National Security Implications of American Water's Cybersecurity Breach and the current Democratic Administration


Seven years ago, American Water underwent a critical assessment to ensure compliance with the DFARS 252-7012 contract requirements. This assessment, conducted by the commercial department of a cybersecurity firm, produced essential compliance documentation, including a Gap Analysis identifying vulnerabilities, a System Security Plan (SSP) detailing the system design, and a Plan of Action and Milestones (POAM). This sensitive documentation was transmitted and stored on an unencrypted server, exposing it to potential interception and unauthorized access.

Fast forward to October 8, 2024: American Water disclosed in a regulatory filing that hackers had breached its computer network. The company stated it was “currently unable to predict the full impact” of the breach. This incident raises severe national security concerns, particularly the possibility that a nation-state threat actor (NSTA) may have maintained access to American Water’s network for seven years. The unsecured transmission and storage of compliance documentation, including detailed vulnerabilities and system design, could have provided the NSTA with a comprehensive roadmap to infiltrate and exploit the system.

The breach resulted in a temporary suspension of customer billing, but the PRIMARY OBJECTIVE OF THE NSTA COULD BE CATASTROPHIC!

American Water is the largest regulated water and wastewater utility company in the U.S., serving over 14 million people across 14 states and 18 military installations. The company manages more than 500 water and wastewater systems in approximately 1,700 communities in states including California, Georgia, Hawaii, Illinois, Indiana, Iowa, Kentucky, Maryland, Missouri, New Jersey, Pennsylvania, Tennessee, Virginia, and West Virginia.

During the initial assessment, the most sensitive information—Intellectual Property (IP)—was identified. This included location maps and access details for the public water system infrastructure serving each of the 18 military installations. Such information is critical, as it outlines the physical and operational frameworks that support national defense infrastructure.

Why American Water? In a 2019 LinkedIn post, it was highlighted that a DFARS assessment was performed for a Department of Defense (DOD) prime contractor deemed as “operationally strategic infrastructure in times of conflict.” This contractor supplies water to 13 U.S. military bases. The assessment deliverables included the System Security Plan, Plan of Action and Milestones, and customized Policies and Procedures to meet compliance requirements.

With the advent of AI technologies like ChatGPT, querying information such as “What commercial company supplies water to 13 of the US military installations?” readily identifies the American Water Military Services Group as the key supplier. This underscores the accessibility of critical information through advanced AI tools, potentially exacerbating security vulnerabilities.

Conclusion: National Security Threats and Regulatory Oversight

The release of the 32 CFR final rule highlights the national security threats posed by the Cybersecurity Maturity Model Certification (CMMC) program. Since 2021, the current Democratic Administration and the DOD have facilitated the inadvertent loss of Intellectual Property (IP) by releasing sensitive documents like System Designs, POAMs, Gap Analyses, System Vulnerabilities, Controlled Unclassified Information (CUI), and Federal Contract Information (FCI). These releases have been managed through Memoranda of Understanding (MOU) with commercial companies overseen by Cyber-AB.

This scenario implicates the 57 companies listed as C3PAOs on the Cyber-AB marketplace, potentially holding them liable for transmitting and storing information that POSES THREATS TO NATIONAL SECURITY.

The intersection of commercial service provision, regulatory compliance, and cybersecurity vulnerabilities presents a critical challenge to safeguarding national infrastructure and maintaining the integrity of military operations.




Key Points:

  • American Water supplies water to 13 U.S. military installations, making it integral to national defense infrastructure.
  • The disclosed information included detailed vulnerabilities and system designs, which could be exploited to undermine military water infrastructure.
  • Regulatory and compliance frameworks like DFARS and CMMC are critical BUT have vulnerabilities in how sensitive information, including CUI, CTI and FCI, is handled and stored.
  • Cyber-AB and the associated 57 C3PAO companies on its marketplace COULD face potential liability for national security threats stemming from data breaches and inadequate cybersecurity measures.

This situation underscores the urgent need for robust cybersecurity practices, especially for companies that support critical national infrastructure and military operations. Ensuring the protection of sensitive information is paramount to maintaining national security and preventing adversaries from exploiting vulnerabilities within essential service providers.

William Birchett

Information Technology and Security Leader

4 months

Brian C. care to chime in?

Jake Williams

Leader | Volunteer | Mentor | STEMinist

4 months

I thought DFARS 7012 was a financial assessment?

Paul Veeneman

IT/OT Cybersecurity & Risk Management | International Speaker | Adjunct Professor | Mentor

4 months

The majority of the water/wastewater systems would fall under Specialized Assets, being ICS and OT, and while noted on the SSP, would be outside the bounds of audit under NIST SP 800-171. It is accepted practice, as American Water executed, to place the process control systems into a state of “manual” operation to ensure safety and uptime (data confidentiality and integrity are not priority within control systems) rendering the water/wastewater operations, states of operation, and concern somewhat moot in the context of DFARS 252.204-7012 and NIST SP 800-171. American Water was quick to point out that water service remained safe and uninterrupted to the community, residential, commercial or otherwise.

Dave Gray, MBA CMMC CCA CISSP PMP

CMMC Lead CCA Assessor, Consultant, and Instructor.

4 months

Since she previously said she was the lead assessor, it sounds like she is outing herself as a national security threat.

Jacob Horne

CMMC Town Crier | Ask me about NIST security controls | Smashing compliance frameworks for fun and profit | Cyber policy wonk |

4 months

Let me see if I understand. CMMC is a national security threat because you think that C3PAOs will hold sensitive assessment information? I can't help but think of this line in the 32 CFR CMMC rule: "Commenter concerns about artifact retention reflect misunderstanding of the assessment process. Assessors and C3PAOs do not retain OSC artifacts, they only retain the hash value captured during the assessment process." This is at least your second post claiming some sort of connection between the American Water Incident and DFARS/CMMC. Have you had a chance to prove that connection based on the details of the techniques used in the compromise?
