Chinese Cyberthreats Underscore Need for State and Local Action

Commentary

The discovery of Chinese malware deeply embedded in computer networks connected to U.S. military bases—which one congressional official called “a ticking time bomb”—should be a major national security wake-up call.

The Chinese malware may have the ability to shut off civilian power and communications infrastructure that military bases rely upon to operate—putting the wider civilian population at risk.

Typical malware attacks are often used to hold vital personal or professional data ransom. The Chinese malware can apparently be used in a much more hostile and damaging way. Experts interviewed by The New York Times say “disruption, not surveillance, appears to be the objective” of these latest cyber penetrations.

The placement of this malware is a calculated move on the part of the Chinese Communist Party (CCP), harkening back to Sun Tzu’s admonishment that “the skillful leader subdues the enemy troops without any fighting.”

As a report for the U.S. Air Force Electromagnetic Defense Task Force (EDTF) explains, the U.S. military could be completely “subdued” in the event of a long-term outage of the electrical grid.

Unfortunately, it is very possible that malware and other forms of cyberattack can be used to create very long-term damaging effects on our life-sustaining infrastructures—such as the grid.

For example, in 2007, a group of U.S. government and power industry engineers conducted an experiment at the Idaho National Laboratory to demonstrate that a large electric generator, such as those used in the grid, can be destroyed by remotely turning it off and then back on rapidly. The vulnerability was given the term “Aurora,” and unfortunately—despite our own military spending time, money, and expertise to develop hardware mitigation technologies for it—our electric power industry and other critical infrastructures are still open to such an attack 16 years later.

Worrisome Timing

The timing of these recent Chinese cyberattacks is also strategic—and worrisome.

The CCP is ramping up its military to prepare for a blockade or invasion of Taiwan. Recent naval drills, including a “cross-sea troop transport exercise,” displayed China’s growing capability to invade the main Taiwanese island of Formosa or its other territorial islands. The Chinese People’s Liberation Army Navy also recently conducted a dangerous naval maneuver toward the U.S. Navy that “violated the maritime ‘Rules of the Road’ of safe passage in international waters,” according to the U.S. Indo-Pacific Command.

As The New York Times noted, if the CCP is able to slow the U.S. response to a Chinese invasion of Taiwan by cutting off communications to key military bases in the Asian region and elsewhere, that could help the Chinese take Taiwan by force. Col. (Ret.) John Mills likewise warned that the malware could be targeting American shipyards, ports, and radars to do the same.

Were the malware used to turn off power and communications, even temporarily, it would present a major escalation in terms of cyberwarfare.

One way to respond to the planting of malicious cyberwarfare is through deterrence, with the United States conducting similar types of cyber operations to demonstrate a comparable capability. But there are limited data available on the effectiveness of deterrence in preventing cyberwarfare because of its inherent deniability and the difficulty in attributing such attacks.

Since deterrence against cyberwarfare is unreliable at best, it is necessary to defend our systems and our society against this threat. Unfortunately, despite numerous petitions from grid security advocates, there is still no requirement by the federal government for the electric utility industry to defend against malware. In 2017, the Federal Energy Regulatory Commission (FERC) said it would “decline” to mandate measures to detect, mitigate, and remove malware from electrical grid systems.

State and Local Action Needed

Given the lack of will at the federal level among industry leaders and regulators, more will need to be done locally to protect our critical infrastructures and to prepare in the event of such an attack. Louisiana state Sen. Barry Milligan has authored multiple forms of legislation to protect his state’s critical infrastructure from nefarious Chinese tech companies that serve as entry points for Chinese cyberwarfare—setting an example for state leaders across the United States.

Local and state preparedness has traditionally been central to efforts to defend and increase the survivability of the populace against threats to the U.S. homeland.

While the federal government has largely abandoned the effort to promote significant preparedness, there is no reason why communities cannot fill in the gap. A recent report from the Center for Security Policy argued for reestablishing the U.S. civil defense effort, which was prevalent during the early part of the Cold War when the effectiveness of deterrence was also untested. Civil defense requires mobilizing the civilian population to prepare to respond in the event of attacks against the homeland. These efforts should include preparations for long-term, widespread power outages that might occur from a deliberate cyberattack.

Fortunately, the Department of Homeland Security’s Cyber Infrastructure Security Agency (CISA) formed the Resilient Power Working Group (RPWG) to assist. Consisting of members from across numerous federal agencies, state and local governments, nonprofit organizations, and private industry, the RPWG created the “Resilient Power Best Practices for Critical Facilities and Sites,” a document that “supports emergency and continuity managers with guidelines, analysis, background material, and references to increase the resilience of backup and emergency power systems during all durations of power outages.”

The seriousness of this most recent Chinese malware threat should raise concern for all Americans—especially those in uniform and those who own, operate, and regulate our critical infrastructures.

Given the increasing aggressiveness of communist China toward kinetic warfare in the Pacific, the CCP’s rapidly increasing threats to American critical infrastructure, and the slow federal response, it would be prudent for states and communities to adopt more aggressive measures to mitigate these threats and prepare their populations. Every state and community taking these steps will contribute to the overall defense of the nation.