat operations against Iran. American and Israeli forces have struck Iranian leadership compounds, nuclear facilities, and military infrastructure in operations that have killed Iran's Supreme Leader and senior commanders and triggered active missile and drone exchanges across the Middle East.
In every prior conflict in American history, we have organized our defenses around the weapons our adversaries would use to retaliate. Against Iran in 2026, those weapons include something no missile defense system intercepts: cyberattacks on water systems, power grids, banks, and hospitals. And while Washington debates force posture in the Middle East, the federal apparatus responsible for defending American citizens in the cyber domain is, at this precise moment, gutted, leaderless, and silent.
We are fighting this conflict like cyber doesn't exist. American citizens may be the ones who pay for that mistake.

Municipal Water Authority of Aliquippa via AP
Iran Has Already Proven They Can Hit Our Infrastructure
Most Americans don't know this: in late 2023, Iran-linked hackers successfully compromised water treatment facilities in Pennsylvania and other states by exploiting Israeli-made Unitronics programmable logic controllers — the same industrial equipment that runs pumps, valves, and chemical dosing systems in municipal water plants. The attack wasn't sophisticated. It didn't require elite nation-state resources. It required basic exploitation of internet-connected industrial systems that had no business being publicly accessible in the first place.
Water supply is not an abstraction. It is the most fundamental infrastructure that sustains human life in any city or town. The fact that hostile foreign actors demonstrated the capability to interfere with it — and did so largely without consequence or sustained public attention — should have triggered an emergency review across every layer of the federal cyber apparatus. It did not. It was, at most, a footnote.
Congress, to its credit, noticed. The executive branch largely did not.
The Senate Raised the Alarm — Just Weeks Before the Bombs Fell
On February 4, 2026 — just 24 days before U.S. and Israeli strikes on Iran triggered the current crisis — the Senate Environment and Public Works Committee convened a dedicated hearing on cybersecurity threats to American water infrastructure. Republican Chairman Shelley Moore Capito of West Virginia and Democratic Ranking Member Sheldon Whitehouse of Rhode Island were in rare bipartisan alignment: the threat is real, the vulnerability is deep, and the federal response has been inadequate.
Chairman Capito laid out the scale of the problem plainly. There are approximately 170,000 water and wastewater utilities across the United States, the vast majority of them small systems operating with limited technical staff, aging infrastructure, and virtually no dedicated cybersecurity expertise. She noted that the EPA had already identified water systems still using a single shared login for all employees, systems that had never changed default passwords, and systems that still allowed former employees full access. These are not advanced attack surfaces — they are open doors.
Senator Whitehouse was more pointed. His statement documented that since 2023, Russian, Iranian, and Chinese hackers had successfully attacked small municipal water systems in Texas, Pennsylvania, and Massachusetts, and had probed the defenses of countless others. Rhode Island facilities alone had experienced at least six cyberattacks over six years, resulting in hundreds of thousands of dollars in losses. He warned that less than 25 percent of water and wastewater utilities conduct annual cybersecurity risk assessments. Then he asked the question that should be echoing through every federal agency right now: just imagine the consequences of a coordinated nationwide hit. His conclusion was unambiguous: we are not ready.
Whitehouse also called out the executive branch directly, stating that the Trump administration had forced out thousands of federal cybersecurity experts, cut funding to research and readiness programs, and damaged relationships with key international intelligence partners. His conclusion: we need to strengthen our national cybersecurity capabilities, not weaken them.
The expert witnesses at the hearing reinforced the picture. Dr. Scott Simonton of Marshall University's Institute for Cyber Security described the challenge of building scalable, plug-and-play cybersecurity frameworks for small utilities that have no capacity to staff the problem on their own. Matt Odermann of the North Dakota Rural Water Systems Association testified to the unique exposure of rural systems — often the most isolated, the most underfunded, and the most attractive as soft targets. Scott Dewhirst of Fairfax Water, representing the Association of Metropolitan Water Agencies, spoke to the workforce gap that leaves even large utilities struggling to recruit and retain the cyber talent needed to defend complex industrial systems.
This hearing happened. These warnings were given, on the record, in a United States Senate hearing room, less than four weeks before U.S. military strikes made Iran's cyber retaliation not a hypothetical but a near certainty. The executive branch had every opportunity to treat this testimony as a call to action. Instead, the cuts continued, the director's chair stayed empty, and the strategy documents kept Iran in the rear-view mirror.
The Old Rules No Longer Apply
In 2026, the threat environment has been transformed — not just escalated, but fundamentally restructured. Three years ago, Iranian cyber actors operated under a recognizable set of constraints: chain of command, political calculation, fear of escalation, and the moderating influence of leadership that understood where lines were. Those constraints are gone.
We killed their Supreme Leader. We killed senior commanders. We struck the very nerve centers of the regime. Whatever one thinks of those decisions, the cybersecurity consequence is unambiguous: the Iranian cyber apparatus is now operating in a decapitated, decentralized, and vengeful state. The operatives who remain — inside Iran and in cells operating across the globe — no longer answer to leaders who weigh consequences carefully. They answer to rage, ideology, and an imperative to strike back at anything American.
Palo Alto Networks' Unit 42 explicitly flagged this dynamic in their March 2, 2026 threat brief: state-aligned cyber units may now be acting in operational isolation, and command-and-control degradation may be producing tactical autonomy for cells operating outside Iran. In plain English — nobody is telling these operators to hold back anymore. The measured restraint that characterized even hostile Iranian cyber operations three years ago has been replaced by an open mandate to cause maximum damage by any means available.
Broadcom's Symantec Threat Hunter Team has documented that the Iranian APT group Seedworm — a subordinate element of Iran's Ministry of Intelligence and Security — has been actively operating on the networks of a U.S. bank, a U.S. airport, and the Israeli operations of a U.S. defense and aerospace software supplier since early February 2026. Novel malware was deployed. Data exfiltration was attempted. Unit 42 documented approximately 60 hacktivist groups coordinating attacks as of March 2, including a newly formed "Electronic Operations Room" that stood up the same day U.S.-Israeli strikes began. Iranian-aligned groups have claimed hits on energy infrastructure, fuel systems, payment networks, and healthcare systems across the region — and have explicitly targeted U.S. networks.
The Department of Homeland Security issued a law enforcement bulletin this week warning of imminent low-level cyberattacks against U.S. networks. DHS Secretary Kristi Noem publicly acknowledged a heightened threat environment. The private sector threat intelligence community is sounding every available alarm.
Against all of this: silence from the top of the federal cybersecurity structure. And that silence did not begin this week. It was written into our strategy documents months ago.
The Strategy Documents That Looked Away
Every administration publishes a National Security Strategy and, through the Department of Defense, a National Defense Strategy. These documents are supposed to represent the considered judgment of the nation's senior leadership about where the threats are, how serious they are, and how the government will organize to address them. They set priorities. They allocate attention. They send signals — to agencies, to Congress, to allies, and to adversaries — about what this administration believes matters.
Read both documents published by this administration, and then ask yourself: where is Iran's cyber threat?
The 2025 National Security Strategy, released in December 2025, makes only three passing references to Iran — and all of them celebrate its diminished state following the twelve-day Israel-Iran conflict. The document essentially declared mission accomplished on Iran, framing the country as "greatly weakened" and no longer a serious strategic priority. The Atlantic Council's analysis noted the strategy was "essentially declaring Iran a closed chapter." The Center for Maritime Strategy observed that Iran, once a central fixture in every NSS since the 1979 revolution, was now mentioned only in the context of its prior defeat.
Most strikingly, the 2025 NSS does not treat Iranian cyber operations as a live threat to U.S. critical infrastructure at all.
Rear Admiral (Ret.) Mark Montgomery of the Foundation for Defense of Democracies flagged this directly in his public analysis of the document: the NSS fails to even mention the ongoing Chinese and Russian cyber threats to American transportation, communications, energy, and financial systems — let alone Iran's.
This is not a minor editorial omission. It reflects a strategic judgment that cyber threats to the homeland's infrastructure are not a front-burner concern. That judgment was wrong when the document was written. It is catastrophically wrong today.
The 2026 National Defense Strategy, released by Secretary Hegseth's Pentagon in January 2026, represents a partial course correction on Iran — acknowledging that the country is rebuilding its conventional forces and may attempt to reconstitute its nuclear program. But its treatment of cyber is thin, and its tone throughout has been described by CSIS analysts as reading more like a political rally than a strategic planning document. It does not establish cyber as a primary operational domain for the Iran threat. It does not assign clear responsibilities. It does not reflect the urgency that the private sector threat intelligence community has been communicating for months.
Here is the practical consequence of that strategic blind spot: when a National Security Strategy declares Iran a solved problem and a National Defense Strategy fails to elevate cyber as a priority domain for Iranian retaliation, every layer of the federal bureaucracy takes its cues accordingly. Budget decisions flow from strategy. Agency priorities flow from strategy. Personnel allocations flow from strategy. When the strategy says Iran's cyber threat is not the main event, the apparatus responds — by doing less, planning less, and resourcing less. The documents told the federal government to look away. And it did.
Meanwhile, Iranian cyber units were, in the words of cybersecurity firm Anomali, "activated and retooling before the kinetic trigger." They did not wait for our strategy documents to catch up.
Where Is the Federal Cyber Apparatus?
I spent years advising at the Cabinet level on exactly these scenarios. There is a well-established architecture for how the federal government is supposed to respond to an elevated and documented nation-state cyber threat. It involves multiple layers, each with a distinct role. Right now, every one of those layers appears to be either absent, diminished, or pointed in the wrong direction.
The NSC Cybersecurity Directorate sits at the apex of the federal cyber response structure. It exists to coordinate strategy across agencies, align the intelligence community with operational defenders, and ensure the President has clear situational awareness of active cyber threats. In a moment like this — with documented Iranian intrusions on U.S. critical infrastructure networks and an openly hostile, decentralized Iranian cyber proxy network operating in real time — the NSC Cyber Directorate should be driving a whole-of-government response with urgency. Instead, there has been nary a public word. No framework announced. No visible coordination. No signal to adversaries that we are awake and watching.
OMB's Office of the Federal Chief Information Security Officer (CISO) is responsible for driving cybersecurity policy and compliance across the entire civilian federal enterprise — every department, every agency, every system that touches federal data. Federal agencies right now hold vast troves of data and access that Iranian actors would love to exploit. The absence of visible OMB Cyber action in this environment is not reassuring — it is alarming.
NSA's Cybersecurity Directorate possesses the most sophisticated foreign cyber threat intelligence and defensive capabilities in the U.S. government. Those capabilities should be oriented with singular focus toward the Iranian threat actors actively operating on American networks right now. Instead, in recent years we have watched NSA cyber resources pulled toward auditing voting machines in Puerto Rico and scrutinizing election infrastructure in Georgia. Whatever one thinks of election security as a policy matter, it is emphatically not NSA's core mission. Foreign adversary cyber threats are. Iran is Exhibit A, and NSA Cyber should be driving deep threat hunting, indicator sharing, and active defense against Iranian intrusion sets — loudly and visibly enough that our adversaries know we are engaged.
CISA — the Cybersecurity and Infrastructure Security Agency, the primary civilian body for critical infrastructure defense — is operating at roughly 38% of necessary staffing levels following DOGE-driven cuts. It has been without a confirmed director since January 20. Its red teams, the specialized units that simulate real attacks to find vulnerabilities before adversaries do, have been gutted across multiple rounds of eliminations. The Cyber Incident Response Team has been hollowed out. The $10 million Multi-State Information Sharing and Analysis Center program — the primary pipeline for pushing threat intelligence to the state and local governments that actually operate water plants, power utilities, and transit systems — has been cut. CISA is not just weakened; it is structurally compromised at the precise moment it is most needed. In a heightened threat environment, CISA should be issuing emergency binding operational directives, demanding accelerated patching of known vulnerabilities, requiring agencies to report on their Iranian threat exposure, and tightening the screws on federal contractors.
Taken together, this is not a gap in one agency. It is a failure of the entire federal cyber defense architecture at the worst possible moment.
The Silence Is Its Own Message
I've asked colleagues across the public and private sector a simple question this week: have you heard anything from the White House Cyber Directorate, from OMB, from NSA Cyber about a coordinated federal response to the Iranian threat? The answer, uniformly, has been no. Not a framework. Not an advisory. Not a press briefing. Not a signal.
Adversaries read silence. When Iranian cyber operators see no coordinated federal response — no visible NSC posture, no OMB guidance tightening federal networks, no NSA Cyber advisories, no CISA director standing at a podium saying we are actively defending — they draw a rational conclusion: the door is open. The absence of visible deterrence is itself an invitation.
Cyber threats are also invisible until they are catastrophic. Most Americans will not notice that a water system's safety margins have been eroded until the water isn't safe. They won't notice that federal network intrusions are going undetected until classified data surfaces on a foreign server. The victims of a successful attack on financial infrastructure won't know their exposure for months. The lag between action and consequence in cybersecurity is exactly what allows political actors — and inattentive bureaucracies — to claim everything is fine, right up until it isn't.
We have handed our adversaries a gift — a weakened defense, a silent command structure, and a distracted public. We did it to ourselves.
What Needs to Happen — Now
This is not a partisan argument. It is a demand for basic competence in the face of a documented, active, and escalating threat. The federal cyber apparatus must function. Here is what that requires:
The NSC Cybersecurity Directorate must immediately stand up a visible, coordinated Iran cyber response. This means convening the interagency, aligning CISA, NSA, Cyber Command, and the intelligence community on a unified threat picture, and communicating clearly — to allies, to the private sector, and to adversaries — that the United States is actively defending its networks. The silence must end.
OMB, as the Federal CIO and CISO Council Chairs, should be messaging across the federal agencies. Many agencies still have not even received increased threat warnings. Staff and cybersecurity teams need to be briefed on the Iranian cyber threat.
NSA Cybersecurity must refocus on its actual mission: foreign adversary threats. Iran is not a theoretical adversary. It is an active one, operating on U.S. networks today. NSA Cyber's threat hunting, indicator sharing, and advisory capabilities should be fully oriented toward Iranian intrusion sets. Domestic election infrastructure audits are not NSA's lane. Foreign nation-state cyber threats are.
CISA should issue emergency directives to federal civilian agencies. Known Iranian attack vectors, including credential spraying, phishing, and exploitation of internet-facing systems, should trigger immediate hardening requirements across the federal enterprise. Federal contractors with access to sensitive systems need heightened scrutiny. CISA has the authority. It needs to use it.
Water, energy, and critical infrastructure operators must be treated as active targets — because they are. The 2023 Iranian attacks on water treatment facilities were a proof of concept that was never adequately answered. Every internet-connected industrial control system in every municipal water and power utility in the country should be on an emergency hardening track. The fact that many remain exposed years after that attack is a policy failure that now carries genuine consequence.
The one corner of the critical infrastructure defense ecosystem that appears to be functioning is the Information Sharing and Analysis Centers — and their uneven response right now is its own kind of warning. Health-ISAC CEO Errol Weiss has urged member organizations to harden internet-facing systems, validate DDoS protections, and rehearse incident response. MS-ISAC held a member webinar within days of the strikes, with intelligence officials warning that hacktivist groups are beginning to coalesce into coordinated collectives with more robust targeting capabilities. These are the right moves.
But the two ISACs covering the sectors Iran has already demonstrated it can hit — WaterISAC and E-ISAC, covering the electric grid — have been conspicuously quiet. WaterISAC's last public posting is dated February 26, two days before the strikes began. E-ISAC has not surfaced in any post-strike threat coverage. Whether that silence reflects classified coordination happening behind closed doors, or organizations simply overwhelmed and under-resourced, the public-facing void sends the wrong signal to 170,000 water utilities and every grid operator in the country who is right now wondering whether to be on a war footing. They should be. Someone needs to tell them.
The Stakes Could Not Be Higher
I have spent my career at the intersection of government and cybersecurity. I understand the complexity of coordinating across agencies, the inertia of large institutions, the difficulty of communicating technical threats to political audiences. I am not naive about how hard this work is.
But I also know what a functioning federal cyber response looks like. It has an active NSC driving coordination. It has OMB pushing compliance with urgency across the civilian enterprise. It has NSA Cyber sharing threat intelligence with speed and purpose. It has a CISA with the people and resources to defend the networks that Americans depend on every day. And it makes noise — visible, deliberate, public noise — so that adversaries understand the cost of escalation.
What we have right now is the opposite of that. Iranian hackers are on U.S. networks. Their command structure has been shattered, making them more dangerous and less predictable than ever. Sixty-plus hacktivist proxy groups are coordinating in real time. DHS is quietly warning law enforcement. And the full federal cyber apparatus — the NSC, OMB, NSA Cyber, CISA — is conspicuously, inexplicably silent.
The lights we take for granted, the water from our taps, the banking systems our businesses depend on — all of it is defended by institutions that are right now either diminished, distracted, or missing in action. That is the conversation we should be having. It is the one we are not.
None of what I am calling for requires the government to reveal sources, methods, or operational details. It requires a press release. It requires a podium. It requires someone in authority to stand up and say: we see the Iranian cyber threat to the American homeland, we are acting on it, and here is what we are asking critical infrastructure operators to do right now. That is not a security risk — it is the minimum a government conducting undeclared combat operations owes its citizens.
Americans already know what government silence looks like in this conflict. Automated embassy hotlines told stranded Americans that no evacuation points were in place and that U.S. government help could not be guaranteed — even as the country they were stranded in was being bombed at American direction. The State Department's recorded message told callers, "please do not rely on the U.S. government for assisted departure or evacuation at this time" — while the Secretary of State held press conferences assuring the world that help was on the way.
The gap between public reassurance and operational reality was the story. On cyber defense, there is not even public reassurance.
There is only silence. And silence, in a conflict we started, directed at citizens we are obligated to protect, is not a strategy. It is an abdication.
Someone needs to say it clearly: the Iranian cyber threat is real, it is here, and the federal apparatus responsible for defending against it has gone quiet. That silence will not protect us. It will only embolden them.
About the Author
Amy S. Hamilton is a former Cybersecurity Advisor to the U.S. Department of Energy, where she advised on cyber risk, critical infrastructure protection, and national security strategy. She is the founder of ASH Coaching and Consulting, where she works with executives and organizations on cybersecurity leadership, resilience planning, and strategic risk. She can be reached at ashcoachingandconsulting.com.
Sources: Broadcom/Symantec Threat Hunter Team (security.com, March 5, 2026) • Palo Alto Networks Unit 42 (March 2, 2026) • GovTech / DHS Bulletin (March 5, 2026) • TechCrunch / The Record / Dark Reading (CISA Cuts, 2025-2026) • Valley Techlogic (February 2026) • NPR (December 2023)
© 2026 ASH Coaching and Consulting | ashcoachingandconsulting.com