During a House Homeland Security Committee hearing in July, Rep. Andrew Garabino (R-NY) spoke about zero-day programs, which are malicious pieces of software unknown to cybersecurity experts until they are activated.
00:00Without objection, the chair may declare the committee in recess at any point.
00:04The purpose of this hearing is to examine the evolution of cybersecurity threats to the U.S. critical infrastructure
00:09following discovery of the Stuxnet malware 15 years ago.
00:14We will highlight the importance of securing operational technology, or OT, to bolster critical infrastructure resilience.
00:20I now recognize myself for an opening statement.
00:2215 years ago, the world learned of Stuxnet, a computer worm that forever altered the cyber threat landscape.
00:33Regarded as the world's first digital weapon, it was designed to target industrial control systems.
00:39It was used against Iran's nuclear program, reportedly destroying 1,000 centrifuges at the Natanz Enrichment Plant.
00:47Malware or malicious software has existed since at least the 1970s.
00:50However, Stuxnet was different from its predecessor.
00:54The discovery of it demonstrated both the physical impact of malware and raised important questions about cybersecurity defense and offense.
01:02These are issues we continue to face today.
01:05It revealed the significant impact that offensive cyber tools can have on critical infrastructure.
01:10It also demonstrated the importance of securing operational technology.
01:13By exploiting key vulnerabilities in industrial control systems, it proved that cybersecurity is not only an IT issue,
01:20cyber security threats can affect critical infrastructure we depend on daily, from water treatment to energy facilities.
01:28The cybersecurity threat landscape continues to expand, and we need to make sure our cyber professionals are prepared to defend both IT and OT.
01:36Doing so will strengthen the public and private sector's ability to rapidly respond to threats.
01:40Since discovering Stuxnet 15 years ago, cybersecurity threats to critical infrastructure have drastically evolved and spread beyond just malware.
01:51We now see various cyber capabilities being used to hack critical infrastructure, including phishing, social engineering, denial of service attacks, and more.
01:59While cyber attack vectors have grown and matured, malware is still of great concern.
02:05Malware comes in many forms, such as key loggers, spyware, viruses, and ransomware, with ransomware comprising one-third of all cyber attacks in 2024.
02:14The interconnected nature of our networks, devices, and infrastructure means that critical infrastructure owners and operators now experience far more attacks than when Stuxnet was unleashed,
02:24and zero-day vulnerabilities are far from being eliminated.
02:27Strengthening domestic cybersecurity resilience remains a key priority for this committee.
02:34Considering the sophisticated cybersecurity threats we now face, we are once again reminded of the importance of reauthorizing two key authorities ahead of their expiration this year,
02:43the Cybersecurity Information Sharing Act and the State and Local Cybersecurity Grant Program.
02:48Reauthorizing SIS of 2015 will ensure we keep encouraging rapid and trusted information sharing among public and private sector entities,
02:55and extending the State and Local Cybersecurity Grant Program will make sure that states and localities have reliable funding to strengthen their cybersecurity posture.
03:03It is also worth examining that state of the Iranian cyber threat and potential impact Stuxnet had on Iran's cybersecurity posture.
03:12According to Nozomi Network's labs, cyberattacks from Iranian threat actors surged by 133% in May and June of 2025.
03:22An active Department of Homeland Security National Terrorism Advisory System notice also emphasizes the need to remain on high alert to Iranian cybersecurity threats to U.S. critical infrastructure.
03:32Iran has embraced the targeting of critical infrastructure.
03:36The Islamic Revolutionary Guards Corps' affiliated actors have recently targeted OT such as U.S. industrial control systems in key sectors such as water and health care.
03:46I look forward to examining the current threats facing U.S. critical infrastructure and enduring significance of Stuxnet with our panel of expert witnesses today.
03:54Today, today's witnesses represent a range of perspectives, and I thank you all for contributing to our discussion about this pivotal moment in history of cybersecurity.
04:02I'm confident that your testimony will help us form a better understanding of today's digital weapons and the state of U.S. critical infrastructure resilience.
Be the first to comment