Alvin Mills
VP of Information, Technology & Security

Chinese targeting of U.S. infrastructure

In her opening statement to the House Select Committee on Strategic Competition between the U.S. and the Chinese Communist Party, Cybersecurity & Infrastructure Security Agency (CISA) Director Jen Easterly spoke about CISA’s efforts to protect the nation from the preeminent cyber threat posed by the People’s Republic of China. CISA has long been focused on cyber threats from China, but in recent years they have observed a deeply concerning evolution in Chinese targeting of U.S. infrastructure.

In her comments, Easterly warned, “Specifically, Chinese cyber actors, including a group known as ‘Volt Typhoon,’ are burrowing deep into our critical infrastructure to be ready to launch destructive cyber-attacks in the event of a major crisis or conflict with the United States. This is a world where a major conflict halfway around the globe might well endanger the American people here at home through the disruption of our gas pipelines; the pollution of our water facilities; the severing of our telecommunications; the crippling of our transportation systems — all designed to incite chaos and panic across our country and deter our ability to marshal military might and citizen will.”

Easterly also noted the threats are not theoretical. Leveraging information from the government and industry partners, CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors, including aviation, energy, water and telecommunications. 

“What we’ve found to date is likely the tip of the iceberg. Given the malicious activity uncovered by CISA, NSA, FBI and industry partners, we are acting now, knowing that this threat is both real and urgent,” said Easterly. 

There was no mention of the financial services sector at this point, but I’m sure we’re on the radar as well. 

The big takeaway for me, as I listened to Easterly’s statement, was the call — or blame — to technology companies to develop more secure software and applications. I don’t know if I completely agree, but it’s certainly hard to argue when we continue to have these global security events like MOVEit. I’ve been reporting on MOVEit for what feels like a year. In January I received the dreaded data breach letter from my dental insurance company.

On June 1, 2023, the Company learned unauthorized actors exploited a vulnerability affecting the MOVEit file transfer software application. Immediately after being alerted of the incident, the Company launched a thorough investigation and took steps to contain and remediate the incident. On July 6, 2023, their investigation confirmed that the company information on the MOVEit platform had been accessed and acquired without authorization between May 27-30, 2023. On Nov. 27, 2023 after their investigation, they determined my personal information was affected. They notified me on Jan. 29, 2024! And guess what my prize is? I get 24 months of credit monitoring.

So in this situation, where does the blame lie? The company for not updating/patching their systems and software? Progress Software, the makers of MOVEit, for not continuously testing their product against security threats?

We’re very fortunate: the Texas Bankers ISAO has a partnership with the International Association of Certified ISAOs (IACI). IACI was formed back in 2015 to advance information sharing in the private sector. We share the threat intelligence and security advisory reports on a daily basis with our Slack group. I feel confident we are getting it faster than any other organization.

Bottom line, someone from your organization needs to participate in one of these information sharing organizations. If not the TB-ISAO, there are several others available. 

More importantly, take action on the information you receive. Take it back to your security team and ask “Are we good?” or your MSP, “Are we safe?” 

If you want to participate in the Texas Bankers ISAO, please reach out to me. We provide this information at no additional cost to your TBA membership. IACI also provides some additional services like BIN monitoring and domain/email monitoring. Once again, it does not cost anything.

[email protected] • 512-334-0934
