The Chinese Communist Party is accelerating its ability to launch large-scale cyberattacks against U.S. critical infrastructure within the next three years. Industry and government need far more planning, preparation, and response exercises to meet it.
We need a fundamentally new approach: treat these threats like natural disasters that affect regional and national stability, rather than as individual incidents that can be managed one at a time.
President Xi Jinping has ordered the People’s Liberation Army to be ready to invade Taiwan by 2027. During his Senate confirmation hearing to head the Indo-Pacific Command, Adm. Samuel Paparo, commander of the Pacific Fleet, emphasized that the date is somewhat arbitrary, reflecting the 100th anniversary of the founding of the People’s Liberation Army; in reality, an attack could occur sooner.
The Intelligence Community’s 2023 Threat Assessment shows that these attacks would not be limited to military systems but would also target our nation’s critical infrastructure, specifically what the Cybersecurity and Infrastructure Security Agency (CISA) has designated as “lifeline sectors”: energy, transportation, water, and communications. According to the assessment, “such attacks would be aimed at deterring U.S. military action by interfering with U.S. decision-making, causing social panic, and disrupting U.S. military deployment.” CISA Director Jen Easterly emphasized these themes in her recent testimony before the House Select Committee on Strategic Competition.
The threat is not only obvious, it is palpable. The FBI recently thwarted a targeted attack on critical infrastructure networks by Chinese state hackers known as “Volt Typhoon.” The group had established a covert network of compromised systems, giving it a nationwide platform from which to manage attacks on industrial systems.
This week, several U.S. federal agencies, together with their counterpart cyber agencies from Australia, Canada, New Zealand, and the United Kingdom, issued a joint cybersecurity advisory on malicious Volt Typhoon cyber activity, including threat detection information and mitigation measures.
But most of the ongoing policy debates are stuck in the past. A series of executive orders and policy directives spanning a decade shaped the current ecosystem of sector risk management agencies and the incident response roles of CISA and the FBI. Currently proposed reforms focus on small changes to existing policies and layering new programs on top of old ones. Given the clearly articulated threat, these actions are woefully inadequate.
Instead, we must dramatically increase our ability to respond to cascading failures in the systems that support American life. We’re rearranging sandbags on the ground because a 100-foot tsunami is coming.
Utility companies should prepare and practice disconnecting control systems from internet-connected networks. Modern industrial control systems are digital and, in most cases, cannot be run permanently in manual mode. They can, however, be operated without internet connectivity for weeks at a time. Breaking these links prevents PLA hackers from activating destructive code already in place and from gaining new access. It is a surefire way to jam the command-and-control signals they designed to destroy our systems.
We need to encourage power companies to prepare for such attacks. The federal government should expand current grant programs to fund operational planning, tools to defeat the enemy, and training. Similarly, governments should be given funding and authority to coordinate and manage a series of regular training exercises in major population centers. Tools exist to transform realistic adversarial threats into exercises.
Maintaining isolated operations is also difficult: increasingly complex systems require more engineers to manage, and certain functions require a trained surge capacity. With targeted training programs, National Guard and civilian reserve units could fill that role.
Regardless of the pathway, training programs should be operationalized immediately and rehearsed regularly to align with the threat timeline.
Because major population centers often cross state lines and public services are uneven across sectors, mutual aid agreements across multiple jurisdictions should be considered and expanded. This will improve engineering capabilities across utilities and improve their response to large-scale cyberattacks.
The clock is ticking and there is little time to prepare. Congress and the Biden administration must act immediately to fund and implement preparedness, exercises, and training programs to increase our ability to respond to and recover from catastrophic attacks on critical infrastructure.
Dr. Charles Clancy is the Chief Technology Officer at MITRE, a nonprofit research and development company. He previously served as the Bradley Distinguished Professor of Cybersecurity at Virginia Tech and began his career at the National Security Agency.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.