Cybersecurity professionals warned Congress on Tuesday that America’s water systems are not prepared to ward off complex digital threats, including from Chinese and Russian hackers.
Among the lifeline sectors of water, energy, communications and transportation, the water sector is the most vulnerable and under-resourced to fight off cyber trikes, according to Charles Clancy, senior vice president at the MITRE Corporation.
Mr. Clancy, who is also the think tank’s chief technology officer, said the U.S. water sector needed to prepare for large-scale cyber conflict and take more targeted measures to fight off hostile forces in a crisis. He noted Chinese President Xi Jinping has ordered his military to be prepared for military action against Taiwan as early as 2027.
“The U.S. military is kicking its response planning into high gear, but the U.S. may be existentially unprepared to defend its critical infrastructure for what would undoubtedly be an initial wave of attacks, followed by a sustained cyber campaign targeting U.S. infrastructure,” Mr. Clancy warned in written testimony to the House Homeland Security subcommittee overseeing cyber affairs.
Mr. Clancy said America needed to begin piloting, exercising and planning for scenarios requiring isolated operations across the critical infrastructure sectors.
The water sector is so poorly prepared, Dragos CEO Robert Lee told lawmakers, that it cannot use the free cybersecurity tools his company provides.
Mr. Lee told lawmakers his company gave its products and training for free to U.S.-based utility providers with under $100 million in annual revenues and he found they were not equipped to accept the help of his Community Defense Program.
“To use any technologies most of the water municipalities need basic infrastructure upgrade,” Mr. Lee said in his prepared testimony. “Even a one-time cost of $3,000 on hardware and networking gear would be completely out of budget for these organizations and require a city council vote on the topic of cybersecurity that they do not likely understand.”
Examples of poor cybersecurity in the water sector abound: Last month, a hacking activist group linked to Russia posted a video on the platform Telegram showing the manipulation of water tanks in Texas, according to Mr. Lee. The video suggested the hackers manipulated the tank water level indicators, which remotely turned on the pumps.
MITRE, which operates federally funded research and development centers, and Dragos, which secures industrial controls systems, are not the only ones sounding the alarm on the nation’s water supply.
Microsoft warned that America’s water systems were easy targets for cyberattackers in a December report. The tech giant partnered with the nonprofit Cyberspace Solarium Commission 2.0 to review the problem and met with federal agencies and private entities to understand hacking threats.
The report warned that the lack of regular maintenance and updates in the water and wastewater sectors made them “especially vulnerable to exploitation.”
Rep. Carlos Gimenez, Florida Republican, said one solution might be to take sensitive technology systems offline.
“The vulnerability comes from the fact you’re tied to the internet — anybody can attack you from anywhere in the world,” Mr. Gimenez said at Tuesday’s hearing. “If you have a closed system, [an] intranet, they can’t attack you from anywhere in the world because you’re a closed system.”
“And we could not operate it,” Mr. Lee interjected.
Mr. Lee said operational technology systems were built in a manner that makes moving things offline a bad idea and, instead, digital defenders needed to focus on dealing with risk while staying online.
Mr. Gimenez told Mr. Lee that the Chinese Communist Party may have 50 people working on cyber for every single American doing the same, echoing recent testimony from FBI Director Christopher A. Wray.
“You’ll never be able to out-resource them, OK? So shouldn’t we develop walls that are really hard to penetrate?” Mr. Gimenez said. “If you’re somehow attached to the internet, you are bound to fail. We are bound to fail.”
Mr. Lee said he still liked America’s odds.
“I’m an Air Force and [National Security Agency] alum, sir. I would take one of ours for 50 of theirs any day,” Mr. Lee said.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.
Please read our comment policy before commenting.