CISA's new strategy to mitigate threat of "formidable" Chinese cyber-adversaries
Cyber Defense Agency warns critical national infrastructure bodies that Beijing may be preparing to launch attacks that "induce societal panic".
America's Cyber Defense Agency has set out new plans to defend the nation's critical national infrastructure from a Chinese scorched-earth cyberattack designed to bring the US to its knees.
Jen Easterly, the outgoing director of CISA (the Cybersecurity and Infrastructure Security Agency) has warned that state-linked threat actors may be planning cyberstrikes on "everything, everywhere, all at once".
It's feared that President Xi Jinping is almost certain to achieve his dream of "reunifying" Taiwan with the mainland peacefully or by force before the end of the decade.
This could involve an armed invasion, or a blockade of the Taiwan Strait accompanied by attacks on US power grids, water facilities, transportation nodes and telecommunications services.
These attacks would be designed to "induce societal panic and deter our ability to marshal military might and citizen will to expend American blood and treasure in defence of Taiwan", Easterly wrote.
Rules of engagement: A new approach to combatting Chinese threat actors
Before CISA set out new guidelines on protecting America against cyber-incursion, it warned that although China is a "sophisticated, well-resourced, and formidable cyber adversary", the methods it uses to exploit critical infrastructure are not.
"Why?" Easterly asked. "Because in many cases, we've made it easy for them. Indeed, the PRC is largely taking advantage of known product defects. The truth is that the technology base upon which our critical infrastructure depends is inherently insecure, because of decades of misaligned incentives that prioritized features and speed to market over security. That must stop.
"Technology companies must help ensure the PRC and other adversary threat actors cannot exploit defects in technology products to target our critical infrastructure. These weaknesses—and the resulting risks to our national security—can only be addressed at scale by companies building and selling products that are secure by design."
CISA called on companies to address the "clear and present danger" by following new guidelines:
- Every victim of a cyber incident should report it to CISA.
- Businesses should establish a relationship with their local CISA team and enroll in its free services.
- Critical infrastructure organisations should "double down on their commitment to resilience". CEOs, boards and business leaders should assume breach and commit to continual testing of critical systems and functions to ensure they can operate through disruption and recover rapidly from an attack.
- Every technology manufacturer and software producer should design, build, test, and deploy their products using the practices outlined in CISA's joint Secure by Design guidance.
"Together, we can outpace our adversaries and achieve a more secure and resilient future," Easterly wrote.
Battling Salt Typhoon and Volt Typhoon
CISA has spent two years "laser-focused" on battling "China’s cyber aggression" in both espionage and disruption campaigns.
This includes Salt Typhoon's attacks on US telco networks, which focused on surveillance, intercepting sensitive communications, and gathering intelligence.
It also encompassed the response to a Volt Typhoon campaign that targeted US critical infrastructure, aiming to disrupt or disable essential systems and highlighting China’s strategy of preparing for potential conflict by sabotaging operational stability.
Despite China's use of living-off-the-land techniques to conceal its activity within native operating system processes, CISA's expert threat hunters have successfully detected these actors and supported critical infrastructure partners in removing them.
Easterly revealed that the US Government was able to combat Salt Typhoon because CISA threat hunters had previously detected the same actors in public sector networks. This information, along with tips from industry, enabled investigators to access images of actor-leased virtual private servers, providing visibility into the campaign and allowing CISA to notify and provide technical assistance to private sector victims.
CISA's work to address the Volt Typhoon campaign was recognised in the Congressional Record of June 27, 2024, by Representative Mark E. Green of Tennessee, Chairman of the House Homeland Security Committee.
“I rise to honour a team of highly skilled cybersecurity professionals for their invaluable service to the United States," he said. "While few know their name or see their work, the Threat Hunting team saved millions of Americans from a devastating series of cyberattacks.
"Volt Typhoon, a malicious state-sponsored cyber actor connected to the People’s Republic of China (PRC), repeatedly targeted critical U.S. infrastructure. By prepositioning cyber threats within critical infrastructure networks, Volt Typhoon was poised to launch destructive cyberattacks of immense proportions against the U.S. The Cybersecurity & Infrastructure Security Agency (CISA) confirmed that the malign group compromised critical infrastructure organizations in communications, energy, transportation systems, and water and wastewater systems.
"In a moment of crisis, the PRC could devastate American communities. Through the vigilance, dedication, and hard work of the Threat Hunting team, Volt Typhoon was detected and evicted from many of these critical infrastructure organizations. Despite Volt Typhoon operating in a pattern of behavior inconsistent with traditional cyber espionage, they were no match for our best and brightest.
"Using their expertise, this unique group of specialists shared Volt Typhoon’s tactics, techniques, and activity with the public, ensuring that the malign group could no longer operate in the dark. Americans owe much to these patriots, though their work often goes unnoticed. This team deserves our deepest gratitude."
CISA is now hard at work identifying and removing PRC cyber actors from critical sectors including energy and telecommunications, with expert teams stationed in every state. It also offers services like CyberSentry and Attack Surface Management, which help to secure under-resourced businesses against intrusions.
A playbook for countering AI cybersecurity threats
CISA has also released the AI Cybersecurity Collaboration Playbook, a new guideline paper which aims to promote strong cooperation and information exchange throughout the artificial intelligence (AI) ecosystem to counteract cybersecurity threats.
Through the Joint Cyber Defense Collaborative (JCDC), the playbook offers a structure for AI developers, adopters, and providers to freely exchange cybersecurity-related information with CISA and its partners. The goal of the playbook is to improve AI systems’ resilience.
The playbook offers:
- Guides on how to voluntarily share information related to incidents and vulnerabilities associated with AI systems.
- Details of the action CISA may take after receiving shared information.
- Strategies for collaboration to raise awareness of AI cybersecurity risks across critical infrastructure.
Commenting on the new rules and guidelines, Dr Andrew Bolster, senior research and development manager (data science) at Black Duck, told Machine: "The publication of the AI Cybersecurity Collaboration Playbook (AICCP) continues the integration of AI software systems into overarching guidance such as the NIST Cybersecurity Framework (CSF), the National Cyber Incident Response Plan (NCIRP), and Cybersecurity Incident & Vulnerability Response Playbooks (with which the AICCP shares a lot).
"This continuing integration demonstrates the US government's commitment (along with their private and international partners) to empowering secure innovation with AI by only making relatively small extensions to existing software security practices such as the Secure Software Development Framework (SSDF).
"These extensions in vulnerability reporting and disclosure guidance, while relatively modest, provide critical visibility to security researchers and downstream consumers as to the level of security maturity being applied around and within these AI capabilities, particularly around what AI models and tools are used, and the data used to train/validate such systems.
"There is particular emphasis on systems developers understanding the relationships and dependencies between their systems and other Open Source or Third Party models, packages, and data, which aligns with similar findings from our recently released BSIMM15 report, which reported a 22% increase in security organisations adopting and automating the management of their Software Bill of Materials (SBOM)."
The playbook was shaped by the insights and expertise of approximately 150 AI specialists from government, industry, and international partners who participated in two dynamic tabletop exercises.
Omar Santos, Distinguished Engineer, Cisco, said: "This collaboration between government and industry is essential for building a robust response to the complex and evolving landscape of AI security threats."
"By bridging gaps and fostering direct collaboration across sectors, this playbook empowers each of us to contribute to a more secure AI ecosystem—one that’s built not just to respond to threats but to stay ahead of them," added Malcolm Harkins, Chief Security & Trust Officer at Hidden Layer.
Palo Alto also contributed to the playbook and called for dedicated investment in "processes, collaboration, and tools to secure the AI infrastructure that will underpin our digital way of life," said Daniel Kroese, VP Public Policy and Government Affairs.
Diana Kelley, CISO of Protect AI, added: "This playbook is an essential tool for helping organizations navigate the complexities of deploying AI safely and understanding how to respond quickly to AI-related incidents."