Opening Statement by CISA Director Jen Easterly

Chairman Gallagher, Ranking Member Krishnamoorthi, Members of the Committee, thank you for the opportunity to testify on CISA’s efforts to protect the Nation from the preeminent cyber threat posed by the People’s Republic of China.

As America’s civilian cyber defense agency and the National Coordinator for critical infrastructure security and resilience, CISA has long been focused on cyber threats from China. In recent years, however, we have observed a deeply concerning evolution in Chinese targeting of US infrastructure.

Specifically, Chinese cyber actors, including a group known as “Volt Typhoon,” are burrowing deep into our critical infrastructure to be ready to launch destructive cyber-attacks in the event of a major crisis or conflict with the United States. This is a world where a major conflict halfway around the globe might well endanger the American people here at home through the disruption of our gas pipelines; the pollution of our water facilities; the severing of our telecommunications; the crippling of our transportation systems—all designed to incite chaos and panic across our country and deter our ability to marshal military might and citizen will.

This threat is not theoretical: leveraging information from our government and industry partners, CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors, including aviation, energy, water, and telecommunications. And what we’ve found to date is likely the tip of the iceberg. Given the malicious activity uncovered by CISA, NSA, FBI, and industry partners, we are acting now, knowing that this threat is both real and urgent.

First, through authorities provided by Congress based a recommendation from the Cyberspace Solarium Commission, we are using the Joint Cyber Defense Collaborative or JCDC to drive robust operational collaboration across government and industry focused on uncovering additional Chinese malicious cyber activity and developing new ways to prevent Chinese intrusions. Second, we are delivering services, guidance, and resources to critical infrastructure owners and operators across the nation to identify and reduce risks posed by Chinese cyber actors. And we are leveraging our now hundreds of advisors and subject matter experts across the country to work directly with critical infrastructure businesses to strengthen the resilience of the critical services Americans rely on every hour of every day.

The reality is, however, eradicating malicious Chinese activity, bolstering the resilience of critical infrastructure, or even going on the offense to disrupt and impose costs, are all necessary, but insufficient. While the PRC is a sophisticated cyber adversary, many of its methods to break into our critical infrastructure are not. They don’t have to be. Why? Because we’ve made it easy for them. The truth is that, in many cases, the PRC is taking advantage of known product defects.

Unfortunately, the technology base underpinning much of our critical infrastructure is inherently insecure, because for decades *software developers* have been insulated from responsibility for defects in their products. This has led to misaligned incentives that prioritize features and speed to market over security, leaving our nation vulnerable to cyber invasion. That must stop. Technology companies must help ensure that China and other cyber actors cannot exploit defects in technology products to saunter into the open doors of our critical infrastructure to prepare destructive attacks. They must build and deliver products that are secure by design.

We are at a critical juncture for our national security. Today’s hearing should serve as an urgent call to collective action. Specifically:

1. Every victim of a cyber incident should report it to CISA or FBI, every time, recognizing that a threat to one is a threat to many, because cybersecurity is national security.

2. Every critical infrastructure entity should establish a relationship with their local CISA team and enroll in our free services, particularly our Vulnerability Scanning program, to help identify and repair vulnerabilities being exploited by Chinese cyber actors.

3. Every critical infrastructure entity should use these services, along with CISA’s Cybersecurity Performance Goals, and the many advisories we’ve published with NSA and FBI to drive necessary investment in cyber hygiene, including throughout their supply chains.

4. Every critical infrastructure entity should double down on their commitment to resilience. They must expect and prepare for an attack, continually testing and exercising the continuity of critical systems to ensure they can operate through disruption and recover rapidly to continue to provide services to the American people.  

5. Finally, every technology manufacturer must build, test, and ship products that are secure by design. We must drive toward a future where defects in our technology products are a shocking anomaly, a future underpinned by a software liability regime based on a measurable standard of care and safe harbor provisions for software developers who do responsibly innovate by prioritizing security.

These steps, however, are only achievable if CEOs, Boards, and every single business leader of a critical infrastructure organization treats cyber risks as core business risks and recognize that managing them is a matter of both good governance and fundamental national security.

Thank you. I look forward to your questions.

*As called for in the National Cybersecurity Strategy, we must shift incentives so that companies invest in producing technology that is secure by design, taking care not to place the burden on end users or individual developers*.