WASHINGTON — An Iranian cyberattack against the United States is a certainty and could possibly impact water supply systems or businesses, counterterrorism experts told the House Committee on Homeland Security Wednesday.

Iranian adversaries will likely attack through the weakest U.S. targets — American civilians who forget to practice basic security measures online like two-factor authentication, Atlantic Council senior fellow Tom Warrick said.

“Every American needs to realize they are a source of cyber vulnerability or a source of cyber strength,” said Warrick.

Committee Chairman Bennie Thompson, D-Miss., said the committee has $350 million dollars to allocate and is considering the most effective use of the funds.

Rep. John Katko, D-N.Y., highlighted the need for cybersecurity proficiency across the country and the vulnerability of smaller businesses, which likely cannot afford sophisticated cybersecurity.

He compared the hearing to discussions Congress had about terrorism before 9/11.

“We didn’t do enough before 9/11 to stop it from happening,” said Katko. “We now have this metastasizing problem of cybersecurity…it’s the greatest threat to our country right now.”

Vincent R. Stewart, special adviser to the Middle Eastern Media Research Institute, said the Iranian government has about 2,000 people organized from a strategic and tactical point. For Iran, the cost to enter cyberspace was surprisingly low, according to Stewart.

Stewart also said social media makes it easier for Iranians to play on the political divisions in America.

“I’m not afraid of Russians, Chinese, Iranians or anyone else in the world,” Stewart said. “I am afraid of the divide in our country.”

Warrick noted that Iran has historically followed “a peculiar sense of symmetry.” After the U.S. killing of Iranian Gen. Qasem Soleimani earlier this month, for example, Iran launched missiles at two U.S. bases in retaliation. If U.S.-Iran tensions continue to escalate, the Iranian government could retaliate through a cyberattack.

Warrick said the American public needs to take cybersafety more seriously and suggested schools teach cybersafety.