Government agencies and critical infrastructure entities are not prepared for a cyber conflict with China, according to a new draft report from a subcommittee of the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Advisory Committee (CSAC).
The draft report – “Building Resilience for Critical Infrastructure” – aims to help CISA prioritize and align cybersecurity and resilience efforts for the threats posed by the People’s Republic of China.
Before it can be finalized, the report will be presented and voted on by the full committee at CSAC’s quarterly meeting on Friday.
The report keys in on the importance of resiliency, noting that “improving cyber defense can help shrink attack surfaces and reduce risk, but a focus on the resilience of critical entities and functions is ultimately necessary.”
The subcommittee said that CISA should prioritize a short-term focus – before 2027 – on resilience measures that can be quickly implemented and on enhanced defense and improved coordination.
The report also finds that third-party risk from dependencies outside of designated critical infrastructure has the potential to amplify the scale and severity of attacks. The subcommittee specifically mentioned the July CrowdStrike incident that caused widespread Windows outages.
The draft report includes four recommendations for CISA.
The CSAC is calling on CISA’s Joint Cyber Defense Collaborative (JCDC) to work with Sector Risk Management Agencies (SRMAs) to ensure resilience and contingency planning for future cyber conflicts with China. Specifically, the recommendation says JCDC should sponsor sector-specific and cross-sector exercises to test coordination, communication, and contingency planning during a cyber conflict with China.
The report also recommends that JCDC continue to provide robust threat intelligence that includes risk mitigation solutions, along with threat actor attributions and technical threat indicators.
The CSAC also recommends that CISA increase the engagement of the vendor community and smaller Systemically Important Entities (SIEs) in cyber defense efforts by identifying critical third parties in the cross-sector risk assessment and designating them as SIEs; investing in security and resilience outcomes at smaller SIEs through Federal grant-funded cyber-in-a-box services; and building a mentorship program to tap more mature, resourced SIEs to work with smaller SIEs on cybersecurity uplift.
Finally, the report recommends that CISA measure the impact of advisories on Volt Typhoon and other related threat actors by working with partners to collect targeted data. Specifically, the recommendation says CISA should ask SRMAs to determine receipt, adoption, and impact of CISA advisories within their sectors broadly; and calls on the Cyber Safety Review Board to review whether CISA advisories were effective in providing timely and actionable information for critical infrastructure to defend against Chinese cyber threats.
Three additional reports will be presented to CISA Director Jen Easterly by CSAC subcommittees at Friday’s meeting, covering the topics of secure by design, strategic communications, and open source security.