Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), warned today that the U.S. must do more to protect against cyber threats posed by attackers linked to the People’s Republic of China (PRC).
Easterly warned in a blog post that the PRC is likely to attempt “reunification” with Taiwan by the end of the decade, if not sooner – and reiterated statements she and other officials have made that China’s persistent attacks on U.S. critical infrastructure may be in preparation for a move against Taiwan. She wrote:
“Such action could be accompanied by disruptive attacks against ‘everything, everywhere, all at once:’ our transportation nodes, our telecommunications services, our power grids, our water facilities, and likely much more—all with the goal of inducing societal panic and deterring our ability to marshal military might and citizen will to expend American blood and treasure in defense of Taiwan.”
Easterly’s post comes five days before she and CISA Deputy Director Nitin Natarajan are set to depart as the second Trump Administration is sworn in. CISA has engaged in a flurry of initiatives during the transition period – and one piece is expected to be a final cybersecurity executive order from outgoing President Joe Biden, which would have to be signed this week if it is to get done.
Easterly: Tech Products Must Be More Secure
Easterly said CISA has had success evicting PRC-linked threat actors from government networks and the energy, transportation, water and telecommunication sectors, and the agency has deployed resources “across nearly 7,000 critical infrastructure organizations” to help improve security.
However, she noted that “what we have found is likely just the tip of the iceberg. This unrelenting PRC campaign underscores the urgent need for robust cyber defense and vigilance across public and private sectors.”
Easterly made an impassioned plea for more secure product development, noting that product vulnerabilities have “made it easy” for cyber attackers.
“Indeed, the PRC is largely taking advantage of known product defects,” she wrote. “The truth is that the technology base upon which our critical infrastructure depends is inherently insecure, because of decades of misaligned incentives that prioritized features and speed to market over security. That must stop. Technology companies must help ensure the PRC and other adversary threat actors cannot exploit defects in technology products to target our critical infrastructure. These weaknesses—and the resulting risks to our national security—can only be addressed at scale by companies building and selling products that are secure by design.” [Emphasis Easterly’s]
Critical infrastructure organizations also need to do better, she said.
“Every critical infrastructure organization should double down on their commitment to resilience,” Easterly wrote. “CEOs, Boards, and every business leader must recognize that they own cyber risk as a business risk and a matter of good governance. They must expect disruption, continually testing the continuity of critical systems and functions to ensure they can operate through disruption and recover rapidly from an attack.”
CISA’s recent high-profile activities also serve to underscore the agency’s value even as its future in the new administration is uncertain.
Biden Plans Sweeping Cybersecurity Order
This week is also expected to bring a final cybersecurity executive order from Biden, which would call for strengthening the federal government and contractors from PRC actors and other cyber threats.
Stronger standards for software and cloud security, more secure federal networks and authentication, third-party risk management, digital identities, improved BGP security, and promotion of AI-powered security technologies are some of the items that could be in the final order. The order is also expected to give CISA additional authority to enforce cybersecurity standards.
