Continuity of the Economy

Deterring a massive cyberstrike begins with preparing to survive it.

Unlike the Cold War-era’s government dominance of the national security industrial and innovation base, today the private sector fuels American prowess. The United States boasts the world’s strongest military because it is the world’s strongest economy.

The cybersecurity domain is possibly the clearest example of the private sector’s influence. The vast majority of the hardware and software that keeps our country safe, secure, and prosperous is created by private companies, not the government. The critical infrastructure that keeps our lights on, supplies us with potable water, allows us to access our banking system, and provides us with our transportation, distribution, and communication systems is primarily in the hands of industry. A large-scale adversarial cyberattack on that same critical infrastructure would cripple not just industry, but our livelihoods and lives.

This is not some far-off fantasy. In the last year alone, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) found “that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”1 Volt Typhoon, a PRC-backed cyberthreat, has compromised some of the largest companies within the communications, energy, transportation systems, and water and wastewater sectors since 2021.2 The enemy has its hand around our throats and, if it so desires, can begin to squeeze.

President Trump can correct the mistakes of the last four years and appoint a national Continuity of the Economy coordinator to oversee economic continuity in the event of a massive cyberstrike. To ensure that proper private sector resources are utilized, the president should simultaneously appoint an industry counterpart (such as a senior executive from a systemically important critical infrastructure company) to work with the coordinator.3

The above recommendation has been circulating for the last five years. Its genesis was March 11, 2020, when the congressionally mandated Cyberspace Solarium Commission (CSC) rolled out its final report.4 In a large room on Capitol Hill filled to capacity with journalists, academics, congressional staff, and dozens of members of executive branch agencies, we commissioners – led by our co-chairs Senator Angus King and Representative Mike Gallagher – presented our findings and recommendations. We began with our foundational principle: deterrence is possible in cyberspace. We then discussed the governmental and private sector reforms needed to make deterrence a reality, each with an associated piece of draft legislation.

Many of us who served on the CSC lived through, or at least studied, the Cold War. We were all familiar with Continuity of Operations and Continuity of Government (COOP/COG) — planning documents on how to keep the government functioning in the event of a nuclear attack. COOP and COG went beyond the line of presidential succession and where to hold a session of Congress if the Capitol was obliterated. Those well-funded exercises were meant to ensure retaliation against the Soviets in the aftermath of even the most devastating of attacks and, as such, deter Moscow from escalating to that level.

In the early CSC meetings, we discussed the applicability of COOP/COG concepts for today’s world. From those discussions came one of our most innovative recommendations — our call for a Continuity of the Economy (COTE) plan “to ensure that we can rapidly restore critical functions across corporations and industry sectors, and get the economy back up and running after a catastrophic cyberattack. Such a plan is a fundamental pillar of deterrence — a way to tell our adversaries that we, as a society, will survive to defeat them with speed and agility if they launch a major cyberattack against us.” At the time of the report’s release, our COTE recommendation was seen by some as beyond our mandate and a bit hyperbolic. The American economy shutting down? Does the U.S. government really need a plan to help keep the economy running in the immediate aftermath of a widescale cyber-attack?

Five days after the release of the report, the COVID-19 lockdown began, and the economy nearly ground to a halt. While that crisis didn’t stem from a major cyberattack, people’s minds became more open to what a countrywide, cross-sector cyberattack could look like.

The CSC wasn’t prescient. Rather, we were just paying attention to the dramatic uptick each year in the scale, severity, and duration of cyberattacks on American national security and economic capabilities.

In 2018, the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies conducted a tabletop exercise to study what the government and private sector may want, need, or demand from each other in the aftermath of a major cyber-attack steamrolling the economic landscape. The most notable finding was that “the U.S. government possesses response functions, emergency authorities, and powers that can be invoked during a significant cyber event, but the practical implications during severe cyberattack conditions remain unclear. It is critical to build and sustain resilient enterprises now to mitigate future catastrophic impacts.”5 During that tabletop it also became clear that, unless forced by legislation, the executive branch would be unlikely to do the hard work needed to plan and prioritize the outflow of limited resources during a time of catastrophe.

The CSC was lucky to have Tom Fanning as a Commissioner. At that time, he was the executive chairman of the Southern Company, the second-largest utility in the United States, serving over nine million gas and electric utility customers. He understood at a granular level that if a cyberattack crippled the banks, telecommunication companies, and the power companies, all hell would break loose. Who would decide what sectors should be prioritized? How many government employees even understand that banks cannot run without telecommunications, telecommunications cannot run without power, and power cannot run without water? When faced with protecting the country, does the financial district of Manhattan stand in front, or behind, the Dallas-Fort Worth metro area, which is home to the largest distribution hub in the United States? Or should getting the water, power, and telecommunications surrounding Fort Bragg, the nation’s largest military base, take precedence? Who can even make those decisions? And how, without a plan in place that is exercised and understood (such as COOP and COG), would the elements of that plan be conveyed to relevant parties during a crisis?

The CSC knew that without a COTE plan, our country cannot meet even the minimal requirements for deterrence by denial or punishment. Our report included draft legislation on COTE, and we were heartened that in the 2021 annual defense bill, Congress mandated that the executive branch develop COTE plans within two years.6

However, the Biden Administration dragged its heels on beginning the work, despite letters from Senator King and Representatives Gallagher and Andrew Garbarino to the president to keep attention on the issue.7 When the White House finally did get to work, it soon became clear the interagency review process was stripping the COTE plan of some of its most important elements. The Biden administration was preparing to dismiss the need for COTE and (wrongfully) assert that existing government plans were sufficient.

The Center on Cyber and Technology Innovation (CCTI) stepped into the breach, writing its own report on how to set up an effective COTE process.8 Media coverage of the report — alongside ever more vicious cyberattacks against America’s critical infrastructure — prompted members of Congress to push the administration to develop COTE plans.

The 2024 National Defense Authorization Act required the Department of Defense to create a pilot program on assuring critical infrastructure support for military contingencies.9 The statute directs DOD to select three military bases and assess how the power, water, and telecommunications for each are supplied. Once this critical infrastructure baseline is created, the second step of the pilot is to recommend priorities for the order of recovery of these systems in the event of a significant cyberattack. Congress recognized that not all areas of a military base are of equal importance. If, for instance, the troops on a base need to mobilize quickly, buildings housing command and control coordination, logistics, and intelligence would certainly take precedence over the gym and the schools. But without having an accurate plan of how the power, water, and telecommunications flow into and around the base in coordination with one another, prioritization of restoration would be impossible. As a final step, the pilot program was directed to develop a lessons-learned database which was to be shared with the Committees on Armed Services of the House of Representatives and the Senate.10

As of this writing, no such pilot has been undertaken and no reports on this matter have been shared with Congress. And yet the need for such a COTE pilot for military bases continues unabated.

As just one small example, buried in the never-ending news cycle of major breaches on U.S. critical infrastructure by foreign adversaries was a January 29, 2025, media report that barely created a ripple of interest: “Dover Declares State of Emergency Due to Potential Cyber Security Breach.”11 The information surrounding the breach was scant and, in and of itself, not that interesting. The suspected breach may or may not have accessed protected or confidential information. It may or may not have had anything to do with critical infrastructure.

A town of about 40,000 people, Dover is the capital of Delaware. But it is also home to the Dover Air Force Base (AFB), the Department of Defense’s largest aerial port with approximately 11,000 Airmen and joint service members responsible for global airlift. The 436th and 512th airlift wings, operating out of Dover, together account for 20 percent of the nation’s strategic outsized airlift capability.

If, as is the case for most U.S. military bases, Dover AFB’s power, water, and telecommunications needs are serviced by privately owned utilities, the molehill of a small cyber incident impacting a small city government can quickly grow to be a mountain jeopardizing our nation’s ability to defend our country at home or abroad.

The best way to defeat an enemy is to never let them off the base in the first place. The Japanese tried that out in Pearl Harbor. No doubt Beijing will be thinking along the same lines as they attempt to keep the United States out of any fight over Taiwan.

In 1941, 353 Imperial Japanese aircraft attacked Pearl Harbor’s U.S. battleships, cruisers, and destroyers. The Japanese, however, didn’t attack important military support installations such as the power station, fuel center, torpedo facilities, and the intelligence section of the Pearl Harbor base. Due to these intact support systems, Pearl Harbor and its assets were able to recover quicker than expected and six of the eight U.S. battleships there that day went on to fight in the war.

The modern-day version of Pearl Harbor could see China using cyber means to attack the critical infrastructure that supports our military bases. While the planes and ships may look unscathed from the outside, without power, water, and telecommunications they (and the military personnel needed to operate them) could be left at a standstill. This is all the more likely now, since such critical military infrastructure is often run by private sector entities that sit “outside the wire” — beyond the perimeter of the base’s secured zone. Which brings us back to the not-very-interesting cyber-attack on the not-very-big city of Dover, Delaware and why it should concentrate our minds (yet again) on the peril our country faces.

President Trump’s recent executive order (EO) on national resilience is a step in the right direction. The EO would require the Assistant to the President for National Security Affairs (APNSA) to collaborate with relevant agencies on a national continuity policy review and recommend changes to “modernize and streamline the approach to national continuity capabilities, reformulate the methodology and architecture necessary to achieve an enduring readiness posture, and implement the National Resilience Strategy.”12 The EO’s findings will dictate the path to change these underlying policies.

As described by Mark Harvey and Rear Admiral (Ret.) Mark Montgomery in the COTE playbook, a national COTE manager can “lead the planning, conduct the exercises, maintain situational awareness, and sustain the necessary relationships between federal agencies and critical infrastructure owners and operators on a routine basis. This person can also hold federal agencies accountable for adding COTE requirements into existing plans and reviewing and updating plans on a regular cycle.” With the EO, President Trump has a critical opportunity to include CSC’s original recommendations. 

President Eisenhower was wise to create COOP and COG, and our country was fortunate that we never had to operationalize them due to a nuclear strike. President Trump can ensure our country is protected from the scourge of a cyberattack by fully implementing our COTE plan. Odds are, we will need to use it.

  1. U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” February 7, 2024.
  2. Microsoft Threat Intelligence, “Volt Typhoon targets US critical infrastructure with living-off-the-land techniques,” Microsoft Security, May 24, 2023.
  3. Mark Harvey and RADM (Ret.) Mark Montgomery, “After the Attack: A Playbook for Continuity of the Economy Planning and Implementation,” Foundation for Defense of Democracies, September 13, 2023.
  4. United States of America Cyberspace Solarium Commission, “Report,” March 2020.
  5. Chertoff Group and Foundation for Defense of Democracies, “U.S. Government and Private Industry Must Prepare for Cyber-Enabled Economic Warfare Escalations,” Foundation for Defense of Democracies, February 05, 2019.
  6. William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283.
  7. Annie Fixler, “Lawmakers Urge More Action to Ensure Resilience of the U.S. Economy,” Foundation for Defense of Democracies, November 14, 2022.
  8. Harvey and Montgomery, “After the Attack.”
  9. National Defense Authorization Act for Fiscal Year 2024, Pub. L. 118-131, 137 STAT. 548, codified as amended at 10 U.S.C. §§ 2224.
  10. Ibid.
  11. WBOC, “Dover Declares State of Emergency Due to Potential Cyber Security Breach,” January 29, 2025.
  12. “Executive Order on Achieving Efficiency Through State and Local Preparedness,” The White House, March 19, 2025.