US needs to take China’s cyber-threat to US infrastructure more seriously

The Chinese Communist Party is accelerating its capabilities to launch a large-scale cyber-attack against U.S. critical infrastructure in the next three years. We must do more planning, preparing, and practicing our response across industry and government.

Rather than focus on discrete incidents that can be managed, we need a fundamentally new approach that handles threats more like natural disasters, with implications to regional and national stability.  

President Xi Jinping has tasked the People’s Liberation Army to be ready to invade Taiwan by 2027. During his Senate confirmation hearing to serve as Indo-Pacific Commander, Pacific Fleet Commander Admiral Samuel Paparo emphasized that this date was somewhat arbitrary, reflecting the 100th anniversary of the PLA’s formation. An attack could actually occur sooner.

The Intelligence Community’s 2023 threat assessment added that these attacks would not be limited to military systems, but also our nation’s critical infrastructure designated by the Cybersecurity and Infrastructure Security Agency (CISA) as “lifeline sectors:” energy, transportation, water, and communications. Per the assessment, “such a strike would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic, and interfering with the deployment of U.S. forces.” CISA Director Jen Easterly reinforced these themes in her recent testimony to the House Select Committee on Strategic Competition.

The threat is not only unequivocal, but tangible. The FBI recently disrupted Chinese nation-state hackers, operating under the codename “Volt Typhoon,” in their targeted campaign against critical infrastructure networks. The group had established a covert network of hacked systems that gave it a national platform to manage attacks on industrial systems.

This week, several U.S. federal agencies as well as allied cyber agencies in Australia, Canada, New Zealand, and the United Kingdom issued a joint cybersecurity advisory on the malicious Volt Typhoon cyber activity, as well as joint guidance to provide threat detection information and mitigations.

However, most of the ongoing policy debate fixates on the past. A series of decade-old executive orders and policy directives created our current ecosystem of sector risk management agencies and the incident response role of CISA and the FBI. Current proposed reforms focus on small changes to existing policies and the layering of new programs on top of old. Given the articulated threat, these actions are woefully inadequate.

Instead, we must dramatically increase our capacity to respond to cascading failures of the systems that underpin American life. A 100-foot tsunami is coming, and we’re rearranging sandbags on the ground.

Utilities must prepare and practice disconnecting their control systems from Internet-facing networks. Modern industrial control systems are digital, and in most cases manual-mode operation is impossible indefinitely. However, it is feasible to operate critical infrastructure systems without an Internet connection for several weeks at a time. A breaking of these links prevents PLA hackers from activating destructive code and gaining new accesses. It’s the sure-fire way to disrupt the command-and-control signals they have designed to destroy our systems.

We must incentivize utilities to prepare for such a attacks. The federal government should expand its current grant programs to fund operations planning, tools to defeat adversaries, and practice exercises. Similarly, the government should be funded and authorized to coordinate and manage a recurring series of drills in major population centers. Tools exist to translate realistic adversarial threats into exercises.

Sustaining isolated operations is also challenging because it requires more engineers to manage increasingly complex systems, and for certain functions, trained surge capacity is needed. With targeted training programs, national guard units or a civilian reserve corps could be brought to bear.

Regardless of the path, training programs must be operationalized immediately and regularly rehearsed to meet the threat timeline.

Because major population centers often span state borders and encompass a heterogeneity of utilities across sectors, multijurisdictional mutual-aid agreements should be examined and expanded. This will help surge engineering capacity across utilities and also improve our responses to larger-scale cyber campaigns.

The clock is ticking, leaving us little time to prepare. Congress and the Biden administration must immediately act to fund and implement preparation, exercises, and training programs to increase our capacity to respond and recover from catastrophic attacks on critical infrastructure.

Charles Clancy, Ph.D., is the chief technology officer at MITRE, a not-for-profit research and development company. He was previously the Bradley Distinguished Professor of Cybersecurity at Virginia Tech and started his career at the National Security Agency.