Expect China to attack US infrastructure within 3 years, MITRE CTO says
The US needs to figure out how to disconnect its industrial-control systems from its networks—and fast, says a top leader of the defense R&D not-for-profit.
MITRE Chief Technology Officer Charles Clancy has led the not-for-profit government R&D giant’s technical and innovation strategy for the intelligence community since 2019, becoming an expert on multiple topics at the intersection of cybersecurity and technology.
Clancy recently spoke with Defense One sister publication Nextgov/FCW about recent U.S. cybersecurity news headlines, as well as threats to critical infrastructure, following his Feb. 6 testimony before a House panel on securing water systems from hackers. This interview has been edited for length and clarity.
Nextgov/FCW: Talk about how you prepared for the water-systems security hearing today and any major takeaways from it.
Clancy: We met with the majority and minority staff ahead of the hearing to get a sense of their objectives. Of course, MITRE has a diverse set of sponsors in these areas, so we engaged with them to make sure we were representing a whole-of-government view across the sectors.
My big message is what I said in my opening statement. A lot of these policy fixes on the fringes are not going to deal with the scale of the threat that we face. So if you want to continue to fight against harassment campaigns from nation states…the sorts of solutions people were talking about are probably okay, but I think the big point I want to get across that didn’t get enough air time is that the threat has really changed.
We’ve got maybe three years to figure this out before China does an all-out attack against our critical infrastructure. We’re going to have to train and prepare to disconnect our operational technology systems from our information technology systems ahead of a major attack from China.
Nextgov/FCW: Last year, the EPA rescinded a memo ordering water-systems operators to evaluate their cyber defenses when conducting sanitation surveys. Was this the right move?
Clancy: I guess I’m not surprised that industry [representatives] pushed back. But I’m heartened to see the industry is still interested in figuring out a solution that does include some cybersecurity regulation. One proposal on the table is an approach where EPA would manage a [North American Electric Reliability Corporation]-like entity that would serve as a non-governmental organization.
Nextgov/FCW: The U.S. last week confirmed it went on the offensive against China-linked Volt Typhoon hackers. Your response to this?
Clancy: I think it was great. When the proportional response to a cyberattack against U.S. critical infrastructure is sanctions like we saw with Iran last week, I don’t know if that sends a very strong signal. All of the things that we’ve been doing through sanctions and other means to respond are not slowing down our adversaries and are not making them think twice.
I think we need to ratchet up our response if we want to have a deterrent effect against hackers, going on the offensive against individual hacker groups and their infrastructure. In the case of Volt Typhoon, that’s a good example.
Nextgov/FCW: Last year saw record ransomware activity. The White House has been inviting governments to pledge to not pay those ransoms. Do you agree?
Clancy: 100% agree. I think the best way to affect that is to work with insurers. I think if the insurers are not willing to pay ransoms but are willing to pay for mediation, even if it costs a little more, then we can begin to turn the tide on ransom payments.
Nextgov/FCW: The State Department says it will restrict visas for people linked to spyware abuses. Google just this week said the private sector has a heavy hand in spyware activities. Your reaction to this?
Clancy: We’re gonna use all the tools in our toolbox. Sanctions are one of the tools, but I think we have to realize it is not the only tool. I’m certainly supportive of sanctions related to individuals connected to these espionage and cyber enterprises.
I think there is a suite of more traditional-based law enforcement mechanisms that can be used to take legal action. For instance, you can go after individuals who are involved with the actors behind [spyware], you can go after the nationals that host them or you can go after the IT infrastructure they’re leveraging to do the attacks.
Nextgov/FCW: The Biden administration says the president will not veto efforts to undo the SEC cyber incident disclosures rule. What do you think of this?
Clancy: I think for transparency, it’ll help drive market-based incentives for people to deploy and operate secure infrastructure. Based on examples of disclosures I’ve seen, I don’t see any particularly technical data in these things that would help hackers exploit [companies].
Nextgov/FCW: The FCC just issued a cease-and-desist letter to a telecom operator allegedly linked to last month’s AI-generated Biden robocall. What does this say about the state of election security?
Clancy: Robocalls continue to be an endemic part of our telecom infrastructure. I applaud the commission’s efforts over the last few years to deploy the STIR/SHAKEN protocols that provide digital signatures for a call record. I think generative AI is going to play out in many interesting ways as we approach this election cycle. I think it really just helps people with existing propaganda campaigns, and I think if we want to try and deal with it, looking at the source and being able to hold accountable the propagandist behind AI is perhaps the best strategy we have for the next year.