Q&A: Defending Our Lifeline Sectors

Welcome back to the TechnologIST! I’m Lillian Ilsley-Greene , IST’s Communications Associate. In August of last year, IST Executive in Residence Josh Corman announced the launch of Cyber Civil Defense initiative UnDisruptable27 at BSides Las Vegas. In this month’s edition, I sat down with Josh to learn more about the project, its goals, and his work so far. 

We are too dependent on undependable things. There is a promise and a peril to connected technologies, and our dependence on connected technologies has been growing faster than our ability to protect it. As we are seeing increased disruptions to our most vital lifeline needs – water, emergency services, food, and power –  how can we turn the tide? 

IST’s UnDisruptable27 initiative, led by Executive in Residence for Public Safety & Resilience Joshua Corman , and initially supported in 2024 by seed funding from Craig Newmark Philanthropies , seeks to inform, influence, and inspire community action to strengthen the safety and security of our lifeline critical infrastructure systems by 2027. By taking a community-first approach and connecting directly with local infrastructure owners and operators, UnDisruptable27 hopes to build resilience into our systems before attackers like Volt Typhoon bring a hybrid conflict to our doors. 

This June, ICS VILLAGE , in partnership with IST, Crowell & Moring , National Security Institute (NSI) , and The Wilson Center will present Critical Effect DC, the eighth edition of D.C.’s annual industrial control systems (ICS) security conference. Formerly known as Hack the Plant, Critical Effect DC provides a unique platform for policymakers, think tanks, and the media to engage with leading voices in ICS and cybersecurity. This year, the conference adopts UnDisruptable27’s call to action and will prioritize timely, solution-driven content that tackles cross-sector critical infrastructure security and resilience challenges with a sense of urgency.  

In this month’s edition of the TechnologIST, I sat down with Josh to learn more about UnDisruptable’s goals, possible solutions, and the risks to our communities if we do not fortify our critical sectors in time. 

“When you add software to a system, you make it hackable. When you connect it to the internet, you make it exposed. The choice we made for connectivity exposes us to accidents like the 2024 CrowdStrike outage and adversaries like ransomware groups. The big gamble we were taking in this was that we’ll get all the obvious, immediate benefits, but we won’t be a target. Attackers used to steer clear of life safety industries, so for a time, we were able to enjoy that belief. But we took bigger gambles than we should have, and since 2016, healthcare has been among the top targets for attacks. This is important to understand because, by exposing ourselves to accidents and adversaries, we've allowed a different type of predator to do a different type of damage, with a protracted impact on our communities.“  - Joshua Corman, Executive in Residence for Public Safety and Resilience

UnDisruptable27 aims to build safety, security, and resilience into our communities’ lifeline critical sectors. What do you mean when you say “lifeline” sectors?   

“Think of this as stuff that humans need to survive, in the immediate sense. Most people have heard of the notion of critical infrastructure. Unlike many of our allies, the United States delegates public goods to be owned and operated by the private sector. 

In 2013, the Obama administration issued Presidential Policy Directive 21, which identified 16 sectors as “critical infrastructure.” These included things like financial services, healthcare, public health, and water and wastewater. But when everything's critical, nothing's critical.

So of those, CISA identified National Critical Functions that are more discrete and more like a lifeline utility. These provide drinking water, electricity, medical care, and maintain access to our medical records. So you can look at “lifeline” sectors as a service or function that should be running all the time and then could be disrupted for some amount of time, to some degree. These are the critical functions that, if disrupted for 24 or 48 hours, could affect public safety and human life.

All the sectors matter, but they have different life implications and public safety implications.” 

You recently joined Bryson Bort for an episode of the IST/ICS Village-produced podcast, Hack the Plant, to discuss UnDisruptable27 and the growing threats to our infrastructure systems. On the podcast, something you said stood out to me: “part of the reason we are defending indefensible things is our incentives have never been properly placed.” What do the proper incentives look like, to you?

“From my perspective, we have seen market failures in software, infrastructure technology, and operational technology. The problem is three-fold. 

First, there is a complete lack of liability for technology developers. We had the first losses of life from software failures over 30 years ago, but as software was a competitive international market – like AI is today – there was a conscious decision to delay the issue of liability. But what was meant to be a short moratorium has remained in place, leaving developers unaccountable. 

The second problem we have is information asymmetry. In theory, supply and demand take care of themselves. You have an informed public, constituting the demand, who are able to choose among sufficient supply. They buy the products that best meet their needs. But with the increasing complexity of software, IT, and OT, it's very difficult to know what we're buying. This is why I push for things like labeling, or SBOMs (Software Bill of Materials), or attestations about the software being patchable, or having disclosure programs. We need policies that can build the confidence of the buyer, even if they don’t understand underlying technology. 

And then third, we have rarer and more challenging market failures; sometimes what’s right for the company and the shareholders is wrong for the country. The Colonial Pipeline hack is a good example of this – they shut down operations, not because the pipelines were hacked, but because the business office was hacked. What was good for their shareholders was panic-inducing for the Eastern Seaboard. 

This all stems from a general lack of accountability that allows those who produce digital infrastructure to pass large amounts of unspecified risk downstream to the ecosystem, making it far more challenging to protect. We need public policy that will ensure that we maintain the trust and safety of the public, not just the sovereignty of private organizations.”

In June 2025, IST is partnering with ICS Village to host Critical Effect DC. How has UnDisruptable27’s mission impacted the theme of #CriticalEffect25?

“ICS Village has run Hack the Capitol, now Critical Effect DC, for seven years, and done an incredible job of bringing together Operational Technology (OT) and Industrial Control Systems (ICS) practitioners and public policymakers. I’ve joined both as a speaker and attendee, and Bryson and I have collaborated on several different projects. 

I approached Bryson and the team at ICS Village and proposed, instead of just focusing on what we need to do for the next five or ten years, what is the art of the possible in the next one or two? How can we add urgency, impact, and effect? So we’ve included more focus on this immediate need, and the possible consequences of disruption and destruction on these lifeline sectors. 

We already had a good start with the communities we touched, but this year we wanted to drive much more attention towards water, power, and emergency care. We want to reach past everyone who is already at the table, and look to the 85% of owners and operators who don't yet participate in public-private partnerships, aren’t members of an ISAC, and haven’t come to DC for conferences. 

We want this to be a call to meet the moment. I encourage every speaker to really turn up the heat on what could be done now, what could have the highest impact, how can we lean in harder than we could have without these partnerships?”

If you haven’t already, make sure you visit our website, register to join us in DC this June, and submit your proposal to present at Critical Effect DC by April 4. 

What are the risks to you and me if we are not able to prepare our critical infrastructure before 2027?

Recently, we've seen nation-state adversaries consider cyber offensive attacks as weapons of war in modern hybrid conflict. A lot of these attacks are scooping up any vulnerable, exposed equipment as a potential asset to be used indiscriminately. And sadly, most of our infrastructure is target-rich, but cyber-poor. Volt Typhoon is the most troubling example to me, but we’ve also seen two other groups attack water infrastructure located in Pennsylvania and Texas in the last year. 

So we know that more than one country that we could have a hybrid conflict with has shown an interest and ability to access our basic water systems. What does that mean for our communities? 

The most devastating scenario is, a water facility controlled by a group like Volt Typhoon executes a water hammer, a phenomenon in which a sudden pressure surge can overwhelm the pump system and cause significant disruption to water flow, and even burst pipes and damage property. Six thousand of our communities house hospitals, and attackers could target these areas of our cities to eliminate water flow to all an area’s healthcare facilities. 

Hospitals are equipped with diesel generators and can go quite a bit of time without power, but they cannot continue to operate for more than four to six hours without water. 

Were this to happen across enough communities, we may not have the repair technicians or replacement parts to fix them even that quickly. Delaying or degrading urgent care for even a few minutes can affect outcomes for our family members, our communities, and entire regions. This could be devastating.

As to the likelihood of this kind of event, former FBI director Christopher Wray warned in 2024 that the Chinese Communist Party could feasibly carry out large-scale, disruptive attacks to our lifeline critical infrastructure. If we interfere with CCP intentions in Taiwan, for example, they could wreak havoc on our critical infrastructure. We expect to have to interfere, therefore, we should prepare for the worst. 

More than that, as I said, we have seen successful compromises of our water systems by other nation state adversaries. If it’s not the PRC and Volt Typhoon, it will be someone else. Our lifeline infrastructures are exposed to any adversary, at any time, for any motive.” 

What’s next for the UnDisruptable27 Initiative?

“At this point, we’ve connected with the public-private partnerships we want to work with, and we’re turning to the infrastructure owners and operators. These are the people on the ground, working within these systems every day.

We need to come to them first, because this project is not asking for unhackable equipment. It’s that we want to form engineering approaches that, if the worst punch is thrown, do we believe we can take that punch? Have we marshaled our resources to the right and most consequential failure points?  

Resilience is not the absence of getting hit. It's the ability to take a punch, the ability to get back up if you get knocked down, the ability to fight through the pain. 

After the infrastructure owners and operators, we’ll turn to city managers. This is going to take a lot of hard conversations, prioritization, creative thinking, but we could make it such that despite our exposure to accidents and adversaries, our worst case failure modes are either mitigated or even eliminated, and hopefully, our everyday citizens and neighbors would never even have to know that they were at risk.” 

IST in the News

Fatima Faisal Khan reminds us why open-source tools matter

In an op-ed for Tech Policy Press , Ecosystem Trust and Safety Associate Fatima Faisal Khan an details the importance of ROOST.tools , a newly launched non-profit open source tooling hub, in the Trust and Safety ecosystem. “Just as open source helped software development to evolve into a field characterized by collaboration and rapid innovation, the trust and safety field has the potential to redefine itself through open source,” Fatima wrote. 

Philip Reiner on the cybersecurity implications of our changing relationship with Russia

CEO Philip Reiner spoke to NBC early this month in an article detailing U.S. allies’ concerns surrounding the Trump administration’s “conciliatory” approach to Russia. While experts speculate that the United States may have reached a private agreement with Moscow, Philip offered context: “Any engagement the Trump administration has to normalize relations around cyber has got to take into account the economic terrorism that Russia engages in via ransomware gangs.” 

Elsewhere at IST 

Cracked and Nulled: International Law Enforcement Takes Down Two of the World’s Largest Cybercrime Forums

In a recent victory against cybercrime, international law enforcement agencies jointly announced in January the successful disruption of Cracked and Nulled, two of the world’s largest cybercrime forums. IST Future of Digital Security Associate Gigi Flores Bustamante mante breaks down key actions and the operation’s strategic approach to disrupting ransomware. “Rather than solely focusing on arresting individual cyber criminals—who are often difficult to locate or operate from jurisdictions with little law enforcement cooperation—this effort zeroes in on the services and infrastructure that sustain ransomware operations,” Gigi wrote.

IST responds to federal requests for comment on AI policy

This month, IST submitted two responses to requests for comments from federal agencies on topics in the AI ecosystem. IST has long engaged with a diverse range of stakeholders across the AI ecosystem to better understand the emerging risks of AI foundation models and to develop technical- and policy-oriented risk reduction strategies, driving forward responsible innovation. Our comments to NIST proffered several IST reports concerning misuse for review, and our comments to the White House’s Office of Science and Technology Policy put forth six strategic objectives that would serve as the foundation of a new national strategy on AI. 

Patrick J. McGovern Foundation Renews Commitment to Supporting IST’s AI Risk Reduction Efforts

Over the last two years, with the support of The Patrick J. McGovern Foundation , IST has been on a mission to assess the risks and opportunities associated with the development and deployment of cutting-edge AI foundation models. IST is excited to announce renewed support from PJMF to further advance this vital work, and continue IST’s AI Risk Reduction Initiative. “It’s our collective responsibility to ensure AI advances human potential as systems evolve in autonomy,” said PJMF President Vilas Dhar .

Navigating AI Compliance, Part 2: Risk Mitigation Strategies for Safeguarding Against Future Failures

How exactly can AI builders and users defend against future failure risks, and increase trust in their products? “Navigating AI Compliance, Part 2,” authored by Senior Associate for AI Security Policy Mariami Tkeshelashvili and Adjunct Cyber and AI Policy Fellow Tiffany Saade , proposes risk mitigation strategies inspired by lessons learned from case studies of failures in AI-adjacent industries explored in Part 1. The report aims to guide decision-makers in fostering societal trust in AI systems, all while preventing the repetition of past mistakes.

What We’re Reading

Want more tech and security content? Check out some of the ISTeam's favorite pieces from the past month: 

1. The DragonForce ransomware group has been increasingly targeting organizations in Saudi Arabia, Resecurity analysts report. “This ransomware attack is part of a broader trend of cyber threats facing the region, particularly against critical infrastructure and major corporations,” the report reads. 
2. In a recent report co-authored by Dan Hendryks, Eric Schmidt, and Alexandr Wang, the authors warn against the dangers of reckless introduction of AI into national security systems, and propose a deterrence strategy: Mutual Assured AI Malfunction (MAIM). 
3. The discussion of the race between the United States and the People’s Republic of China for AI dominance has entirely overlooked the role of the Global South in shaping the future of AI, former Australian Ambassador for Cyber Affairs and Critical Technology Tobias Feakin wrote for Aspen Digital. “These nations are setting regulatory precedents, providing diverse datasets that enhance AI models, and determining the geopolitical balance of AI power through their technological alliances,” he said. 
4. A leading aerospace and defense electronics company announced the successful test of a powerful converter and complementary electromagnetic interference filter, meaning that it could be resilient in the face of electromagnetic interference generated by a nuclear detonation. 
5. In February, Google announced that production has begun on OpenTitan, the first open source silicon RoT by Nuvoton. Google plans to make the design and origin of the materials fully transparent, and have chips available for lab testing in Spring 2025.
6. The UK’s National Cyber Security Centre issued new guidance to help protect against future quantum computing threats. The roadmap outlines a three-phase timeline for key sectors and organisations to transition to quantum-resistant encryption methods by 2035, and encourages the wide adoption of post-quantum cryptography.
7. A week after $10 million in cuts to the Department of Homeland Security’s budget, President Trump signed an executive order that directed White House senior advisors to draft a national resilience plan that puts the onus of protecting critical infrastructure systems on the state and local governments. These reductions will expose state governments to national threats, a spokeswoman for the Center for Internet Security told the Wall Street Journal. 
8. To learn more about the cyberattack capabilities of AI, Google DeepMind researchers analyzed over 12,000 instances of real-world attempts to use AI in cyberattacks catalogued by Google's Threat Intelligence Group. Their paper presents a framework for assessing the potential of AI systems– including AGI–to help facilitate attacks. 

The Institute for Security and Technology designs and advances solutions to the world’s toughest emerging security threats. It is a nonpartisan, nonprofit organization based in the San Francisco Bay Area dedicated to solving critical international security challenges through better technology and policy. Donate today to support our mission.