The Biden administration is ramping up its efforts to secure America’s far-flung critical infrastructure amid ongoing concerns from top US officials that Russia and China continue to seek a digital foothold inside the networks of pipelines, ports and other targets – with the intention of gathering data or one day exploiting any access gained.
In a flurry of announcements this week, officials announced new cybersecurity mandates on the railroad and airline industries and fines for federal contractors who fail to report breaches. This second set of compulsory maneuvers follows cybersecurity regulations for US pipeline operators issued earlier this year, and a separate mandate that government contractors strengthen their networks.
The White House also announced last week that it is “working to deploy action plans for additional critical infrastructure sectors” after a 100-day push to improve cybersecurity in America’s balkanized electricity grid.
One senior defense official says that protecting the transportation and energy infrastructure that Americans – and the US military – rely on is a priority.
“Those have direct implications for how well we can execute our military operations in the future,” said deputy defense secretary Kathleen Hicks in an exclusive interview with CNN. “We believe that those are targets that a China or Russia would go after, when they’re thinking about military campaigns.”
China and Russia remain “the priority” focus for the Defense Department, Hicks said, “because they have so much capability, and then a secondary focus on Iran and others.”
US has been hit by a string of ransomware attacks
The push comes as US officials are also grappling with a string of ransomware attacks on critical infrastructure at the hands of cybercriminals, including an attack on Colonial Pipeline, which disrupted gas supplies on the East Coast for the better part of a week in May.
Other, smaller hacks – like the February breach of a water treatment facility in Florida that raised treatment chemical levels in the water to potentially poisonous levels – have shown how some critical infrastructure sectors are better resourced to protect themselves than others. Big US electric utilities, for example, invest millions of dollars in cyber defenses, while small-town water plants are often strapped for cash.
While the Department of Homeland Security is the lead agency working with private firms to improve their cyber defenses, Pentagon officials focus on protecting the defense industrial base from supply chain hacks and consider the cybersecurity aspects of future conflicts.
That’s a relatively new concern for the Defense Department, long focused on more traditional “kinetic” threats against the US – like terrorist attacks using conventional bombs, or even the nuclear threat from a rogue North Korea.
“That tying together of the homeland to military campaigns abroad is not something most Americans think about,” Hicks said. “And it’s not something for years, the Defense Department had to worry about.”
“That is a significant change,” she added.
But cybersecurity officials have long been concerned about Russian efforts to “preposition” against US critical infrastructure, Rob Joyce, head of the National Security Agency’s Cybersecurity Directorate, said at the Aspen Cyber Summit last week.
“We’ve seen them actively use disruptive effects around the globe. And we’ve seen evidence of prepositioning against US critical infrastructure,” Joyce said. “All things that can’t be tolerated and we need to work against.”
Some Russian hacking groups specialize in infiltrating critical infrastructure firms, both to collect information and, perhaps in some cases, to gain a foothold into networks in the event of a conflict, according to some US officials and private sector experts.