This Month in Critical Infrastructure: February 2024
Edited by Pieter van Wassenaer
In our February Round-Up for 2024, we delve into a series of critical developments in cybersecurity and geopolitics that spotlight the ongoing efforts to safeguard the digital and physical infrastructure of the United States amidst rising challenges. From bolstering election security measures ahead of a contentious election season this November to enhancing national defense collaborations and confronting agricultural cybersecurity threats, this month’s coverage reflects a wide-ranging approach to addressing evolving threats. Additionally, we explore a legislative proposal (the DETECT Act) aimed at setting new standards for drone technology use and reveal the intricate dynamics of international cyber espionage activities as we look into the disruption of yet another international hacker network.
Elections Security Ramps Up
With the U.S. presidential election less than 10 months away, federal agencies are gearing up to bolster the country’s election-related infrastructure. CISA faces unique challenges this election cycle as it works to meet its responsibilities to protect election infrastructure while dealing with increasing pressure from Congress.
CISA deployed additional election security advisors in several regions this month, expanding a program it established last July. The agency also unveiled #Protect2024, a new initiative to support state and local election officials with guidance and resources.
Growing scrutiny and pressure from Republican lawmakers increase the challenge. Framing their opposition as a civil liberties issue, some conservative lawmakers have called for defunding the agency over what they claim is “collusion” with Big Tech companies to censor everyday Americans. Some observers speculate that the controversy may have led several external partners to pull out of the Joint Cyber Defense Collaborative.
A key ruling last year restricting CISA’s contact with tech companies, together with growing opposition to monitoring for disinformation, has led several social media platforms to pull back on their efforts to moderate political posts. Meta announced last week that it will stop recommending political content to users on Threads and Instagram but has declined to specify how it defines “political content.” Elon Musk, who is personally and openly opposed to the federal government’s counter-mis- and disinformation efforts, already cut X’s disinformation and election integrity team last year.
CISA’s ability to respond to misinformation surrounding its election security activities, while countering very real domestic and foreign threats, depends on Congressional funding—funding that anti-CISA legislators are threatening to cut during yet another polarizing election year. Despite these challenges, CISA remains the go-to source for other agencies and private sector partners seeking guidance on cybersecurity issues, and its responsibilities will continue to increase. CISA’s prominence in the eyes of the current administration and within the critical infrastructure protection community is growing, whether the opposition in Congress likes it or not.
JCDC Moves Forward with 2024 Priorities as Critics Highlight Room for Growth
Launched in 2021, CISA’s Joint Cyber Defense Collaborative (JCDC) has become a central node in the federal government’s efforts to fortify national security and leverage the knowledge of cybersecurity experts in the private sector, and a recent panel discussion at the Center for Strategic & International Studies (CSIS) highlighted some of the challenges and growing pains facing the initiative.
Panelists stressed the importance of tougher security protocols to protect federal cyber infrastructure and of opportunities for CISA to grow into its role as the “nerve center” of the public-private partnership. Noting that the JCDC was “still in its infancy,” Jeff Spaeth, the Veterans Affairs’ Deputy CISO, acknowledged that there are some kinks that still need to be worked out. Other panelists urged federal agencies to participate more fully in the JCDC and to share more timely threat intelligence with CISA on indicators of potential compromise and on breaches of major private vendors, citing the two Microsoft breaches in 2023 and the Citrix vulnerability exploited in October 2023.
The JCDC also faces criticism from private sector contributors, who acknowledge the benefit of partnering with major companies like Google and Microsoft but argue that the JCDC has not been staffed with enough technical experts to effectively analyze the information gathered from these partnerships. Some members of the JCDC, including the nonprofit cyber defense group the CTI League, have also been caught in the crossfire of conservative backlash to CISA’s work, despite having no involvement in the effort to combat misinformation that has drawn the ire of Republicans.
The announcement of the JCDC’s 2024 priorities signifies a strategic shift from CISA, prioritizing a forward-looking approach focused on preemptively addressing emerging threats from technological advancements. The implementation and success of these priorities will be a test for the young Collaborative as it faces criticism surrounding its operational effectiveness and technical expertise.
Addressing the criticism of the JCDC and implementing the new priorities will require a concerted effort from CISA to enhance collaboration among federal agencies within the JCDC, to refine and use its information-sharing mechanisms, and to leverage the technical expertise of private sector members. Jeff King, the principal deputy chief information officer at the Treasury Department, said that while “the ingredients are there,” CISA needs to focus on making the JCDC a “repeatable and reliable apparatus.”
If CISA prioritizes fostering collaborative efforts to implement its 2024 priorities, the JCDC will be indispensable in securing our nation’s cyber capabilities.
Proposed Legislation Solidifies Federal UAS Guidelines
by Ashley Hopko
Newly proposed bipartisan legislation, nicknamed the DETECT Act, aims to address cybersecurity risks posed by federal use of unmanned aircraft systems (UAS) through the creation of mandatory guidelines. Officially titled the Drone Evaluation to Eliminate Cyber Threats Act of 2024, the legislation calls for the National Institute of Standards and Technology (NIST) to develop required cybersecurity practices for agencies operating UAS. Bill sponsors Senators Mark Warner, D-VA, and John Thune, R-SD, first introduced the bill earlier this month.
“This legislation will establish sensible cybersecurity guidelines for drones used by the federal government to ensure that sensitive information is protected while we continue to invest in this new technology,” Warner said in a press release. Warner also expressed support for domestically produced UAS on his website, alluding to CISA’s recent guidance concerning the use of Chinese-manufactured Unmanned Aircraft Systems.
If passed, the law would require at least one federal agency to pilot NIST’s guidelines before all federal agencies that use civilian UAS are required to follow them. The draft does not specify which agency or agencies would run the pilot.
Complementary to the NIST guidelines, the bill also requires the Office of Management and Budget and contractors who supply UAS to report any known or newly discovered security vulnerabilities.
Agency acquisitions of UAS that don’t meet NIST guidelines would also be forbidden, with waivers in certain situations, such as use with tribal and territorial partners who may have different agreements about federal funding.
The bill also calls for expanded implementation of the Green UAS framework of the Association for Uncrewed Vehicle Systems International (AUVSI), which covers cybersecurity and supply chain practices for non-military UAS.
Read more: https://fedscoop.com/new-legislation-would-give-nist-drone-cybersecurity-responsibilities/
China’s Volt Typhoon Preps for a Cyber Storm Against US Critical Infrastructure
Attention on Chinese cyber espionage reached new heights this month after a public cybersecurity advisory revealed that hackers have been embedded within U.S. infrastructure for at least five years. According to the advisory, a People’s Republic of China (PRC) state-sponsored actor known as Volt Typhoon lurked on the IT networks of key infrastructure in the communications, energy, transportation systems, and water and wastewater systems sectors across the United States, awaiting an opportunity to act against victims who did not know they were compromised.
Reporting on the intrusions highlights the stealthy nature of the hackers’ tactics, which masked their presence so well that even the owners of the affected companies did not know they had been hacked. Chillingly, the advisory states that the hackers’ targets and behavior were “not consistent with traditional cyber espionage or intelligence gathering operations.” Pre-positioning at this scale and with such patience suggests the incursion would give the PRC the opportunity to launch attacks on infrastructure across the United States at a time of its choosing.
The advisory was co-published by six US government agencies including CISA, NSA, FBI, and allied intelligence partners from Australia, Canada, New Zealand, and the United Kingdom. CISA stated in a release accompanying the advisory that the data and information gathered on the hacks “strongly suggest the PRC is positioning itself to launch destructive cyber-attacks,” the effects of which “would jeopardize the physical safety of Americans and impede military readiness in the event of a major crisis or conflict.”
The advisory comes amid ongoing warnings from U.S. intelligence officials about Chinese surveillance of and disruptions to critical infrastructure, as well as an announcement from the White House that President Biden will dedicate $20 billion to fortifying cybersecurity in maritime infrastructure. The funding accompanies an executive order that directs port operators using cranes manufactured by China’s state-owned ZPMC to address software and hardware vulnerabilities that could let the cranes be used to collect information linked to U.S. troop deployment, logistics, and sustainment. The executive order also requires the reporting of maritime cyberattacks to the U.S. Coast Guard Cyber Command, which will share them with CISA and other government agencies covering regulated facilities and vessels.
Alongside the infrastructure hacking advisory, CISA and partners released complementary Joint Guidance on detecting the techniques that hackers such as Volt Typhoon use, including the “living off the land” method of operating through legitimate, built-in tools, which let the hackers remain undetected for years. CISA emphasized that this cyber camouflage will require a multipronged approach to mitigate, especially given that, according to CISA Director Jen Easterly, the Volt Typhoon threat “is likely the tip of the iceberg.” Yet, with increased vigilance and proactive investigation on every front, U.S. critical infrastructure owners and operators can position themselves to root out threats before they materialize.
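The joint guidance’s point is that living-off-the-land abuse hides inside ordinary tool use, so detection has to combine what was run with who ran it and where. As an added example (not code from CISA or the Joint Guidance), the Python below scores constructed Windows process-creation records against a handful of hypothetical command-line rules for built-in tools and a hypothetical per-host baseline of expected administrator accounts. The rule patterns, weights, field names, baseline and log lines are all assumptions made for illustration.

```python
"""Added example (not from the joint guidance or CISA): scoring Windows
process-creation records for living-off-the-land (LOTL) tradecraft.
The rules, weights, baseline, field names and log lines are all constructed
for illustration; the tools involved are ordinary built-in Windows utilities."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: int


# Hypothetical rules: each matches a command line that uses a legitimate
# tool in a way that is rare for most accounts (credential hive dumps,
# port proxies, remote process creation). Weights are illustrative.
RULES = (
    Rule("ntdsutil-ifm", re.compile(r"\bntdsutil\b.*\bifm\b", re.I), 10),
    Rule("netsh-portproxy-add", re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I), 8),
    Rule("reg-save-hive", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I), 8),
    Rule("wmic-process-create", re.compile(r"\bwmic\b.*\bprocess\b.*\bcall\s+create\b", re.I), 6),
    Rule("vssadmin-shadow", re.compile(r"\bvssadmin\b.*\bcreate\s+shadow\b", re.I), 6),
)

# Hypothetical baseline of accounts expected to run admin tooling per host.
# LOTL detection leans on knowing what "normal" looks like; a hit from an
# account outside the baseline raises the score.
BASELINE = {
    "dc01": {r"CORP\adm_backup"},
    "fs02": {r"CORP\adm_ops"},
}
UNEXPECTED_ACCOUNT_WEIGHT = 5

# Constructed key=value record format; cmd= is the remainder of the line.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$"
)


def parse_event(line):
    """Parse one record into a dict; return None for malformed input."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def score_event(ev, rules=RULES, baseline=BASELINE):
    """Return (score, reasons) for a parsed event."""
    hits = [r for r in rules if r.pattern.search(ev["cmd"])]
    score = sum(r.weight for r in hits)
    reasons = [r.name for r in hits]
    # Only penalise the account when a tool rule already fired, so ordinary
    # activity by non-admin users does not generate noise on its own.
    if hits and ev["user"] not in baseline.get(ev["host"], set()):
        reasons.append("unexpected-account")
        score += UNEXPECTED_ACCOUNT_WEIGHT
    return score, reasons


def triage(lines, threshold=7):
    """Score every record and return alerts at or above threshold, highest first."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the pipeline
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "score": score, "reasons": reasons, "cmd": ev["cmd"]})
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    r'2024-02-05T03:12:44Z host=dc01 user=CORP\svc_web parent=cmd.exe cmd=ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\x" q q',
    r'2024-02-05T03:15:02Z host=dc01 user=CORP\adm_backup parent=cmd.exe cmd=vssadmin create shadow /for=C:',
    r'2024-02-05T03:20:11Z host=fs02 user=CORP\svc_web parent=cmd.exe cmd=netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=443',
    r'2024-02-05T03:21:30Z host=ws17 user=CORP\jdoe parent=explorer.exe cmd=notepad.exe C:\Users\jdoe\notes.txt',
    "not a process event",
    r'2024-02-05T03:25:00Z host=fs02 user=CORP\svc_web parent=cmd.exe cmd=reg save hklm\sam C:\Windows\Temp\sam.hiv',
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["score"], a["host"], a["user"], ",".join(a["reasons"]), "|", a["cmd"])
```

Run as a script, it prints the three records that cross the threshold. The backup administrator’s shadow copy on dc01 stays below it because that account is in the host’s baseline, while the same class of tool run by a service account on the same host is surfaced. That baseline-first approach is what the guidance recommends, and it also shows the limit of any such rule set: an actor already operating as a baselined administrator account scores exactly like the administrator does, which is why the guidance pairs detection with credential hygiene and access restriction rather than relying on command-line matching alone.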
Law Enforcement Takes Aim at Critical Infrastructure Hacks
February was an eventful month for international law enforcement agencies and their efforts to disrupt cyberattacks on critical infrastructure, with the U.S. Treasury Department issuing sanctions against several Iranian officials and an international coalition of police agencies orchestrating their own hack against the LockBit ransomware group.
The Treasury Department’s sanctions against Iranian officials affiliated with the cyber arm of the Islamic Revolutionary Guard Corps came in response to a series of hacks against critical infrastructure targets late last year, including at least one water utility in Pennsylvania. The campaign hit victims in multiple states and multiple sectors and centered on Iranian exploitation of an Israeli-made programmable logic controller commonly used in industrial settings. Although the (publicly known) consequences were relatively minor, the disruption highlighted the importance of CISA’s ongoing emphasis on empowering “target rich, resource poor” infrastructure systems that have real life-or-death importance.
The campaign against LockBit has similar geopolitical dimensions with real-world, local stakes. Based in Russia, LockBit first gained notoriety in 2020 for launching cyberattacks—in which infected systems were encrypted and data held for ransom—against a range of targets in the United States and around the world, including critical infrastructure. By 2023, LockBit had become the most prolific ransomware outfit in the world, racking up more than $120 million in ransom payments.
On February 20, however, an international coalition led by the United Kingdom’s National Crime Agency announced that it had seized control of LockBit’s website, servers, and decryption keys as the U.S. Department of Justice unsealed indictments against two Russian nationals—only for the group to announce that it had restored operations and was back in business five days later.
In the broader context, February’s law enforcement victories against state-linked and criminal cyber actors were noteworthy but ephemeral. Russia and Iran are already two of the most sanctioned nations on Earth, and the swift return of LockBit—like Hive, Conti, and BlackCat before it—illustrates the many challenges inherent in the cyber domain. Nevertheless, the increasing tempo of law enforcement action and the growing realization of the potential consequences of cyberattacks on critical infrastructure indicate that momentum may finally be gathering for a new and more forceful approach.
How Foreign Drones Affect the Landscape for Modern Warfare
Drones are altering the dynamics of modern warfare through their technological advances and strategic functions. Foreign adversaries use drones to conduct military surveillance and obtain critical intelligence, surveying potential attack vectors to gain advantages over opponents. Notably, after a recent deadly drone strike in Jordan, the Pentagon and the Biden Administration held Iran-backed militias responsible for the attack and Iran responsible for supplying the drones. Although the exact model is unknown, a U.S. official said it was probably a Shahed attack drone of the kind Iran previously provided to the Russian military for the war against Ukraine. These drones are mass-produced, affordable, and easily accessible, reshaping the landscape of modern warfare.
It is likely that the Shahed Aviation Industries Research Center (SAIRC) designed and built the drone used in the recent attack. SAIRC’s manufacturing efforts have increased significantly over the past five years, driven by a series of conflicts, foreign policy, and an extensive history of testing and deploying drones. Iran’s use of drones in war dates back to the 1980s and was an effort fueled by a lack of access to the resources needed to purchase, develop, and maintain a refined air force. According to U.S. intelligence, SAIRC has close ties to the country’s Islamic Revolutionary Guard Corps Aerospace Force (IRGC ASF) and has provided drones to Russian forces to target Ukraine’s infrastructure and coordinate attacks. The Iranian government delivered Shahed-136 drones to Russia’s military, which were first seen in battle in the fall of 2022. A Ukrainian commander described a Shahed drone destroying some of their ground artillery equipment and noted that the drones had not previously been used outside the Middle East.
Aviation analysts and drone specialists are also monitoring the evolving role of Iranian drones in modern warfare, noting their cost-effectiveness and how their attacks are forcing those under threat to reconsider their defense strategies. Their unusual flight paths make them harder to detect and harder to jam, which amplifies their effectiveness on the battlefield and has compelled some military forces to relocate their bases. The constant attacks show that inexpensive Iranian drones provide a strategic military advantage and are challenging many combat capabilities.
Drones and the New Landscape of Agricultural Cybersecurity Risk Management
A bipartisan group of legislators introduced the Farm and Food Cybersecurity Act in late January to help insulate the agricultural and food sectors from cyberattacks by directing the Secretary of Agriculture to oversee periodic cross-sector, cross-agency, and intergovernmental cybersecurity exercises and threat assessments. Backed by multiple agricultural trade groups, the legislation aligns with congressional efforts to mitigate cyber risks to rural food and water supplies and, more broadly, with the Biden administration’s stated commitment to safeguarding the nation’s cyber landscape.
Crucially, the U.S. Department of Agriculture has identified cybersecurity as a “foundational shared service” because farmers and industries increasingly rely on modern technologies to enhance and protect agricultural production. The collection, analysis, measurement, sharing, and reporting of cybersecurity data will be integral to maximizing the sector’s cyber resiliency. For instance, the Food and Agriculture Information Sharing and Analysis Center (ISAC) was reestablished in May 2023, the USDA Office of the Chief Information Officer (OCIO) converted the Information Security Center (ISC) into the Cybersecurity and Privacy Operations Center (CPOC), and the USDA has begun organizing a yearly cybersecurity expo that brings together agricultural experts to discuss the threats they confront. In sum, these efforts illustrate a growing national awareness of adversaries’ capabilities to undermine national security.
Adversaries have already exploited these vulnerabilities. In May 2021, the Russia-based hacker group REvil conducted a ransomware attack on JBS, one of the largest meat processing companies in the world. While the immediate impact made headlines—the company paid the attackers $11 million—the long-term landscape of cybersecurity risks in agriculture will continue to evolve for decades to come.
For instance, farmers are using drones to enhance agricultural yields through sophisticated analytical tools. Companies develop proprietary drone software designed specifically to meet farmers’ diverse needs, software that contains known and unknown vulnerabilities. While drones do not pose significant physical risks to American agriculture, the myriad cybersecurity threats are only now coming into focus. Hackers can sabotage farmers’ trust in drones by manipulating or deleting the data on which farmers rely to manage their farms. They can also directly target the agricultural analytics consulting companies that farmers often hire to analyze and summarize those datasets to inform decision making. And adversaries can secretly monitor and exploit the sensitive data without attacking anything at all, positioning farmers and the technologies they use as proxies within broader geopolitical conflicts.
As nations come to terms with these new risk vectors, policy makers and administrative officials are beginning to ask how they can enhance the nation’s agricultural resiliency while simultaneously ushering in a “smart” future.