China wants to target critical infrastructure like water facilities and energy grids, FBI director said
Chinese state-sponsored hackers have conducted widespread cyberattacks on critical American infrastructure in recent years, intending to give the country the ability to cause “a devastating blow” against the US, according to FBI Director Christopher Wray.
“The fact is, the PRC [People’s Republic of China] targeting of our critical infrastructure is both broad and unrelenting,” he told a security conference in Nashville on Thursday, describing China’s hacking programme as growing in strength.
“It’s using that mass, those numbers, to give itself the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” he added.
Last year, security analysts at Microsoft identified mysterious code linked to communications systems in Guam, the US territory in the Pacific with a massive strategic air base.
Officials believe the code was the work of Volt Typhoon, a Chinese state-sponsored hacking group.
They don’t even need to run a separate network. The NSA has long since figured out a way to move secure data over an insecure network. The problem is that most of the US’s infrastructure is run by “for profit” companies. And since they are neither required, not is it profitable, to have robust security, they don’t. Instead, they do the bare minimum to be compliant with whatever frameworks they are required to. And since basically every one of those compliance frameworks is all about having the right documentation and never actually audit systems directly, their actual security is shit.
If you want companies to start taking security seriously, then we need GDPR style fines when companies get breached and are found to be running operating system and software which is years out of date. Compliance frameworks also need to get into the nitty-gritty details of OS and software configuration and not just “have a baseline”.