CISA Director Jen Easterly presenting at Black Hat in 2021. Image: CISA/YouTube

Easterly warns of destructive cyberattacks from China that could cause widespread outages

LAS VEGAS — The recent global technology outages caused by an update sent out from cybersecurity firm CrowdStrike should serve as a “dress rehearsal” for the kind of issues officials anticipate in the event of a destructive cyberattack by China-linked hackers, according to one of the top cybersecurity leaders in the U.S.

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said here Wednesday that escalating tensions between China and Taiwan have led Beijing to seek ways to launch destructive attacks against the island nation and its allies — including the U.S. 

“[This is] a world where a war in Asia will be accompanied by very serious threats for Americans. The explosion of pipelines, the pollution of water systems, the derailing of our transportation systems, the severing of our communications, specifically to incite panic and societal chaos and to deter our ability to marshal military might and citizen will.”

U.S. officials continue to search for and root out compromises caused by Volt Typhoon — a Chinese state-sponsored group that experts say intends to prepare for such attacks.

While the U.S. government is focused on preventing any destructive cyberattacks launched by China, at the Black Hat cybersecurity conference Easterly reiterated her previous calls for the public to be prepared for incidents that cause the kind of technology outages seen two weeks ago, when a faulty update from CrowdStrike knocked 8.5 million Microsoft devices offline.

The incident affected thousands of hospitals, airports and businesses around the world and required days of hands-on IT work to resolve. 

“We are building resilience into our networks and our systems so that we can withstand a significant disruption or at least drive down the recovery time to be able to provide services, which is why I thought the CrowdStrike incident — which was a terrible incident — was a useful exercise, like a dress rehearsal, for what China may want to do to us in some way and how we react if something like that happens,” she said. 

“We have to be able to respond very rapidly and recover very rapidly in a world where [an issue] is not reversible.”

‘This is exactly what China wants to do’

While China has denied any involvement in the Volt Typhoon compromises, CISA and the FBI have repeatedly warned that the hackers are “seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

As China has increased its aggressiveness toward Taiwan in recent years, evidence of Volt Typhoon hackers was found hidden in U.S. critical infrastructure in Guam and near other U.S. military bases with the intent of slowing any potential mobilization of forces. 

The Volt Typhoon campaign set off an effort by the White House and other arms of the U.S. government to not only root out the hackers but also harden critical infrastructure.

A February advisory said several U.S. agencies have seen Volt Typhoon hackers “maintaining access and footholds within some victim IT environments for at least five years.” Earlier this year the U.S. Justice Department confirmed that it disrupted the “KV Botnet” malware run by Volt Typhoon. 

Easterly said the CrowdStrike incident illustrated the kind of coordination needed to quickly address a malicious attack. CISA worked alongside several other government agencies and Microsoft to provide mitigation guidance to CrowdStrike customers and assess the impact on critical infrastructure. 

But during the incident, Easterly said what was going through her mind was: “This is exactly what China wants to do.” 

“What we know about Chinese cyberspace actors is, typically those colloquially known as Volt Typhoon are embedding in our critical infrastructure specifically not for espionage or data theft or IP theft, but to launch disruptive or destructive attacks in the event of a major conflict in the Taiwan Strait,” she said.

The lesson from the CrowdStrike incident is to “build that resilience now, so we are prepared for that massive disruption,” she added, explaining that CISA and other agencies have been working with the private sector so companies understand the threats, know what they need to do to drive down that risk, and are prepared for it.

While they have been hard at work preparing for potential attacks, Easterly said it is still unclear whether all of the publicity around the Volt Typhoon has had an impact in driving the hackers into places where officials cannot find them or causing them to change tactics. 

“I don't think we have seen material changes yet. But as I've said, what we've found to date across multiple sectors is likely just the tip of the iceberg,” she told the crowd.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.