Volt Typhoon Archives | DefenseScoop
https://defensescoop.com/tag/volt-typhoon/
Fri, 11 Jul 2025 16:33:35 +0000

Senate panel pushing DOD on strategy to deter Chinese cyber activity on critical infrastructure
https://defensescoop.com/2025/07/11/senate-2026-ndaa-strategy-deter-chinese-cyber-activity-critical-infrastructure/
Fri, 11 Jul 2025 16:33:33 +0000
The Senate Armed Services Committee released a summary of its draft of the fiscal 2026 NDAA.

The post Senate panel pushing DOD on strategy to deter Chinese cyber activity on critical infrastructure appeared first on DefenseScoop.

The Senate Armed Services Committee is proposing legislation that would require the Department of Defense to develop a deterrence strategy against cyber activity on critical infrastructure.

The provision is part of the annual defense policy bill. The committee released a summary Friday, although the full text of the legislation won’t be released until a later date.

The executive summary of the bill only offers that a provision mandates “a strategy to reestablish a credible deterrence against cyberattacks targeting American critical infrastructure using the full spectrum of military operations.”

A senior congressional official who briefed reporters Friday on the condition of anonymity described the provision as an effort to identify the full scope of methods and full-spectrum options available to more effectively deter adversaries, particularly China, from attacking critical infrastructure, especially defense critical infrastructure.

An official noted the provision directs DOD toward what the department needs to be doing to more effectively establish a deterrent. Officials in open testimony have indicated a clear concern that Beijing, in particular, continues to attack critical infrastructure.

They singled out Volt and Salt Typhoon by name, noting they’re a growing and more aggressive threat in cyberspace to utilities and critical infrastructure that supports DOD.

Volt Typhoon is one of a number of cyber players from China that have been discovered in U.S. networks, troubling American officials. For its part, Volt Typhoon was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

China has become more brazen in intrusions and probes into U.S. and defense networks, particularly in maritime or port environments, potentially to limit an American military mobilization response if Chinese leaders decide to invade Taiwan.

Guam, a key U.S. military outpost, has been a top target for Beijing in recent years. Chinese hackers targeted critical infrastructure there, burrowing deep inside a couple of years ago and startling experts who referred to it as one of the largest cyber espionage campaigns against America.  

What has particularly alarmed officials regarding Volt Typhoon is the paradigm shift of Chinese threats moving from espionage and intellectual property theft to holding critical infrastructure at risk.

Salt Typhoon, by contrast, has been found inside networks of telecoms and other companies, likely for the purpose of espionage.

Cyber deterrence has been an elusive policy point for many years. While some academics have pointed to evidence cyber deterrence exists, such as U.S. hesitance to hit back against Russia following its malicious activity in the 2016 election for fear of America’s great digital vulnerability, current and past officials have noted the difficulties of deterrence and how adversaries don’t fear the United States in cyberspace.

Senators recently pressed the Trump administration’s nominee to be the top cyber policy official at DOD on the subject.

“There’s no price to pay for our adversaries. I hope in your counsels within the Defense Department and in the administration you’ll argue for a serious and substantial cyber deterrent stated policy. If it’s not stated, a deterrent doesn’t work,” Sen. Angus King, I-Maine, a fierce critic of perceived weaknesses in cyber deterrence, said at the May hearing.

For her part, Katie Sutton, President Donald Trump’s nominee to be assistant secretary of defense for cyber policy, wrote to senators as part of her confirmation process that a critical part of her role, if confirmed, would be to improve the nation’s defenses and digital deterrent.

“Deterrence is possible in cyberspace and can be made more effective through a combination of denial, resilience, and credible responses. If confirmed, I will review the capabilities we have in our toolkit, integrate military cyberspace capabilities with other tools of national power, and restore deterrence in the cyber domain. One of my core goals as ASD Cyber Policy will be to ensure the Department has the offensive and defensive capabilities and resources necessary to credibly deter adversaries from targeting the United States,” she wrote.

While Salt Typhoon was considered traditional espionage activity, which is virtually impossible to deter, especially given the United States does the same thing, officials are hoping to deter activity like Volt Typhoon in the future.

As Trump was coming back into power for his second term, officials associated with the transition and new administration vowed a top priority would be a more aggressive posture in cyberspace to respond to a bevy of activity against the U.S., namely from China.

National Guardsmen receive brief from Volt Typhoon utility victim at cyber exercise
https://defensescoop.com/2025/05/22/volt-typhoon-utility-victim-national-guard-cyber-yankee-exercise/
Thu, 22 May 2025 15:29:44 +0000
Cyber Yankee is a New England-focused exercise involving Guardsmen and utilities gaming cyber responses to critical infrastructure intrusions.

The post National Guardsmen receive brief from Volt Typhoon utility victim at cyber exercise appeared first on DefenseScoop.

For the first time at a New England-based cyber exercise, National Guardsmen recently received a threat briefing from a company that was compromised by a high-profile Chinese cyber actor.

Cyber Yankee, now in its 11th year, is a one-of-a-kind exercise that acts as a dry run of sorts in which members of the Guard in the six New England states work side-by-side with the private sector, utilities and other entities to protect critical infrastructure — which includes operational technology and industrial control systems — in a simulated attack.

A small utility in Littleton, Massachusetts, nearly 40 miles from Boston and roughly 20 miles from New Hampshire, was notified in 2023 by the FBI that it had been compromised by the Chinese entity dubbed Volt Typhoon.

Volt Typhoon is one of a number of cyber players from China that have been discovered in U.S. networks, troubling American officials. For its part, Volt Typhoon was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

What has particularly alarmed officials regarding Volt Typhoon is the paradigm shift of Chinese threats moving from espionage and intellectual property theft to holding critical infrastructure at risk.

Other high-profile threats include Salt Typhoon, which targeted and breached telecom companies.

Littleton Electric, Light, and Water Departments provided a briefing to the participants of Cyber Yankee this year during a “lunch and learn” event in what proved to be an eye-opening and educational experience for attendees.

“Volt Typhoon penetrated their network, had access to IT systems and potentially OT systems. That’s the type of thing that our exercise scenario is built around,” Lt. Col. Matthew Dupuis, exercise director for Cyber Yankee with the New Hampshire Army National Guard, said in an interview.

Officials said after that briefing, there was a noticeable shift to more of the military members focusing on the OT track of the exercise.

The briefing was new to Cyber Yankee this year and it was so useful, planners hope to have more companies with similar experiences do the same thing next year.

“It was great being able to hear that from real, live people,” Dupuis said.

The Guard is a critical resource for states and localities as the first responders to cyber incidents that affect critical infrastructure, which are becoming more frequent, with attacks on pipelines and water systems. When threat actors — from hacktivists to ransomware deployers to nation-states — compromise private critical infrastructure companies, the Guard often acts as a surge force when called up by the governor to aid in the remediation of threats on private networks.

Exercises like Cyber Yankee allow trust to be built between the Guard and private companies, who ultimately own the networks and have to invite Guardsmen to come in and help.

The operational technology of a water treatment plant differs from that of an electric power generator, a grid operator or a natural gas pipeline, so it is important for each sector and the government to come together through different tracks to rehearse and learn.

Cyber Yankee rotates every year, taking place in a different New England state. This year, it was held in New Hampshire May 5-16. By the end of the exercise, it saw almost 400 participants, which included 240 military, 20 government, 35 private industry — such as water, power and utilities — and 40 international partners from Albania, the Bahamas, El Salvador, Israel, Kenya, Paraguay and Uruguay.

While last year was the first iteration to introduce foreign partners, only a few actually played in the exercises as most observed. This year, the majority were slated to be active participants alongside their U.S. counterparts.

The scenario that plays out is unattributable cyberattacks against critical infrastructure in the New England region. Guard cyber forces are activated by governors to support the critical infrastructure companies with incident response.

“Everyone knows who our pacing threat is. China is our pacing threat, if you look at our strategic guidance from the president. China is an active threat, as we’ve learned from Volt Typhoon. We’ve seen Volt Typhoon [in] the news and the other ‘typhoons’, [including] Salt Typhoon,” Col. Cameron Sprague, deputy director for Cyber Yankee with the Connecticut Army National Guard, said. “This year’s scenario is focused on that peer, near-peer nation-state threats against United States critical infrastructure specific to the New England region.”

The exercise uses real-world scenarios and open source tactics, techniques, procedures and exploits to simulate as realistic an environment as possible for participants. It uses open source products purposefully to keep the event unclassified.

“We base the scenario on real world from an open source standpoint, so we can keep it completely unclassified because of the foreign, coalition partners that are here, as well as the civilians from [critical] infrastructure. That way, it allows us to have a good interaction without having to be concerned with security clearances. There’s enough open source material that’s very realistic for the scenario that allows us to do that training,” Col. Barry Groton, Unified Coordination Group lead for Cyber Yankee with the New Hampshire Army National Guard and one of the exercise’s founders, said. “We could do this at the [top secret] level, but it wouldn’t be the same. A lot of these utility folks, they do have some that have clearances, but it would just be really difficult … what happens at a utility that’s not classified.”

The companies find the exercise useful because it’s something that they can’t just go out and buy, officials said. They receive top-notch training that they can’t get anywhere else by partnering with the Guard as well as other companies in their sector.

For the Guard, it also aids in their homeland defense mission as a critical resource to the federal government.

The “National Guard [is] looking at the potential homeland defense mission in support of defense critical infrastructure, which the working definition of that is, critical infrastructure that supports military installations and military ability to project power and to have habitual relationships — and specificity with those particular nuances of the different utilities because it’s not generic,” Groton said.

From an active-duty military perspective, there has been growing interest in recent years. While last year was the first year the Space Force observed Cyber Yankee with a small contingent, this year additional guardians came.

Their interest is the operational technology aspect, as the Space Force’s cyber element focuses a lot on those types of systems.

DOD using Army tool to fulfill directive under AI executive order
https://defensescoop.com/2024/05/24/dod-using-army-panoptic-junction-tool-fulfill-ai-executive-order/
Fri, 24 May 2024 12:00:00 +0000
Panoptic Junction was chosen to pilot artificial intelligence capabilities for remediation of vulnerabilities in critical systems.

The post DOD using Army tool to fulfill directive under AI executive order appeared first on DefenseScoop.

A tool developed by Army Cyber Command is now serving as the Department of Defense’s solution to fulfill a key directive in President Joe Biden’s watershed artificial intelligence executive order.

That October 2023 EO, among many tasks, directed the secretary of defense to develop plans for, conduct and complete an operational pilot to “identify, develop, test, evaluate and deploy AI capabilities, such as large-language models, to aid in the discovery and remediation of vulnerabilities in critical United States Government software, systems, and networks.”

U.S. Cyber Command is leading that effort on behalf of the DOD and, in working with Army Cyber Command, designated its Panoptic Junction tool to fulfill that directive, officials from both organizations said.

PJ, as the tool is referred to, was initially developed in response to Army Cyber Command leader Lt. Gen. Maria Barrett’s early 2023 guidance to reduce complexity for the workforce, find ways to automate away tasks that are hard to get right and do that at scale, according to an Army Cyber Command spokesperson.

The command assembled a “tiger team” of cyberspace operations, artificial intelligence and machine learning experts from across the Army to analyze how to do that across the sprawling cyber mission space. That team eventually determined that automating key parts of the continuous monitoring process to enable detection of “living off the land” — a tactic where an actor uses legitimate tools organic to the systems for malicious purposes — would help the most while enabling the authorizers, system owners and cybersecurity service providers to have a continuously updated, common view of any given system’s current level of vulnerability, according to the spokesperson.

The effort was a partnership between the Army Cyber Command Technology and Innovation Center Lab, industry and Cybercom.

Upon evaluating PJ, Cybercom determined it would be a good fit for its response to Biden’s executive order.

“We leveraged our limited acquisition and laboratories and teamed up with an industry partner to develop a prototype,” Barrett said May 15 during the distinguished visitors day at Cyber Yankee 24, a National Guard exercise. “Our industry partner was able to develop this prototype for a very reasonable amount because they are using off-the-shelf AI systems … The key part of that last statement is this then means that future opportunities for industry partners to build and share critical analytics can be rapidly deployed.”

Booz Allen Hamilton is responsible for building the tool, according to Army Cyber Command, while the C5ISR Center is the “tool champion” and recipient.

According to Army Cyber Command — which stressed Cybercom is leading the overall project for the executive order and it will work through them on this effort — PJ is a prototype platform that, once productized, will revolutionize security monitoring of IT systems.

PJ’s primary goal is to enhance the detection of anomalous and malicious cyber activity — including living off the land — through scalable and continuous monitoring. It is seen as a significant step towards more effective digital security.

Living-off-the-land techniques have come into sharp focus with the May 2023 disclosure of a Chinese actor called Volt Typhoon. That threat has been found to have penetrated U.S. critical infrastructure systems at an unprecedented scale — over a year later, the government is still finding remnants — signaling a paradigm shift in China’s cyber actions.

While typically focused on espionage and intellectual property theft, Volt Typhoon has shifted the dynamic by now targeting critical infrastructure for the purpose of disrupting these services at the time and place of its choosing.

“Open-source reporting talks about this actor out of China who has access to our critical infrastructure and some of our key capabilities. Why? Not just for foreign intelligence collection, but to be able to do a couple of things: to foment terror within societal panic; to be able to deny our capability, our ability to surge or maneuver or fight in the time and place of our choosing; but also to gain a military advantage for China,” Maj. Gen. Lorna Mahlock, commander of the Cyber National Mission Force, Cybercom’s elite sub-unified command tasked with defending the nation from significant digital threats, said in April.

Several officials across the U.S. government have noted that there is no valid intelligence reason to be lurking in critical infrastructure systems such as water or power.

The PJ effort was started before Volt Typhoon was disclosed and living-off-the-land activities were not its original purpose. However, the working group adjusted PJ’s focus to include these techniques, shifting its test and assessment criteria to focus on Volt Typhoon-like behaviors in one of the two critical assessment scenarios, the Army Cyber Command spokesperson said.

The tool uses AI-driven, programmatic access to Enterprise Mission Assurance Support Service (EMASS), the platform for authorizing IT systems, and threat intelligence to identify what risks most apply to a specific enclave’s architecture. It delivers those priorities to a second set of AI-driven functions to conduct event log analysis and identify anomalies or malicious activity, the spokesperson said. PJ is novel in that it uses artificial intelligence to link EMASS with continuous cybersecurity monitoring tools.

“The Army requires the ability to continuously monitor ever-increasing numbers of IT systems to enable faster detection of malicious activity, rapid response, and comprehensive Vuln Management while reducing complexity for people,” they added.

Multiple assessment iterations kicked off in April and a final prototype is expected to be delivered in July.

Army Cyber Command taking key lessons on critical infrastructure defense at National Guard exercise
https://defensescoop.com/2024/05/20/cyber-yankee-army-national-guard-lessons-critical-infrastructure-defense/
Mon, 20 May 2024 17:38:36 +0000
Cyber Yankee provides key lessons for defending critical infrastructure, especially against sophisticated actors such as Volt Typhoon.

The post Army Cyber Command taking key lessons on critical infrastructure defense at National Guard exercise appeared first on DefenseScoop.

JOINT BASE CAPE COD, Mass. — An annual National Guard exercise known as Cyber Yankee helps demonstrate gaps in policy and partnerships — an initiative that’s proving useful for the Army’s active duty force, especially as it looks to combat threats to critical infrastructure.

“If we were to go back to 10 years when we started this, there were a lot of challenges working through what to do in this space. You have eliminated the gaps where law or policy or public private partnerships have stretched,” Lt. Gen. Maria Barrett, commander of Army Cyber Command, said May 15 during the distinguished visitors day at Cyber Yankee 24, which ran from May 6-17 at Joint Base Cape Cod.

Cyber Yankee, now in its 10th year, is a one-of-a-kind exercise that acts as a dry run of sorts in which members of the Guard in the six New England states work side by side with the private sector, utilities and other entities to protect critical infrastructure — which includes operational technology and industrial control systems — in a simulated attack.

Barrett noted that the exercises year after year have incrementally worked to take down barriers, further partnerships, and illuminate ideas, gaps and areas to change policies.

“Among the things that keep me awake at night is the resilience of our critical infrastructure, and particularly operational technology and industrial control systems, both on military installations and in the homeland,” Barrett said.

The Guard is a critical resource for states and localities as the first responders to cyber incidents that affect critical infrastructure, which are becoming more frequent, with attacks on pipelines and water systems.

“We have to be ready and our governors when the bad day happens, the first response local, and it’s going to be state and the governors are going to say, ‘What do I have? What resources do I have here in the state before the federal government gets here? What can we do now?’” Lt. Col. Tim Hunt of the Massachusetts National Guard and Cyber Yankee exercise director, told visitors. “One of those resources is the National Guard, so we have to be ready for this. That’s why Cyber Yankee [is important] and that’s why we’re here.”

The event simulated cyberattacks stemming from an unknown actor against critical infrastructure across all of the New England states, with the governors mobilizing the Guard to respond.

The goal is to build relationships with utility companies so that in the event of a real-world incident, there is trust among responders as the Guard will have to operate inside utility networks. These exercises lay the groundwork for the utilities to understand what the Guard can do and vice versa, helping illustrate that Guard members aren’t trying to go places within the network where they’re not supposed to be.

While the exercise had five fake utility companies, members of real utility companies served as role players of the CIOs at the fictional companies.

The exercise is of interest to the active duty component and Army Cyber Command given that it runs the largest portion of DOD’s network.

Army Cyber Command is also responsible for cyber operations within the Northern Command area of responsibility, which includes the U.S. homeland.

Of particular interest now is the Chinese actor Volt Typhoon, which was discovered inside U.S. critical infrastructure using a technique in the cybersecurity world dubbed “living off the land,” which means it’s using legitimate tools organic to the systems for malicious purposes.

What has particularly scared officials regarding Volt Typhoon is the paradigm shift of Chinese actors moving from espionage and intellectual property theft to holding critical infrastructure at risk.

“I would be remiss if I didn’t mention the biggest thing to hit the cybersecurity landscape since you all gathered for Cyber Yankee a year ago, and that is what we are seeing happening [with] Volt Typhoon,” Barrett said.

“What got everyone’s attention is the seeming paradigm shift from cyber exploitation and traditional military targets or industry targets for foreign intelligence or espionage … to a new set of targets — aviation, water, energy, transportation. In other words, our critical infrastructure,” she added, noting that this actor will just sit and lurk with the purpose of disrupting these services at the time and place of its choosing.

In fact, there was a simulated actor within the exercise to replicate, as close as possible, Volt Typhoon.

At its initial instantiation, U.S. Cyber Command and its subordinate units, such as Army Cyber Command, were focused on Internet Protocol-based networks. However, Army Cyber Command in particular in recent years has worked to get more into the operational technology and ICS space.

Events like Cyber Yankee “inform what we’re doing at Army Cyber … [and] the mission that consumes easily 80% of my time, resources and people is operating and defending the Army’s portion of the DOD Information Network. The Army’s network is 1.2 million people spread across 288 posts, camps and stations. It is the DOD’s biggest network if you count both on premises and cloud,” Barrett said. “We are converging these networks, not just to get efficiencies … but really to substantially improve our resilience against an advanced persistent threat like Volt Typhoon.”

Army Cyber Command also must set the theater for the combatant commands it supports, meaning it must enable them to transition swiftly from crisis to conflict should deterrence fail.

Army Cyber Command has additionally placed a greater emphasis on hunting methodology in order to identify living-off-the-land techniques. Barrett noted that recently, following Russian cyber events, it had two of its high-end defensively oriented cyber protection teams focused on industrial control systems.

More broadly, the command’s cyber protection brigade is working more closely with others to defend hydroelectric power plants and supply depots, with specialized training to defend industrial control systems.

This work is building toward the recent decision that Army Cyber Command is the organization in charge of the Army’s operational technology. Officials are in the process of presenting to senior leadership how the command will do that.

“This will enable us to move from the episodic CPT engagements on critical infrastructure to something that is more enduring, [with] continuous monitoring that is absolutely necessary in order [stay ahead of] a persistent threat,” Barrett said.

She noted that when U.S. Cyber Command was first created, it was focused primarily on nation-state threats. However, digital threats are much more pervasive now with both nation-state and independent actors executing ransomware attacks.

State Partnership Program

This was the first year in which international partners participated in Cyber Yankee.

The State Partnership Program was started at the conclusion of the Cold War and pairs state National Guard units with other nations’ militaries.

Cyber Yankee 24 saw participation from the Bahamas, Cyprus, El Salvador, Israel, Japan, Kenya, Latvia, Montenegro, Paraguay and Uruguay.  

Additionally, outside of the New England states, members from the Michigan, New Jersey and Maryland Guard units participated. This was also the first year that members of the Space Force joined in the event.

“We think that’s really great because when we go on engagements in these countries and we’re talking about cyber, some of the things that they’re most interested in is the United States, what we call whole of government. And really with this it’s expanded to kind of whole nation because we’re doing public and private,” Hunt said during a media engagement May 8. “They’re really interested in that how we worked with the military, with the Department of Homeland Security, with our private industry, how we work together in this industry, or in this field of cyber. That’s something that our foreign partners are really interested in learning about. And … we’re really interested in learning about how do they do things in their country or what has been their experience — because learning from each other is really the key of the State Partnership Program.”

The program was lauded for the role it played in helping Ukrainians counter Russia’s invasion of their country, based on the support and training that troops had received. The benefit, officials have said, is that relationships and trust are built and maintained long before crisis or conflict occurs.

“It all starts with … Lt. Smith and a lieutenant from Kenya or whatever country meeting each other in person, breaking bread together, training together and just getting to know each other,” Hunt said. “In 10 years, when those two officers are now majors or lieutenant colonels, they know each other, they have a relationship and they have trust.”

He noted that cyber knows no bounds and what happens overseas will likely affect the continental U.S. and vice versa. Working together and learning from each other is mutually beneficial and makes each partner stronger.
