The U.S. intelligence community is relying on artificial intelligence to uncover some of the Chinese intrusions into U.S. critical infrastructure that have alarmed national security officials in recent years, according to a senior cybersecurity official.
“AI is one of the tools that is able to look across a large volume of activity on your network and understand what is normal and what is abnormal,” Rob Joyce, the outgoing head of the National Security Agency’s Cybersecurity Directorate, told reporters during a briefing at NSA headquarters on Friday.
China’s campaign of cyberattacks on U.S. telecommunications, energy, transportation, and water utilities — which the U.S. government calls “Volt Typhoon” — has been successful in part because of Beijing’s stealthy tactics. Instead of breaching these elements of critical infrastructure using malware that might trip alarms, officials say Chinese hackers have snuck in by using stolen login credentials to impersonate employees at the companies they target. In some cases, they’ve even used that access to create new user accounts for themselves. By masquerading as legitimate users — and by using hacked U.S. routers as intermediaries to access victim networks, so their IP addresses don’t raise red flags — Chinese operatives have been able to hide in a sea of network activity, rendering most traditional attack-monitoring systems useless.
That’s where AI has come in for U.S. cyberdefenses. With its ability to quickly analyze vast quantities of information, artificial intelligence can spot anomalous activity — like a pattern of unusual account logins — and alert security personnel. The NSA’s acknowledgment that the U.S. government used AI to find Chinese spies lurking in critical infrastructure underscores the technology’s immense value for defenders, not just attackers, in cyberspace.
NSA officials say the agency’s four-year-old Cybersecurity Directorate — which leads the agency’s efforts to improve its collaboration with private companies, academic experts, and foreign allies — is eager to further integrate AI into its defensive work. “That’s been a focus for us,” said David Luber, Joyce’s deputy and the man who will succeed him when he retires on April 1.
Playing defense against "Volt Typhoon"
AI’s defensive capabilities have surged in importance as the Biden administration scrambles to understand the full scope of China’s Volt Typhoon campaign, which Microsoft first revealed in May 2023. Senior administration officials worry that in the event of a major U.S.-China conflict — if, for example, China decides to invade Taiwan — Chinese operatives could sabotage power, water, and communications infrastructure in the U.S. and create panic and distractions that would undermine the U.S. military’s ability to come to Taiwan's aid.
Joyce was blunt when describing the intelligence community’s conclusion that China has been laying the groundwork to sow chaos in American society. “The plain language for that is terrorism,” Joyce told reporters. “That’s domestic terrorism.” He pointed to the U.S. intelligence community’s conclusion, in its latest annual Threat Assessment that was released last week, that China is increasingly mimicking Russia’s attempts to exploit fissures in American politics.
China “may attempt to influence the U.S. elections in 2024 at some level because of its desire to sideline critics of China and magnify U.S. societal divisions,” the report warned. It added that Chinese hacker groups “have increased their capabilities to conduct covert influence operations and disseminate disinformation.”
The NSA said that the U.S. government still hasn’t identified all of the targets in Beijing’s Volt Typhoon campaign, meaning there could still be dozens of vital communications, power, and transportation systems vulnerable to Chinese sabotage in the event of a crisis.
“We’re still finding victims and working to make sure that we clean up the intrusions,” Joyce said. “From the beginning, it’s been a broad campaign…There’s a wide array of opportunities to go after infrastructure that we rely on.”
China appears to be reserving its most destructive capabilities for a major conflict with the U.S., according to American intelligence assessments. “We do think it’s a pretty high bar” for activating those capabilities, Joyce said. In part, he added, that’s because last year’s spy balloon incident was a wakeup call for Chinese officials, who were surprised by the intensity of the controversy and reaction in the U.S. Joyce said Beijing had “sorely underestimated what would happen if they went after the water, or the airlines, or the electricity in the U.S.”
The intelligence community’s hunt for more victims of Chinese hacking comes as the U.S. enters a presidential election year that intelligence officials are convinced will see widespread efforts by foreign actors to interfere in or influence the outcome.
Given the proliferation of AI, Joyce said he expected to see more cases of AI-powered robo-calls like the recent one in New Hampshire that impersonated President Joe Biden. At the same time, he cautioned against overhyping the AI threats, telling reporters that “we’re seeing more promise than impact at this point” as attackers learn how AI tools work and test their limits.
And while Chinese cyberattacks are getting the most attention right now, officials are also keeping a wary eye on Russia, which has a history of election interference operations, and which may mount extensive online influence efforts aimed at toppling American candidates who favor sending more aid to Ukraine.
“Russia is very motivated to make sure that the focus on support for Ukraine is disrupted,” Joyce said, and the intelligence community expects Moscow’s election interference efforts to reflect that priority. The hope is that the U.S. government’s cyberdefenses — with the help of AI — will be able to go toe-to-toe with the Kremlin and other global cyber attackers.