China Has Put America’s Critical Infrastructure in the Crosshairs, We Must Fight Back
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) have jointly issued a new advisory about the highly sophisticated Chinese threat actor group known as “Volt Typhoon.” FBI Director Christopher Wray told Congress recently that Volt Typhoon, operating under the direction of the Chinese Communist Party (CCP), deployed malware set to “destroy or degrade” America’s civilian critical infrastructure.
“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities,” Wray said in his testimony. With all due respect to the FBI Director, his message was simply a lot of scary talk with no solutions to the problem. Right now, it’s just another unfunded mandate.
Now here’s what the FBI doesn’t tell you (and this is the frightening part): most CISOs don’t have the money budgeted to buy the solutions they need.
Let’s make this clear—the CCP is in our routers, modems, and internet-connected security cameras intending to build a botnet capable of attacking and crippling the U.S. Unfortunately, the security teams on the front lines of vital services like transportation, commerce, clean water, and electricity lack many of the tools and resources needed to fight them off.
Beyond the hardware concerns, the software problem may well be even worse. Our researchers at Fortress Information Security looked at the Software Bills of Materials (SBOMs) for more than 200 software products commonly used by U.S. electric companies. Our team found that 90% of that software contained component contributions from developers saying they were based in Russia or China. We found that software with Russian- or Chinese-made code is 2.25 times more likely to have vulnerabilities and three times more likely to have critical vulnerabilities, the vulnerabilities that are easiest to exploit and most likely to allow damage to hardware.
Awareness of the problem is not enough. We need to show a commitment to solving the problem. Cybersecurity requires deliberate resources. Resources equal dollars.
To fight back against this and other threats from hostile nation-states, we need aggressive investing in cybersecurity solutions. That means making sure software is secure by design. It means vulnerability management solutions that verify patches and maintenance updates, so we never have another SolarWinds attack.
Additionally, best-in-class security requires evaluating products and vendors. Last month, we learned of a 73-year-old Missouri contractor who won nine government contracts with lower bids and must now go to prison. His crime: after saying his parts would come from “domestic sources,” the contractor used parts from China and other countries to keep his prices low.
Notably, he provided data on parts deemed “essential to weapon system performance or the preservation of life or safety of personnel” to what the Justice Department called “foreign individuals or entities.” We can’t continue to trust all parts of the critical infrastructure and defense supply chains without first verifying.
Critical infrastructure security is national security. We must fund cybersecurity the way we’d pay for our most critical weapons. Defense spending on state-of-the-art weaponry like aircraft, tanks, and boats can cost hundreds of millions of dollars. Imagine what could be done with $100 billion to bolster Cyber Supply Chain Risk Management (C-SCRM). Increased investment, security-first policies, and private-sector innovation will allow us to fend off threats from our most determined and advanced adversaries.
Throwing money at problems doesn’t create solutions. But when mature and viable commercial technologies are mitigating cybersecurity risk in the private sector—we should listen. Fostering change to how our federal agencies solve their cybersecurity challenges requires alterations to procedures and a commitment to invest smartly.
Investing in solutions that are collaborative, comprehensive, and conclusive is absolutely critical, rather than solely chasing the shiny object of the day, whether that be artificial intelligence, machine learning, or a cyber force. There is a place for all these technologies in tackling the government’s cybersecurity needs, but above all what is needed is a commitment to invest the resources in funding and personnel.
—Alex Santos is the Co-founder and Chief Executive Officer of Fortress Information Security, a cybersecurity firm with a mission to secure critical infrastructure.