“It’s not just a matter of water being cut off. When the only sewage treatment plant in the area stops working, really bad things start happening. For example, without water, there are no hospitals,” he said. “I saw a lot of this during my time leading the COVID response team. There’s this interdependence in the basic functioning of society.”
UnDisruptable27 will focus on reaching communities that fall outside Washington DC-based policy debates and the Information Sharing and Analysis Centers (ISACs) that represent the U.S. infrastructure sectors. The project aims to communicate directly with those working on the ground in America’s critical infrastructure and collectively confront the reality that a cybersecurity-related disaster could impact their day-to-day operations.
“Some people think that if a data breach occurs, there’s no long-term impact because you get services like privacy protection for a certain period of time and life goes on,” says Megan Stifel, chief strategy officer at IST. “There’s an expectation that, OK, things are just going to continue the way they are. So we’re very interested in addressing this issue and thinking about how to approach critical infrastructure security with maybe new approaches.”
Corman notes that cybersecurity incidents are commonplace, but when one actually affects them, business owners and infrastructure operators are often spooked and caught off guard. Meanwhile, when government agencies try to impose cybersecurity standards or partner on defense initiatives, communities often balk, perceiving it as intrusive or overreach. For example, last year the U.S. Environmental Protection Agency was forced to backtrack on new cybersecurity guidelines for water systems after water companies and Republican lawmakers sued over the initiative.
“Trade groups, lobbyists, owners and operators are allergic to oversight and say over and over again, ‘Voluntary is preferable. We do it ourselves,’” Corman said. “They’re really trying to do the right thing, but people are shocked that there could be any disruption and feel it’s completely unexpected. So I can only assume that the people who feel the pain of our failures aren’t being included in the conversation. They should understand the risks inherent in this level of connectivity. We’ve tried a lot of things, but we haven’t tried to treat people equally.”
UnDisruptable27 will be launched this week and promoted to attendees at BSides and at other conferences such as Black Hat and Defcon, which run through Sunday in Las Vegas. Corman said the goal is to combine the hacker ethos with a plan to recruit volunteers and work with creative collaborators to produce compelling content that will spur discussion and understanding. Information campaigns using memes and social media posts, as well as more innovative ideas like narrative podcasts and reality TV, are also being considered.
“We must prioritize the security, safety, and resilience of our critical infrastructure, including our water supplies, medical facilities, and public utilities,” Craig Newmark, the founder of Craigslist, who funds UnDisruptable27 as a philanthropic organization, told WIRED. “The urgency of this issue demands that we influence human behavior through storytelling.”