Under the Digital Radar: Defending Against People’s Republic of China’s Nation-State Cyber Threats to America’s Small Businesses

For years, the Cybersecurity and Infrastructure Security Agency (CISA) has worked to defend federal, state, local tribal, and territorial governments as well as our private sector partners from malicious cyber activities emanating from the People’s Republic of China (PRC). According to the latest annual report by the Office of the Director of National Intelligence, “China remains the most active and persistent cyber threat to U.S. Government, private sector, and critical infrastructure networks.” Recently, CISA and our U.S. Government partners have seen a troubling shift: PRC nation-state cyber actors are setting their sights on U.S. critical infrastructure with an eye toward future disruption.

We are deeply concerned that the PRC is seeking the ability to disrupt the critical services that support the American people in the event of a geopolitical crisis or conflict, marking an alarming evolution in their tactics. Many critical infrastructure owners and operators either are small businesses themselves or rely on small business service providers and vendors to support their operations. This critical infrastructure is vital to ensuring the American people can rely on essential services, from water to energy, every hour of every day. The PRC aims to infiltrate those networks now in order to be ready to disrupt and degrade services at a later date, which makes the cybersecurity of critical infrastructure and small businesses a national security priority.

These threats are not theoretical; as Director Easterly said to Congress earlier this year, CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors, including aviation, energy, water and telecommunications. Through our work, CISA knows that many small and medium-sized business (SMB) owners, including those operating in these sectors, are prime targets for PRC nation-state cyber actors. Some of these victims have limited cybersecurity capabilities and provide critical services to larger organizations or key geographic locations. And what we’ve found to date is likely the tip of the iceberg.

While the scale of the PRC cyber threat can seem overwhelming, there are actionable steps that SMBs can take to manage the potential risks. 

1. Report Every Cyber Incident. Every victim of a cyber incident should promptly report it to CISA, every time. We use this information to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure. Cyber incident reporting helps us fill critical information gaps and allows us to rapidly deploy resources and help victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims. Reporting cyber incidents quickly and effectively may reduce harm and help expedite recovery for the victim. 
2. Engage with CISA Proactively. CISA offers a range of cyber and physical services across our 10 regions. We recommend every critical infrastructure entity establish a relationship with its local CISA team. To contact your region’s office, visit CISA Regions | CISA.
3. Enroll in Vulnerability Scanning. Enroll in free services, particularly the Vulnerability Scanning program, to identify and repair vulnerabilities exploited by PRC cyber actors.
4. Leverage CISA’s Resources. CISA offers free tools and resources to help SMBs protect their people, customers and investments: Small and Medium Businesses | Cybersecurity and Infrastructure Security Agency CISA.
5. Resolve to Be Resilient. Committing to resilience means doing the work up front—whether at a personal or organizational level—to be ready. It also means anticipating, preparing, and putting plans and measures in place to better withstand and recover rapidly when an incident occurs.

But the burden of securing our infrastructure should not fall on SMBs alone. Technology underpins our nation’s infrastructure and economy—it provides the necessary connectivity to fuel innovation, ideas, production, and service delivery.  Unfortunately, much of our technology is dangerously insecure at the time of sale, enabling even the most basic cyber intrusions at speed and scale and putting us all at risk. That’s why technology manufacturers must assume responsibility for securing their products from the design and development phases. In line with the National Cybersecurity Strategy, CISA’s Secure by Design movement seeks to drive the adoption of the principles outlined here to ensure that technology products are designed and built in a way that reasonably protects against malicious cyber actors successfully exploiting product defects:

1. Take Ownership of Customer Security Outcomes. Technology manufacturers should make improving the real-world security posture of their customers a core business requirement and make the requisite investments in application hardening, application security features and application default settings.
2. Embrace Radical Transparency and Accountability. Technology manufacturers should share lessons learned and best practices to raise the standard of security in the industry. They should also be accountable to their customers through transparency regarding investments, pricing, features, components and security—as well as product defects and their root causes. We cannot manage what we can’t measure. 
3. Lead from the Top. While technical subject matter expertise is critical to product security, it is not a matter that can be left solely to technical staff. Quality and security are business priorities that must start at the top—and manufacturers should name an executive sponsor to influence product investment to achieve customer security outcomes.

The more than 33 million small businesses in the United States, comprising 99.9 percent of all U.S. firms, form the backbone of our economy. CISA is undertaking urgent action to shield these businesses from nation-state cyber threats. To learn more about CISA’s efforts around the PRC, visit cisa.gov/China. For more cyber and physical resources for SMBs, visit our Small Business Week page: Small Business Week | CISA.

Additionally, we hope you can join us on May 15 at 11:30am EDT for our CISA Live!  on LinkedIn Live: “People’s Republic of China Cyber Threats and What We Can Do."