When I served at the Cybersecurity and Infrastructure Security Agency, we never treated “over there” and “over here” as separate maps. In cyberspace, the map is one sheet of glass. If the United States hits a regime hard overseas, that regime looks for the fastest way to hit back without meeting us tank-for-tank or plane-for-plane. For Iran, that shortcut has a familiar shape: disruption, deniability, and psychological impact delivered through networks Americans rely on every day.
Operation Epic Fury began in the early hours of February 28, 2026, at the direction of the president, with U.S. and partner forces striking Iranian targets intended to reduce imminent threats to the United States, our forces, and our allies. Those targets included Islamic Revolutionary Guard Corps command-and-control facilities, Iranian air defenses, and missile and drone launch infrastructure. The White House has framed the operation as a decisive effort to end the nuclear threat and degrade the regime’s ability to project violence through missiles, proxies, and maritime forces.
That goal matters, and it should be accomplished. But strategic success abroad does not automatically translate into safety at home. Epic Fury raises the odds that Iran will try to impose costs on the American homeland in the one domain where distance is meaningless: cyber.
The good news is we do not have to guess what Iran will do. The playbook is already written, and much of it depends on basic, preventable weaknesses. In a joint fact sheet, CISA, the FBI, the NSA, and the Department of Defense Cyber Crime Center warned that Iranian cyber actors may target U.S. networks for near-term operations and that Defense Industrial Base firms face heightened risk, especially those with ties to Israeli research and defense organizations. The same warning lays out Iran’s repeatable methods: exploiting unpatched, internet-facing systems and using default or common passwords, including automated password guessing.
Iran’s advantage is not elegance. It is reach. They scan constantly for the doors we leave unlocked.
The clearest reminder is operational technology, the industrial control systems that keep water clean, power stable, and manufacturing lines running. The joint fact sheet documents a campaign from November 2023 through January 2024 in which actors affiliated with the IRGC targeted internet-exposed programmable logic controllers and human-machine interfaces, and it reports that the campaign included dozens of U.S. victims across water and wastewater; energy, food and beverage manufacturing; and healthcare and public health. The access vector was painfully familiar: public-facing control systems protected by factory-default passwords or no passwords at all.
We have also seen Iran use blunt-force disruption to create public pressure. In 2016, the Department of Justice announced charges against Iranian nationals tied to IRGC-affiliated entities for a coordinated distributed denial-of-service (DDoS) campaign that targeted U.S. financial institutions and for unauthorized access into a New York dam’s control systems. That case is a decade old, but its lesson is current: Iran does not need a perfect cyber force to cause real-world consequences. It needs targets that are reachable and leaders who assume “it won’t happen here.”
In a crisis, Iran will also try to turn cyber into theater. The same joint warning notes increased defacements and leaks by pro-Iranian actors and the likelihood of increased DDoS activity during periods of heightened tension, along with the risk of ransomware or ransomware-shaped operations and hack-and-leak intimidation. The goal is not only downtime. The goal is doubt: to make Americans question whether the services they depend on will still be there tomorrow.
What should we do? Not new slogans. Execution.
If you run a hospital, utility, county government, port, school system, or manufacturer, there is a short list that reduces Iran’s most likely options quickly:
First, reduce exposure. Identify what is internet-facing, especially remote access pathways, and pull anything unnecessary off the public internet.
Second, eliminate default credentials everywhere, particularly in and around operational technology. Default passwords on public-facing systems are a national security liability, not “technical debt.”
Third, make identity the choke point. Require strong authentication and tighten privileged access so a single stolen password is not a master key.
Fourth, patch what faces outward. Prioritize exposed edge devices and systems with known exploited vulnerabilities.
Fifth, rehearse recovery. Backups are not resilience until restoring from backup is practiced and leaders know how to keep operating while systems are rebuilt.
Washington also has a role, and it should focus on measurable readiness, not process.
Confirm the director of CISA. In a heightened threat environment, the nation’s cyber defense agency should not be led indefinitely without a Senate-confirmed director. The president re-nominated a director in January 2026; the Senate should move swiftly so CISA can operate with clear authority and accountability.
Then use CISA’s convening power to drive urgent, prioritized action across critical infrastructure, especially operational technology exposure reduction and remote access hardening, and to reinforce protection of the Defense Industrial Base where the joint agencies have warned risk is elevated.
Epic Fury is intended to reduce a serious threat overseas. The cyber front is how Iran will try to shift pain onto civilians and critical services at home. We can blunt that blowback, but only if we stop giving adversaries easy wins.
In cyberspace, the homeland is not protected by distance. It is protected by discipline.







