Science and TechData Privacy and Cybersecurity

Actions

US infrastructure is vulnerable to Chinese cyberattack, officials warn

Digital interconnection has revolutionized our lives, but with it come vulnerabilities that can be exploited on a national scale.
Posted
and last updated

The digital age revolutionized life on Earth and connected people in ways never seen before. With that connection, though, come vulnerabilities that can be exploited and potentially affect critical infrastructure in America — everything from the safety of the water we drink, to how we get around.

Americans love their vehicles: More than 115 million cars and trucks hit the road in the U.S. every day

What if suddenly, though, there was no gasoline to be found?

That is what happened at some gas stations in 2021. Long lines of cars and fuel shortages greeted drivers across multiple states, after a ransomware cyberattack disabled the Colonial Pipeline. It's a more than 5,000-mile-long system that carries gas used by tens of millions of drivers.

"Colonial Pipeline is the biggest one of those transport routes," said Jim Krane, a fellow in energy studies at Rice University. "It takes about 2.7 million barrels a day of refined products from Texas to the Northeast."

A criminal syndicate carried out the Colonial Pipeline cyberattack and attempted to extract a ransom from the company. It is a real-world example of how hacks have the potential to disrupt our daily lives. U.S. intelligence officials said the pipeline attack may be just the beginning: They say they are watching China.

"It is Chinese military doctrine to attempt to induce societal panic in their adversary, and arguably the Chinese government got a little bit of a taste of this in the aftermath of the ransomware attack on Colonial Pipeline, May of 2021," said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA).

In a recent Congressional hearing, federal officials warned lawmakers that China is looking to target critical infrastructure across the country.

"Now, imagine that on a massive scale. Imagine not one pipeline, but many pipelines disrupted. Telecommunications going down, so people can't use their cellphone," Easterly said. "People start getting sick from polluted water. Trains get derailed. Air traffic control system, port control systems are malfunctioning. This is truly an everything, everywhere, all at once scenario."

FBI Director Christopher Wray echoed that stark warning.

"Let's be clear: Cyberthreats to our critical infrastructure represent real world threats to our physical safety," Wray said during the hearing.

FBI: New cyberthreat from China targets home internet routers
U.S. Homeland Security sign

FBI: New cyberthreat from China targets home internet routers

The FBI says the attacks target older routers with outdated security made by Cisco and NetGear. They recommend updating your router.

LEARN MORE

So how can we best address it?

Experts tells Scripps News that the issue is complicated by the fact that a large portion of U.S. critical infrastructure is run by private companies.

"Eighty-five percent of America's critical infrastructure is in the hands of the private sector," said Scott White, an associate professor and director of the cybersecurity program at George Washington University. 

White said part of the issue is that private enterprise is often in charge of its own cybersecurity.

"We tend not to use punitive legislation to bring these individuals or organizations into some type of cybersecurity portfolio. Other nations, even Western nations, will use legislation. The United States tends to try to incentivize organizations or companies in becoming cyber-compliant to certain standards," White said. "Sometimes it works and sometimes it doesn't."

U.S. Senate bill 2251 — a cybersecurity act introduced last summer — would help modernize cybersecurity efforts, but only across federal agencies. Private enterprise remains a different matter.

"Cybersecurity operates under this kind of emergency room mentality: There's always a fire that needs to be put out," said Nick Merrill, director of the Daylight Lab at the Center for Long-Term Cybersecurity at the University of California-Berkeley. 

He said the online threat posed by Chinese hackers is real.

"We all buy a lot of cheap stuff on Amazon that's made in China. Quite a lot of it is connected to the internet, connected to our home networks, and all of those are also potentially vectors for pre-positioning for an attack," Merrill said. "So, you know this is something that people in cybersecurity have had their eye on for quite some time."

Merrill added that there are some potential cyberattacks that concern him the most.

"Here's a scenario that I spend most of my time worrying about — which is, you try to use your credit card and it doesn't work," Merrill said, "and, actually, no one's credit card works. Really, the internet is off for most purposes and society grinds to a halt."

Cybersecurity experts said that as critical infrastructure becomes more automated — less reliant on humans to run things and more reliant on computers — the greater their vulnerability to an attack.