FBI Director Christopher Wray warned of Chinese government efforts to jeopardize critical pieces of American infrastructure such as water treatment plants and electrical grids, calling on the country to prepare itself to fend off disruptive cyberattacks.
“PRC hackers are targeting our critical infrastructure, our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems, and the risk that poses to every American requires our attention now,” Wray said at a hearing of the House’s Select Committee on China, using an abbreviation for the People’s Republic of China.
“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities,” he added.
“They’re not focused just on political and military targets, we can see from where they position themselves across civilian infrastructure that low blows aren’t just a possibility in the event of conflict — low blows against civilians are part of China’s plan.”
Wray’s remarks came during a broader hearing on China’s cyber risk to American security, highlighting that the PRC’s cyber threat extends far beyond seeking intellectual property by targeting physical infrastructure Americans rely on every day.
But he nodded to ongoing budget negotiations as the committee weighs the threat, noting the extent China has invested in its own hacking programs.
“The PRC has a bigger hacking program than that of every major nation combined,” he said, noting that even if the FBI devoted all its cyber personnel to China, they’d still be outnumbered 50 to 1.
“So as we sit here, while important budget discussions are underway, I will note that this is a time to be keeping ahead of the threats by investing in our capabilities rather than cutting,” Wray said.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), told lawmakers that Chinese and other cyber actors have essentially been able “to saunter through the open doors of our critical infrastructure to destroy it.”
“The truth is, the Chinese cyber actors have taken advantage of very basic flaws in our technology. We’ve made it easy on them,” she said in her opening statement before the same panel.
“Unfortunately, the technology underpinning our critical infrastructure is inherently insecure because of decades of software developers not being held liable for defective technology that has led to incentives where features and speed to market have been prioritized against security, leaving our nation vulnerable to cyber invasion.”
She called on infrastructure outlets to work with CISA to secure free vulnerability scanning.
“Every technology manufacturer must build, test and deploy technology that is secure by design. We have to drive towards a future where cyber actors cannot take advantage of technology defects to break into our critical infrastructure,” she said.
“None of this is possible unless every CEO, every business leader, every board member for a critical infrastructure company recognizes that cyber risk is business risk, and managing it is a matter of both good governance and fundamental national security.”