CISA official Natarajan notes expanding list of cyberthreat sources, victims

Cyberattacks are being initiated by a growing number of entities and are being directed at an ever-expanding list of targets in both the public and private sectors, according to Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency (CISA).

Natarajan made the statements during his March 28 keynote address at the IWCE 2024 event in Orlando, in which he noted significant shifts in the cybersecurity landscape that CISA officials encounter today.

“We’re seeing a change in the adversary landscape, as well as a change in the victim landscape,” Natarajan said. “When we think about cybersecurity years ago, we focus on four nation states: China, Russia, Iran and North Korea. It was easier when we were dealing with the nation-state threat—there are rules-ish that folks tried to follow, and we understood our adversaries.

“Now, what we’re seeing is a promulgation of cyberterrorist and cybercriminal organizations. These are groups that don’t have rules; these are groups that are looking to make money; and these are groups that are willing to attack anyone.”

This reality has resulted in the need for all organizations—not just high-profile entities—to improve their cybersecurity and resilience capabilities, according to Natarajan.

“When we think about attacks in the past, we used to focus on large organizations, large business, big cities and big government agencies,” he said. “But I didn’t have to worry, if I was in the heartland. I didn’t have to worry, if I was a small business. I didn’t have to worry, if I was small school. Now, we’re seeing all of those types of organizations attacked.

“We’re seeing attacks against healthcare. When you think about, even in kinetic warfare—going back decades—you never bombed the tent with the Red Cross on it. Today, we’re seeing hospitals attacked with cyber incidents in the United States and across the world … Any entity—large or small, urban or rural—can be a victim of an attack. It’s not just a matter of ‘if,’ it’s a matter of ‘when.’”

With this in mind, Natarajan said that he believes that U.S. entities should change their mindsets when establishing cybersecurity strategies, emphasizing the importance of organizations being resilient enough to maintain operations, even in the face of a successful cyberattack.

“We need to move away, in cybersecurity, from the perspective that we’re going to prevent everything from happening and really try to focus on how we make sure that we’re able to maintain resilience and recover while we’re keeping order during a disaster,” Natarajan said.

While the sources of cyberattacks have expanded far beyond nation states, Natarajan said that the U.S. government has recognized the growing challenges of nation-state cyberattacks—particularly those coming from the People’s Republic of China (PRC).

“Director [Christopher] Wray of the FBI made a statement that, if he redirected 100% of his intelligence analysts and cyber analysts and focused them solely on the PRC, he would still be outnumbered 50 to 1,” Natarajan said. “That is what we’re up against in one nation state, much less what we’re facing more broadly across the board.

“We’re also seeing threat of not just attacking for intelligence purposes but truly attacking to disrupt the way of life for day-to-day Americans. We’re seeing the impact of pre-positioning on our nation’s critical infrastructure—living off the land, waiting to attack on a future day. They’re on our networks, with the potential to cause harm in the future.”

And these PRC implications are significant for the critical-communications world and the critical infrastructure entities it serves, Natarajan said.

“We know that they’re looking at our telecommunications sector; they’re looking at our communications infrastructure around the nation, as well as energy, transportation, water and other sectors,” Natarajan said.

“We also understand that there is great interdependency between the sectors. We need the energy grid to be resilient in order for telecommunications to [be effective]. We need the water sector to be resilient in order for health care to be delivered. So, we need to make sure that we truly understand the threat that we’re facing and taking the steps that we need to to build resilience across the nation.”

Natarajan encouraged IWCE attendees and others in the critical-infrastructure sector to utilize CISA resources, including documents outlining threats and potential mitigation measures, utilizing prioritized communications services like GETS and WPS, and leveraging technical assistance from the agency.

Notably, Natarajan urged entities to pay attention when CISA issues warnings and recommendations.

“If CISA calls you on a Friday night or a Saturday, take our call,” Natarajan said, noting that CISA notified 1,200 entities last year of ransomware threats.

“It really is an opportunity to get ahead of … these types of cyber events. We had a partner on the East Coast who did not take our call on a Friday night—the game was on, I’m guessing—and they called us on Saturday after they got encrypted [via malware].”