Critical infrastructure isn't ready yet to face China's cyber threat
China's hacking operations pose the biggest existential threat to the safety of U.S. critical infrastructure — but despite years of investment, the U.S. is far from nailing the cyber basics.
Why it matters: U.S. cyber officials warned Congress this week that China has shown a persistent interest in not only stealing state secrets, but also disrupting basic services, like access to clean water and electricity.
- Growing tensions between the U.S. and China — especially with a potential Chinese invasion of Taiwan on the horizon — have only exacerbated officials' concerns.
- Many critical infrastructure operators — which include major banks, small-town water utilities and even IT firms — are still struggling to enforce basic cyber hygiene, such as having a plan to keep software up to date and implementing multifactor authentication.
Threat level: If China-backed hackers were to take down U.S. critical infrastructure and hit a pipeline or water utility, officials have long said that would be considered an act of war.
- Officials fear that China is laying the foundation to launch destructive cyberattacks at the onset of a potential invasion of Taiwan.
Catch up quick: Chinese hackers have stepped up their attacks on U.S. services in the last year.
- Microsoft disclosed a breach in July in which suspected China-backed hackers accessed several government email accounts, including those belonging to Commerce Secretary Gina Raimondo and the State Department.
- China state-sponsored hackers are also believed to have targeted severe flaws in Ivanti's VPN products.
Yes, but: Despite years of warning and government investments, U.S. critical infrastructure remains woefully underprepared for China's cyber threats.
- Many critical sectors lack the staff and funding to get up to speed on the cyber threats they're facing, Stacy O'Mara, head of advanced cybersecurity solutions and partnerships for Google-owned Mandiant's public sector division, told Axios.
- Other operators are also still unaware of the government resources and partnerships they can tap to shore up their defenses, O'Mara added.
- "They don't necessarily understand or may not believe the intensity of the threat," she said.
Meanwhile, government watchdog reports have identified pitfalls in the federal government's approach to securing critical infrastructure.
- One in September found that federal information-sharing programs — where the government shares details about emerging threats — aren't always sharing details in a timely manner with operators.
- Another published nearly a year ago reported that the federal government had not implemented 57% of the 106 public recommendations for shoring up critical cyber defenses since 2010.
Between the lines: The vast majority of U.S. critical infrastructure is owned and operated by private entities — including cash-strapped smaller utility companies and industry organizations.
- Even the federal government's basic attempts to require cybersecurity audits or incident reporting have hit legal and legislative hurdles.
Zoom out: The U.S. government has successfully laid a foundation in recent years to help address the hurdles critical infrastructure is facing, O'Mara said.
- "In the last decade, I have not seen this level of collaboration around cybersecurity, not only within the interagency, within the United States government, but also within the private sector," O'Mara said.
What we're watching: The results of the 2024 U.S. presidential election will play a huge role in how China's hacking threats evolve.
- While the Biden administration has focused on cooling tensions between the U.S. and China, former President Donald Trump's China policy during a potential second term is still up in the air.