Today, Andrew Scott, Associate Director for China Operations at CISA, drew more attention to the threat posed by China on critical infrastructure in a blog post.

The PRC is seeking the ability to disrupt the critical services that support the American people in the event of a geopolitical crisis or conflict, marking an alarming evolution in their tactics. Many critical infrastructure owners and operators either are small businesses themselves or rely on small business service providers and vendors to support their operations. This critical infrastructure is vital to ensuring the American people can rely on essential services, from water to energy, every hour of every day. The PRC aims to infiltrate those networks now in order to be ready to disrupt and degrade services at a later date, which makes the cybersecurity of critical infrastructure and small businesses a national security priority.

These threats are not theoretical; as Director Easterly said to Congress earlier this year, CISA teams have found and eradicated Chinese intrusions into critical infrastructure across multiple sectors, including aviation, energy, water, and telecommunications. Through their work, CISA knows that many small and medium-sized business (SMB) owners, including those operating in these sectors, are prime targets for PRC nation-state cyber actors. Some of these victims have limited cybersecurity capabilities and provide critical services to larger organizations or key geographic locations. And what we’ve found to date is likely the tip of the iceberg.

Actionable steps that SMBs can take to manage the potential risks:

1. Report Every Cyber Incident. Every victim of a cyber incident should promptly report it to CISA, every time. We use this information to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure. Cyber incident reporting helps us fill critical information gaps and allows us to rapidly deploy resources and help victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims. Reporting cyber incidents quickly and effectively may reduce harm and help expedite recovery for the victim.
2. Engage with CISA Proactively. CISA offers a range of cyber and physical services across our 10 regions. We recommend every critical infrastructure entity establish a relationship with its local CISA team. To contact your region’s office, visit CISA Regions | CISA.
3. Enroll in Vulnerability Scanning. Enroll in free services, particularly the Vulnerability Scanning program, to identify and repair vulnerabilities exploited by PRC cyber actors.
4. Leverage CISA’s Resources. CISA offers free tools and resources to help SMBs protect their people, customers and investments: Small and Medium Businesses | Cybersecurity and Infrastructure Security Agency CISA.
5. Resolve to Be Resilient. Committing to resilience means doing the work up front—whether at a personal or organizational level—to be ready. It also means anticipating, preparing, and putting plans and measures in place to better withstand and recover rapidly when an incident occurs.

The more than 33 million small businesses in the United States, comprising 99.9 percent of all U.S. firms, form the backbone of our economy. CISA is undertaking urgent action to shield these businesses from nation-state cyber threats. To learn more about CISA’s efforts around the PRC, visit cisa.gov/China. To access the full blog post, see CISA.