While much of Washington was transfixed recently by Meta CEO Mark Zuckerberg apologizing at a Senate hearing to families who had lost loved ones to online harassment, the national security community’s attention was focused on another Capitol Hill gathering related to digital malfeasance.
The country’s four top cybersecurity officials—the newly appointed National Cyber Director and the heads of U.S. Cyber Command, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA)—delivered a dramatic message to a House panel: the country’s critical infrastructure is under cyberattack from the Chinese government.
FBI Director Christopher Wray said that the Chinese Communist Party’s (CCP) multi-pronged assault on the U.S. economic and national security was the defining threat of a generation.
What was especially interesting about the hearing to cybersecurity professionals was not that the message was new. The U.S. government has long experienced foreign governments, including the Chinese government, attempting to (and sometimes successfully) breach critical infrastructure systems. In 2018, for example, the then-Director of National Intelligence, Dan Coats, said: “The warning lights are blinking red on cyber attacks.” Similarly, protecting critical infrastructure has been the pillar of every national cyber strategy of the 21st Century.
What has changed is that the capability of the Chinese cyber actors has grown and that the last couple of years have taught us that countries with adversarial interests to the United States and our allies are willing to change their strategy and deploy aggressive actions.
Risk management approach front and center
To meet this potentially material change in China’s cyber posture toward the U.S. demands a renewed focus by the defense community, one that is better tied to the goals of critical infrastructure and supply chain security and resilience. It should be a risk management approach centered on the idea of prioritization and collaboration.
To do that, policymakers need greater precision to define what a cyber attack on critical infrastructure is (and isn’t). Thousands of companies assert that they are part of the critical infrastructure in the United States, and many of those companies see adversarial interest in causing cyber harm to their operations. For national defense purposes, we can’t afford to treat all of these as “attacks” on critical infrastructure if we are going to continue to define such attacks as off-limits and ones that require response. Doing so runs the risk of America’s efforts being seen as hollow or as hyperbolic.
Instead, from my perspective, an adversary attack on critical infrastructure needs to have one of two characteristics.
The first is when an adversary uses cyber means to attack the functioning of a critical system or cause physical or digital harm that has real-world impacts. We still have seen very few of those types of attacks in the United States, but they certainly have been rampant in the Russian war against Ukraine.
The second has been more common—when illegal and aggressive cyber tactics are used to introduce malware or exploit vulnerabilities, which has the effect of shutting down critical services even when those services were not necessarily the target. Examples include the 2021 Colonial Pipeline IT system attack, which caused the pipeline to cease operations as a spillover impact of losing the IT systems. Another was the 2017 NotPetya attack in Europe, which led to the shutdown of port operations in the Midwest. In both cases, adversary attacks caused critical infrastructure harm, which might not have been the original intent, but which was undeniable.
It is these two types of attacks that need to be articulated as off-limits to the Chinese government and, if they were to occur and be linked to Chinese actors, treated as escalations in conflict. It is also these types of attacks that should be the priority to defend against from a U.S. national cybersecurity posture.
Priorities should be on critical systems, supply chains
While it is important that businesses of all types are “shields up” in their cyber defenses and take cyber risk seriously, from a national perspective defense priorities need to be critical systems and supply chains that contribute to National Critical Functions (NCFs).
NCFs, as defined by CISA, are those “functions of the government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on national security, national economic security, national public health or safety, or any combination thereof.”
One of the most important National Critical Functions is the provision of materiel and operational support to defense, and it is in this area that prioritizing the cyber risk from the Chinese government should be laser focused. In addition, other focuses must include critical functions such as electricity, communications, water supply, transportation and cloud computing and data management that enable defense operations and are crucially important for American strength. And there is evidence that the Chinese government would consider targeting them.
Civil support to national defense authorities
It is not the Defense Department that maintains many of these; nor is it the Defense Department that has primacy in defending the systems. Instead, these functions are largely delivered by the private sector and are dependent on a variety of information and communications and operational technologies as well as a diverse supply of materials and chemicals.
I’ve come to think of this as “civil support to defense authorities,” which depends on greater collaboration in planning and shared incentives—particularly around supply chains.
Cyber resilience flips the traditional approach to defense on its head, and it is crucial that there are structures, business agreements and analysis and information sharing to support collaborative planning and investment in defense and resilience by private companies as well as the U.S. government.
These can’t be one-time fixes, however. They need to be sustained and practiced. We are in an era where strategic competition is veering toward strategic conflict. The response to that demands focus and breaking down barriers to collaboration.
