Cyber Pros Protecting US Critical Infrastructure
Summary
This Dark Reading Confidential podcast features Becky Bracken interviewing Dave Forbes (Booz Allen) and Frank Cilluffo (McCrary Institute) about the growing difficulty of defending US critical infrastructure from cyber threats. They use maritime ports as a case study to show how deeply interconnected and vulnerable systems are: ports handle huge portions of the economy, rely heavily on foreign-made equipment and legacy operational technology (OT), and form part of a “one connected battle space” an adversary can exploit.
The conversation highlights Volt Typhoon as an example of persistent, pre-positioning activity by the People’s Republic of China, discusses other nation-state and criminal threats, and stresses that the defence posture must shift from “if” to “when” — assume breach, focus on resilience, and take immediate, practical steps. Policy levers such as the reauthorisation of CISA 2015 and continued State and Local Cybersecurity Grant Program (SLCGP) funding are called out as urgent. The guests urge pilots, operational collaboration, trust-building between government and industry, and a national-level call to action.
Key Points
- Maritime ports are a prime critical-infrastructure use case: they influence about $2.1 trillion of the US economy and include national-security ports.
- Around 80% of port cranes and handling equipment are made by a Chinese company, creating supply-chain and hardware-dependency risk.
- Legacy OT systems (some installed decades ago) are now networked via IoT and other technologies, vastly increasing attack surface.
- Volt Typhoon illustrates nation-state pre-positioning and persistence — actors living off the land to enable future disruptive or destructive operations.
- The threat environment mixes nation-states (PRC, Russia, Iran, North Korea) and criminal groups; tools and TTPs are proliferating and becoming user-friendly.
- Two policy items are both urgent and near-term: reauthorisation of CISA 2015 (the information-sharing liability protections) and continued SLCGP funding for state and local cyber defence.
- Defence should assume breach and prioritise resiliency for utilities, ports, schools, hospitals and other essential services.
- Operational collaboration (pilots, labs, Joint Cyber Defense Collaborative, NSA CCC) and trust-building between government and owner-operators are essential; trust takes time to build.
- Actions that organisations can take now: run short pilots (e.g. 120 days) for zero trust or asset visibility, share lessons, and scale effective solutions.
- Consequences for adversaries must be imposed across diplomatic, economic and law-enforcement instruments — defence alone is insufficient.
Why should I read this?
Look, this is not bedtime reading — it’s a wake-up call. If you care about continuity (your business, your local services, or the national supply chain), this episode spells out practical gaps and quick wins. It tells you where the real weak spots are (hello, ports and old OT), what’s already happening (Volt Typhoon), and what you can actually do next week to be less broken. Short version: don’t bury your head in the sand — do something useful and fast.
Context and Relevance
Why it matters: cyber threats to critical infrastructure now directly affect national security, economic stability and public safety. The convergence of legacy systems, widespread connectivity and advanced persistent actors shifts the problem from isolated incidents to a systemic, interconnected battle space. For security leaders, policymakers and infrastructure operators, this means aligning procurement, operations and policy: fund the right programmes, pilot new defensive technology, and institutionalise everyday information-sharing and operational collaboration.
Broader trend links: increased nation-state activity, proliferation of ransomware and crimeware tools, and a policy window where CISA reauthorisation and state/local funding are pivotal. The conversation reinforces that technical fixes must be paired with resources, legal authorities and a national-level call to action.
Author’s take (punchy)
This is must-read-level material for anyone responsible for operational resilience. The podcast cuts past the noise: practical pilots, assume-breach posture, and urgent policy funding are the real levers. If you only do one thing after reading this — start a 120-day pilot for asset visibility or zero trust in a key OT environment and push for your state/local grant funding — you’re already ahead.