HSDF THE PODCAST
The Homeland Security and Defense Forum proudly presents HSDF THE PODCAST, an engaging series of policy discussions with senior government and industry experts on technology and innovation in government. HSDF THE PODCAST looks at how emerging technology - such Artificial Intelligence, cloud computing, 5G, and cybersecurity - is being used to support government missions and secure U.S. national interests.
HSDF THE PODCAST
Critical Infrastructure Protection and Emerging Vulnerabilities Part 2
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Welcome to our “TUESDAY EDITION of HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum
In this episode, we discuss with leaders across government, labs, and industry about how AI changes cyber risk for critical infrastructure and why system-level consequences matter more than single-device vulnerabilities. We map practical ways to test, share, and deploy AI defenses while staying grounded in cyber hygiene, OT reality, and the workforce pipeline.
Featuring:
- Dr. Nate Gleason, Program Leader, Lawrence Livermore National Laboratory
- Matt Hayden, Vice President, Cyber and Emerging Threats, GDIT
- Seth McKinnis, Deputy Assistant National Cyber Director for Critical Infrastructure, Office of the National Cyber Director
- Kiersten Todt, Senior Vice President, Cybersecurity Partnership & Engagement, Mastercard
- Justin Doubleday, Reporter, Federal News Network (moderator)
This discussion took place June 10th, 2026, at HSDF’s Cyber Symposium
Follow HSDF THE PODCAST and never miss latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.
Why Skyfall Lab Exists
SPEAKER_03Yeah, I just want to turn to you because I know your Skyfall lab is things that we're talking about, both AI for cyber defense, AI machine learning for cyber defense, and how adversaries might use AI to target energy grid systems and things like that. So what can you tell us about that work, what you're learning, and how it could inform some of these national efforts that are ongoing? Absolutely.
SPEAKER_01So just uh a word of background, our our Skyfall laboratory is a capability that allows us to take the real physical hardware that exists in critical infrastructure systems, integrate it with our high-performance computing simulation environment so we can understand effects on individual real devices, but then understand how those propagate to system level scale, because we don't really care about effects on devices. We care about effects on systems. And so we've absolutely been using that to help understand AI and the role of AI in critical infrastructure. And actually want to maybe take a step back and broaden the thinking on that just a little bit because a lot of the focus has been on using AI to find vulnerabilities in software and devices. And that absolutely is something important to think about. But AI also helps upskill the adversary in a lot of different ways. One of the really important things about cyber attacks on critical infrastructure is bringing the right level of expertise to that problem. You have to understand how the cyber system works in order to get in and get your access. But if you don't understand how the underlying infrastructure system works, the effects you make are going to be random. If you look at a lot of the early attacks we've seen on critical infrastructure systems, they are break in, cause chaos, get out. The impact of that is a temporary disruption. You get someone in there who really understands how the power grid works, how a water system works, and they make the right manipulations, suddenly you're dealing with a whole different level of problem. And AI helps the adversary learn about those systems and can help them not only find their accesses, find their vulnerabilities, but design those attacks. And so when we think about AI and the use in critical infrastructure, we think about risk in four different categories. One is an important one, too, unintentional failure-friendly AI. We trust an AI system to run our systems. It hallucinates. You push it beyond its boundary, it messes up. That is a very real risk. Second mode of risk is adversary attacking the AI itself. So trying to cause your AI to make incorrect decisions, disrupt your training data, extract sensitive information from the AI models. Third category is what we were talking about before. It's the adversary using AI to design and execute their attack. And then the fourth category is we have to understand AI software. Software has its own vulnerabilities. And so thinking about the common libraries, the common components that are used in these AI models and thinking of them as attack vectors. We try to think about risks all four of those areas at the same time, understanding the true benefits of AI because it's not just a risk thing. It can have a lot of positive impacts as well.
Four Ways AI Raises Risk
SPEAKER_01And so our focus has been on working with, in particular, DOE Caesar and their AI Forts program to design, build, and deploy a series of test beds that address those risks. One of them focuses on understanding an AI model's susceptibility to manipulation and other adversary attacks on the AI itself. There's a second one that focuses on measuring and quantifying the functionality and performance of the AI model. How well does it perform the task it's designed to perform? And a third one that helps aid in the adoption of the AI. Basically, the simple way to think about it, it helps makes an AI show its work to competent humans who can then say, yes, it's coming to the right conclusion. And by the way, it's getting there for the right reasons so that we can build that confidence to use that in our systems.
SPEAKER_03And those test beds are operational today or being built out?
SPEAKER_01Various stages. So we've got uh uh one of them that is operational. We're actually starting to work with industry partners now to test their models. There are others that are in various stages of development, but we hope to get those out and connect with the asset owners and the capability owners very soon.
SPEAKER_03Interesting. Stay tuned on that.
Building AI Security Test Beds
SPEAKER_03One question that struck me as all of you were talking was just how, Matt, you said clearing houses, because there's multiple clearing houses. There's the federal one that's just starting to be built. I'm guessing maybe you're referring to like Project Glasswing from Anthropic and related efforts like that. I mean, how do those come together to effectively address this problem? Should they come together, or how are they coordinated?
SPEAKER_04Well, and right now it's not just domestic. There's international partners that are doing this. There's a global approach similar to the way MasterCard's taking this on. And there's a lot of information sharing that does kind of go from international body to industry and industry to home front. And so there is a lot of telephone game that goes on with those. The good news is there's a lot of people taking a lot of looks at this. And so the coordination is not perfect right now, but at least all the partners at the table all have each other's cell phone. So it's not, it's not an exclusive club to the extent that that information stays inside a bubble.
SPEAKER_03So the office of the national cyber director obviously in a position to kind of oversee a lot of those federal efforts at least and use the power of persuasion to bring in industry. I mean, what can you say about that effort to oversee this at a national scale?
Clearinghouses And Coordination Challenges
SPEAKER_02Yeah. I mean, I think to our earlier discussion around public-private partnerships, it takes both sides bringing sort of their best to the table, right? And that means maybe there's other pieces that flow into that of things that is just industry to industry working together and then they together bring their best or they're bringing individual pieces. But ultimately, you know, ensuring that that's given to, for example, from the critical infrastructure perspective in a clear, coherent way for how that infrastructure entity can prioritize and makes their own security decisions, right? So it's a good thing to have a plethora of different ways that industry and government are working together, but ensuring that those are all at the end of the day presenting a coherent message to the end user from a critical infrastructure perspective or a federal CISO perspective so they can make quicker, more effective decisions to protect their networks.
Sharing Threat Signals At Scale
SPEAKER_03The executive order also talks about making AI cybersecurity tools and services available to state local critical infrastructure. We've talked a little bit about how this can be leveraged to make up some security gains, address both the AI-driven vulnerabilities, but also just broader cybersecurity challenges. I want to ask the panel what might be most useful to entities like that could come out of this executive order from ONCD, from agencies like CISA and others to slow down to these entities. Pearson, any thoughts there?
SPEAKER_00Well, I'll talk about it from an industry side first. I think kind of just going off of what Seth was saying about how we coordinate and collaborate across infrastructure, industry, and government. It's, I think there's the responsibility as I sit in industry right now for industry to share what it's seeing. So from a MasterCard perspective, if we think about fraud, if we think about protection, which I think all of these things are now becoming linked, it's cyber-enabled fraud when we look at protection of critical infrastructure. So we're seeing work that we're bringing in AI to protect the payment ecosystem. So it's being able now to show red flags to financial institutions to say, hey, we're seeing a synthetic identity being used to open an account. Therefore, by preventing that, we're preventing a malicious actor from getting a foothold in the payment infrastructure. And then when we see that, we're able to flag those signals to other entities. So in sharing that, another way is being able to spot threat patterns in transaction decisioning. So MasterCard analyzes transactions and is able to signal to financial institutions when we're seeing not just synthetic identities, but when we're seeing transactions that are likely part of fraud. So I think from an industry side, it's getting at that source. We talked a little bit about supply chain security and we were talking about where the symptoms come from. Industry has a responsibility to look to identify the source and to help prevent and importantly share those indicators, not just of compromise, but of interest. One of the things that we talked about at CISA was we're not just sharing what we see from a compromise perspective, but we're seeing, we're seeing when we see an indicator of interest, when something might be happening. And I think that to Seth's point, you know, we've always said cyber is a team sport. You can't do one entity doesn't do this by itself. It's being able to share that. And I think what is fascinating right now is industry knows its sector very well. There are some sectors that can cut across and have that visibility, but government sits and is able to see cross-sector, which is also why I think I'm interested, particularly interested in the clearinghouse, because it's really looking at that cross-sector capability. So we have to be able to share these threat signals, importantly, getting to this place of not just what we're seeing and where the threats are, but where we think they're coming from.
SPEAKER_03Other thoughts? Yeah, tools and services. So just building off what Kirsten said.
SPEAKER_04I mean, the challenge is you have a lot of different opportunities with what you can see from the internet. Like the traditional human-centric security tooling we've done is vulnerability management, threat hunting, and attack service management have been one of the three most valuable techniques and tools we've seen that complements any good SOC, any good network security package. But when we start talking about the clearinghouse prioritizing a lot of speed and scale, we're actually going to need those at speed and scale. And so that action that we're looking to have driven, we need that clearinghouse to really be a home orchestration. That's the term for taking all of these collaborative efforts and producing group action. And that's where we're going to have a lot of incentives to use AI-shared tools that can both be disseminated by states, by CISA or other particular, like for example, energy has shared resources as well, their sector by sector resources that are available. I think that there you're going to start to see what used to be a challenge to share because it was so subject matter expert dependent, as a deep dive on vulnerabilities of my network, you're going to start to see AI-based tools that are genic that can actually be sent out and done to networks on behalf of others and have a privacy quotient to that as well, to where you actually do get to Christian's point about predictive prioritization and the ability to have an orchestration at scale to know that certain people are covered down on and certain people still have work to do.
Cyber Hygiene Versus The AI Craze
SPEAKER_03Is there a risk that we get caught up in this AI kind of craze? And we've been talking about cyber hygiene so much for the last five years, and we lose a little bit of focus on the basics, or can that happen in concert? I don't know if anyone has thoughts there.
SPEAKER_00Well, I think it has to happen in concert. I mean, we can't lose sight of cyber hygiene, but I do think, you know, we're talking about when Nate was saying upskilling, I thought he was going to talk about for our labor force, right? I mean, I know he was going some, but there is this both sides, right? So AI to help us with cyber hygiene. I think that, you know, is going back to the small business piece and small business and cybersecurity. I think AI to help small businesses, that's one of the key elements is cyber hygiene and how you can automate some of these defense tools and what that looks like. But these things can never happen in isolation. And so we have to be thinking about how they are working in concert.
unknownYeah.
SPEAKER_01And I think the importance of cyber hygiene is if you haven't taken care of the easy stuff, the adversaries aren't going to use their best stuff against you. So you got to raise the baseline and force them to at least try. So that's super important. I do want to come back to how we use AI on defense. And I think uh, you know, the simple way to say that the best defense against the bad guy with AI, we think about adversaries using AI to discover vulnerabilities and write exploits. You know, we have to think about how the good guys use AI to discover vulnerabilities and write patches. Where that gets challenging is in critical infrastructure systems, patching is not an easy thing to do. Just because you write a patch doesn't mean you can deploy that patch out into your system or that you'd even want to. And so you have to think of other compensating controls. So vulnerability comes out, an exploit's developed. Maybe you can't patch for months or years. So you write firewall rules, you write detection rules to detect those exploits that are coming in and try to contain that threat. And so a lot of the focus that we've been seeing is taking those AI tools and again helping to upskill and scale our workforce, just like you were mentioning. So one of the things that we're excited about is the ability to take threat hunting and take our expert threat hunters, code the way they look at systems into these AI models, and then hand that off to some of the smaller entities who maybe don't have that level of expertise. And you can take you're not going to take a novice and turn them into an expert, but you can take a novice and turn them into someone who's decent, or you can take someone who's decent and make them really good. And so using AI in that sort of way on the defensive way and investing in how we can use AI as defenders, not just the way the adversary is thinking about it, but how do we use it to secure our systems?
Securing OT Without Breaking Availability
SPEAKER_03I want to hone in on operational technology here because obviously it's such a key piece of critical infrastructure. And the same day that the AI security executive order was released, CISAR released an advisory on automated tank gauge readers and how they were being targeted. And that got a lot less press than the AI security executive order. Reading through it was also somewhat alarming that these types of technologies are being successfully targeted by adversaries in some cases. And so, Nate, maybe we can start with you because this is so much what the lab looks at. OT specifically, what are some of the key challenges and opportunities for securing those today that you're working on?
SPEAKER_01Yeah. So I mean, one challenge is what I mentioned before. The idea of rapid patching of OT just is not feasible. If you think about the confidentiality, integrity, availability triad, OT has traditionally focused very heavily on availability, the other two not as important because the idea was you know, that network's isolated. It's not connected to anything. We don't need to worry about security. That's not true anymore. You know, with the increasing conversions of IT and OT, and that doesn't necessarily mean your OT systems are connected to your IT systems, but means your OT systems use technology that's also used on IT networks in those OT systems. Security becomes a lot more important. Right now, if you can get on an OT network, a lot of times you can communicate directly with the physical devices on that network, issue them commands, they execute them. They don't have that questioning nature that devices we've learned to build into things that are on IT systems. They get a command, they follow it. And so it is very easy if you can get access to those networks to cause those disruptions. And so we need to think about how we build security into those OT systems without compromising availability. Because again, my desktop computer crashes, I just reboot it and I lose a minute or two of productivity. An OT system crashes, there are physical consequences that are not acceptable. And so trying to build in that security without compromising the availability concern is the biggest challenge with OT.
SPEAKER_03Seth, and your pilots with critical infrastructure, the defense critical infrastructure pilots, some of the work that's emerging on AI, how does OT factor into what you're looking at from your perch?
SPEAKER_02OT is a big piece. As Nay alluded to, we've seen more convergence between OT and IT over the years. Much of that OT, certainly not all of it, but a lot of it has been around for a very long time by design. They're high availability systems that are designed to work for 15 or 20 or plus years, and maybe people are using them even past end of life to keep with integrations with other systems they're having. And especially as we see sort of the innovation happening in the AI space, I think there's a unique opportunity to be able to say, hey, how do we help some of those small entities who have a lot of OG, maybe out of date? And also there's some new technologies to be able to help test. We're not going to be able to do that everywhere in the US all at the same time. But I think the pilots do have an opportunity. And the concept behind them is to say, hey, let's pick a particular set, pick some technology that we think public-private partnership, and say, let's test these on actual networks, see what works, and then help states, localities, critical infrastructure, help scale those to protect those systems, particularly those that are at the long tail, that are just not thinking day in and day out about what's the cutting edge technology that I could be used to protect my water system, my rural hospital, my local power utility that are not only key dependencies for their own communities, but also for maybe the defense installation that's in that area for a key dependency for other parts of critical infrastructure or other federal systems.
SPEAKER_00I think to add on to that, we've talked a lot about the interdependency across sectors. I think what Seth was talking through and Nate, we also have to remember that there's that interdependency to state and local level. And I think that's where OT really comes into play is making sure that the state and local governments, that the entities in this administration has really invested a lot in pushing resources to the state and local governments. I think that's going to be super important for the OT security and safety because there's a psychology to OT breaches when physical things get attacked. That really impacts how we're looking at security and safety as a nation and more globally. So that ability to work more closely with state and local governments on this IT OT convergence is becoming even more urgent than it's ever been.
Fixing The Cyber Workforce Pipeline
SPEAKER_03We have about 10 minutes for questions. We have some mics set around the room. Does anyone have a question? I can keep asking them to keep that. All right. Well, if something pops up, shout out. Whatever. But we wanted to talk about workforce, I think, as well as part of this panel. I know it's a big part of the cyber strategy. It's a big part of actually the AI security executive order mentions workforce hiring, I think, that the tech force. And when we talk about critical infrastructure, so disparate, so many different entities, I think we've often heard that they lack the workforce in many cases to address these issues. Nate, you just talked a little bit about what your lab is working on as far as pushing that type of AI-driven training. But how do we get around this problem of the cyber workforce, especially in today's day and age with AI-driven threats and other things? Seth, can you talk about the national cyber directors piece?
SPEAKER_04Yeah.
SPEAKER_02The president's directly said that like the cyber workforce in the United States is a national asset and it's worthy of investment, right? And I think in our work around cyber workforce, it's important to think through there's a lot of different capabilities that exist across the private sector, across various places in government, but there's not a clear cohesive way for putting yourself in the shoes of a small town individual, you're coming up out of maybe middle school or high school, you're like, I'm really interested in cyber. How do you then go from that to then gaining those skills, gaining those capabilities, maybe going into the government, going into a private sector, going back and forth between those entities, right? And so is part of the work around pillar six and the workforce really building what we call the cyber academy. And Sean and others in the National Cyber Director's Office have talked about this. But essentially the concept is how do you less like a brick and mortar academy, but what does that workforce pipeline look like to be able to ensure that it's local, that it's accessible, and that it works not only for talent here coming to, you know, government agencies like a CISA or an NSA or whatever, but also for those local utilities, for businesses who are also, you know, struggling to find the right people and ensure that there's a cohesive way that people can then cycle back and forth between the public and private fields without losing their security clearance, going through a bureaucratic process, right? How do we make that as streamlined as possible? So I'll mention three things. One, the academy is sort of that overall pipeline. The second is what we're calling the accelerator. And that's essentially like if you have an interesting idea, how do you then go to get pre-seed money to be able to build that into a workable prototype, right? Knowing that like this is something that we need to continue and accelerate that innovation and having a place that is an easy way to get that for innovative ideas. And then the last piece is around what we're calling the foundry essentially of like, how do you then for prototypes that work well, how do you scale those? How do you get those and help innovators get that to market? So I think it's pretty exciting because it sort of approaches the workforce problem from a few different angles, right? From both the accelerating innovation side, but also making it very easy and accessible for people who are either new into cyber or also want to add new skills and retool to be able to do that in a cohesive way across government and industry.
SPEAKER_03Anyone else just on the workforce piece?
SPEAKER_04So having 30,000 employees that are under the umbrella of technology at GDIT meant that we have to both blend use case experts with lifetime learners and technology expertise. And so that is a constant cycle where everyone on board has to have that perspective where they have to evolve their use case knowledge or the technology knowledge or both to be able to support a large amount of people and a large amount of companies and services at the same time. And so we work with academia, we work with the certifying entities to try and get an idea of like what is that pace watering down to? Like, is it 18 months you have to learn something new? Is it every two years that you have an expertise? What are the embed practices where if you have someone that has a very amazing skill that's working on a specific program, how do you lift and shift them to promote them into a more managerial executive position so they can bring more people into that expertise. Expertise, understanding. And it is a full-time job. It is not something that's taken lightly. And while AI does really help support the lifetime learning aspects as well as really poke at all those use cases for additional implementation, it is a challenge. There's candidly a gap between I just graduated high school or I just graduated college. How do I get that first one through three years of experience? And that is very difficult to get. So we're working with academia to try and do like, hey, can people start getting clearances through agencies at say freshman year and get them in that 1819 window to where they're expedited into the workforce with a lot of understanding and almost a journeyman approach with academia so that it's not just this cold start of, okay, I've got a computer science degree. How do I help? I mean, there's really a challenge getting that first rung in the door. And so that's where we're really focusing a lot of our energy right now.
SPEAKER_01I think it's even more of a challenge also because to really effectively work in this space, you need an interdisciplinary skill set. You can't come in with just one background. And this has been a big challenge for us, as I'm sure everyone is how do you find the people who have that background? We partner with universities as well and try to reach out. We haven't found programs out there yet that produce that interdisciplinary type of skill set. One of the things that we've started to do is we built a summer program where we bring in students from all over the country, various different backgrounds, and really introduce them to the problem of critical infrastructure cybersecurity. The idea is to get them hooked on how important of a mission this is, get the electrical engineer, the chemical engineer to talk with their cybersecurity colleague and work together. And over the course of the summer, really familiarize them with these sorts of problems so that hopefully when they finish school and they go to graduate, that they'll start looking to work in this space, whether it's with us, with other organizations, with the federal government. We've actually been pretty successful of once you get people hooked on the mission, they'll come. We sit out in the San Francisco area region. There's a lot of tech companies there who will pay obscene salaries for folks with skill sets. We want people to come to us, not for that, but because they think this mission is so important to the country. And so building that in while they're still in school is super important.
SPEAKER_00Just to add on to that, I think the investing in the Skills Academy is really important. MasterCard is working with a nice framework here globally in the EU, with Asia Pacific, Latin America, how we build that out internationally. I think the other piece, though, I'm a big proponent of the interdisciplinary approach to the workforce because I think it's how do we help individuals see the capabilities and the aptitudes that they have being relevant to the cyber workforce. And it's beyond being a computer scientist or an engineer. We need historians, we need politicians, we need social scientists, economists, psychologists, psychiatrists, all in this space. And the other piece, it's another way of looking at neurodiversity. I think one of the elements that has been so powerful about AI is that it is taking out some of those necessary qualities that we're investing in in engineering, but it's allowing others who may not have those aptitudes to be able to highlight the aptitudes that they do have to bring into that space. If you look at neurodiversity, we're seeing companies now that have neurodiverse workforces that are winning large government contracts to build AI algorithms to support this broader perspective and understanding. And so as we're thinking about building out the cyber workforce, it's not just investing in the computer scientists and the engineers that's obviously incredibly critical, but helping individuals at a young age see themselves in cyber, even if they're not going to go into that engineering perspective. Because if we're truly gonna look at these issues to build solutions and to solve problems, we have to make sure that we've got the commitment from this younger generation, but also to see themselves in how their aptitudes can feed into that. And I think that is a critical element for not just where we are today, but how we're building out the workforce for tomorrow.