U.S. Ability to Withstand Chinese, Russian Cyberattacks Questioned

By Josh Luckenbaugh


Defending power plants, pipelines and water treatment facilities from cyber threats could play a key role in a future conflict, as the United States’ great power rivals have made the ability to target these essential services a warfighting priority.

In May, the Cybersecurity and Infrastructure Security Agency issued an advisory regarding a “cluster of activity of interest” associated with a People’s Republic of China state-sponsored cyber actor known as Volt Typhoon.

“Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide,” the advisory said. Microsoft stated it had “uncovered stealthy and targeted malicious activity” by Volt Typhoon across communications, manufacturing, transportation, maritime and other sectors, and that the threat actor intended to conduct espionage and maintain access to critical networks.

And it’s not just China. The United States’ “peer and near-peer adversaries … have capabilities against our critical infrastructure,” said Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center. “And not only do they have capabilities against our critical infrastructure, but those capabilities are now part of their doctrine for combined arms.”

In its “Annual Threat Assessment of the U.S. Intelligence Community” published in February, the Office of the Director of National Intelligence said Russia is “particularly focused on improving its ability to target critical infrastructure … in the United States as well as in allied and partner countries,” while China is “almost certainly” capable of launching cyberattacks on key U.S. services such as oil and gas pipelines or rail systems.

“If Beijing feared that a major conflict with the United States were imminent, it almost certainly would consider undertaking aggressive cyber operations against U.S. homeland critical infrastructure and military assets worldwide,” the report said. “Such a strike would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic and interfering with the deployment of U.S. forces.”

Adversaries crafting battle plans that include targeting domestic infrastructure “is a huge shift from 10 or 15 years ago where we’re just kind of groping in the dark from a capability perspective,” Bristow said during a panel discussion at an Association of the United States Army event in June. The United States and other Western countries generally “consider going after the civilian population off limits, right? We play by rules. Those rules are not universally held … and our adversaries plan to use these types of [effects-based] operations in order to change our political calculus.”

Bristow brought up a hypothetical scenario of China invading Taiwan, “and then all of a sudden water treatment plants are getting hacked at home and putting too much chlorine in water and that kind of stuff. They’re hoping that it will de-focus us from supporting our allies and partners in a way that we’ve committed to. And this is a huge departure from a policy perspective and how we have to actually look at our defense, because now everything’s on the table.”

As the technology advances, the effects of cyberattacks are becoming “more and more kinetic,” said Patrick Murphy, former Army undersecretary. Past ransomware attacks shut down hospitals in England and similar cyberattacks could lead to patient deaths, he said.

With the majority of U.S. critical infrastructure controlled by the private sector, “we have to do a better job of building public-private partnerships,” Murphy said — a sentiment Bristow shared.

Adversaries attacking critical infrastructure in different ways “requires us to look for new ways to partner,” Bristow said. The U.S. military doesn’t “own and operate this critical infrastructure,” but “we have to figure out ways that we can help secure it in ways that won’t have that impact on the political calculus and the people.”

In its fiscal year 2024 budget request, the Defense Department is requesting $13.5 billion for cyberspace activities, which include increasing the “defense of U.S. critical infrastructure and defense industrial base partners against malicious cyberattacks,” according to department budget documents.

Along with building up public-private partnerships, the nation must take a more active approach to defending critical infrastructure from cyber threats, said Lt. Gen. Maria Barrett, Army Cyber Command commander.

When it comes to cyber defense, the United States must “move on from prevention — let’s get to kill chain,” Barrett said. “Can we detect it? Can we respond to it? Can we recover from it?”

Given the likelihood of future cyberattacks on critical infrastructure, “what you do after it happens is really what’s going to matter,” she said.

“The attack surface is so broad here that training people to now look at those types of things and building those teams to get after the kill chains is really where we want to be.”

The Army is “thinking through that challenge” of defending not just the critical infrastructure on its own bases, but also “outside [the base’s] fence line in the community,” she said. “Contestation is not just going to be within the theater of operations. It will be in the homeland, and we need to prepare for that.”

Barrett said going forward a key question will be: is a cyberattack on critical infrastructure an act of war?

“This is something that we actually have to grapple with,” she said. “Is it a military problem? Is it a Department of Homeland Security problem? Is it an FBI problem? We might answer to all of those, ‘Yes.’ But we do have to figure this out.”


Topics: Cyber, Cybersecurity
