As tensions escalate between China and Taiwan – from competing military drills to increasingly heated rhetoric from the mainland – U.S. officials are growing more concerned about the wide-ranging impact of any potential Chinese aggression against Taiwan.
Cipher Brief experts have previously warned of the global economic fallout from a Chinese blockade or invasion of the island, and experts have also said that in the event of a China-Taiwan conflict, Beijing may conduct cyber strikes against targets in the U.S. – including command and control systems, the defense-industrial base, and critical infrastructure – as a way to deter or hamper the American response.
U.S. officials believe last year's "Volt Typhoon" cyberattacks against American critical infrastructure were a prelude to such attacks: probes conducted by hackers tied to China and aimed at breaching key American networks, not to disrupt them now, but to gain the ability to do so in the event of a major U.S.-China conflict.
If it comes to war over Taiwan, “This is one of the key components to disrupt either communications or even fuel systems delivery or other things that would aid the United States or allies to be able to work in that area,” Microsoft Corporate Vice President Kelly Bissell told The Cipher Brief last year. “I think this is very tactical, but strategic to the future of what [the Chinese leadership is] thinking about.”
Earlier this month, The Cipher Brief hosted a high-level dialogue on the cyber risks that might accompany a cross-Strait conflict, at a summit meeting of the Cyber Initiatives Group (CIG). The session featured leaders from two U.S. companies that know more than most about the subject: Microsoft and Google.
Jeanette Manfra, CIG Principal and Director of Risk and Compliance at Google Cloud, and Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, answered questions posed by Lieutenant General Michael Groen (Ret.), another CIG Principal and former Director of the Joint Artificial Intelligence Center at the Department of Defense.
One clear takeaway: A conflict over Taiwan wouldn’t be limited to the air, land and sea operations involved in a Chinese invasion or blockade; the experts said it would also involve Chinese cyberattacks aimed at the U.S. private sector, critical infrastructure, and technology supply chains – with semiconductors a prime target.
“I would say there aren't a lot of things that keep me up at night,” DeGrippo said, “but the consolidation and almost singular production out of Taiwan of semiconductors is extremely stressful for me.”
This excerpt of the briefing has been lightly edited for brevity and clarity.
Groen: What do you think about yourselves (at Google or Microsoft) as a target? Do you think that in a Taiwan scenario, the Chinese would come after you as an institution?
Manfra: I think we're always a target. Both of our companies, as well as many others, are always a target, and it's something that we have to deal with on a regular basis.
Then the thought is: What could potentially change as things escalate? Then you start getting into questions about supply chains, and you get beyond the more traditional cybersecurity scenario that we're already dealing with, and looking at how do all tech companies, as well as the government and their use of our software systems, manage that additional challenge.
Supply chain is probably the largest concern we would have, well beyond what we're currently dealing with.
DeGrippo: I think China nation-sponsored threat (actors) absolutely understand the differences within their targeting choices. The software supply chain, as Jeanette mentioned, is generally the number one target. Not just from China – from the rest of the threat actor groups that are nation-sponsored as well.
We see technology organizations being the number one target across that spectrum because there is a cascading force multiplier — being able to compromise the software supply chain, or technology companies that provide services and products to their ultimate targets, and being inside that gives them a gateway path access to those further targets down the chain.
Large technology companies have special targeting, which means that we also have some special responsibilities around defense, and special responsibilities around getting our security house in order. Making sure that we're paying attention to our own data, our own infrastructure, but also to the data and infrastructure of course that is responsible to our customers.
Groen: What kind of attacks might you expect on your infrastructure – and what do you expect the government to do to help you?
DeGrippo: The general response to regulatory responses and interaction is that feedback is a gift. Microsoft very much sees feedback as a gift. So the information that we get back from regulatory bodies is very helpful and important to us.
Additionally, the deep public sector partnerships — and when I say deep, I mean speed-dial, one phone call away, constant contact with our public sector partners — has also been a gift. And I think that those relationships are very close and they are in the spirit of a collective defense mindset. So we have to think that we are sort of globally protecting the world.
Manfra: When you have, in particular, entities like Google, Microsoft, Amazon, and others that have a global scale of infrastructure and capabilities and are in the business of providing services to critical infrastructure [and] government, you both have to have a high bar for the security, safety and reliability of our services – likely higher than other smaller entities – but there's also a huge opportunity there, because of the capabilities that our companies have developed over many, many years. And because of what we've learned.
When you say, What do I expect from the government, I think the main thing I would expect would be that when they have information that is relevant for us to take action upon, either as an industry or as individual entities, that that would be shared.
I think that it is the government's responsibility that if they have information, they do have a duty to warn the entities, whether they're potential victims or they're somewhere in the supply chain that can do something about it to prevent further victimhood.
And it's also important on the government side to be thinking — and I know they are, so this isn’t intended to be a criticism, just in terms of setting the expectations — as they're thinking about various different geopolitical plans and how they might be managing different relationships in different regions and different partners, it’s important to think about the potential consequences of actions and the vulnerabilities that might introduce on their side as well.
Groen: Do we have any kind of rehearsal? I'm not sure that every government office knows exactly who they should be calling in commercial industry to execute the partnership and to actually say, OK, turn on the plan?
Manfra: As a risk management professional, Yes, you should always be planning for all of the different scenarios, even if they're not likely. And you should always be training for that, whether that's in physical or cyber or a combination of both. I absolutely think that that's necessary.
I know Google does, I imagine Microsoft and many other companies plan internally for different scenarios and think about, What if this happens? What would we do? How would we respond?
But to your point, it is important to do that collectively, to do that as industry, to do that with government because there is a lot that you learn.
When you're talking about China-Taiwan and escalating tensions there, there's a lot of different threads that probably need to be exercised some more. And to think about impacts even beyond the tech sector. We have not just government that's using our products, we have other sectors that could be impacted.
Ages ago, when I was working in public safety communications and talking to firefighters and others, one of the things that they would always say is, you should never be exchanging business cards on the site of an incident. And I think that goes the same here.
DeGrippo: It is a significant issue for Microsoft reaching out to customers to let them know that we've seen activity that may be of concern, and I've heard unfortunately from my public sector friends and partners that people don't always answer the phone when agencies call, that it just goes to voicemail and they never get calls back. So there really is kind of a connection issue.
I think obviously Microsoft has many public sector connections that we are able to leverage there. But if you're not Microsoft or you're not Google, how are you doing this? And as you've asked in the question, Do you have a plan? Microsoft is constantly doing threat modeling with very basic scenarios all the way to things that are very, very wild. But after something like SolarWinds or Log4j or some of the other events we've been through, I don't think wild is as wild as it used to be. The spectrum of wild has grown exponentially.
Groen: Do you think Xi Jinping would risk a World War? And does the U.S. have the digital resilience to survive and through a major disruption like a Taiwan invasion?
Manfra: I am not a China expert. I've worked a lot with the Chinese government when I was in the U.S. government, but I can't pretend to be the best person to make that prediction. That being said, No, I don't think he's going to risk World War III. I think China and their leadership are rational actors in their context and have a very clear sort of goals that they've set out as a leadership group. Now that doesn't mean that these escalations won't happen.
I think a lot of it is how we collectively prevent and provide off-ramps for ensuring that escalating tensions do not become that World War III scenario.
There are a lot of things that we need to be thinking about and are thinking about when it comes to Taiwan – and should U.S. and Western companies and others lose access to the capabilities that we depend upon there. And from a Google perspective, we spend a lot of time investing in the improved resilience of Taiwan, thinking about diversifying our supply chain.
DeGrippo: I definitely think about TSMC (Taiwan Semiconductor Manufacturing Company) quite frequently. I would say there aren't a lot of things that keep me up at night, but the consolidation and almost singular production out of Taiwan of semiconductors is, I think, extremely stressful for me, just in my own materialist life every day going to get Starbucks, and I'm wanting various technology in my home and things like that. So that does concern me. I think that we've got to, probably from a perspective of public-private partnerships, figure out how we can deescalate the risk there to U.S. concerns.
And China, when we think about the most developed nation-state cyber threat capacities or capabilities – North Korea, Iran, Russia, China – China is the last one left that still has diplomatic relationships that hasn't really been pushed completely to the fringes.
And I believe that there is a desire to remain in the good graces in the global community. I think that there hopefully will not be a risk of global conflict.
One of the things that may deescalate some of that is to move semiconductor manufacturing to Western allies to some degree, a much greater degree than it is today.
Groen: Where do you think we are in starting to have the right imagination about the threat? Are we paying enough attention to our resilience to any kind of attack? Do you think we have it right? How do you feel about our resilience and preparation in the technology space, as a government and as a commercial industry?
Manfra: I'll do it like a GAO report: Much progress has been made. More work needs to be done.
There is a lot more work that needs to be done on the software supply chain. There is a really significant dependence that could be disrupted and have consequences well beyond the tech sector. And so there's a lot of work to be done.
Have we fully imagined all the different factors? Probably, but you always need to be creative in this. I would say we should keep that. Second, are we aligned between company and government?
DeGrippo: I think that China is voracious, the appetite is unending for data and for access. It's a consistent, almost, if it were an individual, we would say it was obsessive, but a desperate constant need to have access and data all the time. And they have created an apparatus to facilitate that.
I am watching the AI capability for the nation-sponsored actors. We have already seen leveraging AI technology to do things like reconnaissance, to help them with scripting, to support social engineering. A lot of people talk about AI and have a lot of concepts and visions and things like that. But for me, the bottom line of AI is acceleration. It makes everything faster. And so for a threat actor, being able to have the advantage of extreme speed leveraged through AI, that's something for defenders that is going to be very, very difficult to grapple with. This acceleration is going to be beyond, I think, what most people can comprehend, how fast threat actors would be able to move.