It’s no longer enough to say aloud that we understand that U.S. critical infrastructure is at risk. It’s not enough to acknowledge the problem and yet continue to practice security by obscurity—a fatal flaw in this context.
Our adversaries have made strategic and tactical shifts in their aggression against our critical infrastructure. China-linked Volt Typhoon has embedded offensive digital weapons on military networks and other critical infrastructure with experts surmising that China’s hope was to activate those time bombs in the event of military conflict. Russia’s Sandworm has made no bones about its ability to compromise operational technology with custom-built malware frameworks that have caused power outages in Ukraine and have been used in concert with kinetic attacks.
The risk in the U.S. is amplified because so much of our critical infrastructure is privately owned. While our military and diplomatic policies may keep us from crossing the red lines of compromising private-sector entities elsewhere, that is clearly not the case for our adversaries. They likely view the private sector as a natural extension of our national security apparatus; they don’t understand—or care—about the public-private distinction.
This is why I say it’s time to move beyond mere acknowledgement of the problem. Perhaps it’s a failure of imagination on our part to properly strategize defense against these threats. The attack against Change Healthcare exposed the fragility of one incredibly vital critical infrastructure sector. The greatest digital disruption in the history of the healthcare industry happened because of an attack that impacted centralized billing. The adversary understood its options in achieving a desired effect without directly targeting hundreds or thousands of healthcare delivery organizations.
The Colonial Pipeline attack may have started out as a ransomware campaign, but adversaries observing the panic and psychological impact from a temporary fuel outage could learn plenty. These types of lessons learned may be guiding this strategic shift: it’s not entirely about disrupting necessary services, but perhaps there’s more value in eroding confidence in critical infrastructure. Russia and China are extremely skilled at understanding outcomes and strategically building from those opportunities.
During the recent Nexus Conference, former White House cybersecurity coordinator Chris Inglis said the Russians and Chinese intend to hold the U.S. at risk in every possible way; they understand our dependence on digital infrastructure, and that is one way to hold us at risk. This is a powerful message, and we’re starting to see some of that play out right now. Advanced persistent threat groups like Volt Typhoon and Sandworm are no longer chartered with just espionage and feeding their respective industry and economy with trade secrets; they’ve moved on and changed the risk calculus to include undermining our confidence in our digital infrastructure and economy.
Cyberspace is a level playing field for our adversaries who cannot match us militarily or economically. Cyberattacks that sow chaos coupled with misinformation and disinformation campaigns are powerful equalizers for our adversaries. This is what’s enabling their shift in tactics; it’s born out of a strategy. Less than a decade ago, there’s very little chance you’d see such activity as Volt Typhoon’s brazen embedding of attack tools on critical networks. This is incredibly escalatory behavior, yet they’ve concluded that the benefits outweigh the risks for them.
This is the context under which security leaders today should be developing policies and focusing investments. The red lines being crossed include attacks impacting the civilian population. Yet the private-public-military distinction isn’t in the view of our adversaries; they see critical infrastructure as part of a particular objective or capability they wish to impact. Therefore, every enterprise, every supply chain provider, every entity within the 16 critical infrastructure sectors is a target.
We need deterrence in cyberspace: formally agreed-upon norms of behavior similar to what’s been established with regard to nuclear deterrence. In developing that deterrence, we have to understand the thinking and behaviors of our adversaries and what their way forward might be, rather than developing policies and tactics based on our experience and predictable response to actions.
There are easily definable red lines, yet we clearly haven’t deterred adversaries from crossing them. And while China/Volt Typhoon seems to be the first to have taken a giant escalatory step over them, you can be sure others such as Russia, Iran, and North Korea will be watching our response and shifting strategy and behaviors accordingly. Without deterrence, we’ll not only see more of this activity, but a deep erosion of trust in our digital capabilities and faith in our institutions.
U.S. Navy Adm. (Ret.) Michael Rogers served as the 17th Director of the National Security Agency and the 2nd Commander of U.S. Cyber Command. Adm. Rogers presided over the activation of the Pentagon's Cyber Mission Forces and the elevation of U.S. Cyber Command to unified combatant command status. He is currently the chairman of Claroty’s Board of Advisors.