Dear Fellow Protectors,
How can research and development improve the cybersecurity of water utilities? That was the question before the House Science, Space, and Technology Committee’s Subcommittee on Environment last week as Josh testified on our work building the UnDisruptable27 project.
From the outset, it was clear that our message was getting through on Capitol Hill. Nearly every Congressperson referenced the connection between water and healthcare delivery. One member from Texas even asked Josh to walk through how exactly a disruption to water could impact a specific healthcare facility in Houston! We came in expecting to do some educating about cascading failures due to dependencies, but the Committee members made plain that their focus on water was in part due to its foundational, cross-sector nature.
In listening to the testimony provided by Josh’s fellow witnesses, it’s also evident that policymakers are open to implementing non-cyber solutions to address cyber problems.
- Dave Hinchman, who leads a Government Accountability Office IT and cybersecurity team, emphasized sector governance and strategic planning as a core element of risk reduction.
- Ginger Wright, an Idaho National Laboratory program manager (and U27 volunteer!), spoke about the importance of Cyber-Informed Engineering and the use of unconnected devices, like a time delay relay, to prevent pumps from burning out due to a flood of commands.
- Nicole Tisdale, a key voice in the Cyber Civil Defense community, highlighted the looming workforce cliff for rural water: 57% of their operators intend to retire over the next ten years.
It was the perfect panel for validating approaches that don’t start at merely preventing access. As Josh said to the Committee: “The threat comes from cyber, but the solutions come from engineering. It’s not shields up. It’s connections down.”
To tailor our testimony to the members of the Science Committee, Josh included recommendations drawn from U27’s research design and methodology. After all, though we aim to scale broadly, we’re innovating narrowly to start. He noted that, for this crisis, we have to design for the world as it is, not the world we want. The systems causing the greatest risk are owned and operated by entities that are target rich and cyber poor. That’s where the focus needs to be.
He also testified that heroism only takes you so far. Unless and until we examine the incentives driving behavior, we will continue to fall behind. For us at U27, this means that we’re focused specifically on bridging the education, motivation, and enablement gaps.
You can read all of Josh’s testimony (Warning! It’s a 17-page PDF… we had a lot to say!) or watch the hearing on YouTube. Let us know what you think by dropping us a line at [email protected]. Better yet, email us to come join our Slack and stop by our next town hall, Thursday, June 4, at 1:00 pm EDT. Best of all, come see us in person by registering for Critical Effect DC, in just three weeks!
Joshua Corman
Executive in Residence for Public Safety & Resilience
Stephanie Ross
Managing Program Director for Public Safety & Resilience
Nicholas Leiserson
Senior Vice President for Policy
Critical Effect DC Conference
Join Us: June 17-18
Register now! Our two-day Critical Effect Conference is three weeks away. With 2027 getting closer, we are prioritizing ideas that lead to real, actionable impact.
ICYMI: We’ve announced our first few rounds of speakers for this year’s event – with many more to come! Speakers include:
- Nick Andersen, CISA Acting Director
- Christopher Cruz, Cyber Program Manager at the Virginia Fusion Center
- Joe Slowik, Cybersecurity Alerting Strategy Director, Dataminr
- Sheila Casserly, Director of Digital Policy, Americas at Schneider Electric
- Katrina Rosseini, Founder, KRR Ventures Advisory
- Craig Newmark, Founder, craigslist and Craig Newmark Philanthropies
Critical Effect DC provides a unique platform for leading voices in ICS and cybersecurity to engage with policymakers, think tanks, and the media, while facilitating hands-on experiences and encouraging informed, actionable discussions. Unlike most cyber-related events, our center of gravity is zeroed in on National Security & Public Safety / Human Life. Presented by ICS Village, in partnership with the Institute for Security and Technology’s UnDisruptable27 project and Akin.
When: Wednesday, June 17 – Thursday, June 18, 2026
Where: Akin, 2001 K Street NW, Washington DC 20006
How to join: Register on Eventbrite
Where We'll Be
- May 28: Stephanie will moderate a session at the West Region Cyber Civil Defense Summit, hosted by UC Berkeley in Scottsdale, AZ
- May 31-June 2: Josh will be co-presenting with Casey John Ellis at NaCICON – The History of Hacking/Cybersecurity Conference
- June 17-18: Critical Effect Conference in Washington, DC
- June 21-24: AWWA Annual Conference & Expo (ACE26), Washington, DC
- June 24: Healthcare ISAC annual TTX “Hobby Series” (feat. Water and Power)
- August 3-5: BSidesLV, I Am The Cavalry Track, Las Vegas, NV
- September 16: One-Day Tech Innovator-focused Critical Effect in Sacramento, CA
- TBD: Stay tuned for a TTX (tabletop exercise) in the Washington DC “beltway” area with all hospital association members
Where We've Been
- On April 13-15, the full IST team gathered for our annual offsite in Chicago. There, we collaborated with our AI and Strategic Stability teammates on BIG “disruptions to UnDisruptable27” such as Great Power dynamics with China, the Iran war, the VulnPocalypse Now!, and even an intense war-game TTX and scenario exercise.
- On April 16, Josh addressed the Irregular Warfare Center’s Military Medicine Summit at the Mayo Clinic in Minnesota, exploring the impacts of hybrid conflict on homeland healthcare capacity.
- On April 21, IST’s Chief Strategy Officer, Megan Stifel, testified at a joint hearing of the Subcommittee on Border Security and Enforcement and the Subcommittee on Cybersecurity and Infrastructure Protection, where she drew lessons from IST’s work on cybersecurity to offer recommendations for fighting online scams, fraud, and digital extortion. Watch the hearing and read her testimony.
- On May 6, Josh participated in a healthcare-focused webinar with Censinet on potential disruptions to water & hospitals, including from a Taiwan conflict, as well as Iran and the AI VulnPocalypse.
- This May, we’ve been hard at work reviewing CFP submissions, announcing speakers, setting up agendas, and launching registration for Critical Effect DC. We can’t wait to see you there!
Our Media Diet
- “Would you feel comfortable with a stranger having direct access to your home at will, even if they didn’t steal or damage anything? Probably not. What if we told you that foreign militaries have similar access to U.S. civilian critical services, such as water and power?” With the help of The Studio, we’ve produced our latest animated short video explaining the problem… and what UnDisruptable27 is doing about it: Preparing for the Coming Storm.
- On April 16, IST released its 2025 Annual Report, which featured a spotlight on U27’s impact over the last year, as well as impact reports from other projects across the organization.
- “This is not just about data or money, this is about delayed, degraded care affecting patient care and even loss of life.” On April 30, Josh spoke to HealthInfoSecurity reporter Marianne Kolbasuk McGee about losses of life in hospitals that could stem from disruptions.
- The UK’s AI Security Institute released an evaluation of Claude Mythos Preview’s cyber capabilities. They found “continued improvement in capture-the-flag (CTF) challenges and significant improvement on multi-step cyber-attack simulations.”
- In a BioCatch blog, one author points out that the interesting problem with Claude Mythos lies in the behavioral gap. “Fraud detection that relies on past transactional behavior, outcomes, amounts, destinations, and frequencies rather than the interaction itself will likely prove less accurate when confronted by an adaptive AI agent.”
Previous editions

#5: Is Secure-By-Design too late for Lifeline Functions?
Is it too late for secure-by-design? That provocative question was at the heart of our presentation at the RSAC Conference this year. In UnDisruptable27's latest newsletter, we recap their mock debate, concluding that even though the best time might have been years ago, the second best time to implement secure-by-design is now.

#4: This is why UnDisruptable27 exists
In the aftermath of last week's attack on a U.S. medical device manufacturer by a pro-Iran regime hacktivist group, UnDisruptable27's newsletter reflects on its very reason for existence: "to ensure that our communities can take the punch that's coming, even if it's from our most capable foes."

#3: Innovate narrowly, scale widely
From working with small and local communities to connecting with policymakers, UnDisruptable27’s mantra is to innovate narrowly and scale widely. As the team continues working to identify potential communities for piloting our cyber-informed, engineering-first approach, we’re turning our attention to the policy sphere.

#2: Save the Date for Critical Effect 2026
In the second issue of our newsletter, save the date for Critical Effect 2026, listen to the latest episode of Hack the Plan[e]t and other featured podcasts, and find out where to see us.

#1: Happy Holidays from U27
In the inaugural edition of the UnDisruptable27 newsletter, learn how to participate in FrostyVolt’25, where to find us, and what we’ve been reading.


