Lawfare Daily: The Military’s Operational Technology Cyber Vulnerabilities
Andy Grotto, William J. Perry International Security Fellow and the founder and co-director of the Program on Geopolitics, Technology, and Governance at Stanford University’s Center for International Security and Cooperation (CISAC), and Jim Dempsey, a senior policy adviser to that program and a Lecturer at the UC Berkeley Law School, join Lawfare’s Justin Sherman to discuss their recent study on the U.S. military’s domestic operational technology (OT) cybersecurity vulnerabilities, domestic installations’ dependencies on critical infrastructure both “inside the fence” and “outside the fence,” and how U.S. adversaries could exploit the flaws. They also discuss the myth of the air gap; the Pentagon's Energy Resilience Program; the role that standards, regulations, and procurement could play in strengthening the cybersecurity of OT systems on which the military depends; and what the threat landscape will look like in the coming years.
Resources:
- James X. Dempsey and Andrew J. Grotto, “Ensuring the Cyber Resilience of Critical Infrastructure Serving Domestic Military Installations: Questions for Senior Leadership,” The Cyber Defense Review 10, no. 2 (2025): 115-138
- Jim Dempsey and Andrew J. Grotto, “The Pentagon’s Operational Technology Problem,” Lawfare, December 15, 2025
Transcript
[Intro]
Jim Dempsey: We are talking dependency on private sector contractors, who themselves then, in their products and services, are dependent upon these industrial control devices and these operational technology systems, which are vulnerable.
Justin Sherman: It's the Lawfare Podcast. I'm Justin Sherman, contributing editor at Lawfare and CEO of Global Cyber Strategies, with Andy Grotto, founding director of the Stanford Program on Geopolitics, Technology, and Governance, and Jim Dempsey, a senior policy advisor to that program and a lecturer at the UC Berkeley Law School.
Andrew J. Grotto: If we want the utility to provide an extra level of resilience beyond what its business interests would support to meet, you know, a national policy need, you know, involving, you know, a higher degree of resilience for military installations because they need to, you know, potentially, you know, project power overseas. Well, that, that's a gap, right? And that gap's not gonna fill itself.
Justin Sherman: Today we're talking about the U.S. military's domestic cybersecurity vulnerabilities and operational technology, how adversaries could exploit them and what the future of this landscape holds.
[Main Episode]
We are gonna speak today, as we heard in the introduction, about your excellent recent study, which was published at the end of 2025 in the Cyber Defense Review, linked as always below this episode, which is titled, “Ensuring the Cyber Resilience of Critical Infrastructure Serving Domestic Military Installations: Questions for Senior Leadership.” Since, of course, this is the Lawfare Podcast, I'll also note that listeners can find an excellent summary piece of said study published on Lawfare as well. So to jump right in, to start by framing for us, A, what motivated you to write this study in the first place, and then, B, some of the high level questions you were seeking to address by doing so.
Andrew J. Grotto: Thanks Justin. It's really good to be here and looking forward to talking about a topic that has certainly bothered me for well over a decade now. When I came to Stanford in 2017, I'd spent the previous several years as the senior director for Cyber Policy at the National Security Council, you know, was very, very concerned.
Then again, you know, 10+ years ago about the ability of adversaries to surveil and penetrate American critical infrastructure. OT, operational technology, presents a different set of challenges than IT when it comes to security. This is something that we can maybe go a little bit deeper into further into the program, but, you know, applying all the insights and lessons from IT to OT directly isn't as straightforward a proposition.
You know, fast forward nine years and an opportunity came along to partner with the Army Cyber Institute at West Point. To look at, in particular, the critical infrastructure cybersecurity posture around U.S. military, specifically army installations. And you know, this was before the public revelations about the Volt Typhoon, you know, a series of attacks, you know, the Chinese PLA intrusions on critical infrastructure. And we set about to try to, you know, understand what risk management looks like from the perspective of both the local army installation as well as the critical infrastructure providers who provide them with services pursuant to procurement contracts.
Again, with an eye towards trying to, you know, you know, if not solve at least make some headway on this problem that I think has really dogged American cyber policy, again, going back at least, you know, 10+ years.
Justin Sherman: There's a lot to dive into in the study, so perhaps we can sort of break this up into various components.
Before you get into assessing the current state of some of the risks you, Andy, were just speaking about, how did you both go about mapping the army's critical infrastructure dependencies, including how did, in this case, how does one go about finding those dependencies and the sources you use to sort of inform that assessment?
Andrew J. Grotto: We had a great graduate student working with us as a research assistant. And we challenged her to essentially find out what she could about the critical infrastructure dependencies of two army installations in particular. Using open source, you know, online and other resources.
You know, the kinds of resources that, that a threat actor without access to intelligence or any other proprietary sources would have access to. And we asked her to focus on these two installations' electricity, natural gas, water and freight rail dependencies. You know, she looked at, you know, materials posted on the installation's websites, on the Pentagon's website as well.
You know, local, state and federal environmental and other reports on the installation or their critical infrastructure providers, you know, government databases, you know, so for example, the U.S. Energy Information Administration has this energy atlas which includes a map of electric generation facilities and transmission lines.
And, you know, she used, you know, some of the search capabilities to, to discover OT systems online. You know, she was able to put together a very detailed description, you know, of the installations' critical infrastructure dependencies, including maps, descriptions of specific equipment, even supply chain dependencies.
In fact, in one case she was even able to identify one of the provider's use of a specific industrial control system that had a known vulnerability in it which was later patched. We estimate it took her probably about 20 to 30 hours to develop each of these dossiers, but you know, obviously an adversary, a resource, a well-resourced adversary, could spend a lot more time than that and compile dossiers that go much deeper, including drawing on their own intelligence sources.
And by the way we, you know, we don't really address in our report the reasons for why so much information about critical infrastructure is readily available from public sources, suffice it to say it is.
Jim Dempsey: I did a little bit of my own knocking around as well, Justin, and there are good reasons why a lot of this information is public.
Government contracts are public, so when a utility gets a contract to supply water, electricity, or natural gas or any other service, for good and just reasons that contract is public. Companies often issue press releases when they get new contracts, either to be a supplier or to do construction of critical infrastructure on a military installation, they'll issue a press release.
So for a variety of good reasons, there's a lot of public information. There's water quality reports for army installations, which basically indicate where the army installation gets its water. So across the board, sector by sector, there's a lot of information out there, and as Andy said, we're not even talking about what an adversary could obtain by illegal means.
We, we were just talking a hundred percent open source.
Andrew J. Grotto: And U.S. military installations in the United States are dependent on civilian critical infrastructure. Almost without exception, right? You know, the, whether it's an army installation, different service, you know, they sit within a community, and you know that same community's power, water, you know, water treatment, rail will also service the installation.
And so that means in essence that these installations are purchasing these services from critical infrastructure providers, which is to say they're contractors. They're contractors for whom the government is not their only customer, right. You know, they also provide services to their local communities who also have an interest, by the way, in understanding water quality and having, you know, information available to them to hold their critical infrastructure service providers to account.
So, so a lot of good reasons for the information to be public, but I think the key point to really hammer here is that the Pentagon in the United States is deeply reliant upon civilian critical infrastructure for a vast array of essential services.
Jim Dempsey: This point that Andy's making about the dependence on private sector contractors is relevant whether you are purchasing electricity from a generation and distribution network outside the fence, or whether you have a generation capability on the base itself.
Because in both cases, whether you're bringing in electricity as almost every base is on a transmission line or whether you're generating it on base, the company that has built the infrastructure is the same company. Everything that's on base is built by a contractor and in many cases, everything that's on base is owned and operated by a contractor.
So the same point applies. We're talking dependency on private sector contractors who themselves then in their products and services are dependent upon these industrial control devices and these operational technology systems, which are vulnerable.
Justin Sherman: All really important points. I mean, as you're saying, we'll come back to some components of this, but you mentioned Andy, the PLA, right. And I think that's a great point too, because we hear, rightfully so, about the incredible sophistication of threat actors like Volt Typhoon and what they're doing in our infrastructure, and at the same time, maybe it loses some of what you're both saying, that yes, the Chinese have very sophisticated capabilities.
At the same time, a lot of the baseline information about what bases might be dependent upon in terms of infrastructure is just out there in the open. So, but this is a great segue, Jim.
So give us that overview then of—what are those dependencies that you found, right? What does that look like across energy, across water systems and other categories of critical infrastructure you were investigating?
Jim Dempsey: The theme of the Army Cyber Institute Project that we got funding under to do this work, the theme of that overall project was resiliency. What is—and readiness.
What is the readiness of our war fighters? Can we deploy the military assets that we have in the United States, which we depend upon in the case of any major conflict anywhere in the world; can we rapidly and efficiently in a timely fashion get those troops and tanks and other resources on rail cars and on ships in order to protect them abroad. Can the planes take off? Can the ships leave harbor?
And in all of these cases, all of those forces, all of those war fighters depend upon some very fundamental things. Electricity, water, wastewater treatment, natural gas, rail, transportation, telecommunications, so some very mundane things are critical to, you know,
Secretary Hegseth has emphasized lethality, and lethality depends upon the best and most efficient and most resilient drones and ships and tanks and weapon systems. But it also depends upon the same things that all of us depend upon in our daily lives. Water, power, gasoline, natural gas, wastewater treatment, and disruption in any of those, it's, there's no doubt would impede the ability to readily deploy America's war fighting resources.
Justin Sherman: Let's talk then about the risks facing all of the infrastructure you just mentioned. So in this study, you write that operational technology or OT systems are uniquely vulnerable, whether as you alluded to, they're on base or they're off base. And we'll get in my next question to specific flaws and classes of flaws that these systems are known to exhibit.
But first, to focus on the actors that are interested in threatening the systems in the first place. One, what are U.S. adversaries doing in the OT and cyber intersection? And two, what kinds of cyber activity or capability development are we talking about here, right? Is this sort of well distributed in the range from pure information exfiltration to outright disruption? Is it pretty heavily skewed one way or the other?
Jim Dempsey: Well, as Andy said the warnings that—the recognition that adversaries are infiltrating our domestic critical infrastructure that's been well known now for years. 2018, CISA issued an alert that Russia was found in U.S. critical infrastructure. 2020, CISA and the NSA warned that cyber actors had shown their willingness to conduct malicious cyber activity against critical infrastructure in the U.S. by exploiting internet accessible OT. May 2024, U.S. and allied agencies warned that pro-Russian activists were targeting and gaining remote access to OT systems in North American and European water, wastewater, dams, energy, food and agriculture sectors.
October 2024, Iranian cyber actors. April 2024, a report from Mandiant that Russian hackers had infiltrated a Texas water facility. February 2024, federal agencies warned that cyber actors sponsored by the PRC had prepositioned themselves on networks of U.S. critical infrastructure with the goal of conducting disruptive or destructive cyber-attacks.
So there has been a, a steady drumbeat of these reports over the years, which are not, and they're not talking in hypotheticals. The reports are reports of finding the bad guys in our network, and of course we saw last year, one of the most consequential of these, and one of the most remarkable of these, which was the PRC infiltration of the U.S. telecommunications network, including access to massive amounts of call detail records, as well as some interceptions of actual live communications.
So, and then just a month ago, December, another alert by CISA and partner agencies, a dozen European agencies joined in this as well as the Australians and the Canadians, pro-Russian activists conduct opportunistic attacks against U.S. and global critical infrastructure.
The interesting point about that one is the report was basically saying these guys are relatively unsophisticated. They're these sort of hybrid hacktivists, sort of pro-Russian, tolerated by this, or outright supported by the Russian government conducting attacks against critical infrastructure. And these were not the APTs, these were not the advanced persistent threat attackers using, though, minimally secured internet facing virtual network connections to gain access to OT control devices, water, wastewater, food, agriculture industry.
So a very, again, not hypothetical, very long running problem, very well known that adversaries are positioning themselves.
And I guess again, we, maybe we jumped over one point. An awful lot of U.S. cybersecurity policy in the past 20 years, if not longer, has been focused on information technology—data, bits and bytes that are, you know, the digital equivalent of papers and reports and documents.
We're talking here though about operational technology, which are devices that control, not reports and papers and documents, et cetera, not information, not personal data. They control things. They control physical things, the valves, the switches, the other controllers that are central to dams, water, electricity, manufacturing. Every manufacturing plant in the country today of any size is highly automated and is controlled by those machines are controlled by industrial systems and the technology of those industrial control systems, that's what is also vulnerable.
And that's where the adversaries, in addition to stealing all of our information, both intellectual property as well as government secrets—the adversaries are targeting this technology that controls physical processes.
Andrew J. Grotto: No, no country, you know, tolerates espionage, right?
Governments try to fight it. They try to, you know, prevent it from happening. But, you know, even when it does happen, you know, there's sort of a, you know, a sense among governments that okay, you know, nation-states spy on each other, and that is, you know, maybe not, you know, tolerable as a matter of policy, but we all sort of, you know, wink, wink nod that, yeah, okay, you know, we're all gonna spy on each other.
What makes the intrusions into OT, especially, you know, power, like, you know, water systems like that, different is, you know, there is no real intelligence value to breaking into those networks, right? There's no classified information there, right. There's, you know, it's not documents and data that the bad guys are after.
It's the ability to then or in the future, hold that asset at risk for disruptive purposes. And so, you know, attacks on OT are escalatory in a way that, that, that espionage is not, again, we don't tolerate espionage. We try to prevent it from happening, but it's just different than would be acts of sabotage.
The, you know, if you look at threat reports put out, you know, by, by, you know, groups like Dragos and others who track OT security threats, the incidents are going up. You know, Jim alluded to this.
Further complicating matters is the fact that as IT, information technology, and OT become more integrated, more embedded, attacks on IT can trickle over into disruptive impacts on say, manufacturing. You know, this has happened a few times even recently, you know, for the beer drinkers of the world, Asahi Brewing in Japan had their brewing operations disrupted for a period of time because of a ransomware attack against their IT systems. You know, Jaguar Land Rover in the UK also, you know, had a five-week manufacturing outage because of an IT ransomware attack.
Again, you know, these are all attacks on IT spilling over into OT, or at least having an impact on physical operations. But even those are different than the types of attacks that, that Jim and I have been focused on, which is, you know, OT attacks focused on specifically critical infrastructure where there is no discernible, you know, intelligence collection rationale.
The only reason why an adversary would break into these systems is to hold them at risk.
Justin Sherman: I'm very glad you made that point. Undoubtedly, we all are tired, I don't know how long folks have been trying to draw out those distinctions you're saying, and yet we still hear those getting conflated, including just the other day, a mainstream article I was reading on, you know, how are we gonna stop our adversaries from doing XYZ cyber espionage thing?
And I thought, okay, there's lots of problems with this sentence, including the word “stop.” So, but that's a, once again, we're transitioning well here. So what are then some of those major flaws in OT systems? Are there ones that concern you most from the military perspective? Are there, whether it's water, energy, something else, are they pretty, to be a bit reductive about it, equally vulnerable? Are there ones that really stand out as having particularly egregious flaws or potential impacts of exploitation of those flaws?
Jim Dempsey: I think the risk reaches across sector, and in part it reaches across sector and sectors, whether it's transportation or water or electricity or natural gas.
They are in a way, to the extent they are networked, to the extent that these devices are connected to the internet, will get to that in a second, but to the extent that these infrastructures are dependent upon operational technology and these industrial control devices, then these infrastructures are equally vulnerable.
In part because these devices and these features and these functions apply across infrastructures—that the particular industrial control device, a particular sensor, may be common across a wide range of applications. And we're seeing that this technology, this operational technology, these controllers, these sensors which collect the data and then the networks that transmit the data to some central point, and then it gets analyzed and can be acted upon either with or without human intervention, that these networks of devices are phenomenally vulnerable.
January 22nd, CISA, the Cybersecurity and Infrastructure Security Agency, which has a whole function devoted to industrial control systems. January 22nd, CISA released eight separate advisories on eight separate kinds of industrial control devices made by all the leaders. Johnson Controls, their iSTAR configuration utility, Rockwell Automation, Schneider Electric, quasi-household names. I don't, maybe not household, not used to others, but these are very big, very common companies who have devices in lots and lots of industries, as well as other companies that to me at least, aren't.
Eight, eight advisories of vulnerabilities on, on one day. Back on January 14th, for example, CISA issued one advisory on a Siemens set of products, industrial edge devices. The advisory listed over 60 separate Siemens products or product versions that had a particular category of vulnerability. And what are these vulnerabilities? Some of them are remarkably fundamental. Not infrequently, these OT devices use default passwords or have no password protection. Others do not protect the integrity of messages during transmission.
So you've got a sensor, and then you've got a processor and then an actuator that acts upon that information. But if the channel of communication between the sensor in the field and the control function at some central location, if that communication itself is not encrypted, then it's vulnerable and the bad guy can change that and send bad data to the system and every, everything is toast from then on.
So no passwords, no encryption or software vulnerabilities, a lot of these industrial control devices, even though they control physical functions and processes, they are software based. And what was remarkable to me as I dug in on this, 'cause, you know, I've written a lot about software liability and the vulnerability of software, particularly in information technology systems, but when I, what I learned when I started diving into the operational technology side of things, the OT devices have exactly the same types of vulnerabilities that the IT systems have. Buffer overflow, for example, one of the CISA alerts issued yesterday on a device, Johnson Controls device, buffer overflow, common, well known and avoidable flaw, well known in software, documented, I think for—people started talking about buffer overflow, I think 50 years ago.
One industrial control product that was the subject of a CISA advisory two years ago had four software vulnerabilities attributable to weaknesses on the list of the 25 most dangerous software weaknesses. You know, it's, MITRE compiles a list of software weaknesses and it ranks them in terms of how dangerous they are. These are all, again, well known. The list is a lot of repeats on the list from year to year. This one product had four different software vulnerabilities.
One, one more data point. Microsoft reported in 2023, that 78% of industrial network devices monitored by Microsoft Defender for IoT, 78% of these devices had known vulnerabilities.
And then on top of that, even if they do have security features, humans installing them often override or bypass the security features. So we've got a serious, widespread problem.
Justin Sherman: I want to draw this out a little further 'cause I love one of the examples you included in the study of the very dynamics you're talking about. And then we'll move on.
But just briefly, one of those examples to illustrate this problem is you say in the study, is that we need to forget the myth of the air gap, referring to when a system is not internet connected and therefore in some view that therefore it's, you know, unhackable or something like that.
Can you draw that out? Why is this a myth that severing internet connectivity will render these systems entirely secure?
Jim Dempsey: It's not that severing the connectivity will render them secure. It's that in reality they are rarely severed.
The sort of standard line about OT, what has been for decades: ‘Oh, don't worry. That device, that system, that industrial control process, it's not connected to the internet, so the bad guys can't get it. It is air gapped. It is cut off from the internet.’
And again, and again, and again, when we did this research, Andy and I heard, forget it, that the benefits of internet connectivity, the benefits by the way of connecting your IT network and your OT network are so great that it's unavoidable. And even though you may have a policy or a guideline, don't connect. Don't connect. Devices get connected.
And we cannot assume, even if you assume, or even if supposedly the device is not accessible by the internet, in most cases it turns out that when the, a really good, assessor goes in there, they'll find connections, often magnitudes greater numbers of connections than the system operator thinks they have.
Andrew J. Grotto: And, you know, the, the tailwinds to this trend of, you know, connecting OT to broader networks are strong. If you think about, you know, all the, you know, excitement about using AI, for example, to optimize electricity distribution and transmission in the United States, the only way to do that is if the systems are connected, right?
I mean, that's just the reality, you know, so we're perhaps in a, in an early phase of, you know, a push to connect even more of the, these OT assets to the internet, again, to derive all sorts of significant benefits. You know, it's worth reminding folks that, you know, cybersecurity risk management is an optimization problem, right?
If you don't, if you wanna avoid cyber risk altogether, like, don't buy a computer, don't, you know, don't use digital technologies, but obviously, you know, that's a pretty extreme measure. You forgo all the benefits. And so, you know, it comes down to an optimization problem.
And one of the challenges that both Jim and I have been thinking about for a long time is, you know, who decides what the right balance is, right? Does an individual company, an individual critical infrastructure provider decide for itself, this is my risk appetite, or does the government have an opinion on this?
Jim has used this great phrase about critical infrastructure cyber regulation in the United States as kind of this patchwork quilt. You know, some sectors have no requirements. Some do, but there's certainly no uniform set of expectations and problems emerge if, you know, we think about, you know, from the standpoint of a U.S. army installation, its vision for what its resilience needs are, could very well be different than the privately owned critical infrastructure operator.
And, you know, if you think about, you know, sort of basic, kind of microeconomic terms, like externalities, right? And in essence, you know, if we want the utility to provide an extra level of resilience beyond what its business interests would support to meet, you know, a national policy need, you know, involving, you know, a higher degree of resilience for military installations because they need to, you know, potentially, you know, project power overseas.
Well, that, that's a gap, right? And that gap's not gonna fill itself. The incentive for the private provider has to come from somewhere. And one way that, that Jim and I argue, one source is procurement, the government's procurement power. And, you know, using that to sort of close that gap between what an, a national policy level of resilience looks like versus what the, you know, again, the privately owned critical infrastructure providers' business interests are when it comes to resilience.
Justin Sherman: Let's talk about procurement in a moment. I wanna sort of break down part of the way you describe the responses that are ongoing to this set of issues, both quote unquote “inside the fence” and quote unquote “outside the fence.”
So with respect to systems inside the fence, you write that the Department of War is implementing what is called the Energy Resilience Program, and then with respect to OT systems that lie outside the fence, you mentioned the sort of patchwork landscape of cybersecurity regulations and standards. So what do those two look like? What is that energy resilience program doing? And then what do you think the landscape does or does not do with respect to sufficiently protecting this infrastructure outside the fence?
Jim Dempsey: So it's not like the depart—I mean, the Department of War is well aware of this problem. They totally are aware of their dependency on privately owned and operated, or municipally owned and operated, critical infrastructure and that their bases receive a lot of critical infrastructure from off base utilities.
So what the military has been trying to do and spending billions of dollars in building more on base capacity, particularly electricity and water. More on base capacity under what they call the Energy Resilience Program. Billions of dollars.
Here's the problem. Camp Lejeune—Marine Corps base, obviously—gave a contract to expand its on base electrical generation capability, including a solar, and as Andy says, suggested more broadly, a very sophisticated, a load management system that connects all the devices. And the goal is to have ability to live off the grid for 14 days to sustain critical operation.
So every military installation in the United States is under this mandate, flowing from Congress, to achieve islanding, it's called. You island off the base from its dependency on the public utility outside the fence. So what did Camp Lejeune do? It had to go to the public utility outside the fence, Duke Power, in order to build the inside the fence on base electrical grid.
And what did Duke Power do? They bought and installed batteries made in China that had internet connectivity. So in the effort to island off the base and to make the base self-sustaining, basically the Marine Corps and its contractor Duke Energy had imported the vulnerability on base. And that is what said to us, we need to look at the procurement power and how it is being used.
The utility on base, all the operations on base fall outside of really any regulatory structure. It's not FERC regulated. It's not regulated by EPA, as Andy said. There's, there is no regulation of the cybersecurity of drinking water and wastewater treatment.
And what exists for pipelines only covers the big pipelines following the Colonial incident. Doesn't really cover the last mile that carries the natural gas to the base. The electricity, same thing. The Federal Energy Regulatory Commission, working in a sort of self-regulatory, co-regulatory process with industry, has very detailed and sophisticated cybersecurity standards for the bulk electric power system.
But again, it doesn't apply to what's on
base and it doesn't really address some of the last mile distribution
questions. And so at the end of the day, in the absence
of Congress acting to actually regulate these critical infrastructures, the
only lever, but a potentially strong lever, that the government has is the
procurement power.
But while there are government procurement standards for
information technology, and any government contractor in the country is now
under this CMMC, Cybersecurity Maturity Model Certification process, for their
IT systems, there's no similar system of regulation through the procurement
process for operational technology.
Justin Sherman: I
feel like we're noticing a theme here. We throw operational in front and
suddenly we're relatively lacking. I want to get also to kind of the future
threatscape in a second, but just quickly give us the rundown on the
procurement set of levers that are available, and then which ones do you think
are best positioned to be used to strengthen OT cybersecurity?
Jim Dempsey: So
obviously, the government can, in its contracts, require whatever it wants to
require, and it does obviously set standards, pretty stringent standards, for
the IT systems that it procures itself, and now it is reaching to the IT systems
owned and operated by the contractors in fulfilling any kind of government
contract through the CMMC.
So the government could do the same thing for operational
technology. The government has, for its facilities, something called a UFC
document, which is supposed to be a Unified Facilities Controls—it sets
criteria. I looked at that in detail, and on some of the key points, it's
pretty open ended.
It has a sentence saying you should not connect OT systems to
IT systems. But if you do, be careful. Literally, that's almost exactly what it
says. And it doesn't say how to do that and doesn't say what you do from a risk
management perspective, recognizing that you are likely to have connections, and
there's really not much out there.
You know, we're in the middle of this massive, I
think the price tag is $5 billion, rip and replace of the Huawei and ZTE
switches from the telecommunications backbone to get the Chinese devices out of
the telecommunications network. Although Salt Typhoon didn't attack Chinese
devices, they attacked Western-made devices that were vulnerable in order to
get in, which is an interesting problem and an interesting illustration of the
lack of regulatory action on the telecommunications side. But on the energy
side, we have a lot of Chinese products. Lots and lots of Chinese equipment has
been imported.
And so what we recommend in the paper
is—first we need an inventory. The start of any cybersecurity program is
inventory. What's on your network? What's connected to your network? An
inventory to determine: is Camp Lejeune the only domestic installation that has
Chinese-made products on base in critical infrastructure? I'm guessing it
probably isn't, but it would be nice to find out. I think right now no one
really knows how many China-made products are on U.S. military bases in
critical infrastructure.
And then secondly, whether the products are China-made or not,
we need some really deep and careful look at the connections of the
current devices. And then we need a document that can be incorporated in
contracts the way that NIST documents on IT are incorporated in documents. So
again, on the IT side, when the government purchases IT or when its contractor
uses IT, even if the government's not purchasing IT, if the government is
purchasing a tank or takes something unclassified—still, we have a strict
requirement, roughly 110 separate controls, applied to the IT systems of
contractors. We have nothing on the OT side.
My understanding is that something has been drafted or is in a
process, or there's a process to try to come up with something—that needs to be
accelerated. In my view, quite strongly, I believe that we need to have
some criteria for contractors on the OT side, similar to what we have on the IT
side.
Andrew J. Grotto: It,
you know, insofar as the Pentagon sees a gap between the level of
resilience needed to meet national policy, national defense needs, versus the
level of resilience that a critical infrastructure operator finds acceptable,
you know, in procurement contracts, it needs to, you know, make that clear and
then specify, okay, you know, what do you, the contractor, need to do to meet
that higher need, and that's where the standards come into play. It's
hard to, you know, chart that course.
You know, Jim and I are both lawyers, right, as lawyers, right.
It's hard to, like, you can wave your hands about, you know, doing better.
But unless you've actually got language in the contract that gives both parties
some guidance on where the provider needs to be, the odds of success, of the
provider achieving that, hitting that mark, are pretty low.
And then this piece, you know, I think is in some ways more
and more impactful on the practical reality of incentivizing better security on
the part of critical infrastructure. And that is, who's gonna pay for it? Right?
You know, the government's gotta be prepared to pay for a higher
level of resilience, right.
If it wants infrastructure operators to invest more in
security. It's gotta be prepared to pay for it. And many of these critical
infrastructure sectors, you know, think water as an example, right? They
operate on razor thin margins. I mean, you know, they're not making, they're
not making money.
And so any additional requirement put on them that requires
investment on their part is going to be tough for them to meet, just
as a reality. And I think one of the reasons why I think
it's been so hard to have a coherent kind of national-level policy debate
about, okay, what level of resilience do we think critical infrastructure across
the board needs to hit, is all these questions about who pays for it.
I'll offer this as a hypothesis. I think if the government, Congress,
the executive branch, were willing to pay, for example, you know, the water
sector, which, you know, vehemently objected to EPA’s kind of tentative foray
into cybersecurity standards a few years ago, I think if the EPA was in a
position to say, we want you to do more and we're going to help you by, you
know, furnishing resources, I think it's a completely different conversation,
and I don't think we end up where we are today, which is the water utilities
suing the government, EPA getting scared, pulling the guidance back, and then
obviously having the Supreme Court intervene later to drastically reduce the
government's general ability to regulate.
Justin Sherman: Well,
speaking of policy will, or perhaps political will, where do you think the
department is most likely to move or not move in the next year or two ahead?
And then when you think about the future threat space, we've heard sort of the
core cluster of typical U.S. adversaries mentioned throughout this
conversation.
I imagine China's, if not at the top, pretty high on that list,
but how do you then, in addition to what the department might do, think about
what adversaries might be doing in the coming years that concerns you the most
in this area?
Andrew J. Grotto:
Well, Jim alluded to the CMMC program. These are the new cybersecurity
requirements that the Pentagon requires for all contractors.
Those are now in effect, and I think, you know, over the
coming, you know, 12 months, both the Pentagon and its contractors are going to
gain a ton of experience in how procurement requirements for cybersecurity
intersect with kind of both, you know, the realities of service provision, but
then also the cost questions.
I'm actually feeling more optimistic than I have in a while
about the prospects for the Pentagon really picking up this OT security issue
because, you know, as Jim mentioned, it's not like leadership's not aware of
it. It's really, I think, a question of how, and if the Pentagon were to take,
you know, Jim's and my advice and conduct an inventory.
I think that's a first step. I think Jim's absolutely right
that they will not like what they find. That's our prediction. You know, that
creates a lot of room for, again, a discussion not only of what are the types of
OT standards that providers need to implement in order to achieve a
satisfactory level of resilience.
But then, okay, how do we create the market and investment
conditions to fulfill those requirements? Again, a lot of that comes down
to who's gonna pay for it, which obviously has a
budget dimension to it. And so the Congress will play a huge role, as it often
does, in shaping the Pentagon's IT and broader digital technology operations.
Justin Sherman:
That's all the time we have. Andy, Jim, thanks for joining us.
Jim Dempsey:
Pleasure.
Andrew J. Grotto:
Thanks Justin.
Jim Dempsey: Thanks.
[Outro]
Justin Sherman: The Lawfare
Podcast is produced by the Lawfare Institute. If you want to support the
show and listen ad-free, you can become a Lawfare material supporter at lawfaremedia.org/support. Supporters
also get access to special events and other bonus content we don't share
anywhere else.
Please rate and review us wherever you get your podcasts.
Look out for our other podcasts, including Rational Security, Allies,
the Aftermath, and Escalation, our latest Lawfare Presents podcast
series about the war in Ukraine.
Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja and our audio engineer of this episode was Cara Shillenn of Goat Rodeo. Our theme song is from Alibi music. As always, thank you for listening.
