In June at the Aspen Institute in Washington D.C., Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly began what now seems to be a prolonged messaging campaign: a stark “Black Swan/Gray Rhino” warning of the inevitably of crippling cyberattacks on U.S. critical infrastructure. 

“China certainly would consider aggressive cyber attacks against U.S. critical infrastructure…I think that’s something we really need to internalize frankly.”

In her Aspen Institute remarks, Easterly first offered this assessment:  “Given the formidable nature of the threat from Chinese state actors, given the size of their capability, given how much resources and effort they’re putting into it, it’s going to be very, very difficult for us to prevent disruptions from happening,” she said. (1)

Last week, at the DEFCON31 Conference in Las Vegas, NV, Easterly reiterated and reinforced this message:

“I hope that people are taking seriously a pretty stark warning about the potential for China to use their very formidable capabilities in the event of a conflict in the Taiwan straits to go after our critical infrastructure.” (2)

She went on to say: “In the event of a conflict in the Taiwan Strait, China certainly would consider aggressive cyber attacks against U.S. critical infrastructure, whether that’s oil and gas pipelines, transportation…I think that’s something we really need to internalize frankly.” (3)

“…they have unwittingly come to accept that it is normal for new software and devices to be indefensible by design…”

Easterly’s messaging on the strategic vulnerability of critical Instructure runs parallel to the efforts of the CISA’s Secure by Design Initative, which was launched in a February article in Foreign Policy Magazine (co-authored by Easterly Eric Goldstein) entitled “Stop Passing the Buck on Cybersecurity Why Companies Must Build Safety Into Tech Products“: 

“Despite a global multibillion-dollar cybersecurity industry, the threat from malicious cyber-activity, from both criminal and state actors, continues to grow…These breaches included attacks that threatened public health and safety, with several hospitals across the United States forced to cancel surgeries and divert patients because they were locked out of their systems.

Over the past decade, adversaries of the United States have developed increasingly sophisticated offensive cyber-capabilities. As cybersecurity expert Dmitri Alperovitch has argued, “We don’t have a cyber problem. We have a Russia, China, Iran, North Korea problem.” Although the focus on malicious actors—whether nation-states or criminals—is important, cyber-intrusions are a symptom, rather than a cause, of the continued vulnerability of U.S. technology.

What the United States faces is less a cyber problem than a broader technology and culture problem. The incentives for developing and selling technology have eclipsed customer safety in importance—a trend that is not unique to software and hardware industries but one that has particularly pernicious effects because of the ubiquity of these technologies. As Americans have integrated technology into nearly every facet of their lives, they have unwittingly come to accept that it is normal for new software and devices to be indefensible by design. They accept products that are released to market with dozens, hundreds, or even thousands of defects. They accept that the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves.” (4)

What Next?

U.S. Hunts Chinese Malware That Could Disrupt American Military Operations (NYTimes) 

“Easterly addressed this recent report by Sanger and Barnes in her DEFCON31 remarks.”

Easterly’s comments come two weeks after the publication in the New York Times of a report by respected cybersecurity reporters David Sanger and Julian E. Barnes which has garnered much attention in many public sector security communities of practice:   

“The Biden administration is searching for malware it believes China has placed inside networks controlling critical infrastructure that supply military bases in the United States and around the world, according to U.S. military, intelligence, and national security officials. The malware could be designed to disrupt U.S. military operations in the event of a conflict, including if China moves against Taiwan.  The impact of any subsequent cyberattack could be much greater as the infrastructure upon which the military relies also often supplies the houses and businesses of ordinary Americans, according to U.S. officials” David E. Sanger and Julian E. Barnes report for the New York Times.

The Record confirmed that Easterly addressed this recent report by Sanger and Barnes in her DEFCON31 remarks: 

“During the DEF CON security conference this weekend, Easterly spoke alongside Transportation Security Administration (TSA) administrator David Pekoske about efforts to both address the country’s cybersecurity gaps and convince the hacker community to lend a helping hand.

Easterly did not hold back in describing the threat from China — openly confirming concerns raised by White House officials in a New York Times story last month about the potential for destructive cyberattacks during an invasion of Taiwan.” (5)

CISA’s Secure by Design Initiative

…defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future.”

CISA’s Secure by Design efforts are in line with the 2023 National Cybersecurity Strategy, which delineated “two fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace,” stating that “in realizing these shifts, we aspired not just to improve our defenses, but to change those underlying dynamics that currently contravene our interests.  The two fundamental shifts are: 

1. Rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.
    
2. Realign incentives to favor long-term investments by striking a careful balance between defending ourselves against urgent threats today and simultaneously strategically planning for and investing in a resilient future. 

https://oodaloop.com/archive/2023/08/15/the-taiwan-scenario-and-cyberattacks-on-civilian-critical-infrastructures/

https://oodaloop.com/archive/2023/03/09/what-executives-need-to-know-about-the-annual-threat-assessment-from-the-u-s-intelligence-community/

https://oodaloop.com/archive/2023/08/08/seeking-input-on-strategic-objective-1-1-harmonizing-cybersecurity-regulations-of-the-national-cybersecurity-strategy/

https://oodaloop.com/archive/2023/07/21/doj-acts-on-national-cybersecurity-strategy-implementation-plan-with-fusion-of-cyber-crypto-crime-units/

https://oodaloop.com/archive/2021/11/22/scenario-planning-for-global-computer-chip-supply-chain-disruption-results-of-an-ooda-stratigame/