Blunting the Risks of Private-Sector Ownership of CI

Depending on whom you ask, the private sector owns anywhere between 50% and 85% of critical infrastructure in the United States. This can impose a number of well-understood cybersecurity hurdles, starting with different regulatory rigor than the public sector, a lack of resources especially in smaller communities, and surely in some corners a prioritization of profit over abstract security risks and threats. 

Since the Colonial Pipeline attack demonstrated how a ransomware incident against enterprise systems could disrupt fuel delivery for millions, the federal government has taken steps to sharpen the risk management efforts of CI owners and operators. Through executive orders and national strategies, the government has described the risks and defensive measures to blunt those threats. 

Yet without oversight and enforcement, the division between private- and public-sector ownership of utilities, water treatment facilities, and other sectors, remains a sticking point in locking down what would be prime targets for state-sponsored adversaries. 

Volt Typhoon Puts Face on CI Threats

Let’s look at the Volt Typhoon threat actor, believed to be affiliated with China’s People’s Liberation Army (PLA). Their charter, according to U.S. officials and cyber threat intelligence investigators, appears to be to entrench themselves in U.S. critical infrastructure in order to disrupt the U.S.’ ability to communicate and respond in the event of military conflict with China. Disruptions of power, water, and other critical services at any kind of scale would also sew chaos among the American public during a potential time of conflict. 

Volt Typhoon’s activities have been closely studied by cybersecurity experts within the government and private sector. It has compromised the IT networks and systems in sectors such as water, energy, and transportation in the continental U.S., and in Guam. Leaders in the government assert this group is not like other advanced persistent threat (APT) entities that specialize in espionage; Volt Typhoon instead is positioning itself on IT networks in order to move laterally to disrupt OT assets using among other things, living-off-the-land techniques. LOTL is a means by which the group uses standard and legitimate tools on the victim’s network and abuses their functionality to move laterally and carry out malicious activity. 

Volt Typhoon puts a real face on the threat to critical infrastructure in the U.S., and in many cases, private-sector owners of CI would be on the front lines of tangential military activity. A recent Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party hearing equated the Volt Typhoon activity with placing bombs on American bridges and telecommunications equipment. The members called it an “outrageous threat to the homeland,” and for once not a hypothetical scenario, whose sole purpose is preparedness to impact U.S. infrastructure and sow chaos not only within the military, but also society.

Key Recommendations to Secure Critical Infrastructure

The U.S. government has prioritized public-private information sharing as one step to combat this threat. CISA’s Joint Cyber Defense Collaborative (JCDC) united hundreds of public and private partners organizations, creating a layered defense against threats to critical infrastructure. The 2024 JCDC priorities emphasize a need to defend against APT operations first and foremost. 

The JCDC calls out specifically that APTs are no longer solely espionage entities, but are focused on destructive cyberattacks with real-world impacts (expect an update this year to the National Cyber Incident Response Plan to further focus on this aspect of CI defense). The government seems intent on putting the onus on private sector owners fully collaborating in areas on threat intelligence sharing, risk mitigation, and other mutually beneficial information that reduces risk. 

CI owners should also raise their cybersecurity hygiene practices to acceptable levels. It continues to be that case that most incidents kick off with commodity malware and exploits against known vulnerabilities for which there are patches and mitigations available. Weak authentication, and poor configurations (such as exposing critical infrastructure directly to the internet rather than behind a firewall and/or secure remote access solution) continue to enable actors to pour through the fluid perimeters of our CI. 

Finally, while better hygiene resolves many issues, we cannot take our eye off emerging technology, and the enhanced risks things as AI introduce to critical infrastructure. Generative AI threats include simplifying the construction of phishing messages for threat actors, the creation of deep fakes, and misinformation campaigns. 

Defenders, meanwhile, can also deploy AI and natural language processing models to query systems about their exposure to vulnerabilities and in-the-wild attacks, which systems are patched, what known exploits and malware samples can impact their specific systems, and more. Data from security systems—including action based on past alerts—can be leveraged by advanced security systems to simultaneously reduce the number of noisy alerts analysts must engage with, and at the same time increase the speed of which they’re fed actionable alerts and measures can be taken to reduce risk. 

This could be a big outcome of private-public partnerships, and certainly requires a long road of cooperation and collaboration. But as Volt Typhoon has demonstrated, our adversaries are already taking advantage of our cybersecurity shortcomings, and the time has arrived to proactively address these threats.