CISA pivots focus to China-linked threats against critical infrastructure

Dive Brief:

  • The Cybersecurity and Infrastructure Security Agency is sharply focused on threat activity tied to the People’s Republic of China as that country has become the top nation-state cyber adversary to the U.S. China is actively targeting more critical infrastructure, CISA Director Jen Easterly said Wednesday at the Secureworks Threat Intelligence Summit.
  • China-linked threat actors have engaged in serious threat activity — such as the recent Volt Typhoon campaign — and have perfected living-off-the-land techniques that allow them to hide within existing digital infrastructure in preparation for future attacks, Easterly said. Critical industries like rail transportation, energy and oil and gas pipelines could face serious threats, particularly if some type of military conflict breaks out. 
  • “Even if we are aware of this threat, it may be difficult to find these actors in our infrastructure and so we have to work to ensure that our systems and our businesses and our networks are resilient,” Easterly said.

Dive Insight:

CISA has been heavily focused on protecting critical infrastructure and is moving quickly to engage with the cybersecurity and critical infrastructure communities to line up a number of initiatives to drive more robust intelligence sharing and sector-specific oversight. 

From a geopolitical standpoint, the agency has turned to more recent China-linked threats after a heavy emphasis on threats related to the Russia-Ukraine war.

The agency is required to publish a notice of proposed rulemaking by March 2024 for the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The rule requires critical infrastructure providers to notify CISA within 72 hours of a significant cyber incident. 

That initiative is well underway as the agency strives to harmonize the collection of data so that organizations are not overwhelmed by various federal authorities making the same request after each cyber incident, Easterly said. 

The rule is not designed to embarrass or shame companies if they are targeted by a malicious attack. 

“This is entirely about rendering assistance to the victim, protecting that victim and then using that information in a way that allows us to provide early warning to other potential victims before they get hacked,” Easterly said.

The work on CIRCIA comes at a time when public companies are making significant upgrades to their incident response plans and cyber governance. The Securities and Exchange Commission passed a rule that went into effect Sept. 5 that requires companies to report cyber incidents within four days of determining whether they are material to the company’s financial condition.

Corporate boards and C-suite executives need to embrace cybersecurity as a serious business risk, just like any other material risk, and other parts of the business community, including rating agencies, should weigh in on how cybersecurity risk impacts business, Easterly said.