Friday, March 21, 2025

Volt Typhoon: The Cybersecurity Industry Effect on Critical Infrastructure

The increasing interconnectedness of operational technology (OT) and information technology (IT) is exacerbating U.S. infrastructure vulnerabilities to state-sponsored cyber-attacks. Imagine a hypothetical scenario in which the People’s Republic of China (PRC) invades Taiwan, aiming to seize the island and its crucial semiconductor production. The U.S. Navy mobilizes its carrier groups to defend Taiwan and deter a Chinese takeover. Simultaneously, cyber sabotage cripples infrastructure on U.S. territorial and allied islands, impacting power and water on key bases and delaying the U.S. Navy’s deployments, which, in turn, jeopardizes the Department of Defense’s (DoD) ability to effectively aid Taiwan. Shortly after, the National Security Agency (NSA) reveals Volt Typhoon is the PRC-supported cyber actor group behind the sabotage. But it is too late. The People’s Liberation Army Navy (PLAN) Marine Corps have made landfall, established a logistics beachhead, and now occupy Taipei City. This is not an unrealistic scenario.

The PRC has gained persistent access to critical U.S. infrastructure through Volt Typhoon. This spells disaster for private firms, which control the majority of the U.S. power and water sectors. Since mid-2021, the group has targeted and exploited IT and OT devices to leverage them in future crises.1 To counter this threat, the U.S. government must proactively strengthen private sector cybersecurity by increasing the talent pool of the IT and OT defensive workforce, which has diminished over time. It must also streamline standards to foster core competencies for this workforce. Finally, it must provide funding in key areas to ensure the proper safeguarding of critical infrastructure.

The PRC maintains a cyber offensive program larger than every other nation combined.2 The PRC effort is fifty times larger than the cybersecurity workforce of the Federal Bureau of Investigation (FBI).3 The former FBI director, Christopher Wray, believes PRC endeavors to leverage Volt Typhoon as part of a larger, whole-of-government approach to undermining the U.S.’s influence in the world.4 Other PRC-sponsored cyber hack groups which fall under this strategy include Salt and Flax Typhoon. Salt Typhoon is the group responsible for hacking telecommunications companies, and targeting select law enforcement and political figures.5 Flax Typhoon was a similar attack to Volt Typhoon, using the same tactics with botnets against Taiwanese infrastructures.6 Flax Typhoon and Salt Typhoon were reported in September and October of 2024, respectively.

In May 2023, Microsoft revealed its initial discovery of Volt Typhoon.7 In February 2024, the Cybersecurity and Infrastructure Security Agency (CISA), NSA, and FBI, as well as other agencies and international partners, co-authored a Joint Cybersecurity Advisory (CSA) report. This report detailed tactics which Volt Typhoon used to exploit private sector IT and OT network vulnerabilities as far back as mid-2021.8 The report also detailed key areas in which network defenders can mitigate attacks and hunt for hackers.

The Volt Typhoon hackers use a stealthy cyber infiltration tactic called living-off-the-land (LOTL) to gain initial access, maintain a persistent presence, and conduct reconnaissance of a network. LOTL attacks do not use many third-party tools during intrusion in a network. Instead, they use commands native to Microsoft software and can go months before detection.9 Detection is difficult because network defenders typically search for different signals–such as malware–to hunt hackers. LOTL attacks target edge devices such as routers, firewalls, and virtual private networks (VPNs). From there, hackers can access credentials of key personnel in networks without detection, which enables disruption of operational technologies (OT) related to other critical sectors, including telecommunications, energy, transportation systems, water, and wastewater.10

The February 2024 CSA revealed eight key tactics, techniques, and procedures (TTPs) employed by Volt Typhoon to gain and maintain access in networks. To gain access, the actors use multi-hop proxies, which are usually multiple virtual private servers (VPSs), to obfuscate their access. They also target zero-day vulnerabilities, or flaws in software of which a developer is completely unaware.11 They gain initial access through public-facing edge devices to conduct reconnaissance for further vulnerabilities.12 During this reconnaissance period, the actors exploit software glitches to gain limited privileges, such as “flooding” a password field or finding insecurely stored passwords.13 In addition, Volt Typhoon avoids detection by blending in with normal network traffic. The actors follow operational TTPs, working only during a victim’s observed office hours to avoid detectable anomalous activity. They also observe other user behaviors and delete specific system logs.14 The reconnaissance usually involves dumping data by snapshotting files with normal Windows commands an administrator would not look for.15 Next, Volt Typhoon seeks to gain more credentials to heighten their access into a system, targeting as many IT-OT connections as possible. They perform data discovery, map networks, and take snapshots using native commands. Once they extract a large number of files, Volt Typhoon actors use software to crack user credentials like passwords. The techniques vary in sophistication, from more simplistic brute force decryption, to highly complete rainbow tables, which leverage a cryptographic hash function.16 Once the hackers gain elevated credentials, they use remote desktop clients to target many users in a network to gain as much access as possible to OT devices.

The CSA warned that this access enables manipulation of “heating, ventilation, and air conditioning in server rooms,” as well as controls for water, energy, and even camera surveillance systems.17 This IT-OT access is known as lateral movement. It enables the PRC’s pre-positioning within OT device systems for collection and sabotage of critical infrastructure.

To imagine the implications of Volt Typhoon’s cyber effects on U.S. military operations, consider the U.S. Territory of Guam. Guam is a key island territory and the furthest projection of U.S. power within the Indo-Pacific region, enabling assurance of key U.S. allies such as Japan, South Korea, and partners like Taiwan.18 Operations on air and naval bases enable fuel storage, surface and subsurface vessel repair, and a first stop for expeditionary island-hopping marine campaigns; potential future uses include a base for maritime surveillance aircraft, missile defense systems, and cutting-edge electronic warfare systems.19

As an under-developed territory, Guam is vulnerable to cascading effects across critical infrastructure sectors, such as power and water. Military forces there rely heavily on a civilian electrical grid run by Guam Power Authority (GPA).20 The GPA has long-term goals to fully diversify its energy sales to renewable resources like solar and wind by 2045.21 This could mitigate its reliance on imported fossil fuels like diesel, which accounts for 80% of its power generation.22 While the GPA is considering alternatives such as small modular nuclear reactors, natural disasters have left the territory vulnerable to outages and impacted upgrades.23 This lack of redundant power generation options places Guam at great risk. For example, Typhoon Mawar in mid-2023 caused widespread infrastructure damage, and 98% of customers lost power.24 As GPA’s single largest customer, Guam Waterworks Authority (GWA) was impacted the most,25 which led to contaminated drinking water across the island.26

Guam’s history of natural disasters causes additional vulnerabilities during times of geopolitical tension. Even a smaller scale natural disaster could be amplified by cyberattacks against the power grid. Furthermore, Guam is within the range of the PLA’s nuclear-capable ballistic missiles.27 The PRC could launch a pre-coordinated attack that hybridizes cyber and kinetic strikes to capitalize on IT-OT cyber and environmental vulnerabilities. This would take Guam’s strategic utility in defense of Taiwan completely out of commission. Both the private sector and DoD present a soft target to the PRC, and network defenders must be more vigilant as a result.

IT-OT interconnectedness is key to network defenders’ situational awareness in the energy sector.28 OT devices include industrial control systems (ICSs), programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and human machine interfaces (HMIs).29 All of these OT devices provide access to plant equipment, facilities, and buildings. Energy sector OT devices enable the efficient human control of power generation, transmission, and distribution.30 Increasing connections between IT, OT, and legacy physical access control systems (PACS) enable visibility into the performance and security of an electric grid. With real-time and near-real-time access to aggregate data from various OT devices, managers and security personnel can respond to anomalies such as power fluctuations, and map and analyze outage sources.31

Volt Typhoon possesses a wide array of tools, which necessitates better situational awareness from network defenders. The co-authors of the CSA noted “many organizations lack security and network management best practices,” complicating defenders’ ability to “conduct behavior analytics, anomaly detection, and proactive hunting.”32 Experts in a discussion of Volt Typhoon’s tactics emphasized that proactive “threat hunting” is necessary.33 Cloud Range, a company specializing in cyber defense training for military and government personnel, hosted a discussion with U.S. Air Force and IBM cybersecurity experts. To counter LOTL tactics, speakers recommended finely scoped queries targeting system event logs, filtering for specific native Microsoft commands, and looking for proxy systems.34 Dr. Duane Dunston, Senior Adversarial Engineer of Cloud Range, suggested training must be equally proactive.35 He noted that defenders are typically not familiar with LOTL attacks, and that there must be a “back to basics” approach to OT. He added that instructors should create a mock environment for cybersecurity students, perhaps preparing them for better detection of network traffic anomalies.36 He is not alone; experts at Georgetown University have argued that cyber training must be equipped with “real OT boxes,” which are hardware and software modifications from ICS and SCADA manufacturers.37 Such modifications build foundations for a realistic training environment.
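The difference between a broad keyword search and the "finely scoped" event-log query recommended above can be shown on a handful of records. The following Python sketch is an added example, not code from the CSA, the webinar, or the author; the event records, host and user names, baseline, and rule names are constructed, and the command patterns are commonly documented uses of native Windows utilities chosen as assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: Windows process-creation records (Security event 4688 with
# command-line auditing) and one audit-log-cleared record (event 1102).
# Hosts, users, times and arguments are invented for this example.
EVENTS = [
    {"id": 4688, "time": "2025-03-03T10:14:02", "host": "DC01", "user": "svc_backup",
     "cmd": "vssadmin list shadows"},
    {"id": 4688, "time": "2025-03-03T10:41:37", "host": "DC01", "user": "jdoe",
     "cmd": 'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\x" q q'},
    {"id": 4688, "time": "2025-03-03T11:02:10", "host": "HMI-GW", "user": "jdoe",
     "cmd": "netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.20.0.5"},
    {"id": 4688, "time": "2025-03-03T11:05:55", "host": "WS-114", "user": "asmith",
     "cmd": "netsh wlan show profiles"},
    {"id": 4688, "time": "2025-03-03T11:30:00", "host": "DC01", "user": "svc_backup",
     "cmd": "vssadmin create shadow /for=C:"},
    {"id": 1102, "time": "2025-03-03T11:48:19", "host": "HMI-GW", "user": "jdoe", "cmd": ""},
]

# Broad query: any mention of a native tool. Catches routine administration too.
BROAD = re.compile(r"\b(ntdsutil|vssadmin|netsh|wevtutil)\b", re.I)

# Scoped rules: tool AND the specific sub-command that matters to a hunter.
# Rule names are hypothetical labels for this example.
RULES = [
    ("ad-database-copy", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("shadow-copy-create", re.compile(r"\bvssadmin(\.exe)?\b\s+create\s+shadow", re.I)),
    ("port-proxy", re.compile(r"\bnetsh(\.exe)?\b.*\bportproxy\b\s+add", re.I)),
    ("log-clear-cmd", re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I)),
]

# Baseline of (user, host, rule) combinations the organisation expects to see,
# e.g. the backup service account creating shadow copies on the domain controller.
BASELINE = {("svc_backup", "DC01", "shadow-copy-create")}


def broad_hits(events):
    """Tool-name keyword search: high volume, mostly legitimate activity."""
    return [e for e in events if e["id"] == 4688 and BROAD.search(e["cmd"])]


def scoped_hits(events, baseline=BASELINE):
    """Return (time, host, user, rule) for scoped matches outside the baseline."""
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] == 1102:  # the Security log was cleared: always worth a look
            findings.append((e["time"], e["host"], e["user"], "audit-log-cleared"))
            continue
        if e["id"] != 4688:
            continue
        for name, pattern in RULES:
            if pattern.search(e["cmd"]) and (e["user"], e["host"], name) not in baseline:
                findings.append((e["time"], e["host"], e["user"], name))
    return findings


def correlate(findings, min_rules=2):
    """Prioritise accounts that trip several distinct rules in the window."""
    by_user = defaultdict(set)
    for _time, _host, user, rule in findings:
        by_user[user].add(rule)
    return {u: sorted(r) for u, r in by_user.items() if len(r) >= min_rules}


if __name__ == "__main__":
    print("broad hits :", len(broad_hits(EVENTS)))
    for finding in scoped_hits(EVENTS):
        print("scoped     :", finding)
    print("prioritise :", correlate(scoped_hits(EVENTS)))
```

On this sample the broad search returns five records, most of them routine, while the scoped rules with a baseline leave three findings that all trace to one account across two hosts.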

Beyond updating training methodologies, the digital workforce is in urgent need of new entrants with unique qualifications. Across the world, the cybersecurity skills gap has grown wider, with job vacancies rising by 19% from 2023 to 2024.38 A 2024 survey of over 15,000 global professionals revealed 90% of organizations lack the cybersecurity talent required.39 The report emphasized on-the-job training and professional development to respond to each organization’s unique requirements.40 As IT-OT interconnectedness evolves, industries will progressively adopt more smart technologies and the Industrial Internet of Things (IIoT) devices. Furthermore, organizations will increasingly diverge in what they ask of cybersecurity professionals, driven by differences in technological upgrades, adopted standards, and workplace culture. This means employers must bolster specialized training cadres. Institutions must also emphasize basic problem-solving skills to foster a more adaptive and resilient cybersecurity force.41

To combat the workforce gap, Congress has introduced new legislation. In September 2024, the House of Representatives introduced the Providing Opportunities for Technical Training to Build a Skills-Based Cyber Workforce Act of 2024 (Cyber PIVOTT). This legislation lowers the barrier of entry for professionals interested in changing careers in network defense. It offers full-scholarship programs at two-year community colleges and trade schools, but new graduates would need to commit at least two years of public service in a cybersecurity position.42 The Cyber PIVOTT act targets both young citizens interested in the field, as well as professionals who seek to divert their career’s vector to serve their country in a different manner. The goal is to create 10,000 jobs.43

Still, even if Congress passes it, the Cyber PIVOTT Act’s goals would not close the workforce gap in personnel, training, or experience needed. There are currently 500,000 vacant cybersecurity positions in the U.S.44 Despite maintaining the world’s largest cybersecurity workforce, the U.S. dropped in job postings by 3% from 2022-2024.45 Applicants do not possess experience with new security frameworks. For example, zero trust–which requires continuous authentication of all users across a network–is cited as the greatest shortfall in the military.46 Additionally, a 2023 analysis of IT-OT cybersecurity postings on job aggregator sites showed 82% of employers require employees with a Bachelor’s Degree, and 77% require at least three years’ experience.47 The authors also noted that the average OT cybersecurity position requires 7.9 years of experience in IT or OT.48 Simply stated, the Cyber PIVOTT Act endeavors to generate an entry-level workforce where entry-level positions do not exist.

In spite of current workforce gaps, the CSA provides concrete guidance for the current IT-OT professionals. This guidance begins with IT defenders. First, harden the attack surface. This includes keeping edge devices patched, following hardening guidance, soliciting third-party vulnerability assessments, and replacing old, out of date equipment.49 Next, IT defenders should secure their data, including storing credentials logs through encrypted means, separating user accounts, limiting remote access services, and auditing all remote access.50 Finally, IT defenders should implement network segmentation, secure cloud assets, and maintain vigilance of all third party software.51

The CSA offered only one set of recommendations for OT defenders, as they have a more difficult job due to older equipment, which is often unsegmented and unencrypted.52 A comprehensive vulnerability assessment in 2019 revealed 438 vulnerabilities in ICSs, nine percent of which enabled unencumbered lateral movement from IT to OT devices.53 In order to mitigate these vulnerabilities, the advisory recommended OT defenders implement strict operating procedures for personnel, strengthen passwords, and deny connections to OT networks by default. Finally, they should implement a frequently patched firewall and a demilitarized zone (DMZ) that acts as a bottleneck, exposing all traffic attempting IT-OT lateral movement.54 These recommendations are best implemented together, rather than piecemeal. Because of this, other authors have recommended both IT and OT defenders develop comprehensive upgrade and maintenance plans year-round.55

All of these recommendations are expensive. Large and small firms alike must hire personnel to collectively fill the 500,000 workforce gap. They must also pay for assessments, plan maintenance and upgrade schedules, and provide professional development opportunities for both IT and OT defenders. Therefore, the U.S. government can stimulate private sector investment in specific areas to incentivize firms to be proactive.56 In DoD, the Small Business Cybersecurity Act of 2024 awards tax credits to small firms which comply with newer National Institute of Standards and Technology (NIST) standards.57 The tax credit deducts thirty percent of their spending to reach a compliant state, up to a maximum of $50,000.58 Yet these incentives are only available after the firms spend the funds. Small businesses involved in modernization of DoD operations, such as automating flight lines, often live day-to-day. Some have reported needing to refinance their home loans to cover the input costs.59 These costs can include such expenses as personnel, travel, and advertising.

The complicated interconnectedness of critical infrastructure calls for risk management standardization which is difficult, and federal leaders have had implementation problems downstream. The Government Accountability Office (GAO) identified many areas where CISA is not leading the private sector, such as with the National Critical Functions (NCF) set. This framework identifies 55 critical functions of government, across all infrastructure sectors.60 The functions are separated into four categories: connect, distribute, manage, and supply. If Volt Typhoon succeeded in disrupting or corrupting them, it would have a crippling effect on national security.61 However, GAO reported in 2022 that CISA failed to propagate or explain the NCF set to federal and nonfederal stakeholders.62 The NCF set is a simple list of core infrastructure roles, which are sector-agnostic, but mention specific functions of the sectors. Examples include “operate core network,” “distribute electricity,” and “supply water.”63 GAO reported not only that CISA failed to disseminate this information, but did not “understand” how to incorporate the NCF functions into a grand strategy for critical infrastructure defense.64

Other complications arise with cybersecurity frameworks. Two examples of standards include the MITRE ATT&CK mapping and NIST’s Cybersecurity Framework (CSF). These frameworks compete with each other, and do not currently align. While 80% of companies follow MITRE ATT&CK, all infrastructure sectors follow the CSF.65 The two frameworks have different philosophies, but may not answer the cybersecurity environment’s current problems. These problems are that the adversary is more agile, more innovative, and more flexible in comparison to larger firms like Microsoft. An alternative, more proactive, more intuitive, and simpler approach is a risk-based approach, which only 23% of organizations currently apply.66 There are three common themes to risk-based approaches: risk quantification, prioritizing by vulnerability, and analyzing exposure of specific nodes of a network.67 Results for these companies show that by adopting a simpler, more comprehensive strategy to cybersecurity assessments, firms can respond more quickly to threats.68 They can also release their personnel from a slower-paced “check-the-box” mentality, as well as forget about staying up to date with compliance frameworks. These frameworks are updated multiple times a year, and often only focus on responding to a threat after it is inside a network. By adopting a simpler, more proactive approach, cybersecurity professionals can also stay relevant with both NIST CSF and MITRE ATT&CK.69

The U.S. government may see dividends from a more straightforward policy. As Falsone, Brennan, and Lemieux of Georgetown University recommended, this would “harmonize the dizzying array of cybersecurity and technical standards into a single framework.” As previously mentioned, these frameworks and standards confuse even CISA, according to the GAO in 2022. Such a tactic may have been employed in February 2025, when President Trump repealed the previous administration’s artificial intelligence (AI) policy.70 The Trump Administration appears eager to innovate by removing similar compliance-based approaches, and abstaining from dictating AI governance policies at the time of this work.

The convergence of IT and OT systems within U.S. critical infrastructure sectors presents an escalating cybersecurity challenge. Volt Typhoon exposes the cyber vulnerabilities of essential sectors, specifically power and water in the scenario depicted here. While the U.S. government has taken steps to address these threats, such as issuing detailed advisories, and proposing legislation like the Cyber PIVOTT Act, there remain significant gaps in workforce readiness, framework standardization, and private sector investment and entry level hiring. Addressing these challenges requires a multi-pronged approach that balances proactive threat hunting, realistic cybersecurity training with a focus on practical problem-solving and OT systems. It requires more serious incentives for private sector investment, exploring subsidies and funding opportunities, and streamlining complicated and often conflicting cybersecurity frameworks. Finally, a more unified, risk-based approach is crucial for bolstering U.S. critical infrastructure resilience against evolving cyber threats.

The author is responsible for the content of this article. The views expressed are the author’s own and do not reflect the official policy or position of the United States Air Force, the Department of Defense, the National Intelligence University, the Office of the Director of National Intelligence, the U.S. Intelligence Community, or the U.S. Government.

Endnotes 

  1. Microsoft, “Volt Typhoon Targets U.S. Critical Infrastructure with Living-off-the-Land Techniques,” last modified May 24, accessed February 14, 2025, https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
  2. Christopher A. Wray, “Director Wray’s Opening Statement to the House Select Committee on the Chinese Communist Party,” Federal Bureau of Investigation, last modified January 31, 2024, accessed February 17, 2025, https://www.fbi.gov/news/speeches/director-wrays-opening-statement-to-the-house-select-committee-on-the-chinese-communist-party
  3. Ibid.
  4. Ibid.
  5. Chris Jaikaran, “Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications,” Congressional Research Service, November 15, 2024, https://crsreports.congress.gov/product/pdf/IF/IF12798. 
  6. Ibid.
  7. Microsoft, “Volt Typhoon Targets U.S. Critical Infrastructure with Living-off-the-Land Techniques.”
  8. Joint Cybersecurity Advisory (CSA), “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency; National Security Agency; U.S. Department of Justice, Federal Bureau of Investigation; U.S. Environmental Protection Agency; U.S. Department of Homeland Security, Transportation Security Administration; Australian Government, Australian Signals Directorate, Australian Cyber Security Centre; Canadian Communications Security Establishment, Canadian Centre for Cyber Security; New Zealand National Cyber Security Centre; and United Kingdom National Cyber Security Centre, February 7, 2024, https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf.
  9. “Analysis of Volt Typhoon Attack: A Discussion on Securing Critical Infrastructure Webinar,” Cloud Range, video, 43:45, https://youtu.be/Tjow_idtAvk?si=xs1jhIxKrj-eRXNF
  10. CSA, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure.” 
  11. Ibid, 9. 
  12. Ibid, 6-7.
  13. Ibid, 7.
  14. Ibid, 6, 10.
  15. Ibid, 7.
  16. Ibid, 8.
  17. Ibid, 9.
  18. Andrew Tilghman, “Guam: Defense Infrastructure and Readiness,” Congressional Research Service, September 13, 2023, https://crsreports.congress.gov/product/pdf/R/R47643.
  19. Ibid.
  20. Ibid.
  21. Chrissy Scarpitti and Phil Voss, “Guam: 2023 Energy Baseline Report,” National Renewable Energy Laboratory, accessed February 17, 2025, https://www.nrel.gov/docs/fy24osti/88454.pdf.
  22. U.S. Energy Information Administration “Guam Profile” Last modified October 26, 2023 https://www.eia.gov/state/print.php?sid=GQ#:~:text=The%20Guam%20Power%20Authority%20(GPA,renewables%20account%20for%20the%20rest. 
  23. Tilghman, “Guam: Defense Infrastructure and Readiness.”
  24. Chrissy Scarpitti and Phil Voss, “Guam: 2023 Energy Baseline Report.”
  25. Ibid.
  26. Tilghman, “Guam: Defense Infrastructure and Readiness.”
  27. Ibid.
  28. Jim McCarthy, Otis Alexander, Sallie Edwards, Don Faatz, Chris Peloquin, Susan Symington, Andre Thibault, John Wiltberger, et al, “Situational Awareness for Electric Utilities,” National Institute of Standards and Technology, 2017. https://doi.org/10.6028/NIST.SP.1800-7. 
  29. Ibid.
  30. Jim McCarthy, Otis Alexander, Sallie Edwards, Don Faatz, Chris Peloquin, Susan Symington, Andre Thibault, John Wiltberger, et al, “Situational Awareness for Electric Utilities,” National Institute of Standards and Technology, 2017. https://doi.org/10.6028/NIST.SP.1800-7
  31. Ibid.
  32. CSA, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” 16.
  33. “Analysis of Volt Typhoon Attack: A Discussion on Securing Critical Infrastructure Webinar.” 
  34. CSA, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” 16, 20.
  35. “Analysis of Volt Typhoon Attack: A Discussion on Securing Critical Infrastructure Webinar.” 
  36. Ibid. 
  37. Rico Falsone, Niall P. Brennan, Frederic Lemieux, “Securing U.S. Infrastructure Amid Volt Typhoon Threat,” Georgetown University, last modified November, 2023, accessed February 17, 2025, https://scs.georgetown.edu/news-and-events/article/9453/securing-us-infrastructure-amid-volt-typhoon-threat.
  38. “Employers Must Act: Cybersecurity Workforce Growth Stalls as Skills Gaps Widen,” ISC2, last modified September 12, 2024, accessed February 13, 2025, https://www.isc2.org/Insights/2024/09/Employers-Must-Act-Cybersecurity-Workforce-Growth-Stalls-as-Skills-Gaps-Widen. 
  39. Ibid.
  40. Ibid.
  41. Ibid.
  42. U.S. House of Representatives Committee on Homeland Security, “Chairman Green Introduces ‘Cyber PIVOTT Act’ to Tackle Government Cyber Workforce Shortage, Create Pathways for 10,000 New Professionals,” last modified September 24, 2024, accessed February 14, 2025, https://homeland.house.gov/2024/09/24/chairman-green-introduces-cyber-pivott-act-to-tackle-government-cyber-workforce-shortage-create-pathways-for-10000-new-professionals/.
  43. Ibid.
  44. Ibid.
  45. “Employers Must Act: Cybersecurity Workforce Growth Stalls as Skills Gaps Widen.”
  46. Ibid.
  47. Christopher A. Ramezan, Paul M. Coffy, and Jared Lemons, “Building the Operational Technology (OT) Cybersecurity Workforce: What are Employers Looking for?” Journal of Cybersecurity Education, Research and Practice 2024, no. 1 (2023): 6.
  48. Ibid.
  49. CSA, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” 23.
  50. Ibid, 24-26.
  51. Ibid, 26-27.
  52. Falsone, Brennan, and Lemieux, “Securing U.S. Infrastructure Amid Volt Typhoon Threat.” 
  53. Ibid.
  54. CSA, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” 28-29.
  55. Falsone, Brennan, and Lemieux, “Securing U.S. Infrastructure Amid Volt Typhoon Threat.”
  56. Ibid.
  57. Waterman, Shaun. “Congress, DoD Push Small Businesses on New Cyber Rules.” Air & Space Forces Magazine, last modified December 10, 2024. Accessed February 17, 2024. https://www.airandspaceforces.com/congress-dod-small-businesses-new-cyber-rules/
  58. Ibid.
  59. Ibid.
  60. “Here Are CISA’s 55 ‘Make-or-Break’ National Critical Functions, Setting Stage for Risk Register,” Homeland Security Today, last modified April 30, 2019, accessed February 17, 2025, https://www.hstoday.us/federal-pages/dhs/here-are-cisas-55-make-or-break-national-critical-functions-setting-stage-for-risk-register/.
  61. Ibid.
  62. Government Accountability Office (GAO), “Cybersecurity High-Risk Series: Challenges in Protecting Cyber Critical Infrastructure,” GAO-23-106441, December 2022, https://www.gao.gov/assets/gao-23-106441.pdf. 
  63. “Here Are CISA’s 55 ‘Make-or-Break’ National Critical Functions, Setting Stage for Risk Register.” 
  64. GAO, “Cybersecurity High-Risk Series: Challenges in Protecting Cyber Critical Infrastructure.”
  65. Gidi Cohen, “Why Cybersecurity Frameworks Alone Won’t Stop the Next Major Breach,” Forbes, last modified July 18, 2022, accessed February 17, 2025, https://www.forbes.com/councils/forbestechcouncil/2022/07/18/why-cybersecurity-frameworks-alone-wont-stop-the-next-major-breach/.
  66. Ibid.
  67. Ibid.
  68. Ibid.
  69. Ibid.
  70. The White House, “Fact Sheet: President Donald J. Trump Takes Action to Enhance America’s AI Leadership,” January 23, 2025, Accessed February 7, 2025. 
Thomas C. Breiter
TSgt Thomas C. Breiter, United States Air Force, is an active duty intelligence professional with over a decade of experience supporting expeditionary missions across multiple geographic combatant commands. TSgt Breiter's expertise lies in flight instruction and intelligence analysis of foreign capabilities. He earned a Bachelor of Arts in Arabic Language and Culture from Pennsylvania Western University. He is currently pursuing a Master of Science and Technology Intelligence at National Intelligence University in Bethesda, Maryland.
