Strengthening America’s Resilience Against the PRC Cyber Threats
As America’s Cyber Defense Agency and the National Coordinator for critical infrastructure security and resilience, CISA’s mission is to safeguard America’s critical infrastructure and enhance our nation’s collective resilience. We help protect and defend the critical services Americans rely on every day against threats from anyone, anywhere, anytime.
China’s sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular to U.S. critical infrastructure. Last year, I testified about these threats before the House Select Committee on the Chinese Communist Party. In my opening statement, I underscored the very real possibility that a crisis in Asia, precipitated by an invasion of Taiwan or a blockade of the Taiwan Strait, could have direct consequences for the safety and security of American citizens here at home. Chinese leader Xi Jinping has pledged on numerous occasions, including on the eve of Communist China’s 75th birthday this past September, to achieve “reunification” with Taiwan, a move analysts assess will likely occur, either peacefully or militarily, by the end of this decade, if not sooner. Such action could be accompanied by disruptive attacks against “everything, everywhere, all at once”: our transportation nodes, our telecommunications services, our power grids, our water facilities, and likely much more, all with the goal of inducing societal panic and deterring our ability to marshal military might and citizen will to expend American blood and treasure in defense of Taiwan.
Over the past two years, CISA and our federal government and industry partners have been laser focused on deterring China’s cyber aggression, working with critical infrastructure entities across the nation to identify and evict Chinese cyber actors, whether they are focused on espionage, such as the recent “Salt Typhoon” campaign against U.S. telecommunications providers, or on disruption, such as the “Volt Typhoon” campaign designed to disrupt or destroy our most sensitive critical infrastructure. PRC cyber actors have attempted to evade detection by using living-off-the-land methods, abusing the native tools and processes of the operating systems they compromise rather than deploying distinctive malware that could be signatured. Even so, our world-class team of threat hunters has detected them and assisted critical infrastructure partners in evicting them. Their work to address the Volt Typhoon campaign in particular was recognized in the Congressional Record of June 27, 2024, by Representative Mark E. Green of Tennessee, Chairman of the House Homeland Security Committee. He noted:
“I rise to honor a team of highly skilled cybersecurity professionals for their invaluable service to the United States. While few know their name or see their work, the Threat Hunting team saved millions of Americans from a devastating series of cyberattacks. Volt Typhoon, a malicious state-sponsored cyber actor connected to the People’s Republic of China (PRC), repeatedly targeted critical U.S. infrastructure. By prepositioning cyber threats within critical infrastructure networks, Volt Typhoon was poised to launch destructive cyberattacks of immense proportions against the U.S. The Cybersecurity & Infrastructure Security Agency (CISA) confirmed that the malign group compromised critical infrastructure organizations in communications, energy, transportation systems, and water and wastewater systems. In a moment of crisis, the PRC could devastate American communities. Through the vigilance, dedication, and hard work of the Threat Hunting team, Volt Typhoon was detected and evicted from many of these critical infrastructure organizations. Despite Volt Typhoon operating in a pattern of behavior inconsistent with traditional cyber espionage, they were no match for our best and brightest. Using their expertise, this unique group of specialists shared Volt Typhoon’s tactics, techniques, and activity with the public, ensuring that the malign group could no longer operate in the dark. Americans owe much to these patriots, though their work often goes unnoticed. This team deserves our deepest gratitude. On behalf of the American people and the United States Congress, I thank the Threat Hunting team for their service to this country.”
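The living-off-the-land point above is the practical challenge for defenders: when the actor runs only built-in administrative tools, there is no malicious binary to hash-match, and detection has to key on how native tools are invoked (command line, parent process, account) rather than on what ran. The following is an added example, not CISA code and not the Threat Hunting team's tooling. It scans constructed Windows process-creation records (in the shape of Security Event ID 4688 with command-line auditing enabled) for invocation patterns of netsh portproxy, ntdsutil, shadow copies, WMI process creation and registry hive export, which CISA's public Volt Typhoon advisories describe the actor using; the rule weights, the parent-process bonus, the two extra rules, and the sample events are this example's own assumptions.

```python
"""Flag living-off-the-land (LOTL) tradecraft in Windows process-creation events.

Added example, not CISA code. LOTL activity runs built-in administrative tools,
so detection keys on how a native tool is invoked, not on a file hash.
"""
import re
from dataclasses import dataclass

# (rule name, regex applied to the command line, weight, analyst-facing reason).
# The netsh portproxy, ntdsutil ifm, shadow-copy, wmic and reg save patterns
# follow behaviours described in CISA's public Volt Typhoon advisories; the
# weights and the last two rules are this example's own choices, not an
# official detection list.
LOTL_RULES = [
    ("netsh_portproxy", r"\bnetsh\b.*\binterface\b.*\bportproxy\b.*\badd\b", 8,
     "port-forward pivot created with built-in netsh"),
    ("ntdsutil_ifm", r"\bntdsutil\b.*\bifm\b", 9,
     "Active Directory database (NTDS.dit) exported with ntdsutil"),
    ("shadow_copy",
     r"\bvssadmin\b.*\bcreate\b.*\bshadow\b|\bwmic\b.*\bshadowcopy\b.*\bcreate\b", 7,
     "volume shadow copy created, often to read locked credential stores"),
    ("wmic_process_create", r"\bwmic\b.*\bprocess\b.*\bcall\b.*\bcreate\b", 6,
     "process launched through WMI"),
    ("reg_save_hives", r"\breg(\.exe)?\b.*\bsave\b.*\b(sam|security|system)\b", 8,
     "registry hive saved to disk for offline credential extraction"),
    ("wevtutil_clear", r"\bwevtutil\b.*\bcl\b", 5, "event log cleared"),
    ("ps_encoded", r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", 4,
     "PowerShell started with an encoded command"),
]
_COMPILED = [(n, re.compile(rx, re.IGNORECASE), w, why) for n, rx, w, why in LOTL_RULES]

# Context heuristic (this example's own assumption): a native tool launched by a
# web-facing service process is far more suspicious than the same tool run by
# an interactive administrator, because that is what a web shell looks like.
WEB_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe"}
PARENT_BONUS = 5


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    score: int
    reason: str
    cmdline: str


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def scan_events(events):
    """Return one Finding per (event, matching rule), in input order."""
    findings = []
    for ev in events:
        parent = _basename(ev["parent"])
        for name, rx, weight, why in _COMPILED:
            if not rx.search(ev["cmdline"]):
                continue
            score, reason = weight, why
            if parent in WEB_PARENTS:
                score += PARENT_BONUS
                reason += f"; spawned by web process {parent}"
            findings.append(Finding(ev["host"], ev["user"], name, score, reason, ev["cmdline"]))
    return findings


def host_scores(findings):
    """Aggregate finding scores per host so triage starts at the noisiest box."""
    totals = {}
    for f in findings:
        totals[f.host] = totals.get(f.host, 0) + f.score
    return totals


# Constructed sample events in the shape of Security Event ID 4688 records
# (process creation with command-line auditing enabled); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'},
    {"host": "edge-vpn01", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 listenaddress=0.0.0.0 "
                "connectport=8443 connectaddress=192.0.2.10"},
    {"host": "fs02", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r"cmd.exe /c vssadmin create shadow /for=C:"},
    {"host": "ws-011", "user": "CORP\\alice", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"host": "ws-011", "user": "CORP\\alice", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"host": "dc01", "user": "CORP\\svc_backup", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:<10} {f.user:<28} {f.rule:<20} {f.score:>2}  {f.reason}")
    print(host_scores(hits))
```

Two caveats a practitioner should keep in mind. First, none of this works without the command line: Event ID 4688 only carries it when the "Include command line in process creation events" policy is enabled, and Sysmon Event ID 1 is the usual alternative. Second, every tool above has legitimate administrative uses, so these matches are triage leads to be checked against the environment's baseline (who normally runs ntdsutil, and from where), not verdicts; the parent-process bonus is one cheap way to encode that context.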
Notably, a critical element in the U.S. Government’s ability to understand the totality of the Salt Typhoon campaign targeting U.S. telecommunications infrastructure was the fact that CISA threat hunters had previously detected the same actors in U.S. government networks. This information, along with tips from industry, is what allowed our law enforcement partners to gain access to images of actor-leased virtual private servers. This, in turn, gave us and our federal government partners visibility into the breadth of the campaign and allowed us to notify, and provide technical assistance to, known or suspected private sector victims.
Despite the truly excellent work of our CISA teams and of our federal and industry partners, we know our adversaries remain relentlessly focused on holding our critical infrastructure at risk. And even as we’ve successfully eradicated numerous Chinese intrusions into critical infrastructure across multiple sectors, we know that what we have found is likely just the tip of the iceberg. This unrelenting PRC campaign underscores the urgent need for robust cyber defense and vigilance across public and private sectors.
CISA’s approach to countering these threats is rooted in partnership and resilience. We remain dedicated to working proactively to reduce further risks from the vulnerable devices that the PRC is using to conduct their intrusions. In doing so, we are leading three lines of effort to address these threats and reduce risks to the American people:
- First, we are helping victims identify and evict PRC cyber actors from their networks. CISA hunt and incident response teams have deployed to find and eradicate the PRC’s malicious activity across multiple sectors, including energy, transportation, water, and telecommunications. Our regional teams—hundreds of security experts stationed in every state across our nation—are actively working with systemically important entities across sectors that we know have been targeted by PRC activity, helping them strengthen their defenses and reduce their vulnerability.
- Second, through our Joint Cyber Defense Collaborative (JCDC), we have initiated a cyber defense planning effort with key information technology, communication, and cybersecurity industry partners – as well as USG and international partners – focused on the protection and defense of U.S. critical infrastructure networks from PRC malicious cyber activity. This effort is focused on combining the collective visibility of the internet ecosystem to further understand PRC targeting of critical infrastructure and identifying and implementing mitigations at both the ecosystem and enterprise network levels.
- Third, we are delivering services across critical infrastructure that directly reduce risks posed by PRC cyber actors, including our CyberSentry threat detection capability; our Attack Surface Management services, now deployed across nearly 7,000 critical infrastructure organizations to identify and mitigate the technology defects that allow these threats to get a foothold in American businesses; and our best-in-class protection capabilities to help prevent successful intrusions against under-resourced businesses.
The reality is, however, that rooting out malicious PRC activity and bolstering the security of critical infrastructure organizations are necessary but insufficient. While the PRC is a sophisticated, well-resourced, and formidable cyber adversary, the methods they are using to exploit our critical infrastructure are not. They don’t have to be. Why? Because in many cases, we’ve made it easy for them.
Indeed, the PRC is largely taking advantage of known product defects. The truth is that the technology base upon which our critical infrastructure depends is inherently insecure, because of decades of misaligned incentives that prioritized features and speed to market over security. That must stop. Technology companies must help ensure the PRC and other adversary threat actors cannot exploit defects in technology products to target our critical infrastructure. These weaknesses—and the resulting risks to our national security—can only be addressed at scale by companies building and selling products that are secure by design.
We are at a critical juncture for our national security. The clear and present danger from China’s cyber actors must serve as a call to action for the technology and cybersecurity industry, the critical infrastructure community, and all of our partners. Specifically:
- Every victim of a cyber incident should report it to CISA, every time, recognizing that a threat to one is a threat to many, because cybersecurity is national security.
- Every critical infrastructure business should establish a relationship with their local CISA team and enroll in our free services, particularly our Vulnerability Scanning program, to help identify and reduce vulnerabilities that are actively being exploited by PRC actors.
- Every critical infrastructure organization should double down on their commitment to resilience. CEOs, Boards, and every business leader must recognize that they own cyber risk as a business risk and a matter of good governance. They must expect disruption, continually testing the continuity of critical systems and functions to ensure they can operate through disruption and recover rapidly from an attack.
- Finally, every technology manufacturer and software producer should design, build, test, and deploy their products using the practices outlined in our joint Secure by Design guidance. We must drive toward a future where technology products are safe by design and defective products are not present in critical infrastructure systems.
The threats posed by the PRC are real and persistent, and we anticipate they will continue evolving through 2025 and beyond. But these threats are not insurmountable. By fostering a culture of security and resilience and developing IT and software products that are built with security in mind, we can protect our nation’s critical infrastructure. Such deterrence by denial must be accompanied by equally aggressive efforts to hold our adversary’s critical infrastructure at risk, that is, deterrence by punishment; both are equally important to the security and resilience of the critical services Americans depend on every day. At CISA, we know that true success depends on sustained collective action and that the stakes have never been higher. We remain committed, for as long as it takes, to working alongside our partners to address these challenges with the sustained attention and action that they demand. Together, we can outpace our adversaries and achieve a more secure and resilient future.