FBI director fires critical infrastructure hack warning citing legacy tech and vendor complacency

The director of the FBI has warned of the imminent threat to OT environments posed by Chinese hackers, who are ramping up efforts to bring down the US power grid, oil pipelines and water systems in the event of a conflict.

Director Christopher Wray was speaking at a US government subcommittee on China and the Chinese Cyber Threat yesterday, attended by the heads of the FBI, ONCD, CISA and NSA.

Wray cautioned that Beijing-directed hacking networks were not just focussed on political and military targets.

“We can see from where they position themselves across civilian infrastructure, that low blows aren’t just a possibility in the event of conflict, low blows against civilians are part of China’s plan,” he said.

The hearing comes at a time of heightened tensions between the US and China over the status of democratically-governed Taiwan, which held its elections last month.

Secure by design

Before Wray’s testimony, law enforcement officials revealed that last month, they obtained a court order that authorised them to gain access to servers infiltrated by Volt Typhoon, a hacking network backed by the Chinese government.

The group has targeted a range of critical infrastructure systems, often by infiltrating small businesses, contractors, or local government networks.

In her opening statement before the house Jen Easterly – director of US government backed cyber watchdog, CISA – said the nation’s infrastructure had become an easy target for hackers because the technology base underpinning it was “inherently insecure”.

She called for technology companies to take more responsibility to ensure that vulnerabilities didn’t happen in the future.

Easterly added “For decades software developers have been insulated from responsibility for defects in their products.

“This has led to misaligned incentives that prioritise features and speed to market over security, leaving our nation vulnerable to cyber invasion. That must stop. They must build and deliver products that are secure by design.”

Commenting on the testimony, former US National Security Division director under the Bush administration, and current CEO of Tenable, Amit Yoran added that vendor complacency over security could amount to negligence:

“This is a sobering warning from the US government’s top cyber security leaders about a clear and present danger. They’re not talking about potential data breaches and PII. We’re being told in the strongest possible terms that strategic adversaries are specifically and deliberately going after the vital services that underpin our daily lives. Action here needs to be a top priority.

“We didn’t know, we didn’t expect this, we didn’t take action, are all euphemisms for negligence.”

In December last year at Black Hat Europe, the UK’s new cyber chief, Ollie Whitehouse called for greater efficacy among vendors and expressed concerns over enterprises’ legacy tech mountains.

ENDS