Washington prepares for a worst-case scenario of attacks on critical infrastructure.
A transnational effort produced stark revelations about the extent of China’s malicious cyberactivities last week, with indictments and sanctions against Chinese government-linked hackers accusing them of targeting foreign government officials, lawmakers, politicians, voters, and companies. The accusations, made by the United States, United Kingdom, and New Zealand, centered mainly on espionage and data theft but also involved what U.S. officials and experts said is an alarming evolution in Chinese cybertactics.
While the main indictment against seven Chinese nationals was brought by the U.S. Justice Department, the Treasury Department’s Office of Foreign Assets Control announced sanctions on two of those individuals and a company linked to China’s Ministry of State Security for targeting U.S. critical infrastructure sectors, including a Texas energy company and a defense contractor that makes flight simulators for the U.S. military.
“What is most alarming about this is the focus is not on data theft and intellectual property theft but rather to burrow deep into our critical infrastructure with the intent of launching destructive or disruptive attacks in the event of a major conflict,” Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said in an interview.
CISA defines critical infrastructure sectors as those whose destruction would have a “debilitating effect” on the economy, national security, public health, and safety, dividing them into 16 categories including communications, defense, manufacturing, energy, agriculture, water, and transportation.
The highest-profile attacks on those sectors in recent years—the ransomware attacks on the Colonial Pipeline and meat production giant JBS, and the supply-chain compromise of IT management software vendor SolarWinds—have been attributed to criminal and state-backed groups in Russia. But U.S. agencies last year found malware in systems in Guam, home to key U.S. military bases, that they linked to a Chinese hacking group known as Volt Typhoon. Easterly said they have found more examples since then.
“We’ve actually spent time with our hunt teams finding Chinese cyberactors in our critical infrastructure and eradicating them,” she said. “The threat is not theoretical.”
Experts said the increased Chinese activity doesn’t so much reflect an enhancement of capabilities as it does a shift in willingness and focus amid growing competition with the United States. “I think they’ve become increasingly brazen, to the point where the U.S. government finds it necessary to call out that behavior in public,” said Katie Brooks, the director of global cybersecurity policy at Aspen Digital.
Defending U.S. critical infrastructure systems from malicious cyberactors is “magnificently difficult,” said Thomas Pace, the co-founder and CEO of the cybersecurity firm NetRise who previously led cyber-response and detection teams for the U.S. Energy Department. They are vastly spread out, and many run on older systems that were not built with cybersecurity in mind and by private entities that don’t have the government’s wherewithal.
“You have a massive resource problem—the idea that you’re going to have a water municipality in Mobile, Alabama, stop the Chinese from getting in, there’s no world where that’s true,” Pace said.
Brooks described the U.S. infrastructure landscape as “target rich, resource poor.”
The Biden administration has made cybersecurity and cyberdefense a priority, attempting to set baseline cybersecurity mandates that critical infrastructure sectors would be required to meet.
The idea is to “empower individual agency regulators to set minimum cybersecurity standards and enforce them,” said Anne Neuberger, the U.S. deputy national security advisor for cyber and emerging technologies. “I think the average American assumes that we have minimum cybersecurity protections in place at their hospital, at their water system,” she said. “It’s interesting how much resistance there has been and really how much the president has just changed the game because he recognized that it was unsustainable.”
Much of the problem lies in updating and upgrading outdated systems governing critical infrastructure. CISA and Easterly have repeatedly stressed the importance of making online systems “secure by design,” advocating additional legal protections for companies that integrate cybersecurity into the production of their systems. While that movement has gained momentum in the past year, it mainly focuses on newer systems, while significant gaps remain in older ones.
“While [China] is a sophisticated cyberadversary, many of the methods that it has used to break into critical infrastructure are not, because we’ve made it easy for them. They’re taking advantage of known product defects,” Easterly said. “It has to be prioritized that some of that legacy technology is deprecated.”
Although China is becoming a far broader threat for America’s cyberdefenders, other U.S. adversaries continue to pose significant challenges. Russian-speaking ransomware groups—which cut off access to online systems unless they are paid huge sums of money—were linked to an attack in late February on a leading insurance payments platform, Change Healthcare, which led to payment systems going down at hospitals and pharmacies around the country.
Russian state-backed hackers were also blamed for breaches of corporate systems at tech giants Microsoft and Hewlett Packard Enterprise this year. And late last year, cyberattackers linked to Iran compromised water systems across “multiple U.S. states,” according to a joint advisory by U.S. and Israeli agencies.
“I’ve described it as an ‘everything, everywhere, all at once’ scenario—you could see multiple disruptive attacks on critical infrastructure, and that’s something that we need to be sure that the American people and our critical infrastructure owners and operators are prepared for,” Easterly said.
In a letter to state governors last month, U.S. National Security Advisor Jake Sullivan and Environmental Protection Agency head Michael Regan warned of potential cyberattacks on water systems around the country, which they said are “an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.”
Neuberger said multiple sectors suffer from similar vulnerabilities. “In the health care sector’s case, hospitals and health care institutions rank among the lowest across sectors in terms of their cybersecurity protection, which is ironic because the impact of their disruption is the most significant,” she said, adding that the range of targets that adversarial hackers are willing to go after has also expanded. “We used to believe that criminals would leave hospitals alone. Hospital attacks are up 80 percent in the last quarter of 2023.”
Neuberger said the administration is likely to roll out additional cybersecurity requirements for hospitals and health care providers, particularly those participating in Medicare and Medicaid. “We have requirements for how quickly blood has to be cleaned up if spilled in a hospital. We need to have requirements for how quickly a critical patch has to be patched,” she said. Attacks like the one against Change Healthcare serve as a wake-up call to companies, she added, “because they see that this could happen. Theoretical risks become real.”
Another priority has been ensuring that companies and local authorities know what to do in the event of an attack. Last week, CISA published new proposed rules on cyberincident reporting for critical infrastructure, implementing the 2022 Cyber Incident Reporting for Critical Infrastructure Act, that would require companies to report major cyberattacks to the agency within 72 hours and any ransom payments within 24 hours.
“This is not a matter of preventing. This is really a matter of building the resilience so that we can deal with these disruptions, we can respond to them, we can recover rapidly and continue to provide services to the American people,” Easterly said.
Efforts by adversaries to disrupt U.S. systems are likely to further escalate in the months leading up to November’s presidential election—along with potential efforts by China and Russia to influence the election, which the U.S. intelligence community has warned about. “I think any of these threat actors are looking for vectors of instability,” Brooks said. “So elections, definitionally, while hopefully free, fair, and democratic, are also destabilizing in many senses because they present the possibility of a change in power.”
Beyond shoring up domestic defenses, Washington is also working to bolster international cyberpartnerships and alliances, as with last week’s coordinated actions against China by the United States and the United Kingdom, followed closely by New Zealand. More than a dozen countries have signed on to CISA’s Secure by Design commitments, while the Biden administration’s International Counter Ransomware Initiative, launched in 2021, has grown to include more than 60 countries.
“The first component of our strategy has been to set rules of the road and build international alliances, because there’s one global internet, and the only way to tackle threats is to do it with partners,” Neuberger said.
“It is absolutely vital,” Easterly said. “There are no borders in cyberspace, and many critical infrastructure owners and operators are global companies.”
The global approach also includes offensive cyberactions against adversaries, which was one of the key pillars of the Biden administration’s National Cybersecurity Strategy released last year. “Offensive cyberoperations, much like the defensive, have to be integrated into our geopolitical goals,” Neuberger said. “The president has made clear that cybersecurity and emerging technologies are fundamental national security geopolitical issues, which has enabled the administration to be more aggressive in integrating defensive and offensive cyberoperations into a larger strategy.”
Neuberger declined to comment on specific offensive cyberactions but said the United States and its allies must use offensive capabilities in a more considered manner than their adversaries might.
“I would note that defense and offense are closely linked because before launching an offensive attack, one must consider what comes next in terms of the adversary’s response,” she said. “It’s much easier to be on the attack. An attacker has to find one open window. A defender has to lock down every door and every window.”
Energy News Beat