Jim Dempsey
We're talking dependency on private sector contractors who themselves then in their products and services are dependent upon these industrial control devices and these operational technology systems which are vulnerable.
Justin Sherman
It's the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare and CEO of Global Cyber Strategies, with Andy Grotto, founding director of the Stanford Program on Geopolitics Technology and Governance, and Jim Dempsey, a senior policy advisor to that program and a lecturer at the UC Berkeley Law School.
Andy Grotto
If we want the utility to provide an extra level of resilience beyond what its business interests would support to meet, you know, a national policy need, you know, involving, you know, a higher degree of resilience for military installations because they need to, you know, potentially, you know, project power overseas, well, that's a gap, right? And that gap's not going to fill itself.
Justin Sherman
Today we're talking about the US Military's domestic cybersecurity vulnerabilities in operational technology, how adversaries could exploit them, and what the future of this landscape holds. We're going to speak today, as we heard in the introduction, about your excellent recent study, which was published at the end of 2025 in the Cyber Defense Review and is linked, as always, below this episode. It is titled "Ensuring the Cyber Resilience of Critical Infrastructure Serving Domestic Military Installations: Questions for Senior Leadership." Since of course this is the Lawfare Podcast, I will also note that listeners can find an excellent summary piece of said study published on Lawfare as well. So to jump right in, start by framing for us (a) what motivated you to write this study in the first place and then (b) some of the high-level questions you were seeking to address by doing so.
Andy Grotto
Thanks, Justin. It's really good to be here and I'm looking forward to talking about a topic that has certainly bothered me for well over a decade now. When I came to Stanford in 2017, I'd spent the previous several years as the Senior Director for Cyber Policy in the National Security Council. You know, I was very, very concerned then, again, you know, 10-plus years ago, about the ability of adversaries to surveil and penetrate American critical infrastructure. OT, operational technology, presents a different set of challenges than IT when it comes to security. This is something that we can maybe go a little bit deeper into further into the program, but you know, applying all the insights and lessons from IT to OT directly isn't as straightforward a proposition. Fast forward nine years and an opportunity came along to partner with the Army Cyber Institute at West Point to look at, in particular, the critical infrastructure cybersecurity posture around US military, specifically Army, installations. And this is before the public revelations about the Volt Typhoon, you know, series of attacks. You know, these are the Chinese PLA intrusions on critical infrastructure. And we set about to try to understand what risk management looks like from the perspective of both the local Army installation as well as the critical infrastructure providers who provide them with services pursuant to procurement contracts. Again, with an eye towards trying to, if not solve, at least make some headway on this problem that I think has really dogged American cyber policy. Again, going back at least 10-plus years.
Justin Sherman
There's a lot to dive into in the study, so perhaps we can sort of break this up into various components. Before you get into assessing the current state of some of the risks Andy was just speaking about, how did you both go about mapping the Army's critical infrastructure dependencies? Including, in this case, how does one go about finding those dependencies, and what sources did you use to inform that assessment?
Andy Grotto
We had a great graduate student working with us as a research assistant, and we challenged her to essentially find out what she could about the critical infrastructure dependencies of two Army installations in particular, using open source online and other resources, the kinds of resources that a threat actor without access to intelligence or any other proprietary sources would have access to. And we asked her to focus, for these two installations, on electricity, natural gas, water and freight rail dependencies. She looked at materials posted on the installations' websites, on the Pentagon's website as well. You know, local, state and federal environmental and other reports on the installation or their provider, their critical infrastructure providers, you know, government databases, you know, so for example, the U.S. Energy Information Administration has this energy atlas which includes a map of electric generation facilities and transmission lines. And you know, she used, you know, some of the search capabilities to discover OT systems online. She was able to put together a very detailed description of the installations' critical infrastructure dependencies, including maps, descriptions of specific equipment, even supply chain dependencies. In fact, in one case, she was even able to identify one of the providers' use of a specific industrial control system that had a known vulnerability in it which was later patched. We estimate it took her probably about 20 to 30 hours to develop each of these dossiers. But you know, obviously an adversary, a well-resourced adversary, could spend a lot more time than that and compile dossiers that go much deeper, including drawing on their own intelligence sources. And by the way, we don't really address in our report the reasons why so much information about critical infrastructure is readily available from public sources. Suffice it to say it is.
Jim Dempsey
I did a little bit of my own knocking around as well, Justin, and there are good reasons why a lot of this information is public. Government contracts are public. So when a utility gets a contract to supply water, electricity or natural gas or any other service for good and just reasons, that contract is public. Companies often issue press releases when they get new contracts either to be a supplier or to do construction of critical infrastructure on a military installation, they'll issue a press release. So for a variety of good reasons, there's a lot of public information. There's water quality reports for army installations, which basically indicate where the army installation gets its water. So across the board, sector by sector, there's a lot of information out there. And as Andy said, we're not even talking about what an adversary could obtain by illegal means. We were just talking 100% open source.
Andy Grotto
And US military installations in the United States are dependent on civilian critical infrastructure almost without exception. Right. You know, whether it's an Army installation or a different service, you know, they sit within a community, and that same community's power, water treatment, rail will also service the installation. That means, in essence, that these installations are purchasing these services from critical infrastructure providers, which is to say they're contractors. They're contractors for whom the government is not their only customer. They also provide services to their local communities, who also have an interest, by the way, in understanding water quality and having information available to them to hold their critical infrastructure service providers to account. So a lot of good reasons for the information to be public. But I think the key point to really hammer here is that the Pentagon in the United States is deeply reliant upon civilian critical infrastructure for a vast array of essential services.
Jim Dempsey
This point that Andy's making about the dependence on private sector contractors is relevant whether you are purchasing electricity from a generation and distribution network outside the fence or whether you have a generation capability on the base itself. Because in both cases, whether you're bringing in electricity, as almost every base is on a transmission line, or whether you're generating it on base, the company that has built the infrastructure is the same company. Everything that's on base is built by a contractor. And in many cases, everything that's on base is owned and operated by a contractor. So the same point applies. We're talking dependency on private sector contractors who themselves then, in their products and services are dependent upon these industrial control devices and these operational technology systems, which are vulnerable.
Justin Sherman
All really important points. I mean, as you're saying, we'll come back to subcomponents of this. But you mentioned, Andy, the PLA, and I think that's a great point too, because we hear, rightfully so, about the incredible sophistication of threat actors like Volt Typhoon and what they're doing in our infrastructure. And at the same time, maybe it loses some of what you're both saying: that, yes, the Chinese have very sophisticated capabilities, and at the same time, a lot of the baseline information about what bases might be dependent upon in terms of infrastructure is just out there in the open. But this is a great segue, Jim. So give us that overview then, of course: what are those dependencies that you found? Right. What does that look like across energy, across water systems and other categories of critical infrastructure you were investigating?
Jim Dempsey
The theme of the Army Cyber Institute project that we got funding under to do this work, the theme of that overall project, was resiliency and readiness. What is the readiness of our war fighters? Can we deploy the military assets that we have in the United States, which we depend upon in the case of any major conflict anywhere in the world? Can we rapidly and efficiently, in a timely fashion, get those troops and tanks and other resources on rail cars and on ships in order to protect them abroad? Can the planes take off? Can the ships leave harbor? And in all of these cases, all of those forces, all of those war fighters depend upon some very, very fundamental things. Electricity, water, wastewater treatment, natural gas, rail transportation, telecommunications. So some very, very mundane things are critical. You know, Secretary Hegseth has emphasized lethality. And lethality depends upon the best and most efficient and most resilient drones and ships and tanks and weapon systems. But it also depends upon the same things that all of us depend upon in our daily lives. Water, power, gasoline, natural gas, wastewater treatment. And disruption in any of those, there's no doubt, would impede the ability to readily deploy America's war fighting resources.
Justin Sherman
Let's talk then about the risks facing all of the infrastructure you just mentioned. So in this study you write that operational technology, or OT, systems are uniquely vulnerable, whether, as you alluded to, they're on base or they're off base. And we'll get in my next question to specific flaws and classes of flaws that these systems are known to exhibit. But first, to focus on the actors that are interested in threatening the systems in the first place. One, what are US adversaries doing at the OT and cyber intersection? And two, what kinds of cyber activity or capability development are we talking about here? Right. Is this sort of well distributed in the range from pure information exfiltration to outright disruption? Is it pretty heavily skewed one way or the other?
Jim Dempsey
Well, as Andy said, the warnings, the recognition that adversaries are infiltrating our domestic critical infrastructure, that's been well known now for years. In 2018, CISA issued an alert that Russia was found in US critical infrastructure. In 2020, CISA and the NSA warned that cyber actors had shown their willingness to conduct malicious cyber activity against critical infrastructure in the US by exploiting Internet-accessible OT. In May 2024, US and allied agencies warned that pro-Russian activists were targeting and gaining remote access to OT systems in North American and European water, wastewater, dams, energy, food and agriculture sectors. October 2024, Iranian cyber actors. April 2024, a report from Mandiant: Russian hackers had infiltrated a Texas water facility. February 2024, federal agencies warned that cyber actors sponsored by the PRC had pre-positioned themselves on networks of US critical infrastructure with the goal of conducting disruptive or destructive cyber attacks. So there has been a steady, steady drumbeat of these reports over the years, and they're not talking in hypotheticals. The reports are reports of finding the bad guys in our networks. And of course we saw last year one of the most consequential of these, one of the most remarkable of these, which was the PRC infiltration of the US telecommunications network, including access to massive amounts of call detail records, as well as some interceptions of actual live communications. And then just a month ago, in December, another alert by CISA and partner agencies, a dozen European agencies joined in this, as well as the Australians and the Canadians: pro-Russian activists conduct opportunistic attacks against US and global critical infrastructure. The interesting point about that one is the report was basically saying these guys are relatively unsophisticated.
They're these sort of hybrid activists, sort of pro-Russia, tolerated by, if not outright supported by, the Russian government, conducting attacks again against critical infrastructure. And these were not the APTs, these were not the advanced persistent threat attackers, using, though, minimally secured Internet-facing virtual network connections to gain access to OT control devices. Water, wastewater, food, agriculture, industry. So a very, again, not hypothetical, very long-running problem, very well known, that adversaries are positioning themselves. I guess again, maybe we jumped over one point. An awful lot of US cybersecurity policy in the past 20 years, if not longer, has been focused on information technology. Data, bits and bytes that are, you know, the digital equivalent of papers and reports and documents. We're talking here, though, about operational technology, which are devices that control not reports and papers and documents, etc. Not information, not personal data. They control things. They control physical things, the valves, the switches, the other controllers that are central to dams, water, electricity, manufacturing. Every manufacturing plant in the country today of any size is highly automated and is controlled by those machines, which are controlled by industrial control systems. And the technology of those industrial control systems, that's what is also vulnerable. And that's where the adversaries, in addition to stealing all of our information, both intellectual property as well as government secrets, the adversaries are targeting this technology that controls physical processes.
Andy Grotto
No country tolerates espionage. Governments try to fight it, they try to prevent it from happening. But even when it does happen, there's sort of a sense among governments that okay, nation states spy on each other. And that is maybe not tolerable as a matter of policy, but we all sort of wink, wink, nod, nod that, yeah, okay, we're all going to spy on each other. What makes the intrusions into OT, especially power, water, systems like that, different is there is no real intelligence value to breaking into those networks. There's no classified information there. Right? It's not documents and data that the bad guys are after. It's the ability to then, or in the future, hold that asset at risk for disruptive purposes. And so attacks on OT are escalatory in a way that espionage is not. Again, we don't tolerate espionage. We try to prevent it from happening, but it's just different than would be acts of sabotage. If you look at threat reports put out by groups like Dragos and others who track OT security threats, the incidence is going up. Jim alluded to this. Further complicating matters is the fact that as IT, information technology, and OT become more integrated, more embedded, attacks on IT can trickle over into disruptive impacts on, say, manufacturing. This has happened a few times, even recently, for the beer drinkers of the world. Asahi Brewing in Japan had their brewing operations disrupted for a period of time because of a ransomware attack against their IT systems. Jaguar Land Rover in the UK also had a five-week manufacturing outage because of an IT ransomware attack. Again, these are all attacks on IT spilling over into OT, or at least having an impact on physical operations. But even those are different than the types of attacks that Jim and I have been focused on, which is OT attacks focused on specifically critical infrastructure where there is no discernible intelligence collection rationale.
The only reason why an adversary would break into these systems is to hold them, and hold them at risk.
Justin Sherman
I'm very, very glad you made that point. Undoubtedly we all are tired. I don't know how long folks have been trying to draw out those distinctions you're describing, and yet we still hear those getting conflated. Including just the other day in a mainstream article I was reading on how we are going to stop our adversaries from doing XYZ cyber espionage thing. And I thought, okay, there's lots of problems with this sentence, including the word "stop," but once again we're transitioning well here. So what are then some of those major flaws in OT systems? Are there ones that concern you most from the military perspective, whether it's water, energy, something else? Are they, to be a bit reductive about it, equally vulnerable, or are there ones that really stand out as having particularly egregious flaws or potential impacts of exploitation of those flaws?
Jim Dempsey
I think the risk reaches across sectors, and in part it reaches across sectors, whether it's transportation or water, electricity or natural gas, to the extent they are networked, to the extent that these devices are connected to the Internet, and we'll get to that in a second. But to the extent that these infrastructures are dependent upon operational technology and these industrial control devices, then these infrastructures are equally vulnerable, in part because these devices and these features and these functions apply across infrastructures, so that a particular industrial control device, a particular sensor, may be common across a wide range of applications. And we're seeing that this technology, this operational technology, these controllers, these sensors which collect the data, and then the networks that transmit the data to some central point where it gets analyzed and can be acted upon either with or without human intervention, that these networks of devices are phenomenally vulnerable. On January 22, CISA, the Cybersecurity and Infrastructure Security Agency, which has a whole function devoted to industrial control systems, released eight separate advisories on eight separate kinds of industrial control devices made by all the leaders: Johnson Controls, their so-called iSTAR Configuration Utility, Rockwell Automation, Schneider Electric. Quasi-household names. I don't, maybe not household names to others, but these are very big, very common companies who have devices in lots and lots and lots of industries, as well as other companies that to me at least aren't, but eight advisories of vulnerabilities on one day. Back on January 14, for example, CISA issued one advisory on a Siemens set of products, industrial edge devices. The advisory listed over 60 separate Siemens products or product versions that had a particular category of vulnerability. And what are these vulnerabilities?
Some of them are remarkably fundamental. Not infrequently, these OT devices use default passwords or have no password protection. Others do not protect the integrity of messages during transmission. So you've got a sensor, and then you've got a processor, and then an actuator that acts upon that information. But if the channel of communication between the sensor in the field and the control function at some central location, if that communication itself is not encrypted, then it's vulnerable and the bad guy can change that and send bad data to the system, and everything is toast from then on. So no passwords, no encryption, or software vulnerabilities. A lot of these industrial control devices, even though they control physical functions and processes, they are software based. And what was remarkable to me as I dug in on this, because, you know, I've written a lot about software liability and the vulnerability of software, particularly in information technology systems, but what I learned when I started diving into the operational technology side of things is that the OT devices have exactly the same types of vulnerabilities that the IT systems have. Buffer overflow, for example. One of the CISA alerts issued yesterday on a Johnson Controls device: buffer overflow. A common, well-known and avoidable flaw. Well known in software, documented, I think, for 50 years; people started talking about buffer overflow, I think, 50 years ago. One industrial control product that was the subject of a CISA advisory two years ago had four software vulnerabilities attributable to weaknesses on the list of the 25 most dangerous software weaknesses. In other words, MITRE compiles a list of software weaknesses and ranks them in terms of how dangerous they are. These are all, again, well known. There are a lot of repeats on the list from year to year. This one product had four different software vulnerabilities. One more data point.
Microsoft reported in 2023 that 78% of industrial network devices monitored by Microsoft Defender for IoT, 78% of these devices, had known vulnerabilities. And then on top of that, even if they do have security features, the humans installing them often override or bypass the security features. So we've got a serious, serious, widespread problem.
Justin Sherman
I want to draw this out a little further, because I love one of the examples you included in the study of the very dynamics you're talking about, and then we'll move on. But just briefly, one of those examples to illustrate this problem is that you say in the study that we need to forget the myth of the air gap, referring to when a system is not Internet connected and therefore, in some view, is unhackable or something like that. Can you draw that out? Why is it a myth that severing Internet connectivity will render these systems entirely secure?
Jim Dempsey
It's not that severing the connectivity will render them secure. It's that in reality, they are rarely severed. The sort of standard line about OT has been for decades: oh, don't worry. That device, that system, that industrial control process is not connected to the Internet. So the bad guys can't get it. It is air gapped, it is cut off from the Internet. And again and again and again, when we did this research, Andy and I heard, forget it, that the benefits of Internet connectivity, the benefits, by the way, of connecting your IT network and your OT network, are so great that it's unavoidable. And even though you may have a policy or a guideline, don't connect, don't connect, devices get connected. And we cannot assume, even if supposedly the device is not accessible by the Internet, in most cases, when a really good assessor goes in there, they'll find connections, often magnitudes greater numbers of connections than the system operator thinks they have.
Andy Grotto
And the tailwinds to this trend of connecting OT to broader networks are strong. If you think about all the excitement about using AI, for example, to optimize electricity distribution and transmission in the United States, the only way to do that is if the systems are connected, right? I mean, that's just the reality. So we're sort of perhaps in an early phase of a push to connect even more of these OT assets to the Internet, again to derive all sorts of significant benefits. It's worth reminding folks that cybersecurity risk management is an optimization problem, right? If you want to avoid cyber risk altogether, like, don't buy a computer, don't, you know, don't use digital technologies. But obviously you know that's a pretty extreme measure. You forego all the benefits. And so, you know, it comes down to an optimization problem. And one of the challenges that both Jim and I have been thinking about for a long time is, you know, who decides what the right balance is, right? Does an individual company, an individual critical infrastructure provider, decide for itself, this is my risk appetite, or does the government have an opinion on this? Jim has used this great phrase about critical infrastructure cyber regulation in the United States as kind of this patchwork quilt. Some sectors have no requirements. Some do, but there's certainly no uniform set of expectations, and problems emerge. If we think about it from the standpoint of a U.S. Army installation, its vision for what its resilience needs are could very well be different than the privately owned critical infrastructure operator's.
If you think about basic microeconomic terms like externalities, in essence, you know, if we want the utility to provide an extra level of resilience beyond what its business interests would support to meet, you know, a national policy need, you know, involving, you know, a higher degree of resilience for military installations because they need to potentially project power overseas, well, that's a gap, right? And that gap's not going to fill itself. The incentive for the private provider has to come from somewhere. One way that Jim and I argue, one source, is procurement, the government's procurement power, and using that to close that gap between what a national policy level of resilience looks like versus what, again, the privately owned critical infrastructure providers' business interests are when it comes to resilience.
Justin Sherman
Let's talk about procurement in a moment. I want to sort of break down part of the way you describe the responses that are ongoing to this set of issues, both, quote unquote, inside the fence and, quote unquote, outside the fence. So with respect to systems inside the fence, you write that the Department of War is implementing what is called the Energy Resilience Program. And then with respect to OT systems that lie outside the fence, you mention the sort of patchwork landscape of cybersecurity regulations and standards. So what do those two look like? What is that Energy Resilience Program doing? And then what do you think the landscape does or does not do with respect to sufficiently protecting this infrastructure outside the fence?
Jim Dempsey
So it's not like the Department, I mean, the Department of War is well aware of this problem. They totally are aware of their dependency on privately owned and operated or municipally owned and operated critical infrastructure and that their bases receive a lot of critical infrastructure from off base utilities. So what the military has been trying to do and spending billions of dollars on is building more on base capacity, particularly electricity and water, more on base capacity under what they call the Energy Resilience Program, billions of dollars. Here's the problem. Camp Lejeune Marine Corps Base obviously gave a contract to expand its on base electrical generation capability, including solar and, as Andy suggested, more broadly, a very sophisticated load management system that connects all the devices. And the goal is to have the ability to live off the grid for 14 days to sustain critical operations. So every military installation in the United States is under this mandate flowing from Congress to achieve islanding, it's called: you island off the base from its dependency on the public utility outside the fence. So what did Camp Lejeune do? It had to go to the public utility outside the fence, Duke Power, in order to build the inside the fence on base electrical grid. What did Duke Power do? They bought and installed batteries made in China that had Internet connectivity. So in the effort to island off the base and to make the base self sustaining, basically the Marine Corps and its contractor Duke Energy had imported the vulnerability on base. And that is what said to us we need to look at the procurement power and how it is being used. The utility on base, all the operations on base, fall outside of really any regulatory structure. It's not FERC regulated, it's not regulated by EPA. As Andy said, there is no regulation of the cybersecurity of water, drinking water and wastewater treatment. 
And what exists for pipelines only covers the big pipelines following the Colonial incident. It doesn't really cover the last mile that carries the natural gas to the base; the electricity, same thing. The Federal Energy Regulatory Commission, working in a sort of self regulatory, co regulatory process with industry, has very detailed and sophisticated cybersecurity standards for the bulk electric power system. But again, it doesn't apply to what's on base and it doesn't really address some of the last mile distribution questions. At the end of the day, really the only power, in the absence of Congress acting to actually regulate these critical infrastructures, the only lever, but a potentially strong lever that the government has is the procurement power. But while there are government procurement standards for information technology, and any government contractor in the country is now under this CMMC, Cybersecurity Maturity Model Certification, process for their IT systems, there's no similar system of regulation through the procurement process for operational technology.
Justin Sherman
I feel like we're noticing a theme here. We throw operational in front and suddenly we're relatively lacking. I want to get also to kind of the future threatscape in a second, but just quickly give us what is the rundown on the procurement set of levers that are available and then which ones do you think are best positioned to be used to strengthen OT cybersecurity?
Jim Dempsey
Obviously the government can in its contracts require whatever it wants to require. And it does obviously set standards, pretty stringent standards, for the IT systems that it procures itself. And now it is reaching to the IT systems owned and operated by the contractors in fulfilling any kind of government contract through the CMMC. So the government could do the same thing for operational technology. The government has for its facilities something called a UFC document, which is supposed to be a unified facilities controls, sets criteria. I looked at that in detail and on some of the key points it's pretty open ended. It has a sentence saying you should not connect OT systems to IT systems, but if you do, be careful. Literally that's almost exactly what it says. And it doesn't say how to do that and doesn't say what you do from a risk management perspective, recognizing that you are likely to have connections, and there's really not much out there. You know, we're in the middle of this massive, and I think the price tag is $5 billion, ripping and replacing of the Huawei and ZTE switches from the telecommunications backbone to get the Chinese devices out of the telecommunications network. Although Salt Typhoon didn't attack Chinese devices, they attacked Western made devices that were vulnerable in order to get in. Which is an interesting problem and an interesting illustration of the lack of regulatory action on the telecommunications side. But on the energy side we have a lot of Chinese products. Lots and lots of Chinese equipment has been imported. And so what first we need and what we recommend in the paper is first we need an inventory. The start of any cybersecurity program is inventory. What's on your network, what's connected to your network. An inventory to determine is Camp Lejeune the only domestic installation that has Chinese made products on base in critical infrastructure? I'm guessing it probably isn't, but it would be nice to find out. 
I think right now no one really knows how many China made products are on US military bases in critical infrastructure. And then secondly, whether the products are China made or not, we need some really deep, deep look and careful look at the connections of the current devices. And then we need a document that can be incorporated in contracts the way that NIST documents on IT are incorporated in documents. So again, on the IT side, when the government purchases it or when its contractor uses it, even if the government's not purchasing it, if the government is purchasing a tank or take something unclassified, still we have a strict requirement, 110 separate controls roughly applied to the IT systems of contractors. We have nothing on the OT side. My understanding is if something has been drafted or is in a process or there's a process to try to come up with something that needs to be accelerated. We need, in my view quite strongly, I believe that we need to have some criteria for contractors on the OT side similar to what we have on the IT side.
Andy Grotto
Insofar as the Pentagon sees a gap between the level of resilience needed to meet national policy, national defense needs, versus the level of resilience that a critical infrastructure operator finds acceptable, you know, in procurement contracts, it needs to, you know, make that clear and then specify, okay, you know, what do you, the contractor, need to do to meet that higher need? And that's where the standards come into play. It's hard to, you know, chart that course. You know, Jim and I are both lawyers, right? As lawyers, right? It's hard to, like, you can wave your hands about doing better, but unless you've actually got language in the contract that gives both parties some guidance on where the provider needs to be, the odds of the provider achieving that, hitting that mark are pretty low. And then this piece, I think, is in some ways more impactful on the practical reality of incentivizing better security in the part of critical infrastructure. And that is who's going to pay for it, right? And the government's got to be prepared to pay for a higher level of resilience. Right? If it wants infrastructure operators to invest more in security, it's got to be prepared to pay for it. And many of these critical infrastructure sectors, think water, as an example. They operate on razor thin margins. I mean, you know, they're not making money. And so any additional requirement put on them that requires investment on their part is going to be tough for them to meet, just as a reality. And I think one of the reasons why I think it's been so hard to have a coherent kind of national level policy debate about, okay, what level of resilience do we think critical infrastructure across the board needs to hit is all these questions about who pays for it. I'll offer this as a hypothesis. 
I think if the government, Congress, the executive branch were willing to pay, for example, the water sector, which vehemently objected to EPA's kind of tentative foray into cybersecurity standards a few years ago, I think if the EPA was in a position to say, we want you to do more and we're going to help you by furnishing resources, I think that's a completely different conversation. And I don't think we end up where we are today, which is the water utilities suing the government, EPA getting scared, pulling the guidance back, and then obviously having the Supreme Court intervene later to drastically reduce the government's general ability to regulate.
Justin Sherman
Well, speaking of policy will or perhaps political will, where do you think the department is most likely to move or not move in the next year or two ahead? And then when you think about the future threat space, we've heard sort of the core cluster of typical U.S. adversaries mentioned throughout this conversation. I imagine China is, if not at the top, pretty high on that list. But how do you then, in addition to what the department might do, think about what adversaries might be doing in the coming years that concerns you the most in this area?
Andy Grotto
Well, Jim alluded to the CMMC program. These are the new cybersecurity requirements that the Pentagon requires for all contractors. Those are now in effect. And I think, you know, over the coming, you know, 12 months, both the Pentagon and its contractors are going to gain a ton of experience in how procurement requirements for cybersecurity intersect with kind of both, you know, the realities of service provision, but then also the cost questions. I'm actually feeling more optimistic than I have in a while about the prospects for the Pentagon really picking up this OT security issue because, as Jim mentioned, it's not like leadership's not aware of it. It's really, I think, a question of how, and if the Pentagon were to take Jim's and my advice and conduct an inventory, I think that's a first step. I think Jim's absolutely right that they will not like what they find. That's our prediction. That creates a lot of room for, again, a discussion not only of what are the types of OT standards that providers need to implement in order to achieve a satisfactory level of resilience, but then, okay, how do we create the market and investment conditions to fulfill those requirements? Again, a lot of that comes down to who's going to pay for it, which obviously has a budget dimension to it. And so the Congress will play a huge role, as it often does, in shaping the Pentagon's IT and broader digital technology operations.
Justin Sherman
That's all the time we have, Andy. Jim, thanks for joining us.
Jim Dempsey
Pleasure.
Andy Grotto
Thanks, Justin.
Jim Dempsey
Thanks.
Justin Sherman
The Lawfare Podcast is produced by the Lawfare Institute. If you want to support the show and listen ad free, you can become a Lawfare Material Supporter at lawfaremedia.org/support. Supporters also get access to special events and other bonus content we don't share anywhere else. Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Allies, the Aftermath and Escalation, our latest Lawfare Presents podcast series about the war in Ukraine. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patia and our audio engineer for this episode was Kara Schillen of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.
Sponsor/Advertiser Voice
Feeling heavy and depleted after the holidays? Prolon's five day fasting mimicking diet makes it easy to reset your body, habits and energy heading into the new year. Developed with USC's Longevity Institute, Prolon is a nutrition program that works at the cellular level to rejuvenate you from within, supporting fat loss, glowing skin and sharper focus. It's a simple, science backed way to turn intentions into action. No injections, no guesswork, just real results. Get 15% off plus a bonus gift when you subscribe at prolonlife.com/start. That's prolonlife.com/start.
Date: January 27, 2026
Host: Justin Sherman (Lawfare)
Guests: Andy Grotto (Stanford Program on Geopolitics Technology and Governance), Jim Dempsey (UC Berkeley Law School)
This episode discusses the cyber vulnerabilities in U.S. military operational technology (OT) systems, especially those critical to domestic military installations. Drawing on a major recent study (“Ensuring the Cyber Resilience of Critical Infrastructure Serving Domestic Military Installations”), the conversation explores the dependence on civilian infrastructure, the unique risks posed by OT, known adversary activity (focusing on the Chinese PLA and others), systemic regulatory gaps, and challenges/opportunities in procurement and future policy. The episode offers actionable recommendations and an inside view into the cyber risk landscape confronting military and national security decision-makers.
“OT operational technology presents a different set of challenges than IT...applying all the insights and lessons from IT to OT directly isn’t as straightforward.” (03:51)
“There’s a lot of information out there. And as Andy said, we’re not even talking about what an adversary could obtain by illegal means. We were just talking 100% open source.” — Jim Dempsey (08:25)
“These reports are not hypotheticals…they are reports of finding the bad guys in our network.” — Jim Dempsey (15:21)
"There is no real intelligence value to breaking into those networks...It’s the ability to then or in the future hold that asset at risk for disruptive purposes." — Andy Grotto (20:54)
“The benefits of internet connectivity...are so great that it’s unavoidable…Devices get connected. And we cannot assume...that the device is not accessible by the Internet.” — Jim Dempsey (34:19)
“We need...criteria for contractors on the OT side similar to what we have on the IT side.” — Jim Dempsey (47:56)
“If the government, Congress, the executive branch were willing to pay...I think that’s a completely different conversation.” — Andy Grotto (50:19)
Addressing the “security myth” of disconnection:
"Forget it, that the benefits of Internet connectivity, the benefits by the way of connecting your IT network and your OT network are so great that it’s unavoidable. And even though you may have a policy or a guideline, don't connect...devices get connected." — Jim Dempsey (34:19)
On the regulatory patchwork:
“Jim has used this great phrase about critical infrastructure cyber regulation in the United States as kind of this patchwork quilt.” — Andy Grotto (36:43)
On why adversaries target OT:
“Attacks on OT are escalatory in a way that espionage is not.” — Andy Grotto (20:41)
On the need for procurement reform and inventory:
“First we need and what we recommend in the paper is first we need an inventory. The start of any cybersecurity program is inventory. What's on your network, what's connected to your network?” — Jim Dempsey (45:08)
This episode underscores a critical national security concern: U.S. military and national defense rely on a civilian-run, vulnerable, and poorly regulated patchwork of operational technology systems. Adversaries are already present in domestic critical infrastructure, regulatory controls lag behind current technological and threat realities, and current solutions are incomplete or import new risks (as with connected Chinese-made components). Concrete, urgent steps—like comprehensive inventory, targeted procurement standards, and funding for improved resilience—are needed to address what the guests view as a pervasive, well-understood, but insufficiently prioritized set of risks.