As simmering tensions in East Asia rise to a boil, the recent discovery of a Chinese penetration of the U.S. military’s telecommunication systems in Guam should be setting off alarm bells across the executive branch and in the halls of Congress. Though Chinese penetration of U.S. networks for espionage has been well documented for more than two decades, the targeting of critical infrastructure represents a significant escalation by China and highlights critical vulnerabilities the Department of Defense (DoD) needs to immediately address.
Though the United States tends to view warfare as a challenge for the military to confront, our enemies have a vastly different outlook.
America’s adversaries are always eager to deny or degrade our military’s ability to mobilize globally and execute national security objectives at scale. The war in Ukraine, saber-rattling in the South China Sea, and a U.S. presidential election on the horizon further exacerbate geopolitical tensions. Lately, they have succeeded by exploiting vulnerabilities in operational technology (OT) devices that control much of our critical infrastructure.
The recent discovery of Chinese malicious code embedded in the telecommunications systems used by the U.S. military in Guam, which is home to three strategic U.S. bases, sent waves through the national security community. The Chinese Communist Party (CCP) currently uses cyberspace to achieve espionage and intellectual property theft objectives. However, they aspire to use malware hidden in our critical networks to disrupt our response to a future CCP invasion of Taiwan. This cannot be overstated: denying the availability of weapon systems in the garrison is as effective as destroying them on the battlefield.
Now is the time to shore up the DoD’s Control Systems (CS) and OT security and build resiliency across the department’s vast digital landscape.
Critical Infrastructure in the Crosshairs
Over the last decade, critical infrastructure has increasingly become a target for adversarial nation-states and sophisticated criminal actors due to ubiquitous vulnerabilities within legacy OT systems and the lack of security control standards among most Internet of Things (IoT) devices.
Prominent examples of critical infrastructure cyber breaches include the 2013 cyberattack on the Bowman Avenue Dam in New York by Iranian hackers, the 2021 cyberattack on the Discovery Bay water treatment plant in California by a former employee, the 2021 ransomware attack on Colonial Pipeline by the Russia-linked Darkside Group, and the 2022 compromise of the Oldsmar, Florida water treatment facility serving the Tampa metropolitan area in the days leading up to the Super Bowl. This list continues to grow because critical infrastructure represents a lucrative target with a high margin of success.
Many of the same vulnerable devices, systems, and applications used across critical infrastructure entities that support the civilian population are found on our military bases at home and abroad. On the most basic level, every military base requires an uninterrupted power supply, telecommunications, and medical, water, and sewage treatment support. Many mission-critical assets cannot go offline without severe consequences to the readiness of our global military force spread across more than 800 installations spanning seventy countries and territories.
Congress Expects Accountability
Congressional concerns regarding the DoD’s lack of visibility into its mission-critical assets and its inability to secure its critical infrastructure are documented by a series of government reporting requirements dating back seven years. A few highlights include: Section 1647 of the Fiscal Year (FY) 2016 National Defense Authorization Act (NDAA) requested insight into the cyber vulnerabilities of weapon systems; Section 1650 of the FY2017 NDAA directed a pilot program to better understand options for defending CS against cyber intrusions; Section 1639 of the FY2018 NDAA mandated that CS/OT be included in the secretary of defense’s (SECDEF) Cyber Scorecard; and Section 1643 of the FY2019 NDAA required the secretary of defense to designate a single official responsible for the DoD’s CS/OT.
Most recently, Section 1505 of the Fiscal Year 2022 NDAA requires the DoD chief information officer to address cybersecurity readiness this November by documenting the department’s ability to secure its mission-critical assets and operational infrastructure against defined standards and objectives to protect CS/OT assets. This provision is critical to defining the requirements for future funding from Congress and implementation by January 1, 2025.
With the DoD on the hook to show progress, many across the department have pointed to the operational prototype platform “More Situational Awareness for Control Systems” (known as MOSAICS) as the pathfinder for deploying a “zero trust” strategy across the department’s industrial control systems at scale. However, the president’s FY24 budget request for building a MOSAICS-like architecture is just a few million dollars, and the platform remains in its early prototype stage.
To put this into perspective, the largest U.S. banks spend an annual average of 10 percent of their budgets on cybersecurity, often surpassing $1 billion per bank. The contrast is striking.
What Must Be Done
Government leaders must acknowledge that catastrophic failures may occur if cybersecurity continues to be underfunded. More robust budget submissions are needed to cover, at a minimum, more secure communications and the continuous monitoring and remediation of vulnerable devices. Doing so immediately will help minimize the danger to our military forces of adversaries exploiting known vulnerabilities at home and abroad.
The DoD must move beyond simply studying the CS/OT cybersecurity problem and immediately begin implementing capabilities through existing programs, where possible, and new investments where no program exists.
Additionally, Congress should hold hearings during this session to better understand the DoD’s plan and funding requests to safeguard its critical infrastructure. Testimony from senior DoD officials and CS/OT private industry cybersecurity experts will give committee members the answers to spur the action required to establish cyber resiliency across the DoD’s mission-critical CS/OT. This cannot wait.
As a nation, we must demand accountability and action from our legislators and DoD leaders in safeguarding our mission-critical infrastructure.
National security is at stake.
Alison King is the Vice President of Government Affairs at Forescout Technologies. She served on the United States Cyberspace Solarium Commission as the Strategic Communications and Legislative Affairs Director. Forescout is an Executive Member of the OT Cyber Coalition.
Michael McLaughlin is Co-Chair of the Cybersecurity and Data Privacy Practice Group at the law firm of Buchanan Ingersoll & Rooney, PC. He is co-author of Battlefield Cyber: How China and Russia are Undermining our Democracy and National Security and previously served as senior counterintelligence advisor for United States Cyber Command.