Chinese state-sponsored hackers are positioning themselves to be able to take down vital U.S. resources at a moment’s notice and the U.S. must be prepared to deal with that threat, top Federal government officials told lawmakers today during a House Select Committee on the Chinese Communist Party (CCP) hearing.
Security officials have long sounded the alarm regarding China’s offensive cyber capabilities, but testimony from today’s hearing underlines the substantial level of concern at the top of the U.S. government about the threat CCP hackers pose to critical infrastructure — such as water treatment plants, the electrical grid, oil and natural gas pipelines, and transportation systems — nationwide.
“When I described the CCP as a threat to American safety… I meant that quite literally,” FBI director Christopher Wray said. “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, echoed Wray’s testimony by saying that CCP attacks on U.S. businesses or critical systems are meant to “induce societal panic.”
“It is Chinese military doctrine to attempt to induce societal panic in their adversary,” she said, pointing to the May 2021 Colonial Pipeline attack as a small-scale version of what a large-scale attack on U.S. critical infrastructure would look and feel like.
“Imagine not one pipeline, but many pipelines disrupted and telecommunications going down so people cannot use their cell phone. People start getting sick from polluted water. Trains get derailed. Air traffic control systems, port control systems are malfunctioning,” Easterly said. “This is truly an everything, everywhere all at once scenario.”
Wray stressed that the threat from CCP hackers is not theoretical, and “requires our attention now.”
Wray told lawmakers that the FBI had recently worked with partners to identify Wi-Fi routers infected with malware originating from a Chinese government-sponsored hacking group dubbed Volt Typhoon.
“The Volt Typhoon malware enabled China to hide … pre-operational reconnaissance and network exploitation against critical infrastructure … steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous,” Wray said. “So, working with our partners, the FBI ran a court-authorized, on-network operation to shut down Volt Typhoon and the access it enabled.”
While this disruption was significant, “it’s not the end of the story when it comes to countering malicious cyber efforts by the Chinese government,” Wray said.
The Federal government has made some investments in shoring up its cyber defenses, including building out the U.S. cyber workforce and pouring additional funding into key agencies.
Wray said that the FBI continues to leverage its expertise in cybersecurity, criminal investigation, and weapons of mass destruction along with its private and public sector partnerships and relationships with international allies to tackle the CCP cyber threat. But investment is central to sustaining the effort against this threat, the director said.
“The budgets that emerge from the discussions underway now will dictate what kind of resources we have,” Wray said.
Gen. Paul Nakasone, commander of the United States Cyber Command, appearing in his final Capitol Hill hearing before his last day on the job, set for Friday, explained that a key tool the U.S. has in its arsenal is Section 702, a provision of the FISA Amendments Act of 2008. He told lawmakers that, to protect against the potential threat, they must renew Section 702.
The controversial government surveillance program got a four-month extension under the National Defense Authorization Act for fiscal year 2024. The program expires on April 19.
“Section 702 is the most important authority that the National Security Agency uses every single day to keep Americans safe and to secure our nation,” he said. “To consider that we would return to the days before Section 702 where we couldn’t connect the dots is almost inexplicable to me.”
Nakasone added that the surveillance authority under Section 702 “balances civil liberties and privacy and the requirements of our national security.”
However, according to Easterly, all of these efforts underway by the Federal government are not enough to deter the CCP’s threat to U.S. critical infrastructure.
This is because the vast majority of U.S. critical infrastructure is privately owned and operated, leaving government officials to rely on cash-strapped municipal governments and industry executives to strengthen cyber defenses for systems that often are insecure.
“The truth is the Chinese cyber actors have taken advantage of very basic flaws in our technology,” Easterly said. “The technology underpinning our critical infrastructure currently is insecure because of decades of software developers not being held liable for defective technology that has led to incentives for features and speed to market had been prioritized against security, leaving our nation vulnerable to cyber invasion.”
Easterly called on technology manufacturers to ensure that China and other cyber actors cannot exploit the weaknesses in technology that allow them “to saunter through the open doors of our critical infrastructure to destroy it.”