Friday, November 22, 2024

China’s Very Real Cyber Threat to Our Critical Infrastructure

Must read

Lights flickered, then darkened. The hum of appliances went silent. Air conditioning ceased.

Moments later, appliances chirped back to life, lights glowed and cooling air flowed.

And then again, nothing — silence, darkness and the type of stillness that quickly becomes stifling.


Before cell service stopped, news alerts had announced unexpected blackouts, even though the fall evening weather was sublime. And something about a blockade.

The beginning of a Tom Clancy thriller? Or a forewarning that a blockade of Taiwan by China could produce hurricane-aftermath-like effects in the U.S.?

The threat is not theoretical: Recent Chinese cyber espionage activity in the U.S. demonstrates its potential to cause domestic unrest through manipulation of our civilian infrastructure as a deterrent to the U.S. defending Taiwan should China blockade or invade the island nation, which China views as part of “one China.” China’s People’s Liberation Army (PLA) simulated such a blockade in October just as the southeastern United States was reeling from the devastation of hurricanes Helene and Milton.

In the wake of those storms, infrastructure everyone takes for granted failed. Power went out. Sewage systems overflowed. Water was unsafe. Internet and cell service were down.

And not only did physical infrastructure fracture, but dangerous fissures in social infrastructure quickly opened. With gasoline in short supply, tanker trucks required police escorts and gas stations required police presence, all to prevent theft and fights. Arrests for looting and unlicensed contractor activity were unprecedented. Disinformation following Helene was so pernicious that the Federal Emergency Management Agency established a web page dedicated to debunking it and had to suspend victim outreach efforts temporarily due to threats of violence.

The same day Milton made landfall, Oct. 10, conditions were right on the other side of the globe for a different type of storm to threaten a vulnerable populace. This storm would invade the waters around Taiwan and the sky above it.

Taiwan celebrated its National Day on Oct. 10, a public holiday that traces its origins to liberation from imperial rule. Taiwanese President Lai Ching-te delivered a National Day address during which he affirmed Taiwan’s sovereignty. Four days later and in direct response to Lai’s speech, the PLA staged Joint Sword 2024B, a military operation simulating a blockade of Taiwan and demonstrating multi-domain assault and invasion capabilities.

Those capabilities would certainly include cyber warfare directed not only at Taiwan’s military but also at its civilian infrastructure — and that of its allies, most notably the United States. That capability was demonstrated on Sept. 26, the same day Hurricane Helene struck Florida, when a storm with a different name — Salt Typhoon — hit the news. Salt Typhoon is the name given to the latest in a series of Chinese cyber attacks on U.S. critical infrastructure and assets. This time, Chinese cyber espionage operators gained access to American telecommunications systems and data.

Salt Typhoon was preceded by similarly dangerous Volt Typhoon, revealed in January this year. U.S. power and water systems were extensively penetrated by Chinese cyber attacks. As FBI Director Christopher Wray testified before a House committee, with Volt Typhoon “China is attempting to pre-position on U.S. critical infrastructure — setting up back doors to cripple vital assets and systems in the event China invades Taiwan and therefore, limiting our ability to assist Taiwan.”

Americans in the Southeast got a preview of the impact of such a move on China’s part with the swift loss of civilian infrastructure services and civility following hurricanes Helene and Milton. But hurricanes and other natural disasters do not hold critical infrastructure hostage. Adversarial nation-states do.

If the Joint Sword blockade of Taiwan had been real, the power, gas, water, sewer and cell service outages so many in the Southeast were experiencing at the same time the PLA navy encircled Taiwan could have been caused by “typhoons,” not hurricanes. Yet unlike service restoration following a hurricane, restoration following disruption due to Volt Typhoon-type malware could be conditional, not inevitable.

We need to be better prepared — and fortified — than we are. As utilities and local, state and federal agencies continue to recover systems and restore services following back-to-back hurricanes, national security considerations must be integrated into after-action reports and go-forward improvement plans. These would include:

• Assessing internal systems and those of external vendors for latent malware and remediating as needed.

• Identifying and hardening system access points and system-to-system handoff links with enhanced cybersecurity solutions.

• Providing improved ongoing cybersecurity awareness training to help keep cybersecurity risks and their mitigation top of mind for personnel, who often are unwittingly the weakest link in cyber defenses.

• Prioritizing physical infrastructure improvements and system redundancies that allow for continuity of operations and service even when functionality is impaired.

• Routinely conducting tabletop exercises that incorporate malign-actor attacks on systems while engaging in a process of continuous improvement that integrates lessons learned.

• And maintaining focus and budget prioritization on implementing these recommendations, even when the blue sky returns and the sun shines day after day.

Typhoons, after all, are as destructive to the infrastructure we rely on as hurricanes. But so are “typhoons.”

Christopher Hunter, a nonresident senior fellow with the Global and National Security Institute at the University of South Florida, is a former federal prosecutor with the U.S. Department of Justice and special agent with the FBI. He is an adjunct professor at the University of Tampa.


Governing’s opinion columns reflect the views of their authors and not necessarily those of Governing’s editors or management.

Latest article