Summary

  • NATO’s allocation of 1.5 percent of economic output for critical infrastructure protection reclassifies civilian commercial assets as national security nodes, transferring the financial burden of physical and cyber defense to private operators.
  • Cybersecurity vendors and defense contractors capture the immediate procurement benefits of this reclassification while municipal utilities and commercial infrastructure operators absorb the compliance costs.
  • The doctrinal expansion of the defense perimeter creates a reinforcing dynamic where each documented attack on civilian targets generates political pressure to designate additional asset classes as critical infrastructure.
  • State commitments to fund downstream resilience currently lack the corresponding upstream deterrence and attribution capacity that private operators require to manage sovereign state-actor threats.

NATO’s agreement by its 32 member countries to allocate 1.5 percent of economic output toward critical infrastructure protection operationalizes a doctrinal shift that reclassifies civilian commercial assets as national security nodes. This redefinition, documented in a Wall Street Journal report, transfers the financial burden of physical and cyber defense to private operators while channeling procurement spending toward cybersecurity vendors and defense contractors. As state actors demonstrate the military value of targeting business assets, the architecture of national defense now runs directly through private balance sheets, creating a structural mismatch between funded downstream resilience and unfunded upstream deterrence capacity.

Who benefits

The 1.5 percent target reflects the state’s attempt to manage the boundary between private operations and national defense. The 1.5 percent target is not a stand-alone line item; it operationalizes a doctrinal claim that civilian assets become national-security assets by classification, with the obligations following the classification. In systems-dynamics literature, following Donella Meadows, this configuration is characterized as a “shifting-the-burden” archetype, wherein the state delegates defense responsibility to private actors while the original security problem remains.

The visible beneficiaries of this realignment are cybersecurity vendors, defense contractors supplying the new perimeter, and government agencies expanding their regulatory mandates. The 1.5 percent target channels spending through procurement systems that, by their design, favor firms already positioned to supply the services. The source names Exein, a cybersecurity startup led by chief executive Gianni Cuozzo, and the Port of Long Beach, which launched a cyber-defense operations center in May to counter tens of thousands of daily cyberattacks. Vodafone global corporate security and resilience director Norman Heit frames the supplier position, stating, “We’ve been spoiled for too long by peace. People don’t appreciate that physical security for businesses is a public good, like defense.”

The counterparties absorbing the obligation are operators rather than suppliers: municipal utilities, ports, water systems, refineries, and data centers. The cost-bearers include shareholders of critical infrastructure firms and operators of local municipal utilities. The visible edge of this cost distribution manifests in industry pushback. In Germany, industry associations representing private companies and municipal utilities have opposed new physical protection standards, warning of financial ruin. In New Zealand, industry groups have resisted a government proposal to fine critical-infrastructure companies and their directors for cybersecurity breaches. Heit noted that if companies are expected to support the state in protecting critical infrastructure, they require incentives to do so. The parameter whose alteration shifts this distribution is the definition of “critical infrastructure”: a broader definition expands the supplier market and increases the operator cost base proportionally. The legitimate value of the current arrangement, grounded in the substrate, is that states lack the operational footprint and capital to manage every commercial node; leveraging private management remains efficient for routine operations, even as the threat profile has shifted.

What happens next

Once a class of assets is designated “critical,” the designation creates a constituency for further designation. Operators in adjacent industries are incentivized to seek coverage to access subsidies and to avoid being singled out. Vendors are incentivized to expand the perimeter. Regulators, tasked with implementing the 1.5 percent target, are incentivized to demonstrate progress, and broader scope is the path of least resistance. Each documented incident broadens the political case for the next designation. The dominant loop, stated descriptively: attacks on civilian targets lead to calls for hardening, spending flows to protection vendors, the attack surface expands as more assets are built and networked, and more attacks occur.

The documented attack trajectory in the substrate illustrates this expansion. In the conflict the Journal reports between Iran and the U.S. and Israel, oil refineries, tankers, petrochemical facilities, civilian airports, aluminum smelters, water-desalination plants, and Amazon data centers were struck. Subsea cables from the Baltic Sea to Taiwan have been targeted. Iranian drone attacks in March struck data centers in the United Arab Emirates and Bahrain that had been used for banking and other commercial purposes; the facilities remain offline. These attacks demonstrate a strategy of targeting under-defended, high-value private nodes rather than hardened military installations. Furthermore, U.S. authorities in April warned that Iranian hackers were attempting to disrupt American drinking-water systems by targeting computer equipment that connects hardware with software. A year earlier, suspected Russian hackers remotely manipulated valves on a Norwegian hydroelectric dam.

The balancing channel to this reinforcing dynamic is compliance costs producing industry pushback, which is visible in the German and New Zealand resistance. The long delay of this balancing channel relative to the reinforcing channel gives the expansion trajectory time to harden before the friction accumulates. A compliance-driven mandate risks producing a minimum-compliance equilibrium, where companies invest only enough to avoid penalties rather than countering novel state-actor tactics. Industry voices have proposed alternative designs that treat physical and cyber defense as a state-provided utility, fully subsidized by the government and operated by military or national cyber commands. Heit’s call for incentives reflects a broader industry argument to distinguish commercial cyber risk from sovereign state-actor risk, potentially through state-backed reinsurance pools or direct government provision of active defense, rather than regulatory fines that guarantee only minimum compliance. The specific mechanism of state-backed reinsurance pools is not named in the substrate; Heit’s quote names “incentives” generally.

A structural mismatch exists between funded and unfunded capacity. Marc Glasser, who worked on cybersecurity and infrastructure security for three decades at the U.S. Department of Transportation and the Department of Homeland Security, told the Journal, “The private owner can invest in redundancy, monitoring, and repair capacity, but only governments and militaries can really deter, patrol, attribute, or respond to hostile state activity.” The 1.5 percent target funds downstream resilience; the source does not document a corresponding commitment to the upstream capacity Glasser identifies as the constraint. Cuozzo stated, “digital attacks on physical systems create physical problems,” a statement that asserts the new attack surface without naming the corresponding response surface.

The temporal dimensions of this dynamic separate immediate cost shocks from long-term structural repricing. In the short term, the friction manifests as regulatory pushback and direct facility targeting. In the long term, the entire risk-adjusted return on critical infrastructure investment will be repriced to account for permanent military targeting. The framework’s durability depends on whether the reinforcing dynamic outpaces the balancing dynamic before the upstream capacity Glasser describes is built. The current disruptions serve as an early indicator of a permanent recalibration. The next milestone in the substrate is the NATO summit on July 7 in Turkey, where, according to the source, progress on the 1.5 percent line is to be reviewed. The “July 7” day is sourced from the originating article and not independently confirmed in supplementary reporting, which references a “July 2026 Ankara Summit” without specifying the day.

How this is being framed

The doctrinal claim the framework rests upon is articulated by Adm. Giuseppe Cavo Dragone, NATO’s top military adviser, who told the Wall Street Journal, “We need a wide concept of defense—defense is no longer just military.” That redefinition is the load-bearing structure beneath the new spending. The convergence of the threat landscape, as framed in the source, is captured by Noel Hacegaba, chief executive of California’s Port of Long Beach, which handles $300 billion in cargo annually. Hacegaba told the Journal, “Five years ago, port security was mostly about people and freight. Today, it’s about people, freight, software, hardware and airspace all at once.” Cuozzo’s assertion that “digital attacks on physical systems create physical problems” reinforces this convergence framing.

The window framing in the source material is established by Sam Winter-Levy, a fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, who told the Journal, “It’s better to learn these lessons now than down the road.” The statement frames the present as a learning window. The present is also a window in which the cost distribution is being set; the lessons will be learned, in the first instance, by the operators carrying the obligations while the suppliers supplying the response, and the regulators defining the perimeter, work through the same window from a different position in the structure.

The source material understates the balancing channel. The cost distribution is described as “rising,” representing a single-direction pressure. The dynamic has a balancing channel the source material names in part: the cost pass-through to end consumers of protected services, including utilities, port users, and data-center tenants. The magnitude of that pass-through is not quantified in the substrate. A second balancing channel the source material does not document is the substitution effect, the theoretical possibility that hardening designated targets displaces attacks onto undesignated ones. The Norwegian dam and U.S. water-system incidents are presented in the source as examples of digital attacks on physical systems that “compound the challenge,” not as evidence of displacement from hardened sites; treating them as a substitution finding would extend the source further than it supports. The pushback documented in Germany and New Zealand is described in the source as resistance to “regulations” rather than as the friction term in a balancing loop that slows scope expansion; treating it as a one-time obstacle, rather than as a continuing constraint on the rate of designation, is closer to what the substrate supports. The architecture of national defense now runs directly through private balance sheets, requiring a new equilibrium between commercial operations and sovereign security.

Analytical techniques used in this piece

This analysis applies the methods below. Each links to a short, plain-English explainer you can read and reuse.

Cui Bono — Who Benefits
Asks who gains and who pays from a state of affairs, decision, or claim.
Red-Team Assessment
Models a capable adversary probing a plan for the seams they would exploit.
Systems Dynamics (Structural)
Maps a system’s structure — stocks, flows, and the architecture that shapes its behavior.
Incentives
People respond to the rewards a system actually pays out — often not the ones it intends.