Last week, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to critical infrastructure owners and operators across the United States to be vigilant for potential Chinese cyberspace operations given heightened tensions between the two countries. This warning should be taken seriously given China’s advanced cyberspace capabilities and the deteriorating relationship between the two countries.
What does the CISA alert recommend, and why is it important to follow it?
Tactically, CISA recommends organizations should begin preparing for Chinese tactics, techniques, and procedures (TTPs) as outlined by the MITRE ATT&CK framework. See CISA’s alert for specific ATT&CK TTPs. In addition to preparing for China specific tactics and behaviors, the CISA alert recommends organizations take the following actions:
- “Adopt a state of heightened awareness. Minimize gaps in personnel availability, consistently consume relevant threat intelligence, and update emergency call trees.
- Increase organizational vigilance. Ensure security personnel monitor key internal security capabilities and can identify anomalous behavior. Flag any known Chinese indicators of compromise (IOCs) and TTPs for immediate response.
- Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see the Contact Information section in the alert).
- Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.”
AttackIQ’s Security Optimization Platform can deploy scenarios to mimic China-focused ATT&CK techniques to test and validate that enterprise security controls work as effectively and efficiently as possible to help organizations better defend themselves.
Why did CISA release this warning now?
The United States and China are in a moment of significant tension. The two countries share a range of vital national interests, including a secure Asia-Pacific region, a peaceful global economic order, and progress on climate change (on which the two countries have successfully cooperated in the past), yet the relationship has taken a turn for the worse over the last few years and communication and cooperation have broken down.
What brought us to today? Under President Xi Jinping, China has consolidated control over the Chinese Communist Party (CCP) and the People’s Liberation Army (PLA), placed over a million ethnic minority Uyghurs in concentration camps in Xianjiang and oppressed the people of Hong Kong, and turned Chinese technology companies into potential agents of the Chinese government in the United States. These actions occurred following China’s decades-long investment in military capabilities from shipbuilding to ballistic missiles to advanced capabilities in rail gun, space, and cyberspace capabilities — and all prior to the onset of the novel coronavirus. Today China is the pre-eminent long-term competitor of the United States in cyberspace as in other domains.
In response to China’s actions, the U.S. government has taken an increasingly hard-line, including by sanctioning the country for its actions against the Uyghurs, issuing indictments for cyberspace enabled intellectual property theft, and banning Chinese companies from operating in the United States. Importantly, in July U.S. Secretary of State Mike Pompeo declared that the decades of U.S. engagement with China have failed. While that specific sentiment is debatable, it indicates a major turn in the relationship.
What does this mean for diplomacy and cybersecurity?
Experts now speak of the United States and China “de-coupling” their relationship. The two countries have suspended most of their formal dialogues, leaving only emergency governmental talks and “track II” dialogues between officials outside of government, as Harvard scholar Julia Voo says on this week’s episode of Think Bad, Do Good. (Voo and her team have just released a new National Cyber Power Index, which found that the world’s two most cyberpowerful countries are the United States and China, respectively; we discuss the study on the pod.) The breakdown in diplomatic ties diminishes the two countries’ ability to cooperate on critical issues, from climate change to the coronavirus, and increases the potential for escalation. As former U.S. assistant secretary of state for East Asia Danny Russel recently said, “The buffer that has historically insulated the U.S.-China relationship, the presumption that the goal is to de-escalate and solve problems…has been stripped away.”
The good news is that neither side seems to seek a conflagration at this time. Still, cyberspace gives China a “gray zone” in which to operate below the level of outright conflict. Chinese cyberspace operators may try to manipulate data in advance of the U.S. presidential election or escalate intellectual property theft, as the CISA alert states. Organizations should do their best to prepare for potential attacks using the ATT&CK framework, by following the alert’s guidance, and by testing and validating that their security controls work as intended.
And on the world stage, leaders in both countries should do whatever they can to maintain peace and stability. This has been a difficult enough year as it is. The last thing anyone needs is escalating geopolitical tensions between the world’s two most powerful superpowers.