CISA ‘Secure by Design,’ Cyber Hygiene Are Key Amid China Threats

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the FBI and the White House are calling on federal agencies to collectively increase efforts to counter imminent cyberthreats from Chinese state-affiliated groups, agency leaders said during a Select Committee Hearing on China’s Cyber Threat to U.S. last week.

Cooperation, data collection and proactive resiliency, they said, are critical to keeping systems safe from intrusions associated with China.

“There’ve been enormous strides made over the years, not just amongst all three of our agencies, but between our agencies and state and local election officials, secretaries of state, to try to prevent cyber interference, for example, in our electoral system,” FBI Director Christopher Wray said during the hearing. “We’re also concerned about the ways in which misinformation, disinformation warfare, if you will, from a foreign adversary and cyber attacks can work in tandem.”

CISA Director Jen Easterly said her agency is working with partners to understand and counter the growing threat from Chinese hacking groups.

“The threat is not theoretical. Leveraging information from our government and industry partners, CISA teams have found and eradicated Chinese intrusions in multiple critical infrastructure sectors, including aviation, water, energy, transportation,” Easterly said. “Based on this information, this is likely just the tip of the iceberg.”

During opening remarks, Wray said the FBI “identified hundreds of routers that had been taken over by Volt Typhoon,” a Chinese-state sponsored hacking group, that allowed access to critical infrastructure like the energy, water and transportation sectors.

Wray’s announcement raised questions from committee members about the potential for election interference. The officials cited the importance of cooperation between the public and private sectors and increased education about cyber hygiene.

“I think it’s important for the American people to understand the enormous amount of work done with our partners in the federal government, but also at the state and local level and industries to improve the security and resiliency of our election infrastructure,” Easterly said.

Easterly referenced the need for increased and persistent “cyber hygiene,” or the steps that businesses need to take to understand their infrastructure and vulnerabilities.

CISA’s “Shields Up” campaign advises various groups like families and CEOs on basic principles to quickly detect and respond to incidents. For organizations, CISA also advises reducing the likelihood of an attack in the first place.

Easterly called attention to CISA’s “secure by design” framework, a key concept she sees impacting how organizations and the public views technology.

“We need to ensure that individual consumers are also aware that they need to be asking for products that are secure by design,” Easterly said. “We are making things too easy for our adversaries.”

Committee member Rep. Shontel Brown asked the officials about the administration’s efforts to increase the cyber workforce and the benefits of diversity to combat these threats.

White House National Cyber Director Harry Coker highlighted the nearly half a million open cyber jobs and his administrations’ recent implementation of the National Cyber Workforce and Education Strategy as one of many solutions created to help fill those jobs. The strategy focuses on the importance of investing in workforce programs and expanding opportunities for the American public to learn more about digital literacy skills.

“What we’ve been doing lately has not been working,” Coker said. “We need to make sure there is an opportunity to serve our nation in cyber.”