NATO sets 1.5% spending target for critical infrastructure

In its conflict with the U.S. and Israel, Iran struck oil refineries, tankers, petrochemical facilities, civilian airports, aluminum smelters, water-desalination plants and Amazon data centers, the Journal reported. In other recent conflicts, Ukrainian power stations, American utilities and subsea cables from the Baltic Sea to Taiwan have all become targets, the report said.

The North Atlantic Treaty Organization’s 32 countries last year agreed that as part of a pledge to spend 5% of economic output on defense and security, 1.5% would go to military-adjacent needs including protecting critical infrastructure and networks. Spending targets range from cybersecurity and industrial capacity to railroads, bridges and ports needed for military logistics. Progress on those efforts will be a focus when leaders gather for a NATO summit on July 7 in Turkey, according to the Journal.

Adm. Giuseppe Cavo Dragone, NATO’s top military adviser, said the alliance needs a broader definition of security. “We need a wide concept of defense—defense is no longer just military,” he told the Journal.

Companies are seeking greater clarity from governments on what protections they will provide and subsidies to help defend privately owned assets that serve a public good, the Journal reported. “We’ve been spoiled for too long by peace,” said Norman Heit, global corporate security and resilience director at Vodafone. “People don’t appreciate that physical security for businesses is a public good, like defense.” Heit said that if companies are expected to support the state in protecting critical infrastructure, they need incentives to do so.

New regulations are drawing pushback. In Germany, industry associations representing private companies and municipal utilities have opposed new physical protection standards, warning of financial ruin. New Zealand’s government has faced resistance from industry groups over a proposal to fine critical-infrastructure companies and their directors for cybersecurity breaches, the Journal reported.

Digital threats to physical systems are compounding the challenge. U.S. authorities in April warned that Iranian hackers were trying to disrupt American drinking-water systems by targeting computer equipment that connects hardware with software. A year earlier, suspected Russian hackers remotely manipulated valves on a Norwegian hydroelectric dam, according to the Journal. Gianni Cuozzo, chief executive of cybersecurity startup Exein, said “digital attacks on physical systems create physical problems.”

Marc Glasser, who worked on cybersecurity and infrastructure security for three decades at the U.S. Department of Transportation and the Department of Homeland Security, said the private sector’s role has limits. “The private owner can invest in redundancy, monitoring, and repair capacity, but only governments and militaries can really deter, patrol, attribute, or respond to hostile state activity,” he told the Journal.

Noel Hacegaba, chief executive of California’s Port of Long Beach, one of the nation’s busiest ports handling $300 billion in cargo annually, said the threat landscape has expanded dramatically. “Five years ago, port security was mostly about people and freight. Today, it’s about people, freight, software, hardware and airspace all at once,” he told the Journal. Hacegaba launched a cyber-defense operations center in May to counter tens of thousands of daily cyberattacks.

Iranian drone attacks in March struck data centers in the United Arab Emirates and Bahrain that had been used for banking and other commercial purposes, the Journal reported. The facilities remain offline.

Sam Winter-Levy, a fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, said the disruptions are a warning. “It’s better to learn these lessons now than down the road,” he told the Journal.