Protecting America’s Critical Infrastructure: Who is ultimately responsible? Part 2.
In Part 1 of this series, we explored the evolution of America’s critical infrastructure protection efforts in the post-9/11 era - from the creation of the Department of Homeland Security and the issuance of PPD-21, to the more recent shift under National Security Memorandum 22. We examined how responsibilities have been divided between government and the private sector, which owns and operates most of the nation's critical infrastructure. The central takeaway: protecting that infrastructure is a shared, urgent imperative that must be addressed to become more resilient and to confront the current, fast-moving threat. In this second article, we move from policy to practice by analyzing some of the most impactful cyberattacks in recent years and asking why—despite their severity—many were dismissed by the public as mere “inconveniences.”
Cyber incidents and attacks: what’s the big deal?
It is striking that many Americans who are not involved with critical infrastructure protection do not really understand the scope and serious impact a cybersecurity incident or attack can have on our day-to-day way of life in the U.S. The reality is that unless you follow specific cybersecurity news outlets, podcasts, or blogs, you will rarely hear about a cyber incident or attack, and its impacts, in the mainstream media. Why is that? The answer is simple: there are no buildings on fire or collapsing, and no significant loss of life from a cyberattack; at least for now. It is only a matter of time before nation-state actors figure out ways to execute attacks with those kinds of consequences.
Probably one of the most widely covered cyberattacks reported by the media over the last few years was the Colonial Pipeline ransomware attack in 2021, in which the DarkSide ransomware group attacked Colonial Pipeline, forcing a shutdown of its 5,500‑mile pipeline that carries fuel from Texas to the East Coast. According to a case study published by INSURICA, the attackers gained access to Colonial Pipeline’s network through a compromised Virtual Private Network (VPN) password, which was possible, in part, because the system did not have multifactor authentication in place. That made entry into the VPN easier, since no additional step was required to verify the user’s identity, even though the compromised password was a “complex password.” In this case, the pipeline was shut down for about six days, and the company paid approximately $4.4 million in ransom, of which the Department of Justice later recovered about $4.2 million. Why did this stay in the news cycle for multiple days? The incident caused a major fuel shortage and panic buying across most of the East Coast.
However, many more incidents have taken place over the years with the potential for major consequences across multiple critical infrastructure sectors, including the transportation sector and others that have critical interdependencies with the maritime sub-sector, such as logistics and freight companies and other third-party service providers to ports.
The Current Maritime Threat Landscape
As U.S. maritime entities strengthen their cyber defenses to meet evolving U.S. Coast Guard regulations, hackers are not standing still. Instead, they are shifting tactics to target softer spots along the maritime supply chain. The good news: several Texas Gulf maritime organizations with advanced cybersecurity programs have reported year-over-year declines in direct cyberattacks against their own facilities. The bad news: hackers are bypassing those stronger defenses and going after third-party vendors and suppliers—partners that are deeply trusted in daily operations but often unregulated and less prepared.
The most common way in? Business email compromise. When hackers gain access to a single vendor’s email account, they can quietly gather sensitive information like logistics schedules, billing data, and even industry-specific terminology. With artificial intelligence tools, these attacks are becoming more convincing than ever. Hackers can now automate email collection, mimic the writing style of trusted partners, impersonate voices, and even use deep-fake technology to appear as someone you know in a virtual meeting. The reality is clear: hackers are adapting faster than regulations. While regulated maritime facilities are steadily improving their defenses, their third-party partners often remain the open door. Once hackers exploit that trust, they can disrupt operations, inflict financial losses, and even pose risks to national security. They also use these trusted relationships to launch broader campaigns, multiplying the damage from a single compromise.
Despite progress at MTSA-regulated facilities, significant gaps remain in policy and partnerships across the wider supply chain. Coast Guard regulations set requirements for regulated facilities, but many of the vendors, contractors, and small businesses that support maritime operations fall outside that oversight. This creates a patchwork of defenses—strong in some areas, weak in others—where hackers are quick to take advantage.
The challenge is not only regulatory. Smaller entities often lack the budget, staff, or expertise to maintain strong cybersecurity. Without clear policy frameworks or adequate support, these organizations struggle to keep pace with evolving threats. Just as concerning, information sharing between facilities, vendors, and government agencies remains inconsistent. Many companies are reluctant to report incidents, fearing reputational or financial harm. This silence leaves the broader maritime community blind to active threats. Hackers, meanwhile, count on this lack of coordination, recycling the same tactics against multiple targets with little resistance. Closing these gaps requires both smarter policy and stronger collaboration. Expanding cybersecurity standards to cover more of the supply chain, helping small businesses adopt baseline protections, and fostering trusted information-sharing partnerships across the maritime ecosystem are all critical steps. Without collective measures, even the best-defended facilities remain vulnerable through the weaker links that connect them.
This isn’t hypothetical. Chinese hacking groups, for example, are known for patience and precision. They often target U.S. supply chain vendors as stepping stones, using low-profile techniques that blend into normal business activity. Small maritime businesses, many of which act as third-party vendors, face particular risk. Lacking the resources to invest heavily in cybersecurity, they become prime targets for attacks that can quickly escalate from local disruptions to national consequences. For the maritime sector—one of the nation’s most critical lifelines—the question is no longer whether critical infrastructure facilities are strong enough, but whether the broader supply chain can hold the line.
Very sophisticated strategies: Who’s funding these efforts?
I will simplify this into two groups: criminal organizations and nation-state funded actors. Ransomware and the theft of proprietary information are a very profitable business; although there is no official figure, estimates for 2023 were about $1.1 billion. Then we have nation-state actors, which are sponsored by foreign governments like China, Russia, Iran, and North Korea. China specifically has been by far the most notorious threat to our critical infrastructure, and it is not shy about it; the PRC has multiple publications, like “Made in China 2025” and other documents, stating its intentions to target specific industries and critical infrastructure.
In January 2024, then CISA Director Jen Easterly told Congress that “…Chinese cyber actors, including a group known as “Volt Typhoon,” are burrowing deep into our critical infrastructure to be ready to launch destructive cyberattacks in the event of a major crisis or conflict with the United States. This is a world where a major conflict halfway around the globe might well endanger the American people here at home through the disruption of our gas pipelines; the pollution of our water facilities; the severing of our telecommunications; the crippling of our transportation systems—all designed to incite chaos and panic across our country…”
Volt Typhoon is focused on targeting U.S. critical infrastructure, especially telecommunications, internet service provider (ISP) core routers, and communications infrastructure, using “Living off the Land” techniques: instead of deploying custom malware, the intruder uses the administrative tools and credentials already present on the victim’s systems, so the activity looks like routine administration. I would compare “Living off the Land” techniques to a B-21 Stealth Bomber in the physical world; they are very difficult, and sometimes impossible, to detect.
After Volt Typhoon, other Chinese advanced persistent threats were discovered, including “Salt Typhoon” and “Flax Typhoon.” Salt Typhoon focused on the telecommunications sector for espionage, data exfiltration, and counter‑intelligence. Flax Typhoon used large botnets of compromised Internet of Things (IoT) and network devices for reconnaissance and intelligence gathering, as a potential pivot into more critical systems. All of the Typhoons consistently employed “Living off the Land” techniques, operating stealthily in pursuit of the PRC’s strategic objectives.
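Because “Living off the Land” activity uses the same built-in tools an administrator uses, a detector cannot rely on a malware signature; it has to combine a short list of risky tool-and-argument combinations with a baseline of who normally runs which tool on which host, and flag the first time an admin tool shows up somewhere it has never been seen. The following is an added example written for this article, not code from the authors, from CISA, or from any SIEM product. The log format (timestamp|host|user|parent|image|args), the hostnames, users and events, and the rule list are all constructed for illustration; a real deployment would feed it Windows process-creation events and a baseline built from weeks of known-good data.

```python
"""Flag living-off-the-land activity in process-creation logs (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    args: str


def parse_line(line: str) -> ProcEvent:
    """Parse one line of the constructed format ts|host|user|parent|image|args."""
    parts = line.rstrip("\n").split("|", 5)
    if len(parts) != 6:
        raise ValueError(f"malformed line: {line!r}")
    return ProcEvent(*parts)


def load(text: str) -> list[ProcEvent]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


# Illustrative rules: (image, substring that must appear in the lower-cased args, reason).
# An empty substring means any use of that image is worth a look.
RULES = [
    ("netsh.exe", "portproxy", "netsh port forwarding configured"),
    ("wmic.exe", "process call create", "remote process creation via WMI"),
    ("ntdsutil.exe", "", "direct access to the Active Directory database"),
    ("powershell.exe", "-enc", "encoded PowerShell command"),
]

# Built-in tools whose first appearance for a (host, user) pair deserves review.
ADMIN_TOOLS = {"netsh.exe", "wmic.exe", "ntdsutil.exe", "powershell.exe", "reg.exe", "schtasks.exe"}


def rule_hits(ev: ProcEvent) -> list[str]:
    return [why for image, needle, why in RULES
            if ev.image.lower() == image and needle in ev.args.lower()]


def build_baseline(events: list[ProcEvent]) -> Counter:
    """Count how often each (host, user, image) triple appeared during a known-good period."""
    return Counter((e.host, e.user, e.image.lower()) for e in events)


def is_novel(ev: ProcEvent, baseline: Counter) -> bool:
    return baseline[(ev.host, ev.user, ev.image.lower())] == 0


def triage(events: list[ProcEvent], baseline: Counter) -> list[tuple[ProcEvent, list[str]]]:
    """Return (event, reasons) for every event that trips a rule or is a first-seen admin-tool use."""
    findings = []
    for ev in events:
        reasons = rule_hits(ev)
        if ev.image.lower() in ADMIN_TOOLS and is_novel(ev, baseline):
            reasons.append(f"first use of {ev.image} by {ev.user} on {ev.host}")
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed known-good period: an administrator doing ordinary work on the admin workstation.
BASELINE_LOG = """\
2024-03-01T08:00:01Z|ws-017|svc_backup|services.exe|wbadmin.exe|start backup -backupTarget:E:
2024-03-01T08:05:12Z|ops-admin1|jsmith|cmd.exe|netsh.exe|interface show interface
2024-03-01T08:07:44Z|ops-admin1|jsmith|cmd.exe|ipconfig.exe|/all
"""

# Constructed review period: the same tools, but now on a router-management host at 2 a.m.
REVIEW_LOG = """\
2024-03-02T08:01:10Z|ops-admin1|jsmith|cmd.exe|netsh.exe|interface show interface
2024-03-02T02:13:09Z|edge-rtr-mgmt|jsmith|cmd.exe|netsh.exe|interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.0.5 connectport=443
2024-03-02T02:15:30Z|edge-rtr-mgmt|jsmith|cmd.exe|wmic.exe|/node:10.0.0.5 process call create cmd.exe
2024-03-02T08:00:02Z|ws-017|svc_backup|services.exe|wbadmin.exe|start backup -backupTarget:E:
"""

if __name__ == "__main__":
    baseline = build_baseline(load(BASELINE_LOG))
    for ev, reasons in triage(load(REVIEW_LOG), baseline):
        print(ev.ts, ev.host, ev.user, ev.image, "->", "; ".join(reasons))
```

Note what the baseline buys you: the benign netsh call on the administrator's usual workstation produces nothing, while the same account using netsh and wmic on a host it has never touched is flagged twice, once by the argument rule and once by novelty. Neither heuristic is conclusive on its own; the point is to surface routine-looking activity in an unusual place so an analyst can ask the administrator whether it was really them.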
Key Takeaways / Conclusion
- These hackers aren’t just stealing intellectual property—they’re building long‑term footholds in systems that could enable disruption or sabotage. For example, control over telecom/ISP routers could let an adversary interfere with communications, or hold that access in reserve for use in a conflict.
- The stealth (living‑off‑the‑land, rootkits, compromise of routers, botnets) means detection is hard; defenses must assume compromise is possible, not hypothetical.
- Because many of the targeted systems cross sectors (telecom, energy, utilities, transportation), a weakness in one can cascade into others (maritime ships connected via satellite/VSAT, ports connected via ISP backbone, etc.).
- Response needs visibility not just in one’s own network but upstream/downstream (service providers, vendors, infrastructure dependencies), since these groups exploit those connections.
- In the next issue, Part 3 of this series, we will discuss potential innovative frameworks for collaboration, information sharing, prevention, and response needed to counter the constantly evolving threat we confront and to enhance the resiliency of our critical infrastructure.
This article marks the second in a three-part series focused on one of the most pressing questions facing our nation. To read Part 1, click here.
About the Author

Julio R. Gonzalez
Sentinel Resilience Group
julio@sentinelrg.com

Larry Medrano
Maritime Cybersecurity & Threat Intelligence
Port of Corpus Christi Authority
lmedrano@pocca.com