EXPERT INTERVIEW — The U.S. Treasury Department closed 2024 with the announcement that state-sponsored hackers from China had breached its systems in a “major incident.” The hackers compromised a third-party cybersecurity provider to access networks of the Office of the Treasury Secretary and the Office of Foreign Assets Control (OFAC) — the department entity that deals with economic sanctions. Treasury said the hackers accessed unclassified documents.
The hack is the latest in a series of sobering reminders of the cyber threat emanating from China – a threat manifested most profoundly in the so-called “Volt Typhoon” and “Salt Typhoon” attacks, which in the last two years have breached U.S. critical infrastructure and exposed vulnerabilities in areas from the water supply to the electric grid to telecommunications. In the case of the Salt Typhoon attacks, the breach compromised major U.S. telecommunications companies and went unnoticed until Microsoft alerted the government.
The Cipher Brief focused on these threats in the latter days of the year at the Cyber Initiatives Group Winter Summit, where Cybersecurity and Infrastructure Security Agency Director Jen Easterly called the Salt Typhoon breach only the “tip of the iceberg” in terms of what may be coming from China-linked cyberattacks.
The CIG summit also featured George Barnes, who served as Deputy Director of the National Security Agency from 2017 to 2023. As the NSA’s chief operating officer, Barnes had the key role of overseeing strategy and policy on U.S. cybersecurity, including against the kinds of attacks from Chinese actors that have been so prevalent in recent months.
In a conversation with Cipher Brief CEO Suzanne Kelly, Barnes said he was “not surprised” by Salt Typhoon, given the severity of the cyber threat emanating from Beijing, and urged a proactive response. “This is unfortunate, but it should be a wake-up call to us.”
This interview has been edited for length and clarity.
Kelly: Salt Typhoon has been going on for a while, but the White House is still sending signals that they're having trouble getting whoever the perpetrators are. How serious is this issue, and how long might it take to be able to bring a little more mitigation around the hack?
Barnes: I think this is a visible manifestation of [China’s] strategy and intent – I'll assume it's them. By all accounts, it's a hallmark and it would be them. They have a strategy of being the best in the world [at cyberattacks] and definitely trying to equal, if not overtake, the U.S. in intelligence prominence. They’re trying to establish themselves on the world stage. And they're also very keen to understand all the innards and intricacies of the United States, whether that's from the political and national security level, all the way down to economics, and just the vibe of people on the street, because weakness in our society gives them leverage and strength globally.
It was unfortunate this happened, of course. But I'm not surprised. They are very aggressive, increasingly capable, and sophisticated. We should never underestimate their desire, their intent, their long view. And they are patient learners.
This is unfortunate, but it should be a wake-up call to us. Our society versus theirs. We're an open society. That's how we were founded. That's the core of our existence, and we want to keep that. But that means we have to work harder. They are operating in our space, their companies are in our landscape, in our networks. We don't have reciprocal access to them. We have very different rules and perspectives, and so that just means we have to be smarter.
But we all have to have an awareness. It's not just for the government or for those that touch this every day; it's for everybody in our society to realize you can't take for granted the freedoms that we have and hold dear, and we need to defend them.
Kelly: You say it should be a wake-up call. There have been many previous episodes when people have said, "Oh, there should be a wake-up call." And now we have this. What could be next? What are you worried about if we, the United States and our allies, don't figure out a way to collectively protect against these types of things?
Barnes: The end game [for China] is cyber supremacy and to include, incorporate, and integrate cyber as part of the national security doctrine of the CCP. And yes, we have to be aware of that. But where it's going is to this era of potential destabilizing actions and/or instability when we don't have established expectations, norms internationally, much less adversary-to-adversary. And so the calculus that we have in the United States and the diligence that we have in determining collateral damage, stopping short of loss of life, all those types of things that are extensions of our framework for warfare, it's different in these autocratic societies, whether it be the PRC, Russia, what have you.
This is all a telltale sign and why we say it's a “wake-up call.” The first and biggest one from China was really the critical infrastructure threats. But those were all potential – they hadn't been acted upon. They were lying latent in networks. It took the current administration a long time to just create that awareness and create the conditions for bolstering defenses. Look how much trouble they had with a lot of the states trying to establish standards for critical infrastructure in areas the states controlled. And what's the federal versus state balance there? What are the rights of states versus the government and vice versa? We have to think of this together – states and federal government, government and industry. This is for all of society to deal with.
Kelly: I think you pinpointed the problem, which is we live in a democracy, which is also the privilege in this case. But those partnerships are going to be key. So when you're thinking about how the NSA has partnered with industry, how could the new administration take advantage of building on what was already there and creating even stronger partnerships?
Barnes: I think they need to look at what has worked, how well and why. The creation of the Cybersecurity Collaboration Center really was a pivotal moment. And that happened because we worked with a prior CIO (Chief Information Officer) under the Trump administration, Dana Deasy in the DOD, to delegate an authority he had. He delegated it to NSA, and that allowed NSA to collaboratively work with industry on cybersecurity threats that affected the defense industrial base and supporting industries. And that created a broad aperture for engagement, but it wasn't the total aperture.
That's an example of the good we've seen from industry-NSA collaboration on threat. Industry has a broadening, sophisticated ability to identify threats. NSA has the ability for them to work together, bring value in both directions, not just throwing things over the transom, but having partnerships, gaining trust, gaining understanding. All those things have come out of that relationship. And I think this is a societal thing for us. We have to work together. We have to break down the barriers.
Kelly: Let me ask you about something that's a bit controversial, and that is more of an enhanced relationship with the government and the private sector when it comes to disruption. Finding ways to organize disruptive practices, create some guidance, understand which titles companies might be able to work under with government supervision, so that companies can take a more aggressive approach. If you look at who's being targeted, it's private sector companies – government as well, but they're certainly not out there alone. How are you thinking about both the opportunities and the challenges that would come with putting more organization around disruption?
Barnes: My perspective on this is, get the foundational elements in order first, create that strong foundation, and from there you can build. The foundation that we have not established or exercised is for the government and its authorities. It has some authorities it's not fully utilizing. It has other authorities, which were designed at a time before the internet, much less cyber operations. And so, if you look at the epidemic of ransomware, how many millions upon millions of dollars are lost? How many lives are endangered? And we have a system of trying to establish lawful activity domestically, but also through foreign partners. And the best we can do is indict people in a foreign land like Russia, and they'll probably never travel anyway. We're not looking at the authorities that we have. Are they fit for purpose for this domain that we're actually in?
I think we need to be much more aggressive. We need to peel back, review, renew, refresh, expand the authorities of the government, and then the government needs to come together across all arms, diplomatic, economic, militarily, law enforcement, and determine how to take action. Because if we just stay where we are now and we say, "Oh, well, we need more help, let industry get involved," what's the foundation on which they're doing that? And who's accountable when things escalate and go off the rails? Well, it comes back to the government. We have to get first things first. And I feel like we have not done that to the degree we could or should.
Kelly: A lot of the principal members of the Cyber Initiatives Group have been saying that it might be time for a new national offensive strategy in cyber. Do you support that idea?
Barnes: I support an offensive strategy first and foremost in the government. Industry will always have a role to play, and it can increasingly help. Industry has an aperture. They understand what's happening. Industry has software tools and capabilities distributed around the world, and they have credentialed access to those capabilities for providing updates. And so, like we saw in Ukraine, industry ended up having a role in helping Ukraine defend itself against the Russians. There is definitely a role for industry.
One of the things we need to do is think ahead. Let's develop playbooks. Let's do exercises with industry and government ahead of time to say, Well, what if X happens? How will we react and respond? How can we proactively position ourselves so we know for one of our big U.S. companies that has a big deployed infrastructure in that foreign area, what should they do? What's the policy? What are the parameters? What are the accountabilities?
There’s a lot there that we saw play out without those policies and strategies in Ukraine. Let's learn from that and say, OK, if a Ukraine war was to happen again, in Taiwan or somewhere else, how could industry know what latitude it should take? Should it request latitude? There are all kinds of things that Microsoft and others did and can do. Let's think about that. And that can be very effective, and it can be coordinated. That's different from them getting into deny, disrupt, disable. It can get into deny, but to disable or to destroy, it's all a matter of which “D” you pick and where industry can more comfortably play.
Kelly: On the personal side, since retiring from the NSA and now running a cyber program at Red Cell Partners, are you seeing industry differently? Are you seeing the opportunities differently? Are you seeing their problems differently?
Barnes: Most definitely. I see some of what I always saw, and then I see a lot that I never saw. I was very familiar with how the defense industrial base players engage with the government. It's their lifeblood. They've learned the system, the bureaucracies. The government and those industrial players are basically tied in this dance because the FAR, Federal Acquisition Regulations, those types of things have created this relationship and they're both bound up into it. But what that means is it locks certain players in and it pretty much locks other players out or makes it hard for other players to come in. And so, that's where you get into Silicon Valley, you get into innovation.
It's very hard for startups, which might have wonderful, impactful innovations that could really do things in a whole different way, it's very hard for them to break in unless they have deep external financial backing. And so the Defense Department as an example, they have processes where they provide seed money for research efforts. But those things are low-dollar, sporadic, and you're tied to the availability of funds with budgets. So if you're a small startup, you are on the end of a little string and it's whether the budget passed, whether it's a continuing resolution, is it $50,000 or is it even a million? Well, how long will that take you if you're trying to grow a company? It's very hard. There are foundational things that make it hard. And so I think we as a society have to understand those and start whittling away at them. They were created as a response to badness. A lot of the regulation is there because there's been favor, there's been all types of things that create advantage for one entity over the other. But while we all respect that, China's running away with the day.
We have the rapid expansion of technology. Our country is still number one. We need to keep it number one. But China has been a fast follower and in some respects, they are actually equal, if not passing us. We've got to get our acquisition framework in a place that allows the best of the best technologies to come into the national security world and help it run fast.
Kelly: Government does have several different entities that are focused on things like this, but no one's really focused on fixing the problem yet. What would be next steps that you would recommend on actually doing something about this in a way that can be effective?
Barnes: The first order is to recognize we have a problem. Anytime you have a change of administration, it's an opportunity for a fresh look on things. I think we need to capitalize on change. And that could happen with either party, because either way there was going to be change. But change is good in this respect, because people are going to be coming in from the outside, they'll have a fresh perspective, they'll have a different context, and it'll only last so long, and then they'll get swallowed into all the urgencies that those jobs require. We need to look at that. We need to look at the rate of change of our adversary, their technology base.
National security now is not just weapons. National security is technology and economics. We’re in a battle with China over technology, primacy and security. We need to factor that in — the development, but also the use of those technologies. That means we need a different framework for how you actually leverage those into the operational realm.