Recently, the U.S. House of Representatives introduced a bill designed to combat the cyber threat against critical infrastructure posed by nation states, and especially China. Dubbed the “Strengthening Cyber Resilience Against State-Sponsored Threats Act,” the potential legislation would establish an interagency task force to address cyber-enabled threats to critical infrastructure and coordinate federal stakeholder agencies involved with its protection. The task force would be responsible for providing Congress with a classified report and briefing annually, as well as presenting findings and recommendations related to Chinese, and ostensibly other nation-state, cyber activities. The task force would be headed by the Department of Homeland Security’s (DHS) Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

As stated by Representative Laurel Lee, the purpose of the bill and the interagency task force is to implement “a focused, coordinated, and whole-of-government response to all of Beijing’s cyber threats, so no other actors succeed.” Though it is difficult to argue against this strategy, it does raise the question of whether such a body is needed given the existence of similar interagency cyber centers. Granted, the bill states that the task force can coordinate with already existing task forces, working groups, and any other government entity involved in tracking Chinese and other cyber threats to “avoid redundancy,” yet the very creation of this task force seems to introduce exactly that redundancy.

For example, the FBI leads the National Cyber Investigative Joint Task Force (NCIJTF), a body “comprised of over 30 partnering agencies from across law enforcement, the intelligence community, and the Department of Defense” and whose primary responsibility is to “to coordinate, integrate, and share information to support cyber threat investigations, supply and support intelligence analysis for community decision-maker.” The Directorate of National Intelligence heads the Cyber Threat Intelligence Integration Center (CTIIC), a body that “analyzes and integrates cyber intelligence for decision-makers so they can act on the identified threats. CTIIC coordinates an IC-wide approach to mitigating and countering cyber threats.” These missions certainly seem duplicative and overlapping. Given the cyber missions of other departments and agencies, especially those in the IC, this task force seems to be yet another layer.

But perhaps the nuance in this task force as opposed to others is that it would be critical infrastructure focused, or that it would be nation-state focused. Concern about threats to critical infrastructure is gaining importance given how these entities touch all of our lives, whether in the public or private sector, and more reporting is emerging that state actors are looking to exploit these targets for advantage. A recent report revealed that cyber attacks increased by 70% so far in 2024, further painting a bleak picture. The U.S. Transportation (ports), Water and Wastewater (water facilities), and Energy (power plants) sectors have all been targeted by suspected state actors, elevating awareness of the potentially catastrophic effects of a cyber-enabled event against them. However, there are 16 critical infrastructures across 50 states, making the critical infrastructure footprint quite expansive and making it difficult to get a comprehensive security view of such a vast enterprise. Add into the mix that not every state actor may be looking to target major critical infrastructure organizations (such as Iran in 2013 against a New York dam), and a difficult problem just became more complex.

What makes this task force particularly noteworthy is that even though its stated mandate is to look at all state cyber threats against critical infrastructure, it will be dedicated, at least for the immediate future, to addressing Chinese cyber threats. This is an interesting development driven by VOLT TYPHOON, a moniker assigned to extensive Chinese cyber reconnaissance designed to compromise targeted networks, many of them critical infrastructures, to maintain access and learn about the environment. Recently, an unnamed senior U.S. intelligence official said that China could use such access for disruptive or destructive purposes, especially if relations deteriorated between Beijing and Washington over contentious issues like Taiwan. What has raised the alarm about this activity is that it appears to have no intelligence value (note: this is debatable, as mapping out a network environment is very much in line with collecting intelligence against a potential future target), as opposed to some of the other cyber espionage activities to which Beijing has been tied by the United States and other governments and industry organizations.

And while there is legitimate concern that China appears to have progressed from a focus on espionage to planning for hostile relations with the United States, it has not yet been tied to a purposeful disruptive act against a critical infrastructure. (Note: China has been associated with similar activity against India. A 2021 Mumbai blackout was rumored to have been from a cyber attack, possibly China-orchestrated, but no evidence was found that a cyber attack was in fact the catalyst for the disruption.) This stands in stark contrast to Russia, which has been tied to some of the more significant cyber attacks against critical infrastructures, in addition to infiltrating U.S. energy assets. Based on Russia’s track record of using cyber attacks as political tools of punishment and coercion, and the current contentious relationship between Washington and Moscow over the Ukraine conflict, one would have thought Russia would be the first to be under this microscope. It warrants scrutiny whether the intention here is to create a separate task force for every adversarial state cyber actor.

Whether the bill passes or not remains to be seen. But having yet another layer of cyber in an already cumbersome bureaucratic mess of overlapping missions, roles, and responsibilities is akin to applying a new gloss to the same dusty playbook. Instead of overhauling and reforming the current bloated structure, more money is being invested to grow the space, not make it more efficient. Cyber missions are expanding, as evidenced by increasing the size of U.S. Cyber Command’s hunt-forward teams and granting it more authorities, and by potentially creating a new Cyber Force. “More” seems to be the preferred course of action rather than taking a serious inventory and review of how the United States government should be countering today’s cyber threats based on its agencies, authorities, and responsibilities. Such a cyber overhaul is needed to show maturation in the government’s understanding of how the cyber threat landscape has changed. It would go far to eliminate needless redundancies, streamline processes, enhance and expedite reporting, clarify which agencies are in charge of which areas, and grant them the power to make those decisions. It would also help identify which agencies have a primary role to play, and which are merely supporting actors.

Emilio Iasiello

About the Author

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.