9 February 2024

National Accountability for U.S. Cyber Security and Safety Protections

Lucian Niemeyer

In the U.S. House of Representatives, the top leaders in the country responsible for programs to defend our Nation from global cyber threats testified on the successful actions of the Chinese Communist Party to embed malware, dubbed Volt Typhoon by industry, in the national infrastructure we rely on for our livelihood. House Members asked about Chinese motives, their intent, and the repercussions. The answers were alarming and dire, making headlines across the country. The Select Committee Chairman, Mike Gallagher (R-WI), eloquently framed the existential nature of the adversarial cyber threat, noting that “This is not just a government problem. This is a whole of society problem,” and “This is not just strategic competition, but a strategic threat pointed at the heart of America. If we do not address this threat, then the Chinese will have the ability to turn off the lights for everyday Americans, shut down entire cities, and cause a massive loss of American lives.”

The Director of the Federal Bureau of Investigation, Christopher Wray, testified that “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike.”

Chinese government-backed hackers, Wray said, are targeting things like water treatment plants, electrical infrastructure and oil and natural gas pipelines. The Chinese hackers are working “to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous...and let’s be clear: Cyber threats to our critical infrastructure represent real world threats to our physical safety.”

The Director of the Cybersecurity and Infrastructure Security Agency, Ms. Jen Easterly added, "Now imagine that on a massive scale. Imagine not one pipeline, but many pipelines disrupted and telecommunications going down so people can't use their cell phone. People start getting sick from polluted water. Trains get derailed. Air traffic control system, port control systems are malfunctioning," Easterly continued. "This is truly an everything, everywhere all at once scenario."

Chairman Gallagher captured the stark reality of the attack, that we are no longer dealing with hypotheticals: the Chinese action “is the cyberspace equivalent of placing bombs on American bridges, water treatment facilities, and power plants. There is no economic benefit for these actions. There is no intelligence gathering rationale. The sole purpose is to be ready to destroy American infrastructure, which will inevitably result in mass American casualties.”

Now, for the truly disturbing part. The Volt Typhoon malware in our Nation’s infrastructure was discovered in May 2023 by a private company, Microsoft, which determined that the malware had been active for two years, since 2021. And yet, Director Wray testified that "Just this morning, we [the FBI] announced an operation where we and our partners identified hundreds of routers that had been taken over by the PRC state-sponsored hacking group known as Volt Typhoon. The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation and water sectors." Director Easterly further stated, “We are working with our public and private sector partners to understand Volt Typhoon’s targeting of U.S. critical infrastructure and to take coordinated defensive measures to mitigate this activity.”

Key takeaways so far

  1. It took two years to discover this existential threat to our society from the CCP even though they’ve conducted cyber-attacks against US institutions and agencies for over a decade.
  2. We’ve known about Volt Typhoon since May 2023, and we are still trying to figure it out and fight it.

It gets worse. General Paul Nakasone, Commander, United States Cyber Command, admitted that “one significant contribution in our ability to counter these threats is our relationship with the private sector. USCYBERCOM and NSA's partnerships with industry have underpinned the U.S. Government's ability to track, detect, and mitigate PRC's activity against U.S. infrastructure at scale.”

Takeaway

We need private industry to find these existential threats to our society.

General Nakasone was asked an excellent question by Ranking Member Raja Krishnamoorthi (D-IL) about USCYBERCOM’s capability to respond decisively, a question that, unfortunately, the Congressman had to answer himself with “a message to whomever who would intend to put malware in our critical infrastructure – first, We will attribute it back to you, if it’s activated, Secondly, that could be an Act of War, and Third, we will respond decisively.”

What should have been the follow-up question to Gen. Nakasone: Is the Chinese Volt Typhoon cyber attack, placing virtual bombs in our infrastructure, above the threshold of war? If not, what is currently considered an act of war by this Administration in the cyber realm?

While the hearing effectively reviewed the specific event, the problem, and the risks, there was little discussion on the mechanisms to deter further foreign aggression, and who would be responsible for those actions. I’m not sure going to the CISA.gov website and downloading free assessment tools rises to the level of a national response that would deter the CCP, Iranians, or other adversaries from carrying out a cyber attack. We need to stop hiding behind the observation that most of our national infrastructure is owned by the private sector. The Twin Towers in New York City that came tumbling down on Sept 11, 2000, were also owned by the private sector. Should those owners have been responsible for defense against a terrorist attack? The organizations represented in the hearing have a collective responsibility for the cyber defense of our Nation’s infrastructure. Here are other questions that should have been asked, or can be submitted for the record, on how to ensure this type of threat does not persist.

Question 1. Who on that panel has the primary responsibility to protect our national infrastructure from the cyber threat and actions of a Nation-State?

Question 2. Do you consider the Volt Typhoon attack, which persisted since 2021 without discovery, to be a failure of carrying out that responsibility? If not, what is the threshold for failure?

Question 3. Who is accountable for this failure?

Question 4. Is there an investigation underway to close the responsibility gaps to ensure an attack like this cannot happen again?

Question 5. How confident are the witnesses today that another malware is not embedded and lurking undiscovered in our Nation’s infrastructure? What is being done to raise that confidence?

Question 6. Should we continue to rely on the actions and judgment of private companies to discover and reveal cyber attacks on critical infrastructure if it may not be in their self-interest?

Question 7. Are actions underway to punish China for this attack and to deter China from carrying out another attack?

The questions to our national leaders need to be challenging and direct to match the compelling urgency of the issue. We cannot continue to talk about the problem. We need committed leaders and their organizations to fix problems now. As noted in the hearing, “We must heed Xi Jinping’s own warning that ‘without cyber security, there can be no national security’ … This is a ticking time bomb aimed at the heart of our economy and our national security.”
