ICS Village, in partnership with the Institute for Security and Technology, Crowell LLP, and the National Security Institute, presents Critical Effect DC, a critical infrastructure-focused conference connecting policymakers, members of civil society and academia, and OT/ICS stakeholders.
Critical Effect DC is the evolution of the Hack the Capitol conference, now in its 8th year. This year, the event prioritizes timely, solution-driven content with a sense of urgency, focusing on initiatives that can be implemented in the next two years. Join us on June 12 and 13 to hear from members of Congress, emergency management, top tier media, stakeholders from water, emergency healthcare, power, food supply, and national security experts.
When
Thursday, June 12, 2025 —
Friday, June 13, 2025
Where
Crowell and Moring LLP
1001 Pennsylvania Avenue NW
Washington, DC 20004
Hosts
About Critical Effect DC
As an evolution and extension of the conference known as “Hack the Capitol,” Critical Effect DC is a two day, multi-track conference committed to bridging the gap between technical experts and policy professionals.
Why this sense of urgency? Learn more about this year’s focus with a video from the IST project UnDisruptable27:
For media inquires or other questions, please contact [email protected].
Returning this year: Workforce Development Day!
This part of the conference is dedicated to training underrepresented populations—including college students, military veterans, women, and minorities—providing hands-on experience and connecting them with training programs and job opportunities in ICS/OT security.
Critical Effect DC ’25 speakers
Track I: Critical Mass
Policy, strategy, and governance-focused panels and presentations, including keynotes and fireside chats by leading government officials.
Agenda: June 12, 2025
| 8:30 am | Networking and coffee |
| 9:00 am | Opening Remarks Bryson Bort, ICS Village and Joshua Corman, IST |
| 9:05 am | Fireside Chat Representative Nick Begich III (AK) and Bryson Bort, ICS Village |
| 9:35 am | Why Critical Effect? Why Now? Bryson Bort, ICS Village and Joshua Corman, IST |
| 10:00 am | Rethinking Cybersecurity: From Volt Typhoon to Resilience by Design Despite decades of investment—billions spent on cybersecurity tools, training, and advanced hardware—our systems remain fundamentally vulnerable. The Volt Typhoon campaign, a stealthy infiltration of U.S. critical infrastructure attributed to a nation-state actor, is the latest warning sign: our adversaries are outpacing our defenses. Why, after all this effort, are we still broken? This panel brings together leaders from government, industry, and academia to examine the root causes of these persistent vulnerabilities. Is the issue rooted in complexity, poor adoption of best practices, or fundamental design flaws? Have we prioritized compliance at the expense of innovation. Moderator: Mehdi Tarrit Mirakhor, Associate Professor, Department of Information and Computer Sciences, University of Hawaii Panel: Kevin E. Greene, Chief Security Strategist at BeyondTrust; Kirk Lawrence, Section Chief, Secure by Design, CISA/DHS; Adam Robbie, Head of OT Threat Research, Palo Alto Networks |
| 11:00 am | No Water, No Hospitals: Emergency Response Under Fire China’s 2027 intentions toward Taiwan are fast approaching and US Water is in the crosshairs. Volt Typhoon’s credible threat of disruption and destruction of water infrastructure has immediate risks to public safety, human life, and national security. In peacetime, this Public-Private-Partnership’s participation remains a single digit %. As we face hybrid conflict this panel will surface and test assumptions regarding cross-sector, cascading failure. We will also discuss some of the findings and recommendations of UnDisruptable27- focussed on the resilient continuity of operations at the intersections of water and access to emergency care. Moderator: Josh Corman, Executive in Residence for Public Safety and Resilience, Institute for Security and Technology (IST) Panel: Jonathan Horowitz, Deputy Head Legal Department, International Committee of the Red Cross (ICRC); Kevin Morley, Manager, Federal Relations, American Water Works Association (AWWA); Blake Scott, Senior Public Health Emergency Preparedness Planner, Coconino County Health and Human Services; Jennifer Lyn Walker, Director of Infrastructure Cyber Defense, WaterISAC |
| 12:00 pm | Lunch |
| 1:00 | Keynote Congresswoman Robin Kelly (IL-2) |
| 1:15 pm | Practicing for Disaster: MITRE’s Multi-Sector CyberSecurity Exercise Recently MITRE hosted a groundbreaking exercise bringing together approximately 200 participants from 70 organizations across five metro areas, including federal, state, and local governments, emergency managers, and industry representatives from sectors like pipelines, electricity, IT, communications, and rail. The exercise focused on enhancing national resilience during a protracted cyber conflict affecting multiple critical infrastructures. This presentation will provide an overview of the exercise and then Mark will sit with panelists from Industry and Emergency Management to discuss insights gleaned. Moderator: Mark Bristow, Director, Cyber Infrastructure Protection Innovation Center, MITRE Panelists: Sharla Artz, AVP, Security and Resilience Policy, Xcel Energy; Charles R. Goodwin, Commissioner, Department of Emergency Communications & Management, Worcester, MA; Tariq Habib, CISO, New York Metropolitan Transit Authority; Robert Morgus, Sr. Adviser, Risk and Resilience, Berkshire Hathaway Energy |
| 2:10 pm | Code in the Combine: Protecting Agriculture in the Age of Cyber Conflict This panel will examine the growing cybersecurity risks to the U.S. food and agriculture sector, with a particular focus on how increased digital connectivity—spanning AI-powered automation, refrigeration logistics, and supply chain coordination—has created new vulnerabilities with national security implications. This session will also emphasize the importance of public-private information sharing, and how legacy legislative tools—like the Cybersecurity Information Sharing Act of 2015—must be updated and reauthorized to reflect today’s complex and evolving threat landscape. Moderator: Matt Hayden, Former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk and Resilience Policy and Vice President of Cyber and Emerging Threats, General Dynamics Information Technology Panel: Scott C. Algeier, Executive Director of the Information Technology – Information Sharing and Analysis Center (IT-ISAC) and Founder, President, and CEO, Conrad, Inc.; James Johnson, CISO, John Deere; and Jiwon Ma, Senior Policy Analyst, Center on Cyber and Technology Innovation, Foundation for Defense of Democracies |
| 3:05 pm | The Future of Cybersecurity Policy and Regulations: A Multiverse Approach The panel will focus on a discussion exploring diverse cybersecurity and privacy regulatory models, conceptualized as potential timelines within the cyber policy multiverse. We will delve into various frameworks, including traditional command-control regulations, impact/performance-based models, outcome-based regulations, and self-regulation standards, to envision the future landscape of cybersecurity policy. Moderator: Evan Wolff, Partner, Crowell & Moring LLP Panel: Megan Stifel, Chief Strategy Officer, Institute for Security and Technology; Jeanette Manfra, Global Director of Risk and Compliance, Google Cloud; Randy Sabett, Special Counsel, Cooley LLP; and John Woods, Partner, Sidley Austin LLP. |
| 3:55 pm | Closing remarks |
| 5:00 pm – 7:00 pm | Reception The City Club, 555 13th St NW, Washington, DC 20004. Light hors d’oeuvres & drink ticket available. |
All times listed are in Eastern Time.
Agenda: June 13, 2025
| 8:30 am | Networking and coffee |
| 8:55 am | Opening remarks Bryson Bort, ICS Village, and Josh Corman, Institute for Security and Technology (IST) |
| 9:45 am | Keynote Representative Rich McCormick (GA-7) |
| 10:00 am | Peace through Cyber Strength – What Needs to Change in U.S. Cyber Posture Moderator: Lucian Niemeyer, CEO, BuildingCyberSecurity.org Panel: Christopher Cleary, President, Military Cyber Professional Association; Matt Hayden, Former Assistant Secretary of Homeland Security for Cyber, Infrastructure, Risk and Resilience Policy and Vice President of Cyber and Emerging Threats, General Dynamics Information Technology; Michael G. McLaughlin, Co-Leader, Cybersecurity and Data Privacy Practice Group and Principal Policy Advisor, Buchanan Ingersoll & Rooney PC; Mark Montgomery, Senior Director, Center on Cyber and Technology Innovation, Foundation for Defense of Democracies |
| 11:00 am | Conveying the Looming Threat of Critical Infrastructure Hacking The idea that malicious hackers could cause blackouts, water contamination, food shortages, or healthcare disruptions from their keyboards has gone from a sobering hypothetical to an urgent reality in recent years. With so many news topics competing for public attention, though, how should journalists approach coverage of potentially calamitous digital and cyber physical threats? Moderator: Lily Hay Newman, WIRED Panel: Maggie Miller, POLITICO; Andy Greenberg, WIRED |
| 12:00 pm | Lunch |
| 1:00 pm | Cyber Policy Shark Tank Beau Woods, I Am the Cavalry, Hackers on the Hill, and Stratigos Security Learn more and apply at https://hackersonthehill.org/critical-effect/. |
| 2:00 pm | Closing remarks Bryson Bort, ICS Village, and Josh Corman, Institute for Security and Technology (IST) |
All times listed are in Eastern Time.
Track II: Strategic Effect
A series of half-hour individual sessions, each of which will dive deep into leading issues in ICS security. Topics include the corporate, legal and regulatory environment, and specific technical or operational details.
Agenda: June 12, 2025
| 8:30 am | Networking and coffee |
| 10:00 am | A Typhoon in a Teacup? Critically Evaluating Reporting on High Profile Threats For over two years, US and “Five Eye” entities have focused significant attention on the threat posed by an activity cluster initially identified by Microsoft as “Volt Typhoon.” Linked to People’s Republic of China (PRC) cyber operations, Volt Typhoon is notable for effective, persistent use of living off the land behaviors via proxied command and control (C2) infrastructure to target civilian and dual-use critical infrastructure entities. The entity has been described as the most concerning threat to US infrastructure and interests by multiple commercial and government entities – yet for all this attention specifics on the group and their operations remain maddeningly scarce in public, available reporting. Joe Slowik, Dataminr |
| 10:30 am | Cybersecurity Threats and Policy Implications for Battery Energy Storage Systems The integration of battery energy storage systems (BESS) across critical infrastructure is a cross-sector resilience issue with direct implications for national security, industrial stability, and public safety. BESS now supports communications towers, hospitals, military installations, data centers, and electric vehicles, making its security a strategic imperative. As these systems become deeply embedded in critical operations, cyber vulnerabilities in BESS can create cascading disruptions across multiple sectors, threatening infrastructure reliability and operational continuity. Dr. Emma Stewart, Idaho National Laboratory (INL) |
| 11:00 am | “When the well is dry, we know the worth of water”: A firsthand account of a DEF CON Franklin volunteer supporting water utility critical infrastructure This presentation features the firsthand experiences of a DEF CON Franklin volunteer, supporting a small town’s water utility critical infrastructure. This ongoing ethnography of communication documents my first 6 months exploring conceptual deception models with this water utility, to deter attackers and influence attackers’ real and imagined perceptions of the vulnerability and defense of this water utility’s critical infrastructure. This rare account reflects the growing efforts to find alternative ways to protect critical infrastructure, especially for local and state critical infrastructure network teams that often lack resources and support. Tim Pappa, Walmart Global Tech |
| 11:30 am | Fortifying DoD Operational Technology: Securing the Cyber Battlefield Against Nation-State Threats Nation-state and cyber adversaries are exploiting operational technology device vulnerabilities, including trojanized hardware embedded in critical infrastructure, DoD facilities, and supply chains, undermining military readiness before kinetic conflict begins. From ransomware crippling pipelines to malware in industrial safety systems, cyber threats now shape the battlefield. To maintain dominance, federal and industry enterprises must secure OT with Zero Trust architectures, tamper-resistant firmware, and continuous monitoring. Supply chain integrity checks and intelligence-sharing with industry and allies are critical to countering embedded threats. This talk will analyze real-world intrusions and outline strategies to harden OT—because in modern warfare, securing OT is mission-critical. Kathryn Wang, SandboxAQ, and Alison King, Forescout Technologies |
| 12:00 pm | Lunch |
| 1:15 pm | All hands on deck needed for Everything Everywhere All At Once With increasing reconnaissance from APTs into critical infrastructure there is a clear disconnect in OT incident response planning from a wide scale (Everything Everywhere All At Once) attack on American infrastructure. Join Andrew Dettmer as he discusses how he prepares a utility for such an attack, and how vendors, nonprofits (such as the Civilian Reserve Information Sharing and Analysis Center), and government are all needed to prepare better defenses and build a nationwide incident response plan. Andrew Dettmer, Black and Veatch and Katrina Rosseini, CR-ISAC |
| 1:35 pm | The Volt-Bolt: UnDisruptable27 & The work to be done over the next 18 months Josh Corman, Institute for Security and Technology (IST) |
| 2:05 pm | No Sector is an Island While the focus for most entities has been to look inward when improving their cybersecurity posture, Sectors, Regions, and Communities also need to understand how critical infrastructure sectors impact each other. More and more, the critical lifeline sectors rely on each other to have robust risk and resiliency programs. This conversation will discuss some of these dependencies from a Water Sector perspective, and ask the attendees to think more strategically about cyber resilience. Andrew Krapf, Loudoun Water |
| 2:35 pm | Military Mobility Depends on Secure Critical Infrastructure A direct military engagement between the United States and a near-peer adversary would require the swift mobilization and deployment of a sizable U.S. military force. Moving troops and equipment efficiently over land, sea, and air is essential to America’s ability to project power, support partners and allies, and sustain forces to fight and win wars. Alongside the U.S. military’s own assets, commercially owned and operated critical infrastructure enables this military mobility. Civilian-owned rail networks, commercial ports, and airport authorities will handle transportation of the majority of servicemembers and materiel during a significant, rapid mobilization. Mark Montgomery, Center on Cyber and Technology Innovation, Foundation for Defense of Democracies |
| 3:05 pm | Individual and Regional Healthcare Impacts of Cyberattack Natalie Sullivan, George Washington University |
| 3:35 pm | Securing America’s Water Systems: Engineering-Based Approaches to Cyber Resilience This presentation examines the critical interdependence between US drinking water systems and vital services including healthcare facilities, firefighting capabilities, and other critical infrastructure. We’ll outline practical, engineering-focused approaches to achieve cyber resilience without heavy reliance on traditional cybersecurity technologies that remain out of reach for many utilities. Most community water systems (CWSs) in the US operate with limited funds and technical expertise to implement, maintain, and effectively utilize complex cybersecurity solutions. However, these same utilities typically have access to internal and external resources with deep understanding of water process engineering. Gus Serino, I&C Secure, Inc |
| 5:00 pm – 7:00 pm | Reception The City Club, 555 13th St NW, Washington, DC 20004. Light hors d’oeuvers & drink ticket available. |
All times listed are in Eastern Time.
Agenda: June 13, 2025
| 9:00 am | Networking and coffee |
| 10:00 am | What’s the worst that could happen? Cyber Consequence Analysis for Critical Infrastructure Often, the professionals charged to protect critical infrastructure from cyber-attack aren’t well versed in the operational impacts which could result from such an attack. Without that understanding, the defensive strategy for cybersecurity of these critical functions lacks operational context and key defenses and defenders necessary to successful defense and resilience may be overlooked. This talk will arm attendees with critical insights and questions that can be asked to unlock this awareness and enhance cybersecurity plans into critical function assurance plans. Cyber-Informed Engineering gets cybersecurity defenses and operational resilience working smoothly together. Virginia Wright, Idaho National Laboratory (INL) |
| 10:30 am | Critical Infrastructure Security as a Key Enabler for Resilience Critical Infrastructure by definition is deemed important for a Nation. Like with other aspects (hurricanes, earthquakes etc.) that pose a significant risk to Critical Infrastructure, gaps in OT Security can lead to cutting off access to key resources such as Power, Water or Oil, even possibly unacceptable loss of life & property. However, a systematic approach to addressing those gaps would enable resilience, and reduce the severity of the impacts even if other nation-states are waging an active cyber-campaign. This presentation focuses on the low hanging fruit (best practices for reducing risk as well as decreasing impact) to address and resolve the major gaps in OT Security. Vivek Ponnada, Frenos |
| 11:00 am | Securing Rural America: Supporting Electric Cooperatives of all Sizes The National Rural Electric Cooperative Association (NRECA) supports electric co-ops of all sizes and varying cybersecurity maturity. NRECA’s cybersecurity program works to implement programs that support each of these co-ops with their unique requirements. Project Guardian, NRECA’s Co-op Cyber Goals, and other initiatives are just some of the ways NRECA meets co-ops where they are to support their cybersecurity programs. This talk will discuss the cutting-edge ways NRECA is delivering for its members. Adrian McNamara, National Rural Electric Cooperative Association |
| 11:30 am | Understanding Today’s Cyber Threat Landscape FBI Intelligence Analyst Gabrielle Ma will provide an overview of the current, increasingly complex cyber threat landscape facing a variety of critical infrastructure sectors. She will also discuss the importance of information sharing and partnering in securing operational technology and building resilience. Gabrielle Ma, FBI |
| 12:00 pm | Lunch |
All times listed are in Eastern Time.
Track III: Tactical Mastery
Also known as the Beer-ISAC, this featured series of half-hour individual sessions is dedicated to peer-to-peer information sharing.
Agenda: June 12, 2025
| 9:00 am | Networking and coffee |
| 10:00 am | Secure By Default: Closing the Loop Secure by Default in many respects is the ultimate objective for cybersecurity professionals – to have products and systems delivered to the end user in a state without undue risk overshadowing. Recently we have heard from multiple governments around the planet on this topic through such papers as Secure by Design and Secure by Demand. But how do we close the loop? How do we drive the concept of security to be the default state for our ICS solutions? ISA/IEC 62443, the cyber standard for the ICS industry, is addressing this need. Andrew Kling, Schneider Electric |
| 10:30 am | Impact-Centric Cyber Resilience Quantification (CRQ): Estimating Cyber-Physical Damage at Scale For multi-site organizations, understanding facility-specific cyber-physical damage risk is critical for making informed investments in security controls and insurance. This session introduces a methodology designed to estimate financial exposure from cyber-induced physical damage at scale. By leveraging property insurance data, AI-driven facility classification, and historical precedent analysis, this approach provides a structured way to assess inherent risk at arm’s length with limited data on security controls in place. Through a case study on poultry production, attendees will explore how targeted cyber-physical risk modeling enhances resilience planning, supports executive decision-making, and ensures smarter resource allocation across geographically distributed assets. David White, Axio, Daniel Brown, Axio, and Brendan Fitzpatrick, Axio |
| 11:00 am | Stop Applying IT Fixes to OT Problems: The OT Security Wake-up Call OT environments are not like data centers & trying to secure them with IT tools is like trying to play a vinyl record on a CD player (same goal, ineffective tech). From visibility & vulnerability management to risk response, OT demands specialized strategies that prioritize continuity & control. Join us as we explore how traditional IT security can actually increase risk in ICS environments. You’ll walk away with a clear understanding of why OT requires purpose-built solutions, how to avoid the most common (& costly) missteps, & what it really takes to keep operations running safe & secure. Debbie Lay, TXOne |
| 11:30 am | Crown Jewels Analysis for Control Systems To help assess risks to missions from cyber and non-kinetic threats, organizations need repeatable processes to analyze how failure or compromise of an asset could degrade or cause failure of a critical mission. Assets are people, physical entities, or information located either within or outside the United States and employed, owned, or operated by domestic, foreign, public, or private sector organizations. The Crown Jewels Analysis process provides a repeatable approach to capturing knowledge from organizational Subject Matter Experts, documenting known dependencies, and prioritizing assets based on their criticality to mission. Cedric Carter, MITRE |
| 12:00 pm | Lunch |
| 1:15 pm | Blowing up gas stations for fun and profit Since the war(s) broke loose last year, a lot has been said about cyberwarfare, attacks on critical infrastructure, ICS/OT vulnerabilities, you name it. In this talk, we are going to talk about a specific set of ICS: Automated Tank Gauging (ATG) systems. These systems control the safe storage and management of fuel in critical infrastructures like gas stations, military bases, airports and hospitals. We will discuss multiple (10) zero-day vulnerabilities that expose these systems to catastrophic risks, from environmental hazards to significant economic losses. Despite past warnings, thousands of ATG systems remain online, unprotected, and vulnerable to exploitation. This track will talk about past ATG research, the new vulnerabilities found and their technical details, demonstrating how they can be exploited to gain unauthorized control over ATG systems. In the end, we will dive into our quest to cause physical damage remotely, in hopes of blowing up (our) gas station. Pedro Umbelino, Bitsight |
| 1:35 pm | Better Attack Surface Management: What Attackers See That You Don’t Attack Surface Management is the foundation upon which ICS security stands. Drawing from both real-world threats and attack emulation exercises against critical infrastructure environments, we’ll examine the ICS attack surface from an attacker’s perspective and uncover common gaps they abuse, as well as actionable steps to identify and reduce those risks. Learning how to truly define your attack surface now is crucial to protecting our critical infrastructure. Ray Blasko, BreakPoint Labs |
| 2:05 pm | Defending the Digital Core: Cyber Ranges and the Future of Operational Technology Security Cyber Ranges |
| 2:35 pm | Bridging the Gap: ICS Cybersecurity Awareness and Public Education Laura Scherling, Columbia University |
| 3:05 pm | Resilience Now: Translating How Different Sectors Mitigate the Risk of Legacy Infrastructure Matthew Rogers, CISA |
| 3:35 pm | Hunting the Intruder: Detecting and Mitigating Rogue Master Devices in ICS Industrial environments have many assets, sensors, actuators, controllers, and PLCs. How can we ensure new assets are monitored to prevent errors, espionage, and sabotage? This talk explores these threats and solutions. You’ll learn about master-slave roles, rogue masters, and how to detect them. Andre Vianna, Norsk Hydro |
| 5:00 pm – 7:00 pm | Reception The City Club, 555 13th St NW, Washington, DC 20004. Light hors d’oeuvers & drink ticket available. |
All times listed are in Eastern Time.
Agenda: June 13, 2025
| 9:00 am | Networking and coffee |
| 10:00 am | Cyber-Physical Digital Twins for Intrusion Detection This presentation will provide an update on ongoing research on digital twins (DTs) for better cyber intrusion detection. DTs are detailed physics-based models of real systems, enhanced with historical data to improve accuracy. They predict equipment failures, optimize performance, and analyze new conditions. By adding data layers from control systems and cyber-communications interactions, these enhanced DTs offer insights into equipment responses to control signals. Creating an attack library and comparing it with DT responses helps cyber defenders quickly identify potential attacks. Jason Hollern, Electric Power Research Institute (EPRI) |
| 10:30 am | Operationalizing MITRE EMB3D: Threat Modeling to Create and Acquire Secure-by-Design Devices How can threat modelling be used to make more secure device acquisition decisions, build more secure devices, and conduct and communicate research findings? In this talk we will explore how MITRE EMB3D, recently updated to include technical Mitigations, is being used by security practitioners across multiple sectors to better secure the embedded device and operational ecosystems. Jack Cyprus, MITRE and Wyatt Ford, Red Balloon Security |
| 12:00 pm | Lunch |
All times listed are in Eastern Time.
What is Cyber Policy Shark Tank?
In the Cyber Policy Shark Tank, cyber policy innovators pitch solutions to Congressional staffers who have the tools, influence, and track record for putting ideas into action. From legislation and hearings to informal outreach, public statements, and letters, the potential policy actions are as diverse as the challenges they aim to address. With the opportunity to gain not only support but also strategic partnerships and guidance, participants can showcase their knowledge of Legislative levers of power, passion, and ingenuity while taking proactive, positive steps to address some of the most challenging global issues today.
On January 9, 2025, Hackers on the Hill hosted the first ever instance of the Cyber Policy Shark Tank, with five brave innovators pitching five experienced sharks. These cyber policy ideas were bold and innovative, with the sharks providing helpful and candid feedback. The presentations sparked further collaboration between public policymakers and the cybersecurity researcher community.
On June 12-13, 2024, at the Critical Effect 2025 conference in Washington, DC, we will showcase another set of innovators and original ideas. Apply by May 30 to see if your ideas make it into the Cyber Policy Shark Tank!
The rules are simple, the impacts can be meaningful
You have 3-4 minutes to touch on the problem, a specific step that can address it, what to expect if successful, and what you need from the Sharks to make it happen. Sharks have 7-8 minutes to ask questions, suggest tweaks, and offer to invest their time, energy, and political capital alongside you – the cyber policy innovator – to make it happen.
The primary goals of the event are to help the cybersecurity researcher and practitioner community exercise their practical understanding of how to use public policy to achieve desired effects. The time constraints and Q&A from Sharks is meant to ensure participants can articulate the value of their ideas to public policy decision-makers quickly and clearly. The investments the Sharks are willing to make give participants the best chance to see their idea put into action. Drawing from a diverse pool of Sharks offers participants the ability to find at least one willing to invest – as long as they are focused on achievable goals using authorities, levers, and targets that Congressional staffers have at hand.
In addition, the Sharks will award points for each pitch, with prizes given for the best idea and the one most likely to end in disaster (as judged by the Sharks). Ideas will be evaluated for bestness with the following scoring system – which is also a good guide for what the Sharks will look for in order to figure out who they want to work with.
- 4 points for using the right levers, targets, and authorities of the Legislative branch (formal or informal)
- 3 points for how likely the idea is to address the problem it sets out to
- 3 points for its feasibility or likelihood to be implementable
- 1 point for creativity – yes, this event goes to 11 😎
How to enter and what to expect
General submissions will open Monday, May 19 and close Friday, May 30, at 23:59 Eastern time. At that time, we will announce the opening and closing via social media and email. All are welcome to enter. Submitters will be required to provide their name (or handle/alias), contact information, title of the idea, a brief description, and a 1-page (no more than 600 words) decision brief covering the relevant information. More details on each of these sections will be provided in the form.
We will notify selected cyber policy innovators on Friday, June 6. Further detail on the format of the pitch sessions, names of some of the Sharks, and timing of next steps will be sent at this time. Selected innovators can then practice their pitch, refine the 1-pager (if necessary, due noon on Wednesday, June 11), and research the sharks they may be pitching.
Preliminary rounds will be held (virtually or in person, TBD) on Thursday, June 12. Each innovator will present their ideas to Sharks, in a preliminary round. This provides Sharks and organizers the opportunity to downselect the best candidates, and gives innovators the opportunity to get feedback on the ideas, whether they’re selected for the final round or not.
Three finalists will be notified the evening of Thursday, June 12, after the preliminary rounds have been completed. Innovators can incorporate feedback and polish the pitch (any updates to the 1-pager are due by TBD the following day), so it is stage-ready.
The final round of the three top pitches from preliminaries will be conducted live as the last session of Critical Effect, June 13, 2025. The format will be similar to the preliminary round, with different Sharks and a little additional time provided for the pitch and Sharks’ response, if possible. The session will conclude with an announcement of results and presentation of fabulous prizes to the winner.
While you’re free to submit a pitch on any topic you’d like, since Critical Effect focuses on cybersecurity impacts to life, safety, and national security, ideas centered on those themes are most likely to move forward.
Who are the Sharks?
Like with the TV show, your goal is to get one (or more) Sharks to invest in your idea. Will you try to persuade one of them a lot or all of them a little? Will you propose something ambitious and inspiring or bite-sized for a quick win? Those decisions lie with you – and we recommend you do some of your own digging to figure out how you want to present to them. The identities of the Preliminary and Final Round Sharks will be announced closer to the event.
The Sharks are a mix of current and former Congressional staffers. They are all people who have the ability to help you get your idea into action, and they are all people who have a track record of doing so. They are not just there to judge you – they are there to help your ideas succeed.