Congress told how Chinese attackers plan to incite ‘societal chaos’ in the US – Source: go.theregister.com

Chinese attackers are preparing to “wreak havoc” on American infrastructure and “cause societal chaos” in the US, infosec, and law enforcement bosses told a US House committee on Wednesday.

“The fact that PRC hackers are targeting our critical infrastructure, water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems — and the risk that poses to every American requires our attention,” FBI Director Christopher Wray told the House Select Committee on competition with China.

The hearing coincided with the FBI’s confirmation that it obtained search warrants and issued a remote kill command to wipe Volt Typhoon’s botnet after the Chinese crew infected hundreds of end-of-life routers and attempted to break into American critical infrastructure targets.

After breaking into victims’ routers the Volt Typhoon crew evades detection by using legitimate IP addresses and credentials, plus other tools to communicate with their spymasters and move throughout the target environment.

Such incidents are no longer a “theoretical threat,” added US Cybersecurity and Infrastructure Security Agency Director Jen Easterly, noting that CISA has seen Volt Typhoon “burrowing deep into our critical infrastructure to enabled active attacks in the event of a major crisis.”

This is a world major crisis halfway across the planet, could well endanger the lives of Americans here at home, through the disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, the crippling of our transportation modes, all to ensure that they can incite societal panic and chaos, and to deter our ability to marshal military might and civilian will,” she added.

Earlier reports suggested that American government officials were worried that this nation-state group was biding its time and planning to disrupt military installations, utilities and internet service providers if China invaded Taiwan and the US provided support for the island nation.

“Their aim is clear: In the early stages of a conflict, they want to disrupt our military’s ability to mobilize, and to impact the systems that allow us to thrive in our increasingly digital world,” said Harry Coker Jr, director of the Office of the National Cyber Director. This puts critical infrastructure owners and operators, the vast majority of whom are private organizations, “on the front lines,” he added.

But in addition to attacking US energy grids or water systems, which would likely incite a kinetic war, China also has less overtly destructive cybertools at its disposal including disinformation, spread via TikTok and other social media, and AI capabilities such as deepfakes intending to sway US elections.

These aren’t easy problems to solve. As Wray has repeatedly noted — and did again in front of the House panel — Chinese cyber spies outnumber the FBI’s cyber agents 50 to one. 

• FBI confirms it issued remote kill command to blow out Volt Typhoon’s botnet
• We know nations are going after critical systems, but what happens when crims join in?
• Five Eyes and Microsoft accuse China of attacking US infrastructure again
• US cyber spymaster calls TikTok China’s ‘Trojan horse’

The US agency directors also told lawmakers the US needs better partnerships and threat-sharing between the private sector and the government, as well as government agencies setting clear cybersecurity requirements and providing assistance to victim organizations. 

In addition to these challenges, there’s the ongoing cybersecurity skills shortage, which Coker said includes half a million open infosec jobs.

Fixing these problems also requires holding software companies liable for buggy products, according to Easterly. This is a battle cry that Easterly repeated during her CISA tenure. The agency wants vendors to make their tech “secure-by-design,” so it’s safe out of the box, and this responsibility isn’t passed on to businesses and end users.

“Unfortunately, the technology underpinning our critical infrastructure is inherently insecure because of decades of software developers not being held liable for defective technology that has led to incentives where features and speed to market have been prioritized against security, leaving our nation vulnerable to cyber invasion,” Easterly told the House subcommittee. 

“Technology manufacturers must ensure that China and other cyber actors cannot exploit the weaknesses in our technology, to saunter through the open doors of our critical infrastructure to destroy it,” she added. “This has to change.” ®