Cyber Initiative Pegs 2027 as Infrastructure Defense Deadline

The project, which is called UnDisruptable27, wants society to prepare for near-future geopolitical conflicts in which cyber attacks are aimed at Americans’ access to water, medical care, power and food.

As cyber attacks increasingly take aim at critical infrastructure and services, a new initiative is trying to set 2027 as the deadline for the nation to raise a full defense.

The effort — dubbed “UnDisruptable27” — launched this month, and it intends to spread its cyber preparedness message to municipal leaders, critical infrastructure owners and operators, and the public, said Josh Corman, the project’s leader and an executive in residence for public safety and resilience at the Institute for Security and Technology. That message is to bolster defense against cyber attacks on emergency medical care and hospitals, water and wastewater systems, power, and the food supply chain.

The project chose 2027 for a deadline because U.S. officials believe China could attack Taiwan by then — sparking conflict, given U.S. support for Taiwan. Such conflict is likely to include a cyber component, Corman said.

U.S. officials have discovered China-backed hacking group Volt Typhoon in U.S. water and electricity systems, where they believe it’s pre-positioning itself to cause disruptions should tensions between the U.S. and China heat up. China might intend its presence in the networks to be a deterrent against U.S. aid for Taiwan in advance of a conflict, or to disrupt critical infrastructure on a limited scale as a “warning shot,” Corman said. In a full conflict, China could look to cause widespread disruptions, and nation-states are likely to try more destructive attacks than cyber criminals, who just want to be paid.

The U.S. has made progress on cybersecurity but needs to do more, faster, Corman said. Recently, Politico reported on cybersecurity experts saying that U.S. efforts to combat Volt Typhoon have not made a significant difference against the threat.

Corman said existing cybersecurity conversations and supports aren’t reaching everyone. The federal government, information sharing and analysis centers (ISACs), and others offer cybersecurity resources to critical infrastructure, but many entities still don’t use these. Others don’t realize the gravity of the threat, while some lack the money to join ISACs or the cyber expertise to act on the information they share, he said.

Smaller entities can be left out of larger cyber conversations, too. For example, Corman pointed to the Environmental Protection Agency’s March 2023 attempt to incorporate cybersecurity evaluations into the sanitation surveys that public water utilities regularly undergo. Several national water-sector organizations pushed back on this idea, and three states challenged it in court, prompting the EPA to retreat.

Corman said some local utilities and town officials aren't aware of these events or conversations, suggesting a communication disconnect between them and their sector’s leading trade associations and federal officials.

“When I go to my local community water and wastewater, or town leadership across the state where I live, they've never heard of the EPA asking for this,” Corman said. “They didn't vote yes or no to it; it just doesn't get to them.”

His project aims to bridge these gaps and raise those entities’ awareness of threats and of available resources from the federal government and think tanks. The effort also intends to provide advice and, ideally, inspire a “whole-of-society approach.” Its outreach could include creating “storytelling” materials like visuals, videos, tabletop simulations and even escape rooms.

To be effective, UnDisruptable27 needs to frame cyber concerns in ways that speak to each group’s priorities. For example, hospitals often prefer to spend on hiring rather than on cybersecurity, Corman said, but they can be receptive when cybersecurity is presented as a necessity for preserving the technology that helps employees amplify their impacts.

As for the residents it hopes to reach, UnDisruptable27 wants them to plan for cyber-enabled disruptions just as they would for natural disasters. That might mean storing some water, in case hackers interrupt access, for example.

UnDisruptable27 is in the beginning stages. It just received a financial investment from Craig Newmark Philanthropies that’s expected to support up to one year of operations for a pilot project. That pilot will create messaging and engagement focused on water and health care, and it will highlight health-care dependency on reliable access to water.

The project has started recruiting volunteers and is currently developing job descriptions for full-time hires. Next month, it will work to formalize partnership agreements. Its first few months are expected to include testing different messaging materials and exploring ways to scale efforts.
Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.