Future of Digital Security

Q&A with Josh Corman on UnDisruptable27 

This month at BSides Las Vegas, IST Executive in Residence Joshua Corman announced the launch of UnDisruptable27, a new initiative that seeks to inform, influence, and inspire community action to strengthen the safety and security of our lifeline critical infrastructure systems by 2027. 

Through community awareness and creative arts solutions, UnDisruptable27 aims to build resilience in our water and wastewater systems, emergency medical care and hospital services, food supply chains, and power grids. With $700,000 in initial seed funding from Craig Newmark Philanthropies, UnDisruptable27 will run a pilot project focusing on the nexus of water and urgent care. 

Director of Strategic Communications Sophia Mauro sat down with Josh to learn more about the newly launched effort to strengthen the resilience of lifeline critical infrastructure, dubbed “UnDisruptable27.” How did Josh’s deep background in leading grassroots efforts and protecting critical infrastructure influence his decision to take on this project? How does UnDisruptable27 intersect with and build upon existing initiatives in the ecosystem? And what is the end goal?

Read the full interview in the August edition of IST’s newsletter, The TechnologIST. 

Q: How has your background–at I Am The Cavalry, CyberMedSummit, and elsewhere–played a role in your decision to take on this project?

A: For 11 years now, I Am The Cavalry has been focused on where bits and bytes meet flesh and blood. For the past 7 years, CyberMedSummit has hosted critical conversations on how to collaborate, discuss, and solve cyber challenges that stand in the way of the safe and secure delivery of healthcare. 

I’ve always been concerned that our dependence on connected technology was growing faster than our ability to secure it in areas affecting public safety, and economic and national security. More recently, I changed that line to: through our over-dependence on undependable technologies, we have created conditions such that any accident or adversary can have a profound impact on public safety, economic security, and national security. 

This is a path I have been on and have been investing in, alongside thousands of volunteers who have been helping to make the world a safer place.

Q: What led you to IST and to this particular project?   

A: What changed on the path I was already on was this sense of acute urgency. And for me, that came from two things: 

  1. While I and others knew generally about the concept of Volt Typhoon, on January 31st of this year, four U.S. government cybersecurity leaders warned the House in an unclassified briefing, indicating that they could feasibly carry out large-scale, disruptive attacks to our lifeline critical infrastructure as early as 2027.
  2. Even though we have a spirited, vigorous debate about the best way to regulate minimum cybersecurity for hospitals–including target rich, cyber poor hospitals–the majority of hospitals are at risk of closure or acquisition or decline. The February 2024 attack on Change Healthcare and its subsequent fallout showed that even if these hospitals do everything right, these systemically important critical infrastructure entities that they all depend upon can cause a one-to-many harm. As a result, many citizens had denied, degraded, and delayed care, affecting worsened outcomes, both in hospitals and pharmacies. 

Insiders in the DC beltway or the cybersecurity industry know that we may have a hybrid warfare conflict with China, Russia, or Iran… but the average citizen doesn’t. And insiders know that if a handful of entities get disrupted, that could have an outsized impact on lifeline critical infrastructure… but the average citizen doesn’t.

In short, this added fuel to the fire for me. We are seeing more disruptions, larger disruptions, longer disruptions, and more life safety-altering disruptions. And each one of these is a failure that is blindsiding our neighbors and our communities.

Q: How has your thinking about the project crystallized in the last few months? 

A: At RSA this year, I gave a talk with David Etue on getting serious about critical disruptions, thinking, responses, and rumors of war. We spoke directly to the CISO community, aiming to articulate the very real risks that these disruptions pose to their businesses and communities. Following the talk was where the real discussion happened: we brought national security leaders and the cybersecurity community together to have a raw, urgent conversation about where the world is, where it’s headed, and what we can do about it. That conversation really validated this approach… and the urgency with which we need to do it.

In July, I joined ABC News live on the night of the CrowdStrike incident to weigh in on the breaking news. During the interview, something emerged in me: we have failed the public. ‘We’ being the public-private partnership of the cybersecurity experts and the cybersecurity policymakers. How have we failed them? For 30 years, we’ve allowed people to falsely believe it’s safe enough to connect water, wastewater, and other critical infrastructure entities to the naked internet… and it’s not. I want to do something about it.

Q: You call “UnDisruptable27” a working title. What’s the story behind the name? 

A: I agonized over what to call this. The public is meeting us ice cold. We don’t want to be sensationalist, we don’t want to sound like Chicken Little, telling everyone that ‘the sky is falling.’ The question becomes: how do you raise the alarm without being alarmist? 

UnDisruptable27 tries to start from a positive place. I liked that the goal, the North Star, the destination should be that we want to be undisruptable. That no matter what a foreign state does, it should not affect our access to water, food, power, or emergency care. 

We are not nearly in a place where we could be undisruptable. We’re unlikely to even be undisruptable by 2027. But I want to aim high. I want to force the hard conversations to say, what would have to happen for these attacks and adversaries to have no effect on our communities? 

And maybe, we decide that the infrastructure is disruptable, but the community is not… maybe we can take a punch and get back up again. Maybe we come up with alternatives, develop crisis management plans, create contingencies, or become less dependent on the water from our town and find alternative supplies.

Q: UnDisruptable27 joins a deep bench of organizations and efforts committed to bolstering the resilience of our lifeline critical infrastructure. Where does the project fit in? 

A: UnDisruptable27 is not instead of, but rather built upon, even supercharges, existing efforts. Some of which are my own, including I Am The Cavalry and CyberMedSummit.org. Some of which are hacker collectives like the Cyber Threat Intelligence League, w00w00, ICS Village, Biohacking Village, and the Aerospace Village. And some of which are volunteer cyber Civil Defense initiatives supported by Craig Newmark like the Berkeley Center for Long-Term Cybersecurity and the Consortium of Cybersecurity Clinics, the CyberPeace Institute’s CyberPeace Builders, Aspen Institute, GCA…. There are so many allies and initiatives and there’s a lot of positive momentum in the cybersecurity defense world. And there are new ones emerging. During hacker summer camp this year, Jake Braun announced DEF CON Franklin Project, which wants to do white glove matchmaking to connect willing and able hackers with water facilities and K-12 schools in need of assistance.

How I see UnDisruptable27 is that it can be a unifying, urgent call for action that takes a systems approach. I want this project to become a rallying cry that informs, influences, and inspires the public. As we create demand, initiatives like the CyberPeace Builders network or the Franklin Project could help introduce entities on a local level. The Consortium of Cybersecurity Clinics could find remote means to connect owners and operators of critical infrastructure with university resources, even if they don’t live in the same area. Each of the grantees of the Cyber Civil Defense initiative could find ways for their steady state initiatives to “lean in” to this moment.

In the vein of our Cavalry “stone soup” approach – one in which everyone brings a different ingredient and the more people that help, the more impactful the output – UnDisruptable27 also takes things up to the “organization of organizations” level. Our aim is to tap into the full potential of the philanthropic and altruistic ranks. 

And maybe we’ll get a situation where the whole is greater than the sum of its parts. Maybe this North Star, this urgency, this hyper-focus on lifeline needs like water, food, power, and emergency care, can make these great initiatives even greater.

Q: What’s next for UnDisruptable27? And how can others get involved? 

A: I want to meet people where they are, understand their frame of reference, and give them fit-for-purpose assistance, drawing from a wider range of skills. This is not just about policy people talking to technology people. UnDisruptable27 is for everyone. 

Once we’ve met people where they are in their communities and learned their love languages, we are going to try different stories and narratives through working with creative arts teams. We’ll think about ways to reach people. And it may be different per stakeholder group, right? Messages that resonate with owners and operators of critical infrastructure will differ from those that we use to reach municipal leadership or our neighbors. 

So we want to hear from you: owners and operators of critical infrastructure, local elected officials, members of the public, helpful hackers and technologists… anyone who’s interested in getting involved. Learn more about us at undisruptable27.org and send us a request to join our Slack channel at [email protected].