White House: Threats to critical infrastructure are 'severe'
While the White House released the new National Cybersecurity Strategy last year to help combat threats to critical infrastructure organizations, attacks have continued.
SAN FRANCISCO -- During an RSA Conference 2024 keynote on Tuesday, White House representatives warned that the threat to critical infrastructure organizations is "severe" and persistent, particularly from Chinese nation-state threat actors.
Harry Coker, Jr., national cyber director at the White House, and Sue Gordon, former principal deputy director of national intelligence, presented the session titled "The State of our Cyber is Strong: The View from the White House." Coker and Gordon discussed Tuesday's release of the White House's second version of the National Cybersecurity Strategy implementation and provided an update on its progress.
The White House released version one of the strategy last year, and one of the top pillars helped to address evolving risks against critical infrastructure. Over the past year, the government updated and implemented new requirements intended to protect those organizations, such as the U.S. Securities and Exchange Commission's four-day reporting rule. However, the risks have not only continued but worsened.
Nation-state threat groups, particularly those aligned with China, aren't conducting attacks against critical infrastructure solely for cyberespionage purposes, financial gain or intelligence gathering anymore, Coker warned. Their motivations are broader and more dangerous.
"The days of physical threats to our critical infrastructure are long gone. The cyber threats to critical infrastructure are severe and not going away," he said during the session.
One prime example of these "severe" threats revolves around the Chinese nation-state actor Microsoft tracks as Volt Typhoon. Coker highlighted a Jan. 31 hearing with the FBI, CISA and National Security Agency where he provided testimony about the threat posed by China to U.S. critical infrastructure.
During the hearing, U.S. agencies detailed how they disrupted a botnet campaign by Volt Typhoon where threat actors compromised hundreds of U.S.-based SOHO routers as part of a wider campaign against U.S. critical infrastructure organizations. They also revealed that Volt Typhoon hid in victims' IT networks and maintained access to some critical infrastructure organizations for at least five years.
During her hearing testimony, CISA director Jen Easterly emphasized Volt Typhoon actors intended to use that access for disruptive and destructive attacks in case of a conflict with the U.S. Coker echoed that sentiment during Tuesday's RSA Conference 2024 keynote.
"It was great to have that hearing because the American public and international public need to understand we are under unacceptable risk posed by malicious actors with regards to our critical infrastructure," he said.
Another RSA Conference 2024 session on Monday, which featured officials from other U.S. agencies, confirmed Volt Typhoon intrusions are ongoing. Coker urged each of the sector's risk agencies to have the cyber resources, personnel and expertise to work with the owners and operators of critical infrastructure. He stressed that he's confident the government is engaged in the right partnerships to help combat threats moving forward.
However, Coker said there is still plenty of work to accomplish, noting that some private sector organizations "look at cybersecurity as an inconvenience as opposed to an imperative."
He cited a recent workforce meeting held at the White House as an example of how cybersecurity is affecting an array of critical industries, including transportation, food and agriculture, education, and manufacturing.
Coker expanded on the persistent threat against the education sector in particular. To combat the disruptive attacks that threaten sensitive information and lead to school closures, Coker said the White House requested that K-12 school districts transition from .com or .org domains to .gov where "security is afforded to them." CISA was a strong operational partner lead in that area, he said.
Progress and challenges
To measure the effectiveness of the National Cybersecurity Strategy over the last year, Coker said they graded themselves and examined all their actions. "I'm pleased to announce we made collectively good progress, but we have to do more," he said.
One area he highlighted was ransomware, which according to several cybersecurity vendors reached record highs in 2023 in terms of the number of victims and payment amounts. Ransomware operators continue to adapt their evasion techniques and increase payment pressure with more brazen extortion tactics.
Coker said one of the federal government's priorities includes working to incentivize private entities to take action in a variety of areas. He cited as an example the White House's software liability policy, which looks to hold technology companies accountable for shipping vulnerable products with known flaws and insecure configurations.
"How do we use that to make cybersecurity more secure and transfer the cost, frankly, from the end user to big tech and the software developers?" Coker said. "How do we implement [the shift to memory-safe programming languages]? There is an awful lot of legacy code that's going to be vulnerable, and we have to address that."
While Gordon applauded the federal government's newly implemented standards and requirements, she also said compliance with those standards won't be enough. It's vital that organizations understand the risk they are facing and the responsibility they owe the collective for action to be taken, she stressed.
"In a world where every technology is available to everyone, where we're living in a digitally connected world and of data abundance, national security is not the sole purview of the government. In fact, I would say that in 2024, disproportionally the private sector and private citizens are national security decisionmakers," Gordon said during the session.
Alex Stamos, chief trust officer at SentinelOne, also presented an RSA Conference 2024 session on Tuesday that delved into the importance of the federal government being on the same page to assist enterprises. While enterprises are urged to contact law enforcement following an attack, Stamos said the Biden administration's stance on cybersecurity makes that decision challenging.
"Half of the current administration sees companies as victims. The other half sees every victim as a criminal themselves. 'Oh, you deserve it. You should have done better. We're going to punish you until you get better,'" he said. "It's created this complicated situation for companies -- 'Who can I turn to, to help me with this?'"
Arielle Waldman is a Boston-based reporter covering enterprise security news.