Leslie Kainoa, the Cybersecurity State Coordinator assigned to the Cybersecurity and Infrastructure Security Agency (CISA), told the Joint Legislative Committee on Information Management and Technology that nation-state actors are actively probing U.S. critical infrastructure and quietly positioning inside networks to enable future disruptive or destructive attacks.

The committee heard that China-linked groups are among the most active adversaries, and that attackers often “live off the land” by using legitimate credentials and routine network activity to avoid detection. Ben Gresgeir, Oregon’s state chief information security officer, told lawmakers that while China accounted for a substantial share of observed malicious traffic, “Russia and everybody else is also a big contributor,” and the state tracks multiple foreign and domestic threat groups.

The warning was accompanied by concrete offers of help. Kainoa said CISA provides no-cost vulnerability scans, technical assessments, tabletop exercises, training and other services to critical infrastructure organizations, and emphasized that those services are available regardless of an organization’s size. She urged water utilities, transportation operators and communications providers to use CISA scans to identify and remediate internet-facing vulnerabilities.

Why it matters: committee members pressed officials for specific local implications — such as manipulation of water-treatment chemical controls, loss of remote control of valves, or simultaneous disruptions of water, transportation and power — and were told those scenarios are plausible and could cause localized environmental damage or hinder emergency response. The discussion linked national threat reporting to local readiness needs and funding gaps.

CISA’s state coordinator described an attack lifecycle in which adversaries gain initial access, remain covert for long periods, gather data and pre-position for destructive actions if geopolitical events trigger escalation. Gresgeir said Oregon has run an outreach campaign for the water sector, including 12 webinars and site visits; the state previously cataloged roughly 3,000 separate water-sector entities and is encouraging those entities to apply for federal cybersecurity grants to remediate “low-hanging fruit.”

Committee members repeatedly asked whether the state has evidence of attacks on autonomous vehicles or attacks specifically linked to trade tensions; officials said public, releasable data on those narrow points was not currently available but that they would follow up. On the volume of attempted attacks, the state CISO said the scale is large and sensitive and offered to brief lawmakers in a closed session; he told the committee that automated systems intercept “millions” of events and that agency-level intercepts are far larger than anecdotal counts.

Lawmakers pressed for clearer, statewide communication and for funding to help small water districts, special districts and municipalities close security gaps. Gresgeir recommended continued education, assessments and follow-on funding, noting that education alone reveals many mitigation needs that require dollars to fix.

The presentations concluded with committee members asking CISA and the state cybersecurity office to provide updated messaging that frames threats as global and multi‑actor rather than singling out one country, a request that CISA’s presenter acknowledged and said she would incorporate.

Ending: Officials encouraged local systems operators to visit CISA.gov to request vulnerability scans and assessment services, and offered to follow up with committee members on specific, non-public details in a closed session.