In 2022, Lawrence Livermore National Laboratory (LLNL) found Chinese surveillance cameras stealthily built into US critical-infrastructure systems. The discovery was part of a CISA-backed program called “CyberSentry,” which matched LLNL sensors with private-sector partners.
LLNL’s cyber program leader Nate Gleason told a Department of Homeland Security (DHS) panel on July 22 that the CyberSentry project is currently on hold, while it awaits funding and sign-off from the Department of Energy and DHS.
National laboratories are not legally able to operate without being funded by a government agency, he said. The sensors are in place; just no one’s allowed to read what they’re detecting.
“Our threat-hunters stopped monitoring networks on Sunday,” he told Congress, referring to July 20.
In a hearing featuring visions of runaway trains, blacked-out hospitals, and downed water plants, industry experts spoke about defensive-security challenges facing today’s operational-technology operators. A solution, they proposed, requires public–private partnerships, including some that are on hold or about to be.
The hearing was billed as a reflection on Stuxnet, a computer worm discovered in 2010 that reportedly took down centrifuges supporting Iranian nuclear facilities around that time. (The New York Times reported in 2012 that Stuxnet was developed by the United States and Israel.)
The worm targeted industrial control systems at the uranium-enrichment plant at Natanz, Iran—not so much disrupting the computers it infected, according to journalist Kim Zetter, but the operational technology: the equipment and processes that those computers controlled.
“The same techniques Stuxnet used can be used against critical infrastructure in the US to disrupt services the public, government, and military rely on, or to damage equipment that can also cause death, either directly by causing passenger trains to collide, or indirectly by preventing patients from being treated at hospitals because the electricity is out,” Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, shared in her opening statement.
The panelists, who included Zetter, Gleason, Dragos CEO Robert M. Lee, and executive director of the Operational Technology Cyber Coalition Tatyana Bolton, discussed partnerships set to expire.
- The Cybersecurity and Information Sharing Act of 2015 is set to expire in September. The law grants liability and privacy protections for organizations that share threat indicators and defensive measures through the Cybersecurity and Infrastructure Security Agency’s automated mechanisms. “If the legal protections established by this act were to lapse, this flow of information would be disrupted up to 80% to 90%, and national security put in jeopardy,” Bolton told attendees.
- The DHS’s State and Local Cybersecurity Grant Program (SLCGP), also set to expire in September, allocates $1 billion over four years to support state and local cybersecurity efforts. “Just as we wouldn’t expect an individual county such as Polk County in Texas to defend themselves against missile strikes from a nation-state, we shouldn’t expect them to respond to cyberattacks on their own. This is a national-security priority,” Bolton said. CISA, which has reportedly lost about a third of its workforce under the current administration, and the Federal Emergency Management Agency administer the program.
Lee wants to see a “focused CISA” that connects with the private sector on threats, but lets companies lead on technology support. “Government tools have consistently underperformed in comparison to private-sector tools and at a higher cost to taxpayers,” he said in his opening statement.
The problem with a narrow focus, according to Zetter, is that small utilities lack the funds, in many cases, to attain security privately.
“They have relied on CISA for that kind of service. And I think that when we have legislation, of course, that has that ability to provide the funds, that’s really significant for those organizations, and that shouldn’t go away,” Zetter said.