‘We know they’re on the network,’ CISA official says of nation-state actors infiltrating U.S. critical infrastructure
The U.S. government and its allies are increasingly worried about China’s theft of intellectual property through cyberattacks. But even more alarming, according to cybersecurity experts who spoke at the Billington State and Local Cybersecurity Summit in Washington, D.C., on Tuesday, is China’s use of artificial intelligence for espionage and the threat nation-state adversaries pose to U.S. critical infrastructure.
“In the last six months, our incident response effort has confirmed that [People’s Republic of China] cyber actors have been on our critical infrastructure networks for in some cases up to the last five years,” Andrew Scott, associate director for China operations at the Cybersecurity and Infrastructure Security Agency, told audiences during a panel titled “China in Your Digital Backyard.”
“They have the access that they need, and if the order was given, they could disrupt some services in this country right now,” Scott added.
‘On the front lines’
In February, CISA released an advisory warning critical infrastructure organizations that China-backed Volt Typhoon compromised the IT systems of communications, energy and transportation sectors, as well as water and wastewater systems across the United States.
“People’s Republic of China state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States,” the advisory stated, referencing the growing concern that China may invade Taiwan.
Some government IT officials at the Washington event expressed skepticism that these cyber incidents, though concerning, would have an outsized impact on state and local government operations and pushed back against what one audience member called “fear-mongering.”
But TJ Sayers, director of intelligence and incident response at the Center for Internet Security, the Upstate New York nonprofit that runs information sharing and analysis operations to support government agencies, said state and local governments can’t afford to be complacent.
“State and local governments are right on the front lines of defending cyberspace in the United States,” Sayers said. “We can’t get accustomed to only fighting the day-to-day fight against ransomware and ignore these other techniques that our adversaries are using to penetrate [IT systems]. I think that becomes really important as we look at how we can work together.”
‘From event to recovery’
Unlike ransomware groups, whose attacks against the public sector are growing in frequency, and whose sole aim is to extract money from state and local governments, nation states’ pre-positioning spy tactics have more destructive goals, Scott said.
“When we talk about the societal-panic goal here, the worst-case outcome that we’re concerned about is not a one-off event,” Scott said. “It is not a single hospital, it is multiple sectors simultaneously being disrupted, with services being out. So imagine the impact of having multiple water utilities out, multiple communication entities out, multiple energy providers out in your region or in your state. That’s the strategy that we see, and those are the sectors that we’ve confirmed compromised.”
Often operating with limited cybersecurity budgets, state and local governments can make ideal targets for cybercriminals looking to infiltrate networks undetected. Dave Frederick, assistant deputy director for China at the National Security Agency, said during the panel discussion that agencies are also sometimes not prepared to respond to cyberattacks.
“I can’t emphasize enough how useful tabletop exercises for executive leaders can be if run correctly,” Frederick said. “It’s kind of almost part of our genetic makeup at the Department of Defense.”
CISA says tabletop exercises, the role-playing activities in which organizations walk through their response to simulated cybersecurity scenarios in preparation for real threats, can help agencies improve their malware detection and their responses to cloud compromise, flooding and denial-of-service attacks, among other scenarios.
Scott echoed Frederick’s suggestion for incident response training, saying built-in network defense can only go so far without additional cybersecurity knowledge.
“If you experience a disruption, do you have backups? Do you test those backups? How do you manage your identity? Are you able to reset your identity and your environment pretty quickly? What happens if critical services that you rely on are disrupted and how do you restore those services manually or otherwise?” Scott said, rattling off the necessary chain of questions that he and his team frequently pose to IT officials responsible for cybersecurity in the public sector.
“These things really matter to get from the event to recovery.”