164. Why the U.S. Government Should Fund Cybersecurity Efforts to Protect Power Grid
FBI Director Christopher Wray, while speaking at the Vanderbilt Summit on Modern Conflict and Emerging Threats in Nashville, Tennessee, in April, warned that U.S. critical infrastructure is a prime target of the Chinese government. “The fact is, the PRC’s [People’s Republic of China’s] targeting of our critical infrastructure is both broad and unrelenting,” he said. Wray also noted that the immense size and expanding nature of the Chinese Communist Party’s hacking program isn’t just aimed at stealing American intellectual property. “It’s using that mass, those numbers, to give itself the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” he said. Wray noted that during the FBI’s recent Volt Typhoon investigation, the Bureau found that the Chinese government had gained illicit access to networks within America’s “critical telecommunications, energy, water, and other infrastructure sectors.” Some cybersecurity experts have likened this activity to an act of war, although NATO hasn’t defined it as such just yet. In any case, it is a serious threat to national security. “In this country, critical infrastructure is operated by the private sector, most of which are publicly traded companies,” said Alex Santos, CEO of Fortress Information Security, a company that specializes in cyber supply chain security for organizations that operate critical infrastructure including utilities and government agencies. Santos was speaking as a guest on The POWER Podcast. “Somehow, the private sector has taken on the responsibility to defend these acts of war, which I was always taught is the responsibility of the government,” he said. “I think what’s really the point here is that the government is asking us to do more. We’re being attacked more by the adversaries. Regulations are coming in. It’s becoming more and more complicated with technology change. And, our budgets are being cut,” said Santos. Thus, while Wray can be commended for pointing out the national security problem Chinese hackers present to critical infrastructure, his words fall flat if the government doesn’t put its money where its mouth is, Santos suggested. That’s not to say money isn’t being spent by the U.S. government. “The government is spending a lot on cybersecurity to help companies, but it’s going to research and universities,” Santos said. “How many research studies do we need to tell us that cybersecurity is a problem? How many research studies do we need to tell us that we don’t have enough cybersecurity workers? How much research do we need to give us 10 recommendations for how to increase the capability of our cybersecurity workforce? At some point, we need to actually do the work.” Santos suggested money could be better spent helping companies repair vulnerabilities or by getting small businesses to install basic security precautions like endpoint protection and network monitoring. “Does the government study how to build a tank or do they build tanks?” Santos asked rhetorically. “The government builds tanks and they buy bullets,” he answered. “So, think of it that way. We need to buy more tanks and bullets, and less research studies on which tanks, how many tanks, what kind of tanks—tanks with wheels, tanks with tracks—you know, let’s buy some tanks,” he said.