It may not be a household name to most Americans, but the U.S. Cybersecurity and Infrastructure Security Agency is vital to our national defense, responsible, in its own words, for leading “the national effort to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day.”
So, what did CISA’s director tell lawmakers about the cyber threat posed by China?
“This, I think, is the real threat that we need to be prepared for, and to focus on, and to build resilience against,” Jen Easterly told the Aspen Institute in Washington in June. “Given the formidable nature of the threat from Chinese state actors, given the size of their capability, given how much resources and effort they’re putting into it, it’s going to be very, very difficult for us to prevent disruptions from happening.”
Easterly is far from alone. On March 8, the five directors of the most senior intelligence agencies advised the Senate Select Committee on Intelligence that the Chinese Communist Party represents the leading threat to U.S. national security and leadership globally.
“China uses cyberattacks below the threshold of war to coerce its rivals,” according to a recent report by consulting firm Booz Allen. “For instance, it has targeted American critical infrastructure to deter U.S. involvement in Asia. China’s cyberattacks can affect government agencies, global corporations, and small businesses—either directly or via cascading risks.”
Indeed, the litany of infamous attacks linked to Chinese hackers reads like a greatest hits of cyber terrorism. They include the massive data breach at the federal Office of Personnel Management in 2015, the Equifax breach in 2017, an attack in 2021 on six state governments’ computer networks, and the theft of trillions in intellectual property from about 30 multinational companies.
This is all scary stuff. But the increasingly stealthy and dangerous activities linked to China beg the question of whether both the government and the private sector are truly taking these cyber threats seriously enough and sufficiently working to get ahead of future attacks.
I’m not sure we are.
I think back to a panel discussion I had with several governors a couple of years ago on the topic of emergency preparedness. The governors had much to say about their response plans for a hurricane, flood, or other natural disaster. But when I asked what they’d do in the event of a major cyberattack sabotaging key infrastructure, some adopted a deer-in-the-headlights gaze, while others muttered something to the effect of, “We’d call our CIO.”
Thankfully, this dynamic has improved significantly over the years since that conversation. Collaboration and cohesion between Homeland Security, Public Safety, Federal and State officials to build a comprehensive cyber response plan has increased, and these concerns are now considered and addressed beyond the walls of IT departments.
Even so, that anecdote confirmed for me that U.S. preparedness suffers from what could be called a visibility gap — the lack of total visibility and intelligence around all assets within their environment, which can prevent an organized, integrated approach to threat analysis, strategy, and information sharing among decentralized federal agencies, state and local governments and the private sector.
Take, for example, the findings of the bipartisan Cyberspace Solarium Commission charged with developing a strategic approach to cyber defense. The group’s executive director recently criticized the system for managing cyber risk among critical infrastructure sectors as obsolete and said it hampers private-sector cooperation.
What’s needed is a consistent, proactive, collaborative effort that brings the government and private sector together as much as possible. The private sector can’t wait for the government to lead, and vice versa. The time is now for holistic action by both.
Fortunately, some of this already is bubbling up.
CISA’s Shields Up program was launched in February 2022 to foster information sharing about cybersecurity threats, products, and other resources after Russia’s invasion of Ukraine. Agency director Easterly has said CISA could soon start a similar campaign focused on China.
This program is proving helpful so far in uncovering and understanding crucial risks, identifying attack vectors, recommending ways to shore up defenses, and containing any exploits.
Such work has become especially important as the growing use of interconnected devices—such as beacons and sensors used to control and operate power and gas supplies, nuclear power plants, oil refineries, and other critical systems—dramatically increases the potential areas for attackers to target.
Meanwhile, the National Institute of Standards and Technology (NIST), a Commerce Department office that develops cybersecurity best practices, recently announced a new initiative to work with the private sector and others in government to improve cybersecurity in supply chains.
And, though it’s not specific to cyber security, the Defense Department’s decision to explore ways to partner with commercial space companies to access their services during national security emergencies is another great example of how effective public-private sectors can be. The DoD is considering creating the space equivalent of the civil reserve air fleet, or CRAF, a program the Pentagon conceived 70 years ago to leverage commercial airlift capacity in emergencies.
The benefits of stronger public-private collaboration can even spill over into better awareness of the risks posed by artificial intelligence, which represents a new expansion of the attack surface. As generative AI advances, it creates troubling new scenarios such as a hacker creating convincing replicas of voice recordings and images that can be used for fraudulent activities such as identity theft and deepfakes.
Whether it’s dealing with the noted threat from China, or addressing the growing threat surface that AI technologies are now introducing, the country simply can’t afford information silos and disjointed, disorganized responses to important problems.
The emergence of a rapidly growing threat surface demands that our actions match our rhetoric. Our nation must go beyond the rhetoric and legacy approach to analyzing and discussing the challenge and instead embrace a model that focuses on outcomes and time to impact. While we take time to discuss, our adversaries are introducing the next threat.
The time is now for robust public-private collaboration and activation. We can’t afford otherwise.
Tom Guarente is Vice President of External and Government Affairs at Armis, an asset visibility and security company.