FBI Chief Warns China Poised To Wreak 'Real-World Harm' on US Infrastructure

FBI Director Christopher Wray, in his final interview before stepping down, warned that China poses the greatest long-term threat to U.S. national security, calling it "the defining threat of our generation." China's cyber program has stolen more American personal and corporate data than all other nations combined, Wray told CBS News. He said Chinese government hackers have infiltrated U.S. civilian infrastructure, including water treatment facilities, transportation systems and telecommunications networks, positioning themselves to potentially cause widespread disruption.

"To lie in wait on those networks to be in a position to wreak havoc and can inflict real-world harm at a time and place of their choosing," Wray said. The FBI director, who is leaving his post nearly three years early after President-elect Donald Trump indicated he would make leadership changes, said China has likely accessed communications of some U.S. government personnel. He added that Beijing's pre-positioning on American civilian critical infrastructure has not received sufficient attention.

surprised?

[wyHunter]

Are we surprised? No. This has been true for close to twenty years now and the process is accelerating.

Re:

[cob666]

No surprise at all, critical infrastructure is safeguarded by politicians and bureaucrat that have no real knowledge about what their charged with protecting.

Re:surprised?

[dbialac]

The bigger question: why is this stuff even connected to the internet in the first place? The only way to ensure that a device is immune from an internet attack is to not have a connection.

Re:

[Anonymous Coward]

Monitoring, reporting, and remote control.

Re:

[dbialac]

That's a poor excuse. Seriously. That's a really poor excuse. That's laziness and a hazard in the first place. Have people on staff 24 hours a day to monitor everything in the first place, You can have the monitoring equipment work internally without an external connection and without a computer connected to the internet. On the communications side, phone system should work via a physical line hooked up to nothing on the internet.

Re: surprised?

[drinkypoo]

The telcos are trying to kill POTS right now. If your plan requires a non Internet phone connection, it's a bad plan, because it will be short lived at best.

A better plan would be to use radio. I wonder if utilities get a break on that from the FCC?

Re:

[dbialac]

There's a wonderful word that exists that government can use: "No". Radio is easier to jam that a POTS line, though it's not by any means impossible.

Re:

[smooth wombat]

Have people on staff 24 hours a day to monitor everything in the first place.

What you're advocating is called return to office. Is that a thing?

Re:

[dbialac]

Our military never left and companies are mandating it more and more.

Re:

[MacMann]

That's a poor excuse. Seriously. That's a really poor excuse.

Agreed.

Have people on staff 24 hours a day to monitor everything in the first place, You can have the monitoring equipment work internally without an external connection and without a computer connected to the internet.

Or have the communications be one-way.

If there's some need for remote monitoring of something like the RPM of a turbine at a power plant then have a web cam pointed at a gauge, computer screen, or whatever. It would be trivial to prove that anyone that got in without proper authorization would at best be able to read the gauges rather than have full access to the computers that control anything.

The need for 24 hour staffing should be considered on a case by case basis. I remember a YouTube video wh

Re:

[drinkypoo]

At some point we need to admit that there's no stopping every attack on infrastructure. If China somehow rolled up to this dam with a self propelled howitzer then that's just game over for that dam.

The whole point of artillery is that you can shoot people or stuff far away from where you are, you don't "roll up to" anything.

Re:

[alvinrod]

There are limits to how far artillery can fire, so outside of anything built in to a fortification there is a need for it to be moved into place. You would still have to "roll up to" the target even if that means being several miles away. However it's far more realistic that infrastructure would be attacked by bombers or some other long range missile platform as the effective attack range is far greater than artillery and doesn't require setting up and protecting that artillery. If you can get ground artill

Re:

[MacMann]

There are limits to how far artillery can fire, so outside of anything built in to a fortification there is a need for it to be moved into place. You would still have to "roll up to" the target even if that means being several miles away.

Indeed. The maximum range on the M109 Paladin and similar self propelled howitzers is about 20 miles.

To do some real damage the M109 is equipped for direct fire, as in firing to line of sight than lobbing a shell over many miles. This turns an artillery piece into a tank destroyer.
https://www.youtube.com/watch?... [youtube.com]

Of course direct fire from a self propelled howitzer also comes in handy to take out large concrete structures, such as various fortifications or a hydroelectric dam. An armored vehicle built sp

Re:

[necro81]

Have people on staff 24 hours a day to monitor everything in the first place

There are cases where it's tough to avoid.

Say you have a substation 100 miles from your nearest service center. You want to monitor what's happening there, and be able to physically manipulate what it's doing (i.e., throw a breaker). You can:
1) Have some poor schmuck camp out there and do nothing but stare at set of dials, and relay that not-realtime data back to the central office. And, occasionally, throw a switch when

Re:

[dbialac]

5) You provide housing for the people on-site, so they're not driving 100 miles every day. A cousin of mine once worked on a cruise line. While food and basics were provided, things like medications required trips off the ship. This is somewhat analogous because they only had access to these things for a few hours in between voyages. Even in tourist stops, they were required to stay on board as not all of the guests were gone for the entire time the ship was in dock.

Re:

[necro81]

Your (5) is just a restatement of my (1).

Re:

[dbialac]

Not really. I'm thinking the entire staff is on-site; that is a small town. A family drives into town once a week and get the goods they need.

Re:

[radarskiy]

"That's laziness and a hazard in the first place."

No, that's "The vote for the town budget failed twice already."

Re:

[Anonymous Coward]

Air gapping needs to be more common

Re:surprised?

[nightflameauto]

The bigger question: why is this stuff even connected to the internet in the first place? The only way to ensure that a device is immune from an internet attack is to not have a connection.

Hyperbolic salespeople selling convenience over security to folks that have zero security knowledge to start with and probably net negative technological knowledge to boot.

Re:

[ole_timer]

cost - puc's won't allow the cost to be given to the rate payers - hence we live with the risk...

Re:

[penguinoid]

Even if it has an internet connection, there's no excuse these days. The internet data should always be considered as potentially hostile, and as such any data that doesn't match expectations should be aggressively discarded (wrong port, wrong length, etc., plus no universal password).

Re:

[BringsApples]

Are we surprised? No. This has been true for close to fifty years now and the process is accelerating./quote

There, fixed that for ya

Re:

[wyHunter]

Well, we didn't really have SCADA things attached to the public internet 50 years ago...just saying.

Infrastructure attack = WMD

[BubbaDave]

Make sure they know we will treat a mass infrastructure attack same as any other WMD attack.

Re:Infrastructure attack = WMD

[dfghjk]

But we won't and we don't. We don't even respond to such attacks.

Re: Infrastructure attack = WMD

[dwater]

Idiot. They'll do the same to you.

Re:

[reqteridae]

the US doesn't publicize it's cyber responses - it only broadcasts takedowns

Re:

[Hoi Polloi]

Or maybe just improve your security

We are not going to war with China

[rsilvergun]

Big business and the billionaires won't allow it. They will allow a little bit of saber rattling so that they can get big defense contracts and some government subsidies for local American manufacturing they wanted to do anyway. But no actual war is going to happen or even at any serious fighting.

Maybe about a decade ago the Pakistan government was aware of a major terrorist attack about to happen in India.

Pakistan didn't tell India about it. They let the attack happen. Lots of people died and it wa

Honestly that might be an improvement

[rsilvergun]

There's a few multimillionaires in the DNC but we don't have anywhere near the amount of cash that the Republican party has.

Elon Musk without a second thought dropped a quarter of a billion dollars (that we know of) getting Trump elected. The Democrats just cannot compete with that.

I do think that the multi-millionaires are starting to worry that the multi-billionaires aren't in the same class. You could see some of them switching over to team blue because they've seen what happens to their lot over

Re:

[mysidia]

The likely bad actors hide who launched the attack And even pretend to be a different one, so you won't actually know who the retaliation should be against.

Re:

[penguinoid]

So you're saying we should have started a global thermonuclear war several times last year?

Re:

[sabbede]

Well, it would be an act of war, so presumably it would occur at the outset of a war.

To do what

[hdyoung]

Exactly? Hackers have taken down water treatment plants. The result is a local boil advisory for a few days while they switch to manual operation. Nowadays, hospitals get taken down by malware on a weekly basis. They switch to paper temporarily. Ou interne, telecomsand even airport systems go down regularly. Sometimes we even do it to ourselves coughCLOUDFLAREcough. Is it disruptive? Yes. But life goes on. Certainly nothing happens that would render us suddenly vulnerable to some nefarious Chinese takeover. Maybe theres some special back-back-forward-punch attack that shuts literally everything down and makes our cities burn.but I definitely haven’t heard or read about anything plausible like that.

Re:To do what

[XXongo]

Exactly? Hackers have taken down water treatment plants. The result is a local boil advisory for a few days while they switch to manual operation.

Amateurs.

We've never seen a concerted military attack on our infrastructure.

Re:

[dfghjk]

How do you know? What you mean is that YOU have never seen it.

Re:

[Anonymous Coward]

You'd know it when tens of millions of people are without drinking water for weeks because the systems were irreparably damaged. You'd know it when air traffic can't be routed because adversaries bricked the entire national airspace system.

I can go on.

The stuff you've seen has mostly been script kiddies and ransomware operators inflicting what is relatively minor damage. A nation state military strike would be real, painful, obvious, and affect tens or hundreds of millions of people all at once.

Re:

[hdyoung]

Our air traffic system recently got bricked by Cloudflare. It definitely caused inconvenience but the country didn't exactly grind to a halt. And, the water systems would simply switch over to "boil advisory" mode while they fixed the problem.

Inconvenient? yes. But not exactly the stuff that would distract a modern rich-world country much in a military situation.

Re:

[necro81]

We've never seen a concerted military attack on our infrastructure.

Ukraine has. In the years before Putin launched his invasion, there was an ongoing effort to hack and sabotage all manner of public infrastructure. Wired wrote about [wired.com] it in 2016.

The narrative has largely been supplanted by the ongoing efforts by Russia to just blow up Ukraine's infrastructure the ol' fashioned way, but the cyberattacks are definitely ongoing [google.com].

Re:

[dbialac]

You should read the news more. Multiple schools in smaller communities were all given bomb threats more or less all at once in the eastern US in April of last year. Almost all emergency responders were on site within a few minutes. If you wanted to rob a bank, that was the time to do it as nobody was available to respond. This isn't hard to pull off.

Re:

[hdyoung]

There are different scales of disruption. What you described is definitely disruptive to some parents, children and a subset of first responders. Yeah, someone could use it to rob a bank. But, at the national level, it would barely register. Certainly wouldn't give some other other country enough of an advantage to stage an attack and make much of a difference.

To have a real military-scale effect, it would need to be something that actually goes "boom" or at least lights a bunch of stuff on fire and caus

Re:

[dbialac]

Have terrorists/adversaries do a large coordinated set of calls throughout the country in the context I described. EMS will be tied up everywhere.

Re:

[DarkOx]

The point of such attacks on infrastructure at least initially would not be cripple production etc. That might come latter if a protracted shooting war actually develops - see Russia and Ukraine, but as far as the US goes it would be make response and containment of an initial attack less effective.

If you were going to deploy some bio-weapon, or strategic arms (ICBM) type attack you lead it by some hours with some infrastructure chaos. So everyone is running around like chickens with their heads off, tryi

Naaa

[gweihir]

They will just watch it crumble all by itself....

lie in wait?

[dfghjk]

""To lie in wait on those networks to be in a position to wreak havoc and can inflict real-world harm at a time and place of their choosing,"

Just like the US does, and every nation does. That's what national defense involves. The US "lies in wait" to "wreak havoc" and "inflict real-world harm" too, that's what weapons are for.

Don't forget that this guy is a Trump appointee and collaborator, and he's also a coward. I would fully expect China to have plans to attack the US, just as the US has to attack China. It's not news.

Re:

[technology_dude]

Jake Sullivan said the US has responded to the Volt or Salt Typhoon attacks. I guess we will never know what that means.

https://www.reuters.com/techno... [reuters.com]

Re:

[Zocalo]

A memo was sent. It might even have been strongly worded.

Re:

[waspleg]

Ah yes, whataboutism, the hammer for the nail of every wumao.

Where are all the "But China good!" posts? No crime, no pollution, nothing but benevolence everywhere - according to the CCP politburo.

Re:

[Ol Olsoc]

Ah yes, whataboutism, the hammer for the nail of every wumao.

Where are all the "But China good!" posts? No crime, no pollution, nothing but benevolence everywhere - according to the CCP politburo.

Gotta ask - what is a wumau?

Re:

[Alypius]

CCP-funded internet troll. It's part of the CCP's 50 Cent Party [wikipedia.org]

Re:

[Ol Olsoc]

CCP-funded internet troll. It's part of the CCP's 50 Cent Party [wikipedia.org]

Thanks - I learn something new every day!

Re:

[Brain-Fu]

In this case, "lie in wait" means "maintain a set of trojans on networks that control critical infrastructure, so we can take said infrastructure down when we want."

In essence, the attack has already happened and they already have bases in our territory. Their trojans are on our networks NOW. They are just hard to detect because they have not been ordered to cause harm yet. That's news because it means we are, right now, extremely vulnerable to devastating attacks.

And, there is something we can do about

Then WHY....

[Anonymous Coward]

Do you ALLOW THEM to connect to the US Internet? CUT OFF THE NATION. BAN ALL CHINESE IPs...

Re:

[bn-7bc]

No banning beeded just filter inbound bgp announcements from Chinese AS# way fewer filters to maintain

Re:

[snowshovelboy]

Won't fix it. They will hop on a plane and use the internet in their hotel.

Re:

[snowshovelboy]

Hi, welcome to the discussion. It is not hard to send a phishing email or control a botnet from hotel internet, which is what we are talking about.

What TF?

[drreid]

If all these intrusions are known why weren't they prevented/currently being mitigated? How does this guy still have his job?

STFU noob

[drinkypoo]

If all these intrusions are known why weren't they prevented/currently being mitigated? How does this guy still have his job?

First, that guy doesn't still have his job. He's on his way out the door.
Second, the FBI are police. That's it. They can't force utilities to secure their systems. In fact there is no government agency whose job it is to go around and do that. There's just the NSA, whose ostensible mission is to secure government communications but apparently spends most of their time spying on citizens, and NIST, which creates recommendations which nobody listens to even when they are supposed to because they are handling federal data.

This is indeed part of the FBI's job

[rapjr]

From the FBI's web site:

https://www.fbi.gov/investigat... [fbi.gov]

The FBI is the lead federal agency for investigating cyber attacks and intrusions. We collect and share intelligence and engage with victims while working to unmask those committing malicious cyber activities, wherever they are.

This is part of what they are supposed to be doing now, as well as counter-terrorism, instead of pursuing white collar fraud. So this press release is essentially telling us the FBI has failed at that job and that it is

Re: This is indeed part of the FBI's job

[drinkypoo]

Engage with victims does not mean forcing them to do things, HTH HAND

Re:

[MacMann]

They can't force utilities to secure their systems. In fact there is no government agency whose job it is to go around and do that.

While the FBI isn't equipped to enforce security on infrastructure there are federal government agencies that can at least lean hard on private corporations and state governments to ensure safety of electricity, water, fuel, roads, bridges, dams, etc.

I can give some examples on this. The Department of Energy can set standards on security for any utility or power plant that is connected to an interstate electrical grid. Locks, dams, reservoirs, and other water works would be regulated by the Department of

Re:

[penguinoid]

If we can't enforce internet security by normal means, maybe we should have the NSA do ransomware attacks on all those cheap assholes (think of it as a fine for bad security).

Re: STFU noob

[drinkypoo]

Honestly I'm here for that. For public corporations you could also have the SEC team them for not reporting risks like their incompetent security. But for a municipal utility I'm not sure what you could really do besides what you said. Sue them? That's just going to cost everyone money... I like your idea.

Re:

[Mirnotoriety]

> Go to your local store and look for something that doesn't say, "Made in China" or "Made in Vietnam". The latter has been used by China as a front to get around Tariffs. Investors in the US have left us incredibly vulnerable.

US companies were happy to invest in China. Apple, Boeing, Caterpillar, Ford and General Motors. That's why Detroit has become a wasteland.

Sure, Buddy.

[bill_mcgonigle]

Give it two weeks and his name will be mud.

The number of ops against innocent Citizens he's responsible for is a horrent.

One of their prostitutes is making the podcast rounds claiming that Al Qu'e'da, now ruling Syria with CIA's help, will unleash terror attacks simultaneous around the country. And if you question Building Seven you're one of them.

Guess what THEY plan to do in eight days...

greatest threat

[groobly]

"FBI Director Christopher Wray, in his final interview before stepping down, warned that China poses the greatest long-term threat to U.S. national security, calling it "the defining threat of our generation.""

Wait, wasn't it domestic right wing terrorists just a little while ago? Oh, but then it was Hitler assuming power and ending Democracy. It's really hard for me to keep up.

you fucking worthless traitors

[drinkypoo]

https://www.cnn.com/2021/01/08... [cnn.com]

The upside

[Ol Olsoc]

Making COMSEC a cost center task, great value was provided to the shareholders for a short time.

And the CEO just called, he says you better continue his children's access, or the whole department will be shut down. Gadammed Computer weirdos anyhow! 8^)

It will be used in 2 years when they invade Taiwan

[schwit1]

2027 is the expected invasion of Taiwan.

https://pjmedia.com/vodkapundi... [pjmedia.com]

"Communist China's People's Liberation Army (PLA) celebrates its centenary in 2027, the same year the CCP has indicated it will be ready to take Taiwan by force — and new satellite photos show that it could be prepared to cross the straits in force before then.

Before you accuse me of being a crazy person for somehow just knowing that Beijing — Xi Jinping, to be more exact — wants war in 2027, it isn't me. Two months a

AI

[TJHook3r]

As we transition over to AI and humans become more and more distanced from the products of their labour, the risk is not just that workers become dissatisfied but that we lose the institutional knowledge to do this stuff. We'll have machines we don't know how to fix should China ever decide to disrupt infrastructure. It might take years but the signs are already here - think offshoring but x100

Major attacks always have to build

[Tony Isaac]

For any kind of major attack to be successful, the attackers would have to do significant real-world testing. You can't just figure out how to take down an electric power station, and replicate it across the entire grid. Each uses differing technologies and would require different strategies and different software. In the process of testing the effectiveness of the digital weapon, they would have to perform smaller-scale tests. These would be noticed, and result in countermeasures.

So I don't buy that attack

Stole?

[Growlley]

you gave them most of it in pursuit of a $!

Who cares

[nehumanuscrede]

If the threat were truly as bad as they claim, they would be taking steps to mitigate the exposure of said i
nfrastructure ( via regulations and rules ) to prevent the attacks in the first place.

If they are not doing so, then this is simply more boogyman propaganda.

Similar to them boasting about the hundreds of terrorist attacks they thwarted last year but can't give specifics
on any of them because it's all classified :| ( aka: more propaganda )

Re:

[snowshovelboy]

Tell me why I should care. Russian and Chinese are perfectly useable languages.

Re: Trump will practically hand it to them

[drinkypoo]

Chinese is famously hardest to learn of the actually used languages. Many people can not get it at all, they are tone deaf. It's going to have to be machine translation, which is a surveillance state's wet dream.

Re:

[Alypius]

I actually thought Russian was harder. I only studied each for a couple of years, but getting Russian grammar right was a huge PITA (the genitive case is famously difficult). Mandarin was just...wildly different.

Re:

[drinkypoo]

I literally often cannot hear the difference between one word and another in Mandarin. It also has an antiquated alphabet which is simply inefficient. This is not to say English is all that great, it has a lot of weird problems, but at least it's possible for most people to learn.