HSDF THE PODCAST

Critical Infrastructure Protection and Emerging Vulnerabilities Part 1

Kevin Long

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 27:15

Welcome to our “TUESDAY EDITION of HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum

 In this episode, we map how AI is reshaping critical infrastructure cybersecurity, from identity-based break-ins to the shrinking window between a patch and an exploit. We also weigh what government, frontier labs, and industry can do together so small utilities and suppliers can defend at the same speed as well-resourced adversaries.

 

Featuring:

  • Dr. Nate Gleason, Program Leader, Lawrence Livermore National Laboratory 
  • Matt Hayden, Vice President, Cyber and Emerging Threats, GDIT
  • Seth McKinnis, Deputy Assistant National Cyber Director for Critical Infrastructure, Office of the National Cyber Director
  • Kiersten Todt, Senior Vice President, Cybersecurity Partnership & Engagement, Mastercard
  • Justin Doubleday, Reporter, Federal News Network (moderator)

 This discussion took place June 10th, 2026, at HSDF’s Cyber Symposium

Follow  HSDF THE PODCAST and never miss latest insider talk on government technology, innovation, and security.  Visit the HSDF YouTube channel to view hours of insightful policy discussion.  For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.

The Rising Stakes For Infrastructure

SPEAKER_04

We are going to talk about AI, of course. And I think more broadly, this notion of critical infrastructure protection has just gotten more and more high profile over the last five, six years at the very least. But AI is really animating a lot of the discussions today with the recent security executive order and of course the methos advancements and other advancements with these large language models and with these AI models. I'd love to just get the panel's initial viewpoints to level set a little bit. What are some of the biggest challenges when it comes to critical infrastructure protection and cybersecurity today as you see it? Kirsten, we can start with you and go down the line.

Fragmentation LLMs And Stolen Credentials

SPEAKER_00

Thank you. Well, and thanks very much for the opportunity to have this conversation. Looking forward to the perspectives on the panel. I think first we sort of need to step back and look at the threat. And I'll talk about this from the perspective of critical infrastructure. While MasterCard is not critical infrastructure in the United States, it is identified as critical infrastructure in some other countries, such as UK, Australia. But the idea of how we're underpinning the digital economic infrastructure and what we see, I think gives us visibility to share a little bit more about the threat. And I think as we see the threat, it's sort of looked at in two perspectives. Right now, we see a real challenge with fragmentation globally. And so the inability to share as readily telemetry and data. And we're seeing this both in commerce and defense. We see the acceleration of technology and innovation from a vulnerability perspective. And we see that with LLMs being used. Last year, Recorded Future had a state of security report from 2025 where they documented the first AI-powered ransomware prompt lock, where you saw LLMs being used to generate malicious scripts. But importantly, the most urgent threat is identity-centric failures, where we're seeing the opportunity to just log in and not break in, where you don't have to actually take down firewalls, you just need to steal credentials. So if we look at all of this, then what do we do? I think where MasterCard is positioned in 2025, we saw 175 billion transactions. But if you marry the insights that we see from the payments networks and the digital ecosystem with what we're seeing from recorded future and threat intelligence, we're able to identify emerging patterns. And I think that's where we get to this predictive intelligence piece because the vulnerabilities, as we've talked about, we're seeing the adversary pre-position itself on our networks. We're seeing patients being used against us. We're not able to see all of the pre-positioning. We know that it's there. But our ability to understand where the threats are, not just where they are, but where they're coming from, has never been more important. So as we're seeing what the threat environment is, particularly with critical infrastructure, being able to offer predictive intelligence, being able to say, we're seeing this threat, but we're seeing how the actor is pre-positioning for this country using these tools for the future, that helps us create more resilience and helps us to arm critical infrastructure globally to be more resilient against that threat.

National Cyber Strategy And Tech Debt

SPEAKER_04

Seth, the office of the National Cyber Director, just released a national cyber strategy a few short months ago, feels like forever ago. But critical infrastructure is, of course, a pillar under that strategy, pillar four, I believe. So how are you getting after that?

SPEAKER_02

So a couple of things. First, zooming out like critical infrastructure, as you all know as well as anyone across the White House, is a priority to say these underpin not only our national security interests, but also communities and towns across the country. And the number of times where that comes up in conversation, where it's like, what does this mean for water utility? What does this mean? It's top of mind. And I think you see that in the national cyber strategy to say, like, our critical infrastructure has what are the vulnerabilities and issues that we need to start tackling and continue to tackle. From the challenge side, I'd say a couple things and then zoom back out to the cyber strategy itself. First, I think the first challenge that we've repeatedly seen is that cyber adversaries don't really think twice before attacking critical infrastructure, right? Whether that's a nation state actor or a cyber criminal. We've seen that repeatedly, where we have an opportunity to really change their calculus and ensure that there's cost when they are targeting critical infrastructure in the US. And second, I think on the insecure technology and thinking of legacy systems as well, like those, there's a lot of tech debt that's been built up across critical infrastructure. Think of whether that's a large company or a small utility. There's a lot of opportunity to say what are the ways that we can continue to replace those with secure technologies that are built with security in mind and are built with the right defenses and depth in place. Because I mean, we can patch all day, we should get better at doing that, but ultimately, like we have to move to a more proactive posture. And I think it's really exciting to see the innovation that's happening in the AI space. But with that innovation and the amazing like automation that's happening, we also see that, you know, the existing patch lifecycle is sort of not working in the way it was. You can argue whether or not it was working a couple of years ago, but certainly is not working in the current moment, right? Like the ability for an organization to say, hey, I patch normal have vulnerabilities and I'll think about mediums and lows later just doesn't work in the current moment. And the ability to both leverage AI for defensive purposes and work faster and more effectively at speed, and also build in defense in depth is going to be really critical. And I think the reason why I mentioned those three is I think you see all of those woven through the cyber strategy, the pillars, right, around really shaping adversary behavior, as you said on pillar four, hardening critical infrastructure. And pillar three on the flip side is like we need to do the same thing for our own federal civilian networks, right? Like we don't need to just ask critical infrastructure to fix their issues. We need to eat our own dog food and ensure that we're doing that across our federal civilian networks and our national security systems. And we can't do that without the last two pieces of the strategy, which are one, ensuring innovation across, you know, think of AI, quantum, other emerging technologies. And last but not least, the workforce piece, right? Like none of this happens if we don't have smart humans and working with agents and other capabilities to be able to get after this. And all of those require us across government and across private sector be working together. None of those pillars can work, including the critical infrastructure side.

SPEAKER_04

I just want to stick with you really quickly. I think when the strategy came out, there was discussion about critical infrastructure pilots. And I'm wondering any updates to share? How are those

Pilots For Small Utilities

SPEAKER_04

progressing?

SPEAKER_02

Any details on those fronts? So on the pilot front, the concept behind that is to say there's a lot of critical infrastructure across the US, right? A lot of those are in that long tail where they're the proverbial local utility who does not have enough staff to be able to effectively defend themselves against a nation state actor for sure, not a fair fight. How can we come alongside and work between public and private sectors to bring and test innovative capability that they might not otherwise have access or easy access to and essentially help them to do that in a way that demonstrably changes their security posture? So let's say, hey, here's a white paper, have fun reading and translating this to your environment. But more, how can we go hand in hand with them to change the security posture in their environment in say a small water utility or a rural hospital or a key dependency for next to a military installation? So a few things I'd share there. One, we're already working on a couple of those. We have some more continuing to explore, but we've already seen some interesting work. You've probably seen Sis and some others talking about some of the work they're doing on defense critical infrastructure. So that's been part of the work that we're doing as well, because so many of these military installations have key dependencies that in many cases need a single voice and help from the federal government and from the private sector to be able to improve their security posture.

The Haves And Have Nots Gap

SPEAKER_04

Matt, you've been looking at this issue, working on this issue for a long time. Your former agency at CISA, now at GDIT. What do you think are some of the most pertinent challenges and opportunities in critical infrastructure, cybersecurity protection?

SPEAKER_03

So right now you've got an industry across when we start talking about critical infrastructure, it's really about things we all depend on for life safety and other national critical functions. Those are broken into currently haves and have-nots. There's the large enterprises that have very expensive tools that allow them to be dynamic when new threat information is provided. Those entities that can't react dynamically to new threat information are the problem. They are the ones that are going to be a part of that supply chain that doesn't have the money, the people, the speed, the scale to operate that way. There is another side of that sliding scale where technology is becoming cheaper, more available, available to be as a shared service to do that predictive aspect that we heard. I think predictive is where everybody wants to be. Like, how do I evaluate my system for trends and things that are coming? And in the past, that's been a very expensive question. And getting it to a point where is it a federal role? Is it a state role? But where can we start to probe and get that predictive analysis in place so that we can actually have real priorities in front of anyone that has any system that we depend upon? And so having that prioritization is going to be as key as the security tools that they have on site. And that's where we're looking at how do we start with states? How do we work with the federal government? How do we integrate those partnerships to where municipalities, where the small co-ops, the pipeline for the DIB, like all of those elements that make up the supply chain for what we do every day aren't necessarily built for advanced cyber threats. And so there's a lot going on in which we try to make automated decisions, automated predictive analysis, something that can be provided at scale to those individuals and services providers so that it's not as hazardous as it is today.

Layered Defense And Operating Through Breach

SPEAKER_04

And we're going to get into sharing information across that really diverse critical infrastructure sets of organizations that you mentioned, but I want to make sure we get to Nate here because you have a really interesting perspective from Lawrence Livermore. Of course, the test beds that you run. What can you tell us about what you're learning about threats to critical infrastructure, how to best defend against them?

SPEAKER_01

Yeah, well, Seth took the words right out of my mouth a few minutes ago. It is not a fair fight. We have nation-state level adversaries going up against critical infrastructure. The big, well-resourced utilities, the very small utilities. That's not fair. One of the places we do a lot of work with is the island of Guam, the territory of Guam. They have a very impressive group of folks there that try very hard, but they are also squarely in the target of our number one adversary. And so finding a way to help even that fight is critically important. The idea that we're going to build a system that's secure enough that the adversary can't get in just isn't realistic. Our nation-state level adversaries have too many resources at their disposal between network intrusion, supply chain compromise, close access operations, placing insiders, they will find a way to get in. And so our focus has been on using a layered defense approach to try to make it as difficult as possible at each step for the adversary to achieve their objectives. And it starts with understanding the critical infrastructure system. So understanding how the cyberpiece and the physical infrastructure come together to form a system, how those are interdependent from other sectors, particularly energy, water, transportation, communications. Those are the big four that we tend to care about the most. And then understanding how bad things can happen. If an adversary is trying to achieve a goal, where would they attack in your system? Where are the most likely targets? Where should you focus on looking for the adversary? Once we understand the system, we do our best to keep the adversary out. A lot of this is securing the supply chain, securing the software that comes into our system, securing the hardware and the devices that go into our systems. But then they're still going to get in. So how do we build advanced detection capabilities that can detect persistent threats? Again, our focus is not so much the attackers who come and try to lock up your system, deface your system, make a big splash. It's the China, it's the Russia who want to get into the system, burrow in, and just sit quietly and wait until they really need it. And then you'll find out, oh, my power doesn't work, or you know, the cranes and the ports don't work. Detecting those threats. And the piece of that is we're going to miss some. So how do we take advantage of the distributed diverse nature of critical infrastructure to build in resilience and build in the ability to operate through compromise? So even if part of your system is compromised, you're still able to accomplish your mission.

AI Executive Order And The Clearinghouse

SPEAKER_04

Let's talk about the AI security executive order because that gives us a lot to really consider and chew on. Of course, there is the 30-day review period that everyone is talking about. It also encourages AI developers to provide critical infrastructure entities with early access to AI systems to strengthen cybersecurity protections. Will some of those mechanisms that are now emerging from this security executive order, how can they be best effective to secure critical infrastructure against the threats that you have all talked about? And of course, now with this really quickening pace between vulnerability detection and exploit creation that AI is now creating. I'm curious if we can talk start with you again.

SPEAKER_00

I'll focus on one part of the EO, which is the clearinghouse, because I think this is a very interesting structure. When you first see it, it's this, well, are people going to share? And I would sort of push us back to the late 90s with the ISACs, the information sharing and analysis centers, when those were created by sector and there was this sense of, hey, you know, sectors aren't going to share information with their competitors. But what ended up happening was the threat environment evolved in such a way that it made that type of community and that type of exchange critical to security. It's this idea of collective defense. We're all better when we're working together. And I think if we push this forward from my time at CISA, there was the joint cyber defense collaborative. The JCDC was really about that operational collaboration. And in 2021, the log for shell incident was about entities sharing that information with CISA was actually somebody at CISA who developed the remediation from that information. And I think that's very critical. So when we think about this clearinghouse, the two pieces that I are really important are what we're all talking about is the cybersecurity environment, what we're facing from the challenges that hasn't really changed. What has changed is speed, right? At all costs, what we're seeing, the compression time from the identification, exploitation, remediation, that speed is unprecedented. There was an article talking about how Mythos exploited a vulnerability in under 31 minutes that went from a patch to being able to exploit it. So that compression time is something that we're all dealing with. And what this means is no entity and no sector is going to be able to do it by itself. And I think it's fascinating to think about the clearinghouse from a cross-sector perspective and how we're going to share that information and what collaboration looks like. Because the key now for the future is really going to be collaboration at speed, how we're sharing that information. So there are a lot of elements, and I think the AIEO is really talking about time when you look at the 30 days and other pieces. But from the perspective of industry, we have to be working together to understand where we're seeing the threats and importantly what we're doing and how we're going to share some of that remediation time. Because the compression between when we identify that exploit, when we're able to remediate, that is where the success comes from. And I know we'll get into this conversation about AI for defense and AI for good, but I think the piece here now is how industry is going to work together to be able to share that information and what we'll do with it to be stronger and to be more resilient.

Bringing Small Suppliers Into Sharing

SPEAKER_04

Any lessons from the creation of JCDC and other likewise efforts in terms of pulling in the have nots and critical infrastructure into these types of mechanisms because there are hundreds of thousands of entities out there. How do you find the right ones, get them the information, and then help them action it?

SPEAKER_00

It's a great question because I think supply chain security is going to be even more important with AI. I think one of the things that MasterCard is very focused on is helping small businesses. We all know that we're only as strong as the weakest link. I think COVID was a fascinating demonstration. You saw large manufacturing companies that were firewalled six ways to Sunday, but they came down because they had a small business who was not digitally resilient when we went all digital. I think it's looking at how do we build out that ecosystem of trust and how do we build out the ecosystem of security. So from the perspective of sectors, it's the responsibility of industry to bring in those businesses to invest in them. As MasterCard looks at working with small businesses, it's all about the connections within the digital supply chain and economic infrastructure. And it can't be discriminating. I mean, I think going back to the ISAC model, at first it was, well, we're only going to bring in the big companies. And it got to a place of, no, we've actually got to be bringing in everybody. I think the opportunity with AI means that we have the ability to be more inclusive. We'll talk about the challenges, but AI actually has the ability to help smaller businesses become stronger. If we use AI as a tool, they can become more secure. They can be brought into these conversations and but importantly brought into the structure of the sharing. And I think for all the things that when we're automating about remediation, when we're automating to protect, we can automate for the ability to actually secure offensively to secure in a more effective way. So the models, what JCDC has done and evolved over time, it's bringing in where we're going to find the greatest effort. But I think the better model are the ISACs and the sector-specific entities and then how we're working cross-sector to bring them together.

Open Source Security And Responsible Innovation

SPEAKER_04

So the National Cyber Director's Office is laced throughout that AI security executive order, a lot of important work there. What are you focused on specifically?

SPEAKER_02

So I think zooming out the exciting moment, right? When you see the innovation that's happening in the AI space, and I think, yes, they're important to think smartly about the security implications of that. But there's also, to your point, so many opportunities that come from both a security and innovation perspective. Every single top model right now is coming out of a US lab. And that's not something that we should take for granted, right? And I think from that perspective, what we really focused on in the EO is ensuring that it does two things. One, that it continues to accelerate that responsible innovation from US frontier labs. They can continue to do the good work that they're doing and ensure that we're doing that smartly. And also ensuring as we're doing that, that security is built with security in mind, right? And so as we look across both how those models are used in the EO, you'll sort of see a couple different categories, right? So you'll see our national security systems, you'll see our federal systems across the FSEB, and then you'll see critical infrastructure, right, in the broader community. I think those are very intentional from our perspective because those in many ways are the different ways that we can, from a security perspective, can use and accelerate those efforts. If you look at the federal civilian executive branch agencies or FSEB in the EO, working right now with CISA and OMB to say, how do we accelerate if you're a federal CISO to bring on additional tooling and to ensure that the tooling you have is working faster and more effectively, right? I think for too long, federal environments have dragged behind the private sector in terms of what their security and state of the art in terms of their security posture, defense and depth, et cetera. And that also includes bringing on additional AI tooling to be able to do those defensive measures at speed and also at add at scale, right? That's the other thing that I think AI is changing, the ability for a threat actor to do this at a different scale than they probably could if you're relying on human speed. On the critical infrastructure front, I think touch on two things. One, the clearinghouse. And I think the clearinghouse will be really important because when you see, especially across, say, for example, open source, right? How do we ensure that we're doing security scans across open source? We're not missing key packages and we're not wasting a bunch of tokens pointing it at the same three libraries, right? And then also when those vulnerabilities are found, how do we ensure that we've done a good job working again as a public-private voluntary partnership to do the right level of validation so that those maintainers are not completely overwhelmed with a mountain of vulnerabilities, only of which a small percentage of them are actually exploitable, for example, right? Doing that on the front end will really help us to build the right posture and improve the security of those. Open source is one example, but you could draw that out across different sectors, across different uses. And then I think on the framework piece that I would say, and I'll steal a line from Sean, the national cyber director, is like, this is really the first time that we've seen this level of kind of nation state level innovation capability come purely out of the private sector. And that means that it does have national security implications. And we want to work smartly again in a private or public-private context to say what are those national security implications? What are those implications for critical infrastructure? And how do we think about those smartly as the next set of models and the models after that come out to ensure that that's resulting in more innovation and more security and not the opposite

Prioritized Vulnerability Triage Plus Guardrails

SPEAKER_02

of it?

SPEAKER_04

Matt, we were talking about the new AI binding operational directive that CISA released just this morning. I know it's targeted at federal agencies, but it talks about shifting to more prioritized vulnerability management. More broadly, why is that concept important? How can we shift toward that for critical infrastructure as well?

SPEAKER_03

Good news about the federal binding operation or bods is that it's really not a smoke signal. Everybody gets an industry like, hey, you should do this too. Yeah. And so there is really a signal absent, a forcing function with these messages that CISA gets to put out. What this particular document outlines is as there are hundreds or thousands of vulnerabilities that come out of these clearinghouses, if there are priorities that are directed, these are the amount of days that the federal partners have to remediate and follow implementation on their system. So if it is something that is a known exploit that's being exploited, has access to the internet, is currently listed out of that clearinghouse, if it hits all three yeses, that's a three-day or less turnaround time. It gets to where if it's not on the internet or if it's not all the way on the system that can be accessed, not on the Kev list, it might be something that you can do with your next modernization effort. So it's a sliding scale on how prioritized things have to be based on things coming out of the clearinghouse. Now, we're used to a binding directive coming out saying there's a router that has to have this firmware. You know, this one is not that specific except to say this is going to be the rules of the road moving forward. And so it allows all of our socks across the country, all of our partners to say, okay, this is the new triage that we have to put in place for both risk management. Now, I will tell you anything that says anything in days, weeks, months, it is not going to satisfy a traditional CISO right now. They have seconds, minutes, a day. And so it's a government pace that they're putting realism behind, but at the same time, it's a live fire challenge that all critical infrastructure is going to have to deal with. So, as a product of, like, say, for example, the next Mythos or the next OpenAI, the next frontier model comes out and identifies a significant access vulnerability to a lot of our edge or endpoint devices. That's something that clearinghouse is going to have to then turn and be very loud about. To Kirst's point, they're going to have to have a megaphone. They're going to have to be out loud and proud about how everyone needs to approach this because they're not going to be able to push a patch to address it nationally, but they're going to need to have it because there are certain devices that are in almost 50% of critical infrastructure out there, especially when it comes to those edge devices. And so there is going to be a pressure balance on getting this out.

SPEAKER_00

One quick thing to that, because I think we've seen that some of the models are coming out with sort of safer models. We saw Fable and others with guardrails. And I think what's just really important, following off of what Matt said, is while the companies can put those in, it does not take away from the opportunity for those guardrails to be jailbrook. And so I think that we've got to really be thinking through all of this. It's great that that has to happen and commend the companies for doing that. But as we're thinking through this, the goal and the vision has to really be looking at always being ahead of the adversary and making sure that those safeguards are resilient, but that they're always improving.

SPEAKER_03

And from a national security systems perspective, even in that 30 day window, that's too late. Yeah. From a national security system, they have to be ahead of that. And so critical infrastructure gets a little bit of a lead time with the folks over at DOW and others hardening their systems in advance of what may come to have some lessons learned.