UnDisruptable27 Project Wants to Shore Up Critical Infrastructure Security

What would a worst-case scenario look like for your town? The power grid going out, leaving your community without electricity for days on end? A disruption to the local water supply? Or a cyberattack on the emergency medical response system and medical facilities, leaving people stranded, without access to care during life-threatening situations? 

These are the kinds of scenarios that UnDisruptable27 seeks to prepare for – cyberattacks against critical infrastructure in local communities across the United States – focusing on four principal areas: water and wastewater, emergency medical care and hospital services, food supply chains, and local power supplies. 

The program is led by the Institute for Security and Technology (IST), a nonprofit think tank that seeks to connect the technology world and the public sector. The program, which kicked off this summer in a pilot, is funded by a $700,000 grant from Craig Newmark Philanthropies as part of the organization's Cyber Civil Defense initiative. The initial phase will focus on the nexus of water and emergency medical care. The project is spearheaded by Josh Corman, executive in residence at IST and co-founder of I Am The Cavalry and CyberMedSummit. 

"Whether it's food or shelter or warmth, everyone relies on infrastructure to live. Bad actors know that, too. This isn't alarmism. It's a very real threat our country faces today," says Craig Newmark, philanthropist and founder of Craigslist and the Cyber Civil Defense Initiative. "It's all of our jobs to push governments and utilities and companies to be better on this stuff. That means extra work for maybe understaffed IT, and they can get very annoyed with me, [but] OK, if it helps prepare for the worst. In the meantime, I'm putting my money where my mouth is."

The project's initial phase involves engaging stakeholders and listening to their concerns and limitations, whether they're financial, technical, or a combination of the two, says Megan Stifel, chief strategy officer at IST.

Like the scramble to prepare for Y2K, the UnDisruptable27 initiative benefits from having a tangible timeline, whether any specific threats materialize, Stifel says. 

The call-to-action was spurred by public hearings earlier this year, when Congress and US government cybersecurity leaders explored the potential threats to infrastructure posed by China's Volt Typhoon group and other state-sponsored actors. The project's goal is to make critical infrastructure supporting basic human needs "undisruptable" by 2027. 

"We are seeing more disruptions, larger disruptions, longer disruptions, and more public life- and safety-affecting disruptions. And that's not OK. That trajectory is unsustainable," says Corman. He calls areas like water and power delivery systems and other infrastructure "target-rich and cyber-poor," meaning they represent a massive attack surface yet lack the resources to adequately protect themselves from cyberattacks. 

"If we see hybrid conflict on top of the disruption trend that we already see, the average citizen is not prepared," Corman says. "We don't want panic, and we don't want preppers, but what we do think is no one should be blindsided or surprised by this, and we can make choices between now and an era of potential heightened geopolitical context or conflict context."

To help stress the need and get the public onboard, UnDisruptable27 is taking a page from the natural disaster preparedness playbook and leveraging communications strategies and narrative to influence communities to prepare. 

"We really haven't reached the public, and that's why the public continues to be disrupted and surprised every time there's a CrowdStrike or NotPetya or an Ascension Health," Corman says. "So we're going to go down to meet owners and operators of these critical infrastructure sectors, municipal leadership in the last mile in these communities, and possibly ... even citizens directly for this education campaign. And what that means is we have to meet them where they are."

The group chose to initially focus on the intersection of water and health care because it's already in the public eye, according to Corman. 

One potential resource for local communities could come in the form of help from the Consortium of Cyber Security Clinics, a network of university-based clinics that train students to do direct engagement with under-resourced organizations that need help regarding their cybersecurity maturity. While in its early phases, Corman and UnDisruptable27 will identify areas of need and connect with municipalities and utilities. In later stages, the group hopes to partner with the clinics to connect those needing help with resources. 

Smaller organizations in local communities are incredibly vulnerable, says Sarah Powazek, program director of public interest cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity. These under-resourced communities can provide very attractive targets for cyberattackers, and projects like UnDisruptable27 have the potential to have significant impact.

"I think that the most important institutions to protect aren't always the largest," Powazek says. "I think we're really missing this network of care at the community level. And I think we're missing a strategy to help them protect themselves in a long term sustainable fashion. And I think that the UnDisruptable project is going to be one of many initiatives that is needed to help serve these institutions."

What would a worst-case scenario look like for your town? The power grid going out, leaving your community without electricity for days on end? A disruption to the local water supply? Or a cyberattack on the emergency medical response system and medical facilities, leaving people stranded, without access to care during life-threatening situations? 

These are the kinds of scenarios that UnDisruptable27 seeks to prepare for – cyberattacks against critical infrastructure in local communities across the United States – focusing on four principal areas: water and wastewater, emergency medical care and hospital services, food supply chains, and local power supplies. 

The program is led by the Institute for Security and Technology (IST), a nonprofit think tank that seeks to connect the technology world and the public sector. The program, which kicked off this summer in a pilot, is funded by a $700,000 grant from Craig Newmark Philanthropies as part of the organization's Cyber Civil Defense initiative. The initial phase will focus on the nexus of water and emergency medical care. The project is spearheaded by Josh Corman, executive in residence at IST and co-founder of I am The Cavalry and CyberMedSummit. 

"Whether it's food or shelter or warmth, everyone relies on infrastructure to live. Bad actors know that, too. This isn't alarmism. It's a very real threat our country faces today," says Craig Newmark, philanthropist and founder of Craigslist and the Cyber Civil Defense Initiative. "It's all of our jobs to push governments and utilities and companies to be better on this stuff. That means extra work for maybe understaffed IT, and they can get very annoyed with me, [but] OK, if it helps prepare for the worst. In the meantime, I'm putting my money where my mouth is."

The project's initial phase involves engaging stakeholders and listening to their concerns and limitations, whether they're financial, technical, or a combination of the two, says Megan Stifel, chief strategy officer at IST.

Like the scramble to prepare for Y2K, the UnDisruptable27 initiative benefits from having a tangible timeline, whether any specific threats materialize, Stifel says. 

The call-to-action was spurred by public hearings earlier this year, when Congress and US government cybersecurity leaders explored the potential threats to infrastructure posed by China's Volt Typhoon group and other state-sponsored actors. The project's goal is to make critical infrastructure supporting basic human needs "undisruptable" by 2027. 

"We are seeing more disruptions, larger disruptions, longer disruptions, and more public life- and safety-affecting disruptions. And that's not OK. That trajectory is unsustainable," says Corman. He calls areas like water and power delivery systems and other infrastructure "target-rich and cyber-poor," meaning they represent a massive attack surface yet lack the resources to adequately protect themselves from cyberattacks. 

"If we see hybrid conflict on top of the disruption trend that we already see, the average citizen is not prepared," Corman says. "We don't want panic, and we don't want preppers, but what we do think is no one should be blindsided or surprised by this, and we can make choices between now and an era of potential heightened geopolitical context or conflict context."

To help stress the need and get the public onboard, UnDisruptable27 is taking a page from the natural disaster preparedness playbook and leveraging communications strategies and narrative to influence communities to prepare. 

"We really haven't reached the public, and that's why the public continues to be disrupted and surprised every time there's a CrowdStrike or NotPetya or an Ascension Health," Corman says. "So we're going to go down to meet owners and operators of these critical infrastructure sectors, municipal leadership in the last mile in these communities, and possibly ... even citizens directly for this education campaign. And what that means is we have to meet them where they are."

The group chose to initially focus on the intersection of water and health care because it's already in the public eye, according to Corman. 

One potential resource for local communities could come in the form of help from the Consortium of Cyber Security Clinics, a network of university-based clinics that train students to do direct engagement with under-resourced organizations that need help regarding their cybersecurity maturity. While in its early phases, Corman and UnDisruptable27 will identify areas of need and connect with municipalities and utilities. In later stages, the group hopes to partner with the clinics to connect those needing help with resources. 

Smaller organizations in local communities are incredibly vulnerable, says Sarah Powazek, program director of public interest cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity. These under-resourced communities can provide very attractive targets for cyberattackers, and projects like UnDisruptable27 have the potential to have significant impact.

"I think that the most important institutions to protect aren't always the largest," Powazek says. "I think we're really missing this network of care at the community level. And I think we're missing a strategy to help them protect themselves in a long term sustainable fashion. And I think that the UnDisruptable project is going to be one of many initiatives that is needed to help serve these institutions."