National Laboratory Ceases Monitoring of U.S. Critical Infrastructure for Cyberthreats

Expert reveals that funding holdup at DHS has left some critical infrastructure more vulnerable to novel cybersecurity attacks

Screenshot of Rep. Eric Swalwell, D-Calif., questioning witnesses during the House Subcommittee on Cybersecurity and Infrastructure Protection Hearing from Tuesday, July 22, 2025.

WASHINGTON, July 23, 2025 – A major partner with the government’s CyberSentry program was no longer monitoring systems for zero-day cyberattacks.

Dr. Nate Gleason, program leader at Lawrence Livermore National Laboratory, told lawmakers on Tuesday that funding agreements between his organization and the CyberSentry program were bogged down at the Department of Homeland Security. 

Those agreements allowed the National Laboratory to monitor operational technology infrastructure from participating entities and detect potential threats. The delay forced the lab to stop monitoring incoming data on Sunday.

Ranking member Eric Swalwell, D-Calif., appeared dumbfounded.

“You’re telling me, because you don’t have the funding, you’re not allowed to look at the data legally. That’s the problem,” Swalwell asked Gleason. “So theoretically, we have deployed sensors on critical infrastructure and there could be a malicious attack occurring right now that you are not legally able to see until the program is refunded?”

“That is correct,” Gleason said.

The Cybersecurity and Infrastructure Security Agency (CISA), which administers the CyberSentry program, also monitors these sites, but its monitoring focuses on identifying already-known threats, though it can catch some novel attacks.

In response, Chris Butera, CISA’s acting executive assistant director for cybersecurity, told news site CyberScoop that its analysts continue to review the live sensor feed for signature hits and traffic anomalies, so the program’s baseline monitoring ‘remains fully operational’ even without the Lawrence Livermore National Laboratory’s deep‑dive analytics.

Lab’s advanced analytics uncover hidden threats

In contrast, Livermore uses advanced analytics and artificial intelligence to focus on detecting cyberattacks never seen before, such as those deployed by nation-states. In 2022, the lab detected Chinese surveillance cameras that had been secretly built into U.S. critical infrastructure systems. The lab developed tools to detect these cameras, and according to the laboratory, found hundreds of cameras on some individual networks.

Though CISA doesn’t publish a list of program participants, Gleason’s written testimony notes that “participants are from a wide range of critical infrastructure sectors including energy; water and wastewater; transportation; chemical; nuclear reactors, materials and waste; food and agriculture; dams; and critical manufacturing.”

In addition, some organizations have publicly signaled that they participate in the program, such as D.C. Water and Midcontinent Independent System Operator. Exelon Corporation, the largest regulated electric utility in the U.S., also noted that private companies used the CyberSentry program.

It is unclear what kind of cybersecurity systems, if any, these organizations have. When asked by Broadband Breakfast if there were other entities monitoring these systems, the company referred Broadband Breakfast back to Gleason’s testimony and declined to comment further.

Though the data was still being collected, it could not be analyzed by Livermore until funding was restored. Even if funding were restored soon, damage might still be done to U.S. infrastructure; according to Tatyana Bolton, executive director at the Operational Technology Cyber Coalition, once a network is breached, it can be nearly impossible to restore its security.

“We can’t guarantee that [China is] off the networks, even when we find them,” she told lawmakers. “We find them too late, we find them three years after the fact.”

Other than Swalwell, no lawmaker asked Gleason about the cut funding or its implications.

Witnesses warn of broader cyber vulnerabilities

The shutting off of monitoring systems was just one of many examples that witnesses brought up to lawmakers at the Tuesday hearing of the House Subcommittee on Cybersecurity and Infrastructure Protection.

“Let me be blunt, we are not prepared for a major attack on our critical infrastructure,” Robert Lee, CEO and co-founder of Dragos, said in his opening remarks. “We are not doing enough to prepare, and the results of continued failure could be catastrophic, including the loss of life.”

Witnesses stressed during the hearing, entitled “Fully Operational: Stuxnet 15 Years Later and the Evolution of Cyber Threats to Critical Infrastructure,” that the U.S. was particularly vulnerable to attacks on its “operational technology.” The term refers to the software and infrastructure that control objects in the physical world, such as power plants and automated prison doors.

A lack of clear guidance on which agencies have jurisdiction over cybersecurity has led to much of the confusion.

“I would think that if you map out who’s got what, who’s responsible for what, it would look like a bowl of spaghetti,” Rep. Carlos Gimenez, R-Fla., said. Bolton agreed with his assessment.

That confusion was on full display during the hearing. Lee told Rep. Morgan Luttrell, R-Texas, that the SANS Institute had a list of the top five things businesses should do to improve their operational cybersecurity. Just a few minutes later, Bolton noted that CISA had also released a top five guide for operational technology.

“Is it the exact same list [as the SANS Institute list]?” Luttrell asked Bolton.

She responded by saying it was not. Luttrell threw his arms up in disbelief.

Expiring CISA law raises alarm

As vulnerable as U.S. cybersecurity is now, it may soon get worse. The law governing CISA, passed in 2015, will expire in September if legislators don’t renew it. That law gives liability protections to companies that choose to share information about cybersecurity attacks, and their responses to them, with the government.

Although there was bipartisan support to renew CISA 2015, Swalwell acknowledged that Congress probably would not be able to do it in time.

“There is a wide consensus that we don’t have time to do that [renew CISA 2015] now,” Swalwell said. “Congress will be in recess effective this week until after Labor Day, and then we will be right up against CISA’s expiration.”

Bolton explained that the effects of the law expiring would be dire.

“The estimates are that about 80-90 percent of information sharing would be cut off from the federal government,” she said.

Although the U.S. has not yet faced a Stuxnet-like virus, Kim Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon and Georgetown adjunct professor, warned the committee that that could soon change.

“Those who have the ability haven’t until now really had the will to go after U.S. critical infrastructure,” she said. “And those who have had the will…haven’t necessarily had the ability. It doesn’t take much to marry those two together.”

“We’ve relied on the large nation-states, China and Russia, we’ve relied on them not having the will to target U.S. infrastructure,” she continued. “We’ve eliminated that gate, and they do have the will now potentially to go after U.S. infrastructure.”
