The Continuing Vulnerability of US Critical Infrastructure

The vulnerability of the 16 US critical infrastructure sectors is no secret. FBI Director Christopher Wray recently spotlighted this issue with a sense of urgency. On April 18, Wray spoke at the Vanderbilt Summit on Modern Conflict and Emerging Threats.  

“... The fact is the PRC’s [People’s Republic of China] targeting of our critical infrastructure is both broad and unrelenting,” he said in remarks prepared for delivery.  

Volt Typhoon, a PRC state-sponsored actor, was discovered lurking in critical infrastructure for years. Considering increasing tension over Taiwan, the PRC’s presence in US critical infrastructure portends potentially devastating consequences. “The activity is nothing new, but the impact could very well be,” Stephen Moore, vice president and chief security strategist at cybersecurity company Exabeam, tells InformationWeek.  

How could the PRC’s cyber activity impact critical infrastructure? Where are the biggest vulnerabilities? And how do the government and private sectors need to pivot to face this real-time threat? 

Threats to Critical Infrastructure  

Intellectual property theft has been a key goal of the PRC’s cyber espionage activity. But the focus on critical infrastructure has a different motive. “You don’t go into critical infrastructure to steal data. You don't go into critical infrastructure for IP. You go into critical infrastructure because you intend to cause damage either now or sometime in the future,” says Michael McLaughlin, principal of government relations and cybersecurity and data privacy practice group co-leader at law firm Buchanan Ingersoll & Rooney.  

Related:Another Cyberattack on Critical Infrastructure and the Outlook on Cyberwarfare

If China and the United States escalate their conflict over Taiwan, China could leverage its position in critical infrastructure to cripple the US’s military response and directly impact citizens.  

“They [are] positioning themselves within our water systems, our telecom, our energy sector -- all 16 sectors are at risk here -- to be able to be in a position that if … an event took place … they could really hold us hostage from a civilian perspective,” says Alison King, vice president of government affairs at cybersecurity company Forescout. 

Vulnerabilities in Critical Infrastructure  

Critical infrastructure, as the name suggests, is vital to everyday life. So, why is it so vulnerable to threats from nation state actors like the PRC? The answer lies, in part, in the age of the infrastructure.  

“If you think about a water treatment facility, the electric grid, the lifecycle for all of these major capital-intensive investments that are necessary, that perform an operational function, the lifecycle for these items is 25 years or more. They are generational compared to IT,” King points out. 

Related:CISA Rolls Out Program to Protect Critical Infrastructure From Ransomware

Older systems like these often run on outdated technology that cannot adopt modern cybersecurity and access controls, making them vulnerable to intrusion and cyberattacks.  

Critical infrastructure organizations have also connected their systems to the internet. “The sheer volume and variety of IoT has created this huge influx of endpoints, or access points, within critical infrastructure networks, and that just means that the attack surface for an adversary to be able to infiltrate a network has just grown significantly,” says King.  

Plus, the software supply chain poses a risk for critical infrastructure, just as it does for any organization. Third-party vulnerabilities and malicious software components expose critical infrastructure organizations to threat actor activity.  

Brian Fox, cofounder and CTO at Sonatype, a software supply chain management company, notes that open-source software vulnerabilities are a major consideration. He offered Log4Shell, a critical vulnerability discovered in Log4j, as an example. This vulnerability led to widespread fallout in 2021. Yet, years later many systems using Log4j remained unpatched. In December 2023, BleepingComputer reported that approximately 38% of applications using the Apache Log4j library are still using a vulnerable version.  

Related:Report Calls Out ‘Inadequate’ Approach to Protecting US Infrastructure

“If you extrapolate that out across the industry at large, it just shines a light on the fact that we’re not doing a good enough job solving these problems,” says Fox 

Any software, open-source or not, can have vulnerabilities, but these bugs are not the only concern. Malicious software components can expose critical infrastructure organizations to risk as well.  

“We’ve been tracking for the last seven years a massive explosion of what we call intentionally malicious components,” Fox shares.  

Earlier this year, a backdoor discovered in the XZ Utils data compression software sparked widespread concern. “If that got into Linux distributions [and] were pushed far and wide, it would literally affect nearly everything,” says Fox. The malicious code was caught early, but this kind of activity is unlikely to be unique.  

Addressing the vulnerabilities in critical infrastructure is no simple matter. “Part of that is just the nature of the complexity these environments. Part of it’s a staffing and education issue. We just don’t have enough people,” says Moore. “It’s an asymmetric problem.” In his recent comments, Wray shared that for every one person included in the FBI’s cyber personnel there are at least 50 Chinese hackers.  

Defending Critical Infrastructure  

Most of the nation’s critical infrastructure is owned and operated by the private sector, but solving the problem cannot be the private sector’s job alone, or the government’s job alone. “This isn’t an FBI problem. It’s not a US Cyber Command problem. This is an everybody problem,” says McLaughlin.  

Companies operating critical infrastructure need an awareness of the vulnerabilities and a commitment to mitigating risk. That means implementing basic cyber hygiene and attempting to understand where that risk lives in their systems. What is exposed to the internet? What protections are in place? How does the software supply chain introduce risk, and what are vendors doing to reduce those risks?  

Government agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and nonprofit organizations like Information Sharing and Analysis Centers (ISACs) provide free resources for critical infrastructure. 

Beyond free resources, there are questions about the role government should play in protecting critical infrastructure. On the one hand, it acts as a regulator. For example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is going through the rulemaking process. Under CIRCIA, covered entities will be required to report certain cybersecurity incidents and ransomware payments to CISA.  

Regulation is vital, but is it enough? Arguments can be made for incentivizing cybersecurity rather than penalizing critical infrastructure organizations that become victims of cyberattacks.  

“There are a lot of ways to incentivize, not only regulation (the stick), but through carrots like tax breaks for cyber enhancements,” says Steve Winterfeld, advisory CISO at Akamai Technologies, a cloud computing, security, and content delivery company.  

The cyber threats coming from the PRC are going to continue. “If the Chinese want to get into a network, they have zero days at their disposal. They have very advanced tools. They have the strategic patience. They’re going to be able to get in,” McLaughlin warns.  

In the face of that reality, resilience is essential. “My peers, my fellow CISOs, as I'm talking to them, it’s less about that perimeter defense and it’s [more] about finding that threat that got inside … and eliminating and minimizing that dwell time,” says Winterfeld.  

Critical infrastructure needs cyber resilience plans that enable them to discover persistent adversaries -- adversaries often using living off the land techniques -- and to continue operating if and when these threat actors decide to strike.  

Achieving that kind of resilience will require collaboration between the public and private sectors. “… We need to build a strong defense, and that’s solid partnerships -- as we've discussed, the very foundation of our work confronting Beijing,” Wray said at the Vanderbilt event.