Congress Must Act to Deter Chinese Cyberattacks

Congress Must Act to Deter Chinese Cyberattacks

Following recent revelations about Chinese cyberattacks, Congress should take steps to ensure the integrity of critical infrastructure.

Recent Congressional testimony highlighted the takedown of a Chinese hacking syndicate exploiting critical infrastructure. The FBI director, the head of Cyber Command, the Director of the Cybersecurity and Infrastructure Security Agency, and the National Cyber Director unanimously underscored the “preeminent cyber threat posed by the People’s Republic of China” to the U.S. economy and national security.

FBI Director Christopher Wray testified that China is “actively attacking our economic security—engaging in wholesale theft of our innovation and our personal and corporate data,” “targeting our critical infrastructure—our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems,” and “positioning…to wreak havoc and cause real-world harm to American citizens and communities.” He added that “Low blows against civilians are part of China’s plan.”

While the federal government, often coordinating with the private sector, is heavily engaged in contesting Chinese actions, Congress should enhance the United States’ ability to defeat such actions by taking four key steps.

First, it should be recognized that many of the innovative American technological advances in fields such as artificial intelligence, quantum computing, additive manufacturing, and synthetic biology come from academia and small or startup businesses. Yet academic institutions and small and startup businesses lack the resources to undertake effective cybersecurity. Likewise, as the testimony underscored, the vulnerability of private sector critical infrastructure companies is all too clear. 

Congress could, however, enact legislation authorizing cybersecurity transferable tax credits for small and startup businesses, academia, and key critical infrastructures such as transportation, energy, and water. Tax credits are highly effective in supporting investments such as computer chips and renewable energy. Establishing such credits for cybersecurity would dramatically increase the ability of small and startup businesses, academia, and critical infrastructures to afford to protect the intellectual property and operations so critical to the economy and national security of the United States.

Second, as CISA director Jen Easterly described, Chinese attacks often “exploit defects in technology products to saunter into the open doors of our critical infrastructure.” These “open doors” facilitate data thefts underlying innovative technologies and intrusions into critical infrastructure operating systems. There are existing methodologies to achieve security by using software to operate and control key critical infrastructures. Formal methods include mathematical tools and secure coding standards that guarantee the absence of “open doors.” While these are well-established methodologies, they have not been broadly adopted because they are manpower intensive and difficult to scale to large, complicated software systems. 

However, recent advances in artificial intelligence, specifically large language models such as CHAT-GPT, show great promise in accelerating the generation and development of software. Combining the techniques of formal methods, secure coding, and AI-based code generation creates an opportunity for the government to support the private sector. Congress should require the Defense Advanced Research Projects Agency, the National Science Foundation, and others to establish priority programs to integrate secure coding and formal methods with AI-based code generation technologies to protect intellectual property and “secure by design” the operational technologies that control our critical infrastructures.

Third, while there has been valuable cooperation between the government and the private sector, those arrangements have been voluntary. As the war in Ukraine demonstrates, private sector engagement will be critical to ensuring the ongoing functioning of critical infrastructure in wartime and the functioning of state and local governments. 

Congress can meet this need by enacting legislation establishing an integrated corps of private-sector cybersecurity providers whose members would provide high-end cybersecurity in wartime to key critical infrastructures and, if requested, to states, localities, tribes, and territories (SLTTs). Such a program would engage many high-end cybersecurity companies working with CISA through its Joint Cyber Defense Collaborative. The program would be analogous to the Civil Reserve Air Fleet arrangements that long have been made with airlines to “augment Department of Defense airlift requirements in emergencies” and the arrangements that the Space Force is currently establishing with commercial space providers.

Fourth, the United States has a cybersecurity workforce shortage of approximately 700,000 jobs, significantly reducing the country’s ability to counter Chinese cyber-attacks effectively. The gap in the public sector is approximately 40,000 personnel, meaning that the current governmental cyber force would be insufficient to meet the rapidly increased cybersecurity demands in wartime. 

To respond to the broader needs, Congress should require the establishment of a program similar to that of the semiconductor industry to “synthesiz[e] and training to form a common baseline education program, launc[h] campaigns to attract new students and workers to the…industry, develo[p] new training methodologies, and accelerat[e] access to educational resources.” To meet wartime requirements, a “surge capability” of cybersecurity personnel should be established through the creation of a national cybersecurity civilian reserve corps and expansion of National Guard and military reserve cybersecurity capabilities. 

Such cyber reserves have been established in countries like the United Kingdom and Estonia with advanced cyber capabilities. In the United States, Section 1536 of the FY2024 National Defense Authorization Act establishes a pilot program for a “Civilian Cyber Reserve” for US Cyber Command, noting that the program should be accelerated and expanded to provide the necessary manpower. As in the United Kingdom and Estonia, civilian cyber reservists and cyber Guard members should be recruited based on their cyber knowledge and capabilities, not on standard military physical requirements.

China’s determined cyber attacks on the United States call for significant actions to enhance national resilience both now and in the event of conflict. The congressional actions described will significantly enhance the cybersecurity of the United States and should be legislated as promptly as possible.

Franklin D. Kramer is a distinguished fellow on the board at the Atlantic Council and a former assistant secretary of defense for international security affairs.

Robert J. Butler serves as the Managing Director of Cyber Strategies LLC and served as the first Deputy Assistant Secretary of Defense for Space and Cyber Policy.

Melanie J. Teplinsky is a senior fellow in the Technology, Law, and Security Program at American University (AU), Washington College of Law, and a faculty fellow at AU’s Internet Governance Lab. She also serves on the Board of Compiler Media, Inc.