Chairman Gallagher, Ranking Member Krishnamoorthi, Members of the Committee, thank you for the opportunity to testify on CISA's efforts to protect the Nation from the preeminent cyber threat posed by the People's Republic of China.
As America's civilian cyber defense agency and the National Coordinator for critical infrastructure security and resilience, CISA has long been focused on cyber threats from China.
In recent years we have observed a deeply concerning evolution in Chinese targeting of US infrastructure.
This threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors, including aviation, energy, water, and telecommunications.
First, through authorities provided by Congress based on a recommendation from the Cyberspace Solarium Commission, we are using the Joint Cyber Defense Collaborative, or JCDC, to drive robust operational collaboration across government and industry focused on uncovering additional Chinese malicious cyber activity and developing new ways to prevent Chinese intrusions.
Second, we are delivering services, guidance, and resources to critical infrastructure owners and operators across the nation to identify and reduce risks posed by Chinese cyber actors.
We are leveraging our now hundreds of advisors and subject matter experts across the country to work directly with critical infrastructure businesses to strengthen the resilience of the critical services Americans rely on every hour of every day.
The reality is that eradicating malicious Chinese activity, bolstering the resilience of critical infrastructure, and even going on the offense to disrupt and impose costs are all necessary, but insufficient.
While the PRC is a sophisticated cyber adversary, many of its methods to break into our critical infrastructure are not.
The technology base underpinning much of our critical infrastructure is inherently insecure, because for decades software developers have been insulated from responsibility for defects in their products.
This has led to misaligned incentives that prioritize features and speed to market over security, leaving our nation vulnerable to cyber invasion.
Technology companies must help ensure that China and other cyber actors cannot exploit defects in technology products to saunter into the open doors of our critical infrastructure to prepare destructive attacks.
We are at a critical juncture for our national security.
Every victim of a cyber incident should report it to CISA or FBI, every time, recognizing that a threat to one is a threat to many, because cybersecurity is national security.
Every critical infrastructure entity should establish a relationship with their local CISA team and enroll in our free services, particularly our Vulnerability Scanning program, to help identify and repair vulnerabilities being exploited by Chinese cyber actors.
Every critical infrastructure entity should use these services, along with CISA's Cybersecurity Performance Goals, and the many advisories we've published with NSA and FBI to drive necessary investment in cyber hygiene, including throughout their supply chains.
Every critical infrastructure entity should double down on their commitment to resilience.
They must expect and prepare for an attack, continually testing and exercising the continuity of critical systems to ensure they can operate through disruption and recover rapidly to continue to provide services to the American people.
Finally, every technology manufacturer must build, test, and ship products that are secure by design.
These steps are only achievable if CEOs, Boards, and every single business leader of a critical infrastructure organization treat cyber risks as core business risks and recognize that managing them is a matter of both good governance and fundamental national security.
This Cyber News was published on www.cisa.gov. Publication date: Wed, 31 Jan 2024 22:13:04 +0000