Chairman Franklin, Ranking Member Amo, thank you for the opportunity to testify before you today. I am Joshua Corman, Executive in Residence for Public Safety and Resilience at the Institute for Security and Technology and the principal investigator for the UnDisruptable27 project. I have spent the bulk of my career trying to reduce our dependence on undependable technology, especially in life-safety sectors “where bits and bytes meet flesh and blood.” Today’s hearing is a key opportunity to examine how the United States’ research and development ecosystem can support one of the most foundational elements of our critical infrastructure: water and wastewater systems.
To put it succinctly, these systems are highly vulnerable, yet they are foundational to key functions of our society. In other words, through our over-dependence on undependable technology, we have created the conditions such that the actions of any single outlier can have a profound and asymmetric impact on human life, public safety, economic stability, and national security. We have not yet paid the price for our failure to design securely, but the threat environment is rapidly worsening. Government is not the only answer, but it is an important part of the answer, including with respect to the research and development ecosystem. To meaningfully reduce our risk, we will need to embrace novel research approaches.
To understand just how vulnerable our systems are, consider the fact that most water systems use operational technology that was never designed to be connected to the internet. The industrial control systems that control pumps can have software or firmware that is difficult to patch. They often lack core architectural design elements that would allow for secure configuration. And the workforce that operates these utilities is often equipped with minimal cybersecurity training and lacks access to the tools and services that could help.
Fortunately, what we have not yet seen is threat actors taking advantage of water system vulnerabilities at scale. Other sectors of the economy (e.g., healthcare delivery) have been ravaged by ransomware and widespread data theft, but water has, to date, largely avoided being in the crosshairs.
Unfortunately, that is changing, and unlike previous adversaries who sought data or money, our foes now seek to disrupt and destroy lifeline critical functions. People’s Republic of China’s army units have hacked U.S. water facilities. Whether to directly impede military mobilization or cause civilian panic during crisis or conflict, these military units are taking advantage of the vulnerability of our water infrastructure to hold us at risk. Pro-Iranian government hackers are also targeting U.S. companies as part of the ongoing conflict, and they have a history of hitting water targets. What’s more, advances in large language model capabilities also risk exposing water systems to new types of threat actors. Despite concerns about a coming AI-driven cybersecurity crisis due to a rapid increase in the number of identified, and weaponized, vulnerabilities in code, zero industrial control system vendors were included in Project Glasswing, Anthropic’s early access program.
In the face of this rapidly rising risk, I created UnDisruptable27 (U27). U27 is an applied research project intended to answer the question: before a potential 2027 hybrid conflict, with the time and resources we have, are there familiar, affordable, pragmatic, and timely ways to increase the resilience of our most-consequential water utilities against destructive cyber attacks affecting their most consequential customers? With funding from Craig Newmark Philanthropies, we are working with hospital communities across the nation—and the water systems who support them—to apply engineering solutions that will meaningfully mitigate the impact of cyber attacks.
Our goal at U27 is to innovate narrowly so that we can replicate widely. This kind of hands-on approach, at the nexus of engineering, computer science, and public policy, is critical for helping both the sector itself and the sectors that depend upon it. Water utilities face significant funding challenges, making investments in resilience—particularly for national security reasons—hard to justify. These funding challenges, in turn, also make it unlikely that the private sector will develop solutions. Unless or until incentives change this dynamic, the responsibility for developing solutions to help the ecosystem boost its resilience falls to academia, civil society, and government labs.
Co-creation is essential. The types of solutions we are after must fit the operational constraints of water system owners and operators, as well as the broader funding limitations within the sector. They also must be designed to scale across the nation's 53,000 community water systems.
To that end, the Committee should consider creating or supporting programs in systems engineering that are specifically designed to reduce national security and public safety risk. The Committee should also consider how to strengthen the pipeline between researchers and the Water and Wastewater Systems Sector Risk Management Agency team at the Environmental Protection Agency and grant program managers. More broadly, the Committee should continue to support social, behavioral, and economic research in cybersecurity, including by creating a specific cross-directorate program within the National Science Foundation to address this intersectional area of research. Finally, the Committee should support programs that examine cross-sector dependency mapping, including detailed examinations of supply chains.
