Confronted with Chinese hacking threat, industrial cybersecurity pros ask: What else is new?
MIAMI — In recent months, U.S. intelligence officials have issued a series of pitched warnings about Chinese hacking operations targeting American critical infrastructure, but at a gathering last week of the world’s foremost industrial cybersecurity experts, the conversations among those charged with protecting these systems were anything but alarmed when it came to China.
Instead, conversations on panels and in hallways at the S4X24 conference focused on a lack of information from Washington about Beijing’s operations, and on intelligence-community warnings about a Chinese threat that many in the industry regard as obvious and long-standing, the status quo rather than news.
According to many in attendance at the conference, Chinese hacking operations targeting critical infrastructure entities like the electric grid and ports shouldn’t come as a surprise, and thinking otherwise would simply be naive.
Dale Peterson, a security pioneer who founded the S4 conference series, argued during one panel appearance that the Chinese hacking operations known as Volt Typhoon — which American intelligence officials believe aim to give China the ability to disrupt communications between the United States and Asia in the event of a conflict — are “not shocking” and “shouldn’t be overstated.”
“Why would you not pick strategic targets?” Peterson wondered aloud.
Peterson has been warning since 2013 that critical infrastructure entities are likely to be targeted by disruptive state-backed cyber operations, and he sees the latest warnings about Volt Typhoon as merely the latest development in a long-running story. “Volt Typhoon isn’t important,” he wrote last month. “The recognition and acceptance that this is the status quo is what’s critical.”
But this perspective frustrated others in attendance at the security confab.
Victor Atkins, the former lead for cyber intelligence at the Department of Energy, told CyberScoop that “as an industry or maybe as a sector, we’re getting a little complacent.” The industry’s “general malaise” regarding the threat posed by hackers leads too many security experts to dismiss recent alerts as something they already know.
But when intelligence officials warn of an unprecedented Chinese hacking operation, Atkins, now the global director of executive advisory services for industrial cybersecurity at 1898 & Co., wondered aloud if people really “know what this is.”
The warnings about the threat posed by China come at a time when industrial systems, such as water utilities, are being rapidly digitized, a trend that is likely to result in a higher volume of successful cyberattacks. At the same time, security is rarely prioritized, which leaves systems open to even unsophisticated, opportunistic attacks, as when Iranian hackers targeted an Israeli-made programmable logic controller and breached a water utility in Pennsylvania that had not changed the device’s default password.
This trend toward digitization cuts across sectors. Today’s automobile companies are as much software companies as they are firms that shape steel and assemble physical components, and in this new era Atkins argues that treating cybersecurity as a wholly defensive enterprise is insufficient. The possible attack vectors are nearly endless, and it’s simply not feasible for owners and operators of critical infrastructure to defend themselves against China.
“The goal is not to keep the Chinese out — they’re in, and they have many, many dedicated resources over many, many years focused on just getting in,” Atkins said. “The goal, now, is not to secure the environment; the goal is to survive an attack. And that is a different mentality.”
Atkins said he sees owners and operators “implementing what they can afford when they can, but I just don’t think it’s enough.”
There are also deeper divides between intelligence officials and those charged with protecting critical infrastructure from attacks by foreign states.
“The idea that this is a China and Russia problem is stupid,” argued Robert M. Lee, the CEO and founder of the industrial cybersecurity firm Dragos. “Every state actor worth their salt, including the U.S., is targeting industrial infrastructure.”
A former Air Force officer who participated in U.S. hacking operations, Lee finds the warnings from American intelligence officials “hypocritical.”
“You can’t sit there and clutch your pearls and say, ‘I can’t believe they’re doing what we’ve been doing,’” he said.
During a congressional hearing at the end of January, FBI Director Christopher Wray described the Chinese hacking campaign and China’s growing clout as “the defining threat of our generation.” In a subsequent advisory, U.S. and allied intelligence agencies warned that Chinese hackers have lurked in critical infrastructure networks for as long as five years, access that they might use to create “disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”
Peterson argues that while the U.S. intelligence community’s most dire warnings are reserved for a hypothetical Chinese hacking threat, ransomware operations carried out by criminal groups are causing real harm today. An ongoing ransomware attack on a payment processor has crippled huge swathes of the U.S. health care system, and while Russia may allow ransomware groups to operate with impunity within its borders, such groups are primarily criminal rather than political actors.
“Either they’re going to be right and we’re going to see some big significant compromises or they’re going to have cried wolf,” Peterson said of the U.S. intelligence community’s warnings.
In the absence of Chinese operations disrupting the grid, cyber defenders would like more information from the federal government to help build appropriate protections. Grant Geyer, chief product officer of the cybersecurity firm Claroty, said it remains difficult to convince clients of the threat without overstating and sowing fear, uncertainty and doubt.
“What organizations need to understand is: How critical is our organization to national security? Based on that criticality, it’s not, ‘What do we need to do in general?’ It’s, ‘What do we need to do specifically?’” Geyer said. “Asset owners are also questioning the urgency they have to act on. It’s not that they’re not taking it seriously. But seriousness requires specificity.”
Cybersecurity experts continue to complain that the federal government remains too lax in its information sharing, an issue that the intelligence community has been working to address.
Marco Ayala, president of the Houston chapter of the InfraGard National Members Alliance, an information-sharing body, said he is tired of “turning on C-SPAN to find out, ‘Hey we may be breached, but we don’t know.’”
“In the current state, we’re getting a lot of stuff that is late to the game and late to the party,” he said, adding that he would like to see the government make better use of organizations like InfraGard and information-sharing and analysis centers to distribute information to vetted communities.
But sharing information about the current Chinese hacking threat is made more difficult by the fact that Beijing’s operations have grown quieter.
China has shown interest in disruptive targeting of critical infrastructure since at least 2012, when the FBI and CISA’s predecessor, the National Protection and Programs Directorate, released an alert about intrusions into 23 U.S. pipelines. That Chinese-sponsored campaign relied on spearphishing emails and social engineering, including calling network engineers to request information about their security practices.
Volt Typhoon, by contrast, appears focused on stealth and long-term access.
Marty Edwards was director of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team at the time the pipeline alert was issued. He said that because the Volt Typhoon intrusions rely on living-off-the-land techniques — the use of legitimate tools and services already present on a breached system to carry out operations — traditional indicators of compromise such as malware hashes or attacker infrastructure are not as readily available. Instead, defenders have to look for anomalous behavior in their own networks, which is difficult at best.
That tactical shift by Chinese operators means that the government likely doesn’t have more to share with industry than it already has. “I don’t think the government’s hiding anything here. I think they genuinely don’t have additional information,” Edwards said.
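The detection problem Edwards describes, as an added example that is not code from the article or from any firm quoted in it: when every binary the intruder runs is a legitimate, signed Windows tool, there is no hash or domain to block, so the usable signal is who ran what, under which parent, with what arguments, compared against what that host and account normally do. Everything below is assumed for illustration: the event shape (modeled loosely on Sysmon Event ID 1 / Windows 4688 process creation), the dual-use tool list, the command-line heuristics, and the sample events, which are constructed and not observed data.

```python
"""Behavioral detection of living-off-the-land (LOTL) activity.

Added example. Assumptions: process-creation events with host, user, parent,
image and command line; the tool list, heuristics and sample events are
constructed for illustration and should be tuned to a real environment.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Legitimate Windows binaries that intruders commonly reuse (constructed list).
DUAL_USE_IMAGES = {
    "netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe", "cmd.exe",
    "reg.exe", "certutil.exe", "schtasks.exe", "sc.exe", "vssadmin.exe",
}

# Command-line shapes rarely produced by routine administration (constructed
# heuristics, each a regex matched against the lower-cased command line).
SUSPICIOUS_CMDLINE = {
    "netsh portproxy": re.compile(r"netsh\s+interface\s+portproxy\s+add"),
    "ntdsutil ifm dump": re.compile(r"ntdsutil.*(ifm|create\s+full)"),
    "wmic remote exec": re.compile(r"wmic\s+/node:"),
    "vss shadow copy": re.compile(r"vssadmin\s+create\s+shadow"),
}

# Parents that should almost never spawn admin tooling (constructed list).
ODD_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def build_baseline(history: list[ProcEvent]) -> dict[tuple[str, str], set[str]]:
    """Record which images each (host, user) pair has been seen running."""
    baseline: dict[tuple[str, str], set[str]] = defaultdict(set)
    for ev in history:
        baseline[(ev.host, ev.user)].add(ev.image.lower())
    return baseline


def detect_anomalies(events: list[ProcEvent],
                     baseline: dict[tuple[str, str], set[str]]) -> list[dict]:
    """Flag dual-use tool executions that deviate from the observed baseline.

    No hash, IP or domain is consulted: every binary is legitimate and already
    on disk, so the signal is who ran what, from which parent, and how.
    """
    alerts = []
    for ev in events:
        image = ev.image.lower()
        if image not in DUAL_USE_IMAGES:
            continue
        reasons = []
        if image not in baseline.get((ev.host, ev.user), set()):
            reasons.append(f"{image} never seen for {ev.user}@{ev.host}")
        cmd = ev.cmdline.lower()
        for label, pattern in SUSPICIOUS_CMDLINE.items():
            if pattern.search(cmd):
                reasons.append(f"command shape: {label}")
        if ev.parent.lower() in ODD_PARENTS:
            reasons.append(f"unusual parent {ev.parent}")
        if reasons:
            alerts.append({"event": ev, "reasons": reasons})
    return alerts


# Constructed history window: routine administration on two hosts.
HISTORY = [
    ProcEvent("dc01", "CORP\\svc_backup", "services.exe", "vssadmin.exe",
              "vssadmin list shadows"),
    ProcEvent("dc01", "CORP\\admin.jane", "cmd.exe", "reg.exe",
              "reg query HKLM\\Software\\Policies"),
    ProcEvent("hmi-02", "CORP\\ops.bob", "explorer.exe", "cmd.exe", "cmd /c dir"),
]

# Constructed new events: two routine, two consistent with LOTL tradecraft
# (a port-forward pivot and an offline dump of the directory database).
NEW_EVENTS = [
    ProcEvent("hmi-02", "CORP\\ops.bob", "explorer.exe", "cmd.exe", "cmd /c dir"),
    ProcEvent("hmi-02", "CORP\\ops.bob", "cmd.exe", "netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 "
              "connectaddress=10.0.0.5 connectport=3389"),
    ProcEvent("dc01", "CORP\\admin.jane", "cmd.exe", "ntdsutil.exe",
              'ntdsutil "ac i ntds" "ifm" "create full c:\\temp" q q'),
    ProcEvent("dc01", "CORP\\svc_backup", "services.exe", "vssadmin.exe",
              "vssadmin list shadows"),
]


def run_demo() -> list[dict]:
    """Score the constructed new events against the constructed history."""
    return detect_anomalies(NEW_EVENTS, build_baseline(HISTORY))


if __name__ == "__main__":
    for alert in run_demo():
        ev = alert["event"]
        print(f"[ALERT] {ev.user}@{ev.host} {ev.image}: {'; '.join(alert['reasons'])}")
```

The two routine events produce nothing, because the same account on the same host has run the same tool before and the arguments are unremarkable; the netsh and ntdsutil events each trip two independent heuristics. In practice the baseline would be built from weeks of real telemetry and the heuristics tuned per site, which is exactly the per-organization work Edwards' point implies cannot be replaced by a shared indicator list.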
Since tensions between the United States and China are unlikely to go away, at least one key industry official urged critical infrastructure operators in attendance to wake up to the fact that they are pawns in a much larger geopolitical game.
“What we’re really dealing with, but no one’s really talking about” is the “concept of cyber as mutually assured destruction,” said Megan Samford, vice president and chief product security officer for energy management at Schneider Electric. Many of China’s intrusions have been spotted, Samford argues, because China wants to be seen. “This is exactly how [mutually assured destruction] and nuclear warfare and nuclear proliferation works.”