
Washington Journal: Mark Montgomery | C-SPAN | January 6, 2022, 4:06am-4:46am EST

4:06 am
"Washington Journal"
4:07 am
continues.
Host: Joining us is Mark Montgomery with the Foundation for Defense of Democracies, senior director at the Center on Cyber and Technology Innovation, and the senior advisor for the Cyberspace Solarium Commission. Thank you for joining us. A couple of things about your organization: what is the foundation, and particularly when it comes to cyber issues, what is your main point of interest?
Guest: The Foundation for Defense of Democracies is a nonpartisan, nonprofit think tank that looks at a number of security issues, and it specifically has three centers, one on military power, one on economic power and one on cyber and technology innovation. I run the Cyber and Technology Innovation Center and we really focus on how we make our critical infrastructure more secure, both from nation-state
4:08 am
adversaries and criminal actors.
Host: When it comes to your other title, the Cyberspace Solarium Commission, what is that specifically?
Guest: It was set up by the fiscal year 2019 National Defense Authorization Act because senators like John McCain were becoming increasingly uncomfortable with our ability to deal with cybersecurity threats, particularly below use of force, otherwise threats done by nation-state or criminal actors that did not engender a response from the United States. What Senator McCain came to the conclusion of was that the theory was not working throughout all of cyberspace, that the lower-level malicious actors were able to do their damage to our critical infrastructure. He did what any congressman would do and set up a commission. The reason he believed in this is that he had been working for
4:09 am
10 years to get cybersecurity more secure through working with the executive branch or legislative changes, and it was not happening. Working with Republicans and Democrats, a commission was set up, and Senator McCain, really a smart man on how to get things done, made sure that we had four congressional members on the commission: Senator Angus King, an independent who caucuses with Democrats; Senator Ben Sasse, a Republican; Jim Langevin, a Democrat; and a Republican from Wisconsin. In addition, we appointed four executive branch managers to bring the information in: the FBI, the Deputy Secretary of Defense and the Deputy Secretary of Homeland Security. In addition, we had six
4:10 am
outside experts, the CEOs of companies or government officials, think tank leaders. They were supported by the staff that I led that studied the cybersecurity problem, and McCain said you have one year to come back with real solutions, which is a fast turnaround rate. In nine months we produced a report that we issued in March 2020. We put out additional papers looking at additional issues. We spent the last 18 months, fiscal year 2021 and 2022, trying to turn the recommendations of that commission into law, and we have been highly successful. We had 82 original recommendations, 50 were legislative, and we have accomplished between 60 and 80% of those recommendations. They are either in law or being carried out by the executive branch, which is a high strike rate. The commission itself stood down over the weekend; it reached its
4:11 am
natural length by Congress, and we are now setting up a non-governmental organization led by the same congressmen, same outside experts, and I am serving as director again, and it is a 501(c)(3), a nonprofit advocating for implementing those original reports.
Host: As far as the issues, we hear a lot of them; many are common to Americans, including ransomware. You focused on cybersecurity when it comes to water systems. What got your interest in this?
Guest: That commission pointed out there were three or four of our critical infrastructures by presidential executive order. President Biden came and showed us this list and said stay away from these critical infrastructures. But we looked at those 16 and several of them concerned us
4:12 am
greatly. One was pipelines, another was water and a third was health care provision. The commissioners asked a bunch of us in different think tanks to take a look at some of these issues in detail. The water one concerned me, and the reason I took it up personally is because I think that water is a critical infrastructure that is the nexus of national security, economic stability and public health and safety. Water is in all of the ways to become a global superpower. It enhances, informs, and enables critical infrastructure. Energy relies heavily on water as a cooling medium in its system, so if water is not functioning in a certain region it is likely that rapidly thereafter energy production will not be functioning. Seeing this as a critical infrastructure and the weakest
4:13 am
link in these critical infrastructures, we went and took a study on it.
Host: Because the op-ed talks a lot about the specifics, you highlight the experiences of one small town in Florida. What is that experience and what does it say about the larger issue of cyber threat towards a water system?
Guest: The event we highlight was in Oldsmar, Florida, just before the Super Bowl. What happened was a malicious cyber actor, still not identified, had gotten into the system, probably through either a pre-existing flaw or the delivery of phishing, but that has not been revealed by the FBI. They were able to manipulate the system. What this person targeted was unusual in the sense that she or he did not try to turn the system off and ransomware back
4:14 am
control of the system or lock out the operators. They decided to change the chemical injection settings, so the amount of lye, which controls the acidity of water: initially, at low levels, it makes the water more appropriate to drink, and at high levels it can make the water poisonous or detrimental to health. And they began to attempt to increase the level of lye in the water. Fortunately, the malicious actor was doing this and was moving around the systems at the same time an operator was sitting at the console. This operator was able to see this inappropriate activity going on. He saw it twice. The first time he did not do anything about it, and the second time he reported to his bosses and they were able to stop this potentially harmful change in the chemistry, but it
4:15 am
was just a random act of luck that we were able to stop this. I am glad that we were lucky; it points to the fact that our systems are vulnerable to malicious acts by either criminal actors or nation-states. There are a number of other examples. Water has not been exploited in the same way that banks have, because criminals are going to rob money and there is a much more lucrative path to success. Our critical infrastructure is exceptionally vulnerable to cyber penetration.
Host: Our guest is with us until 8:45, and if you want to ask about the vulnerabilities that he talks about and highlights, you can call 202-748-8000 for Democrats, 202-748-8001 for Republicans, 202-748-8002 for independents. You can also text us at
4:16 am
202-748-8003. Talk about the water aspect, but also vulnerable systems. What makes them vulnerable, generally?
Guest: Generally, I will go with water and then take it out generally. What makes us vulnerable in the water industry is that there are two elements: how much does the industry spend on its cybersecurity? The second is how well does the government agency that is paired with that industry support it? If both of those are strong you are in good shape. I will give you an example in financial services. The banks have learned that we are really susceptible and we are being targeted heavily by cyber criminal actors, so some banks are spending upwards of $700 million a year on cybersecurity. That is more than most federal
4:17 am
agencies except the Department of Defense; that is more than most countries. An individual U.S. bank will be spending that. They are very highly supported by a heavily regulated industry and supported by the Department of Treasury; that is a marriage that leads to very high cybersecurity. Now, you cannot say that about the tens and thousands of banks of America, but you can broadly say across the industry and specifically about the biggest banks. When you get down to water, water utilities are generally more than, I think it is 88%, publicly owned and operated by your county, town, some kind of local government organization, which is not the definition of an organization that will be rich with excess funds or able to rapidly give a grant or funding to solve a developing security issue. They are very much covered by rates that they are allowed to
4:18 am
charge, bonds to raise money; it is a slow mechanism. The complicating factor is about two decades ago we began to heavily automate the water industry, otherwise take the man and woman out of the loop and make the valve, pump, and chemical injection system operate by computer order. At the time there did not appear to be a cybersecurity threat, so the savings were invested in other areas. 20 years later there is a big cybersecurity threat and we have heavily automated these systems. We do not have the excess funds to pay for them. The industry itself has got to do more and spend more money on cybersecurity. In that regard, the government, the sector risk management agency, the Environmental Protection Agency, has not been properly resourced or organized to support the
4:19 am
utilities in the cybersecurity effort. The EPA is a big federal agency with lots of important roles and spends its efforts on important issues like removing the lead-based piping in our water systems and working on climate change issues. They have not focused, through multiple administrations in a bipartisan way, on cybersecurity. As a result they are ill-prepared to support a weak industry in terms of cybersecurity. And the best example of this is their office of water cybersecurity probably has under five people in it. When you compare that there are 55,000 water utilities and 55,000 wastewater utilities, five people are trying to help 75,000 bureaucratic organizations. What you have to get is a good government support agency married with a good and well-funded industry; that is when you will have tight
4:20 am
cybersecurity.
Host: Mark Montgomery with the Foundation for Defense of Democracies and senior director of the Center on Cyber and Technology Innovation. If you want to ask him about cyber concerns and technologies that you are worried about, you can call him or send us a text at 202-748-8003. James, Washington, D.C., independent line, you are the first up.
Caller: Thank you. My question is, is our energy grid at risk as well? The second question, how do we move forward with legislation and get our legislative branch to act on this? Because it seems like we are now in the 21st century and it should have been taken care of in the 1990s, to be honest with you.
Guest: Those are two great questions. Energy is in a better position, and a couple of reasons drive that. A lot of energy is privately owned and not publicly owned, and
4:21 am
they have the ability to adjust rates, which may not always be a comfortable thing as a utility payer, but allows them to respond to these issues more agilely. It is more like 15% of electrical facilities versus the 88% in water. The Department of Energy has been an exceptionally good risk management agency. They have an assistant secretary that deals with cybersecurity, which happened during the Trump administration. The Biden administration has not appointed anybody, and the Secretary of Energy indicated that they might drop this and yorty of that draw. Democrat and Republican senators have pushed back about that. They do make sure there is enough funding for the organization, 20 to 30 times the size of its water equivalent when it should be about the same
4:22 am
size. So I feel better about energy, but that does not mean that energy is secure; it just has the opportunity. There are still vulnerabilities. The same kind of FBI, NSA, Department of Homeland Security report that came out about water, the warning that caused us to write the op-ed, we have had similar warnings in the energy sector. They are under assault from criminal actors, particularly ransomware, but also from nation-states that implant malware into the electrical grid. And energy is tied to water. If the water fails, energy is in trouble. As far as action, the U.S. Congress has done more in the past two years than in the previous 20 years.
4:23 am
I would consider the last three years of cybersecurity a bonanza. There were 40 laws passed three years ago, 60 two years ago and 40 last year. There were some independent bills in cybersecurity passed within the bipartisan infrastructure plan. So, they are doing something. You are correct in saying that they have not done everything that they need to do. In fact, in our report we detailed three or four different areas where legislative action is still required, and I will give you a specific one. One of the things that is extremely disappointing and frustrating is that while we do set aside $14 billion, that is over a five-year period, so about 3 billion a year, in very specific grants to water utilities,
4:24 am
cybersecurity is allowed to compete with those, but what they are competing with is that we tell a water utility that you can spend this grant money on droughts, on severe weather issues, natural disasters, rising sea level or cybersecurity, so you are basically telling them that they can spend it on signs of the apocalypse or cybersecurity, and most of them are spent on the signs of the apocalypse. Cybersecurity is easy to ignore in the short term, but the long-term failure to fund upgrades leads to as long a road as if you are having a drought, and rising sea levels are a natural disaster. You need to have cybersecurity-unique funding, and that is all the utility can spend it on, to ensure that the
4:25 am
utility identifies risks in the system beyond their ability to fund a repair. They have a place to go for a grant or low-interest loan depending on the size and attributes.
Host: That is some of the recommendations that your organization makes when it comes to government: giving more power to the EPA and the risk management agency, directing some of those programs, and directing the Cybersecurity and Infrastructure Security Agency to support water structures and increase the federal government support as well. Ian in Winter Park, Florida. Republican line.
Caller: Hello. Mr. Montgomery, I want to thank you for being here. I really appreciate being able to talk to you. And so, I am a UCF graduate and I have been in central Florida for quite some time, and I will
4:26 am
say that the water here has been abysmal for quite some time, and I am curious, in your personal opinion, what can the central Florida environments do to improve the water here? It is absolutely terrible for quite some time.
Host: In Florida. Mr. Montgomery, let me take that further as part of the system you are speaking of. How modern are our systems at critical locations? How would you describe that?
Guest: The caller had a great point. It is inconsistent, and there are some very small water utilities that have a real challenge in upgrading and improving the quality of drinkability and also the security of the systems.
4:27 am
When I say there are 50,000 drinking water facilities in America, over 40,000 serve communities of less than 3,000 people. You can imagine, with just getting the payments from the 3,000 people and small profits, there is almost no room for long-term investment. Really, that is where the government has got to come in. When you set up a system like this, where something is distributed as it is, the government has to come in and help a little. Water, like energy and transportation, is one of the things where the government provides the backbone to private sector and public utilities, so let me talk about one of our recommendations and how it could help. We have a program, the Department of Agriculture has a program, called the circuit rider program. I imagine the Marlboro Man on
4:28 am
horseback riding around the West. This is what mom-and-pop and really small water utilities that serve rural areas have, and they are not on horseback. They are probably in an F-150 driving around and giving advice. The problem is the advice is how should my piping be laid down and what is the pressure on this manifold, and stuff like that, but probably not breaking out their computer and giving cybersecurity advice. We recommended a program, small in terms of cost, but it will make a big impact, which is to fund 50 cybersecurity circuit riders, and this is with the National Water Association that championed this. They are one of the associations. But now you have 50 guys, men or women, servicing these rural or farmland areas, that are in a
4:29 am
Prius driving up and showing up with their computer and saying let me run some penetration, to make sure that you are not subject to ransomware. These small systems are as vulnerable to ransomware criminals as big programs are. We could run that for $5 million a year and enhance smaller industries and get the cybersecurity of the water on par with some of the issues with the circuit rider program.
Host: Clark in Florida as well. Democrats line.
Caller: I for sure have a lot of care about cyber, but I also have a lot of care about industries, pollution, runoffs, sewers, and I think it is a much
4:30 am
bigger problem. Me personally, I would rather have that monitored and money going in that direction.
Host: OK, let us hear from Debbie in Silver Spring, Maryland. Democrats line.
Caller: Good morning, Mr. Montgomery and "Washington Journal." As a tax credit and public service, since water is tied to energy, why do not all of the oil companies pay for it? Why is that not regulated through the Department of Energy as a mandatory servicing tax?
Host: OK.
Guest: I do think that the use of the water is generally associated with energy production. And they do pay for the water they get as a cooling medium, so
4:31 am
there is the requirement. How much to charge for it will be determined, but the truth is that the water utilities have not been putting the money they have into cybersecurity, so I'm not sure that increasing that rate would increase water cybersecurity unless we lean on these facilities and say you got the benefits of automation and you have a lot fewer people standing watch and operating valves and pumps, particularly in these large, in terms of size, rural systems. They will have valves and pumps that are 20 or 30 miles away from the headquarters of the distribution manifolds, near the reservoirs and such. That has been automated. The benefits that they have, they need to make investments in cybersecurity. And I would like to keep management of this with the EPA. They are responsible for all of
4:32 am
the elements of water, and they do work on the cleanliness and the lead pipe abatement and they do a lot of great work at the EPA; they just need to come up to speed for the cybersecurity issue.
Host: We saw the trillion-dollar infrastructure bill passed by Congress and signed into law by the president. How much has that dealt with cybersecurity issues?
Guest: That is a great point; the president said yes, talking points. This does a lot with resilience in cybersecurity. It is one of the very first appropriations bills that highlights cybersecurity specifically, so that is a win. Here's where it is less of one. In the 1.2 trillion, there was 2 billion worth of cybersecurity, and when you do that mathematically, that is two over
4:33 am
1,200, or 0.1%. It was great that it was called out, but it was a pretty small percentage overall. What it did was it gave specific money to the Cybersecurity and Infrastructure Security Agency, a critical agency in the Department of Homeland Security, and it is the quarterback of the federal government's cybersecurity response. They work with every federal agency and every private sector and the National Cyber Director at the White House. They're kind of that quarterback, workhorse issue, and they were given $5 million worth of funds for different things to do, including what is called a cyber response and recovery fund, which is for providing money after the fact, after there has been some kind of cyber event or crisis, to help restore systems
4:34 am
rapidly and get them up and going. It is an important thing that our commission had been asking for for two years. It also provided $1 billion to state and local governments for cybersecurity of their IT systems. Some of that can go towards water. By not having a direction to do it in the law, probably much less than we hope will go to that. That will go to the cybersecurity and IT modernization of state and local governments. This was noticed during the COVID response, when an excessive number of people were applying for unemployment, that the state and local systems were under duress because they were outdated. They are also insecure. The money for serious cybersecurity, a lot of that will be spent on IT modernization, which will improve security a little, not efficiently. And so, that is in there. Finally, in there is the money, $14
4:35 am
billion, for grant programs for water utilities. My concern is that cybersecurity was thrown in with the four signs of the apocalypse. At least historically, cybersecurity is an add-on; the money does not get spent, and it has a lot to do with how the utilities think but also how the EPA is organized to handle them.
Host: Ryan in Michigan. Independent line.
Caller: Good morning, Pedro and Mr. Montgomery. Benton Harbor recently learned that the water in our county was worse than Flint when Flint had their crisis. We are about an hour and 15 minutes from Flint. So what I want to ask is that I do not see the urgency that is coming in at all, so I want to
4:36 am
know how that system works with the money that just got spent on infrastructure, how are we following the money to make sure that we are getting the proper response as we should, and in the future, that this does not happen again, that the system needs to start getting down and looking at the infrastructure, whether it is 100 years from now or whatever, because I know the infrastructure has not been touched in probably 100 years.
Host: Thank you.
Guest: I will say one quick thing: having studied the infrastructure bill closely, there is money for those sorts of things also. The EPA, in a bipartisan way, has been trying to identify needed investments in water
4:37 am
infrastructure, and there is a significant backlog of hundreds of billions of dollars if you look back at the latest studies. There is a lot of money in this infrastructure bill and appropriations for the EPA. I think this administration is taking that seriously.
Host: Pat in New Jersey. Republican line.
Caller: Hello, I am a former IT person and my question is why are these systems closed to outsiders? Why don't you have a list of extremely limited people able to access the systems to make changes? Thank you.
Guest: That is a great question, and I will tell you, they should be closed. They need to be connected to the internet because they are talking to systems downrange.
4:38 am
But what is generally happening, the most likely source of penetration by the malicious actor is spear phishing, emails to the operators that enable a piece of malware by clicking on the link, and the adversary is in the system. In general there are three things you can do that will make you 99.9% secure: a complex password, multifactor authentication, and do not answer emails from Nigerian princes or, more typically, do not go spear phishing. If you do those three things, you are going to make yourself and the company and your water utility more secure. Unfortunately those are not practiced often.
4:39 am
Multifactor authentication is not required, but those are the kind of things that I think would drive and improve cybersecurity.
Host: From Stephen in Salem, Oregon. Independent line.
Caller: Good morning, can you hear me?
Host: You are on.
Caller: For once, someone I would like to talk to. I would like to say the cool thing about sustainable energy and the water and the thing that goes with it is that it is off the grid and eliminates having to develop a cybersecurity plan for it, and works between te
4:40 am
4:41 am
4:42 am
gornociations. They can provide that standard and use the Department of Homeland Security and, most importantly, the National Institute of Standards and Technology, and they provide a ton of standards, recommended standards for different pieces of technology. Those together can develop the water sector cybersecurity standards and work together,
4:43 am
consult with different stakeholders, and eventually build themselves towards a regulatory regime if necessary. If you can do it through a joint oversight, that would be great. The EPA is years, if not a decade, away from being in a position to regulate this industry because of their current lack of investment in organization. That is kind of how I see that government-industry oversight going. It has to be heavily industry-led for the first decade.
Host: Chris in Louisiana. Democrats line.
Caller: Mark, I want to mention something. In your explanation, it seems, from my understanding, that the EPA is a malfunctioning
4:44 am
The more I listen to you explain a lot of things, and when it comes to what they are doing, I keep hearing how they are not doing this when they could be doing that, and they need to be doing this and they need this and that. This is a malfunctioning organization. What I am thinking is that folks in Washington who sit on these different, who are in control of the EPA, they need to go in there and, I would say, restructure everything and replace people if necessary, because, Mark, this is so important. I will give you an example.
Host: We are a little bit short on time and I apologize for that. Go ahead.
Guest: That is a great point. I would sharpen it a little bit. The EPA is doing a lot of things well. They are doing this poorly because they do not resource for it and, as the caller said, they
4:45 am
are not organized. I would recommend reorganizing and funding them. The Trump administration had an increase from 8 million to 10 million, and the Biden administration recommended an increase. The real amount needed is between 45 million and $50 million. You cannot do that in one year; you do not triple an agency's budget in a year, that is like burning money in an oil barrel. But over the next three to five years, grow this office to be the support element to the private sector that they are required to be by law as a sector risk management agency, and the answer is that they can provide us, with those citizens, good oversight. We want a high-performing cybersecurity program, and then get the support from the places I mentioned, get a little bit of support from the Department of Energy where they have expertise, and I think that is
4:46 am
the solution. That is slow money in the overall EPA budget, but it requires money and organization to get it right.
Host: Mark Montgomery, you can find their website at fdd.org. Thank you for your time.
