Sen. JD Vance, R-Ohio, is calling on the Cybersecurity and Infrastructure Security Agency (CISA) to provide more details on a People’s Republic of China (PRC) state-sponsored cyber actor – known as Volt Typhoon – which he says poses a national security threat.
In a May 10 letter sent to CISA Director Jen Easterly, Sen. Vance expressed his concern that U.S. critical infrastructure is “under attack” from Volt Typhoon.
“The impact from a full-scale Volt Typhoon attack on U.S. critical infrastructure would be devastating and could result in our nation being thrown into disarray at the exact time it is under military attack from foreign adversaries,” he wrote. “The consequences of a Volt Typhoon attack would presumably include a threat to the U.S. military by disrupting power and water to our military facilities and critical supply chains.”
CISA – along with the National Security Agency (NSA), FBI, and international cybersecurity agencies – first flagged cyber activity linked to Volt Typhoon in May 2023.
The agencies then issued a more urgent joint advisory – joined by the Department of Energy (DoE), Environmental Protection Agency (EPA), and Transportation Security Administration (TSA) – in February of this year.
That advisory called on all organizations to urgently implement a series of cybersecurity actions after discovering that Volt Typhoon compromised the IT environments of multiple U.S. critical infrastructure organizations – with the end goal of a future cyberattack.
The advisory explained that Volt Typhoon has maintained footholds in some victim IT environments “for at least five years.”
Cynthia Kaiser, deputy assistant director of the Cyber Division at the FBI, told reporters in February that the group is targeting major critical infrastructure – such as the electrical grid, water treatment plants, oil and natural gas pipelines, and transportation systems.
CISA then published a fact sheet in March that warned critical infrastructure leaders of the “urgent risk” posed by Volt Typhoon and provided guidance to bolster their cybersecurity posture.
Sen. Vance details this sequence of events in his letter, and then asks CISA for answers to several questions “to better understand this risk.”
Specifically, the senator wants to know how Volt Typhoon became embedded in U.S. critical infrastructure, what prompted CISA to go public earlier this year warning of the risk posed by Volt Typhoon, and how many critical infrastructure entities are impacted by Volt Typhoon.
Additionally, he wants to know what critical infrastructure sectors are impacted by Volt Typhoon, which sector risk management agencies has CISA worked with to do outreach to each sector, and how many individual network devices in the U.S. are impacted or potentially impacted by Volt Typhoon.
Perhaps most important, Sen. Vance also wants to know what strategies CISA and sector risk management agencies have named in response to the threat from Volt Typhoon.
The senator wants answers to his questions by May 24.