Defending America’s critical infrastructure against threats from the People’s Republic of China will be a major focus of cybersecurity operations in 2024, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said Feb. 12.
CISA’s warning came in the 2024 Priorities document released by the agency’s Joint Cyber Defense Collaborative, which CISA established in 2021 to “drive unified efforts across public and private partners” to accomplish its security goals. The JCDC includes participants from state, local and international governments, along with infrastructure operators, cybersecurity companies, service providers and other stakeholders from various critical infrastructure sectors.
JCDC called the 2024 priorities “a critical step in [our] maturation [because] for the first time, we are aligning our priorities under three broad focus areas” that will help CISA and other participants create their strategies and direct their resources:
-
- defend against advanced persistent threats (APT), particularly those backed by the PRC.
- raise the cybersecurity baseline.
- anticipate emerging technology and risks.
Discussing the first area, JCDC observed that many malicious cyber actors — notably those working for China — have pivoted from focusing on “espionage and data theft” to “destructive attacks designed to cause real-world harm.”
The document did not list any specific attacks or groups. However, in a blog post on the 2024 priorities, CISA Associate Director Clayton Romans noted that U.S. intelligence agencies saw a rise in APT activity targeting U.S. critical infrastructure.
Romans went on to call on JCDC to assist critical infrastructure organizations to prepare for malicious activity involving “living off the land techniques.” This is a clear reference to Volt Typhoon, a PRC-sponsored hacking group first identified last year but now believed to have been actively infiltrating U.S. infrastructure for “at least five years,” according to a recent CISA cybersecurity advisory.
Volt Typhoon’s malware has been discovered in the information technology environments of companies in the energy, communications, transportation, and water and wastewater sectors in the U.S. and its territories. The “living off the land” strategy refers to hiding inside a target’s system using only existing resources disguised as legitimate traffic, and CISA has expressed “high confidence” that the group hopes to move from IT networks to the utilities’ operational technology assets, potentially giving the PRC the ability to disrupt operations.
CISA Director Jen Easterly, along with FBI Director Christopher Wray and other cybersecurity officials, warned members of the House of Representatives’ Committee on the Chinese Communist Party last month that China’s strategy in a conflict with the U.S. or its ally Taiwan likely would include attempts to disable critical infrastructure and cause “societal panic” among the civilian population. (See China Preparing to ‘Wreak Havoc’ on US, Cyber Officials Warn.) At the same hearing Wray called Volt Typhoon “the defining threat of our generation.”
Ransomware, AI Also Key Topics
In addition to identifying and neutralizing APTs like Volt Typhoon, the JCDC’s priorities document emphasizes planning for major cyber incidents that could result when such actors are not intercepted in time. CISA’s goals for the year include updating the U.S. National Cyber Incident Response Plan, currently under development in coordination with the Office of the National Cyber Director and industry partners, to address “significant changes in policy and cyber operations” since the NCIRP originally was released.
Additional priorities include reducing the impact of ransomware on critical infrastructure. That topic reached new levels of urgency in 2021 with the hack of Colonial Pipeline, which caused the company to shut down a major source of petroleum products for the East Coast for several days.
Cybersecurity experts say ransomware attacks have become easier than ever because of the rise of the ransomware-as-a-service model, in which a core group develops and operates a ransomware package while recruiting affiliates to hack into networks and deploy the app. Users of this model include DarkSide, the group federal officials believe was behind the Colonial attack. (See Robb Says Collaboration Key to Maintaining Cyber Vigilance.)
The remaining priorities are to help state and local election officials secure their infrastructure against cyber threats, to encourage technology manufacturers to incorporate security into their designs and to reduce the risk of artificial intelligence to critical infrastructure. The last area includes the “Guidelines for secure AI system development” document, released by CISA and several of its international counterparts in November to provide guidance for AI developers on preventing security breaches in their technology.