Funding for program to stop next Stuxnet from hitting US expired Sunday


Government funding for a program that hunts for threats on America's critical infrastructure networks expired on Sunday, preventing Lawrence Livermore National Laboratory from analyzing activity that could indicate a cyberattack, the program director told Congress on Tuesday.

Nate Gleason leads a team at Lawrence Livermore National Laboratory (LLNL) focused on nation-state threats against critical infrastructure, and this includes the CyberSentry Program.

It's a public-private partnership, managed by CISA, that looks for malicious activity on IT and operational technology (OT) networks in America's energy, water, healthcare, and other critical facilities. This includes threats along the lines of China's Volt Typhoon and Salt Typhoon intrusions — network activity that may look like, or even start as, espionage, but ultimately enables the digital invaders to backdoor critical orgs and deploy cyber weapons to aid in a kinetic war.

Participating critical infrastructure owners and operators agree to place sensors on their networks, and Lawrence Livermore National Laboratory engineers monitor that data in real time. CISA then uses this information to create alerts for the broader US critical infrastructure sector.

"We're looking for threats that haven't been seen before, we're looking for threats that exist right now, in our infrastructure," Gleason told Congress during a House subcommittee hearing on "Stuxnet 15 Years Later" and how cyber threats to critical infrastructure have evolved.

Spoiler alert: they're worse.

Stuxnet, widely attributed to a joint US-Israeli operation and discovered in 2010, sabotaged Iran's uranium-enrichment centrifuges by tampering with the programmable logic controllers that drove them. It's considered the first cyberweapon designed to cause physical destruction by targeting operational technology networks and industrial control systems (ICS).

In the 15 years since, the count of known ICS-specific malware variants has grown to nine, OT cybersecurity company Dragos's CEO Robert Lee testified.

"Let me be blunt, we are not prepared for a major attack on our critical infrastructure … we are not doing enough to prepare and the results could be catastrophic, including loss of life," Lee warned.

CyberSentry goes dark

Worse, on Sunday, America lost a chunk of visibility into foreign spies sitting on critical networks or OT-specific malware because the Department of Homeland Security hasn't renewed CISA's funding to work with Lawrence Livermore National Laboratory on CyberSentry.


"Funding agreements … are still making their way through DHS processes and our work with CISA expired last Sunday," Gleason testified. "National labs are not legally able to operate without funding from a government agency, so our threat hunters stopped monitoring networks on Sunday."

The sensors are still deployed and still collecting traffic on these networks; "we just aren't gathering the data that is coming in," Gleason said.

Neither DHS nor CISA immediately responded to The Register's inquiries about the funding, and if it would be renewed. We will update this story when we receive any responses.

CyberSentry has been in place since 2020, and during that time Lawrence Livermore has supported it with its supercomputing capacity, providing analytics and using AI to detect never-before-seen attack techniques.

"As one example of program success: In 2022, we detected high-risk Chinese surveillance cameras that were stealthily built into US infrastructure systems," Gleason told US lawmakers. 

LLNL developed an advanced beacon detection tool to find more subtle threats and also reduce false positives, which was then deployed on critical infrastructure networks.

"Almost immediately, our analysis detected anomalous beacons on the OT networks of a participating company," Gleason said. 

The national lab identified the beaconing device as a camera manufactured by the Chinese company Dahua, which the US Federal Communications Commission has designated as posing a significant threat to national security.

"Livermore developed a machine learning model to detect these devices at scale and deployed it," Gleason continued. "We found cameras on most of the CyberSentry entities, in some cases hundreds of them."
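The beaconing that gave these cameras away is a pattern any defender can hunt for: a device that phones home on a near-constant timer produces connection inter-arrival times with very low dispersion, whereas human-driven or bursty traffic does not. The script below is an added example written for this article, not LLNL's CyberSentry tooling (whose internals are not public) and not code from Gleason's testimony; the connection log, addresses and thresholds are constructed for illustration. It scores each (source, destination, port) tuple by the median inter-arrival interval and the median absolute deviation relative to that interval, and it shows the false-positive trap such tools have to handle: legitimately periodic protocols such as NTP look exactly like beacons unless they are allowlisted.

```python
"""Periodic-beacon detection over constructed connection logs.

Added example, not CyberSentry's detector. Idea: a device that calls home
at fixed intervals yields inter-arrival times clustered tightly around one
value; measure that clustering as MAD/median and flag low values.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log, one "timestamp src dst dport" per line. Not real
# data: 10.20.5.44 is a hypothetical camera calling out every ~5 minutes
# (and also syncing NTP every 64 s), 10.20.7.12 a bursty workstation, and
# 10.20.9.3 a host with too few connections to judge.
SAMPLE_LOG = """\
2022-03-01T00:00:00 10.20.5.44 203.0.113.9 443
2022-03-01T00:05:02 10.20.5.44 203.0.113.9 443
2022-03-01T00:09:58 10.20.5.44 203.0.113.9 443
2022-03-01T00:15:01 10.20.5.44 203.0.113.9 443
2022-03-01T00:19:59 10.20.5.44 203.0.113.9 443
2022-03-01T00:25:02 10.20.5.44 203.0.113.9 443
2022-03-01T00:29:57 10.20.5.44 203.0.113.9 443
2022-03-01T00:35:00 10.20.5.44 203.0.113.9 443
2022-03-01T00:00:00 10.20.5.44 10.20.1.1 123
2022-03-01T00:01:04 10.20.5.44 10.20.1.1 123
2022-03-01T00:02:08 10.20.5.44 10.20.1.1 123
2022-03-01T00:03:12 10.20.5.44 10.20.1.1 123
2022-03-01T00:04:16 10.20.5.44 10.20.1.1 123
2022-03-01T00:05:20 10.20.5.44 10.20.1.1 123
2022-03-01T00:00:00 10.20.7.12 198.51.100.5 443
2022-03-01T00:00:01 10.20.7.12 198.51.100.5 443
2022-03-01T00:00:03 10.20.7.12 198.51.100.5 443
2022-03-01T00:12:00 10.20.7.12 198.51.100.5 443
2022-03-01T00:12:05 10.20.7.12 198.51.100.5 443
2022-03-01T00:40:00 10.20.7.12 198.51.100.5 443
2022-03-01T00:41:10 10.20.7.12 198.51.100.5 443
2022-03-01T01:30:00 10.20.7.12 198.51.100.5 443
2022-03-01T00:00:00 10.20.9.3 203.0.113.9 443
2022-03-01T00:05:00 10.20.9.3 203.0.113.9 443
2022-03-01T00:10:00 10.20.9.3 203.0.113.9 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times):
    """Return (median interval in seconds, jitter ratio) for one flow.

    jitter ratio = median absolute deviation of the inter-arrival times
    divided by their median; near 0 means a metronomic caller.
    """
    t = sorted(times)
    deltas = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    med = median(deltas)
    if med <= 0:
        return med, float("inf")
    mad = median(abs(d - med) for d in deltas)
    return med, mad / med


def find_beacons(flows, min_conns=6, max_jitter=0.05, ignore_ports=(123,)):
    """Flag flows with enough connections and a low jitter ratio.

    ignore_ports suppresses protocols that are periodic by design (NTP
    here); without it the NTP sync in the sample is reported as a beacon.
    """
    hits = []
    for (src, dst, dport), times in flows.items():
        if dport in ignore_ports or len(times) < min_conns:
            continue
        med, jitter = beacon_score(times)
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "interval_s": med, "jitter": round(jitter, 3),
                         "count": len(times)})
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the sample, only the camera's 443 flow is reported (about a 302 s period, jitter ratio 0.003); the workstation's bursty traffic scores near 1 and the three-connection host is skipped. Dropping the port allowlist adds the NTP flow to the hits, which is the kind of false positive the text says the LLNL tool was built to reduce. Real beacons often add randomised sleep, so production detectors also look at payload-size regularity and long-lived destination sets rather than timing alone.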

Gleason also detailed this discovery in his written testimony, and here's what he said happened next:

If this whole funding fiasco sounds familiar, it should. It echoes what happened with the Common Vulnerabilities and Exposures (CVE) program earlier this year. 

The CVE program is also managed by CISA, funded through a DHS-approved contract, and administered by nonprofit research hub MITRE.

In April, the US government discontinued funding for MITRE to operate the CVE program before making a last-minute U-turn and promising another 11 months of cash.

Both of these programs provide critical services for network defenders, and allowing funding agreements to lapse shows the larger upheaval happening at CISA — and across the federal government as a whole.

"CISA can only function when it is fully staffed," US Representative Eric Swalwell, a California Democrat, said during the Stuxnet hearing. 

While CISA "should not be free from reforms," he added, "currently it has lost approximately 1,000 employees since the DOGE cuts began to take place. That affects its ability to work with the private sector and be responsive." ®
