CYBER INTERVIEW – National Security Agency (NSA) Director Gen. Timothy Haugh said Thursday that U.S. cyber defenses did not see China’s recent breach of American telecommunications networks until they were alerted by Microsoft, and he warned that more Chinese cyberattacks were likely.
Gen. Haugh, who also leads U.S. Cyber Command, spoke about the “Volt Typhoon” and “Salt Typhoon” attacks, which have targeted a range of American critical infrastructure, including major intrusions into AT&T, Verizon and other telecommunications companies. Both campaigns have been attributed to hackers backed by China.
“We did not see activity in U.S. telecommunications networks,” Gen. Haugh said at an event hosted by the Paley Media Center in New York. A Microsoft “flare” had alerted the government, and Gen. Haugh said that private-public sector partnerships would be critical in beating back future attacks.
For now, Gen. Haugh said, China “is not yet deterred.”
Gen. Haugh’s comments came a day after another top U.S. cybersecurity official called China-backed attacks on American infrastructure the gravest cyber threat to the country. Jen Easterly, the Director of the Cybersecurity and Infrastructure Security Agency, said in an interview with Cipher Brief CEO Suzanne Kelly that recent Chinese cyber intrusions were the “tip of the iceberg,” and warned of dire consequences for U.S. critical infrastructure in the event of a U.S.-China conflict.
“This is a world where a war in Asia could see very real impacts to the lives of Americans across our nation, with attacks against pipelines, against water facilities, against transportation nodes, against communications, all to induce societal panic,” Easterly said during the Winter Summit of the Cyber Initiatives Group.
The U.S. has recently accused hackers tied to Iran, Russia and particularly China of seeking to breach cyber defenses in the transportation, communications and water sectors. The Volt Typhoon attacks are believed to have been an attempt by China to probe U.S. critical infrastructure and gain the ability to carry out damaging attacks in the event of a U.S.-China conflict. The breach known as Salt Typhoon involved cyberattacks that penetrated American telecommunications firms in an effort to access U.S. national security information.
At The Cipher Brief’s Threat Conference in October, Gen. Haugh said that “what we see broadly from a PRC [People’s Republic of China] threat perspective is they’re going to be very aggressive at critical infrastructure collection operations and targeting our critical infrastructure.” He warned that the West faced “an unprecedented challenge…the greatest challenge of our time” in its competition with China.
At the Paley Media Center event Thursday, Gen. Haugh was interviewed by New York Times correspondent David Sanger. Excerpts from their conversation follow.
Sanger: General [Paul] Nakasone, your predecessor [at U.S. Cyber Command], said to me at one point that his biggest surprise was the rise of influence operations. Of course, he came in right around the time that you were dealing with the aftermath of the Russian interference in the election. What was your surprise?
Gen. Haugh: It's really the velocity of change and the impacts on national security. When we think about all of the things that are happening simultaneously – Russia, Ukraine, and the impacts and what that looks like and the changing transformation of warfare, and the rise of UAS [unmanned aircraft systems] and what that looks like and how that has really evolved quickly.
When we think about October 7th, [2023], and the implications of what has now happened in the Middle East, both with the impacts on Israel through the terrorist attack and then what has happened subsequently, that rapid pace of change that still is underway in the Middle East. And then the pace of change in technology, and what we see now, which really isn't about size, it's about speed.
Sanger: General Nakasone said in his confirmation hearing in 2018 – he was in a discussion with Dan Sullivan, the senator from Alaska, [who] said to him, "I think the problem with cyber these days is our adversaries do not fear us." Nakasone agreed and said, "Yes, they don't fear us." And he made it clear that it was going to be part of his mission to change that. And yet when I look at the rise of ransomware from Russia, when I look at the hacks from China, when I look at the use of cyber in the sabotage that the Russians are doing across Europe right now, I have to question: do they fear us yet?
Gen. Haugh: Today, the PRC [People’s Republic of China] is not yet deterred. And I think from our standpoint, this is how we have to think about it. Not just how we at NSA and Cyber Command look at the problem, but how do we bring together other nations? How do we bring together all the tools of the U.S. government and how do we partner with the industry?
The PRC has waged a campaign for over 15 years. It started in intellectual property theft, and they gained huge benefits from that. We've seen it evolve now into where they have targeted our allies and our partners, particularly throughout the Indo-Pacific, and then we can look at what they've done in our critical infrastructure and then most recently the targeting of our telecommunications networks.
What we have to think about in that response is how do we bring together all the tools of the U.S. government and then what does it look like in the partnership with industry? Because today the PRC is taking advantage of vulnerabilities that are right in front of them, and they're taking advantage of it very aggressively. We have to make that bar be much higher for entry.
Sanger: The conventional tools that we have turned to for this are sanctions, which is what we've done against China for years now, and that we attempted against Russia, but once the war [in Ukraine] started, there wasn't a whole lot of separate sanctioning you could be doing for cyber activity. And your offensive operations, which we rarely see, but we know have been a big part of that.
What's striking to me is that it seems as if the Chinese and the Russians in particular, and the Iranians and the North Koreans, have so upped their game that the sanctions do not get in their way at this point. The tools that we have brought to bear have not worked, and they are now coming together.
So I'm wondering first, are you seeing [these adversaries] working together in the cyber world?
Gen. Haugh: First, let me describe what I think is different and what it looks like today in our partnerships. What we have seen is an evolution in our partnership with industry, our partnership with our foreign partners, our allies, the depth of how we're approaching the problem. Because in this case, industry creates this domain of warfare. That's the only domain of warfare that is actually created by industry.
In terms of collaboration and what it looks like between those nations [China, Russia, Iran and North Korea], it is certainly different than what we have seen before in terms of their strategic collaboration, brought on largely by Russia's desperation.
They have created the situation through their unlawful invasion of Ukraine, where they've depleted resources to a point, and the impact of the sanctions has caused them to turn to China for financial support and for North Korea for material support.
Sanger: Technological support also.
Gen. Haugh: Of course. I think we have certainly seen commercial technologies that are enabling a continuation of Russia's war against Ukraine. The fact that Russia had to turn to Iran for UAVs and other support is an act of desperation and an act of weakness from Russia. And we have seen more collaboration than we've seen in the past.
What we have not seen is a depth of collaboration in cyber. And what I would largely attribute that to is that the bulk of the work from each of those nations is done by their intelligence services, who are not inherently trusting of each other.
Sanger: Let's dig into the biggest challenge you have faced in the past couple of months. And that is an attack on the U.S. telecommunications networks called “Salt Typhoon.” We've given this a lot of coverage, but I still discover that the depth of this story and what has happened has maybe not sunk in with most Americans.
It's probably one of the largest embarrassments in the cyber world for our telecommunications companies AT&T and Verizon. The U.S. government has said eight separate firms all got hacked. It went on for more than a year, maybe two, your colleagues tell us.
And we've been told last week that you are not confident that even months after this, the Chinese are out of the system. So given the level of investment over these past 15 years in cybersecurity, how could the core of the American networks go for a year and a half and not see that there was a Chinese actor in their midst turning the system against them?
Gen. Haugh: I appreciate you really highlighting the issue of cybersecurity and how we raise the bar. When I look at this particular situation, we of course have been following this class of threats for some time. And if anyone would like to do some very detailed reading, you can go to nsa.gov, and we put out a cybersecurity advisory on this in 2022. And in our advisory, we focused on information we had learned through our foreign intelligence activities overseas, where we had seen PRC targeting telecommunications companies and using a series of tactics.
As we look across U.S. industry, we see pretty different sets of implementation of cybersecurity standards. Certainly when we have collaborated with the financial sector, they have invested. And they have done really deep cybersecurity work to ensure the security of the networks. And in terms of some of the other elements of our critical infrastructure, we have seen very similar vulnerabilities that we now see today being exploited in the telecommunications networks.
Where to from here? We have begun a partnership with the telecommunications companies in CISA [the Cybersecurity and Infrastructure Security Agency]. And we are holding meetings with all of the industry leaders so that we can collaboratively develop the hardening approach. We have put out interim hardening recommendations that went out earlier last week. But we have agreed with industry that we will do the hardening effort together. Meaning everything that we know about this threat…and we’re also going to bring classified information into that discussion. And then combine that with bringing all of industry together to look at their understanding of the threat and also the hardening ethics.
Sanger: One of the things that's been missing from the White House description of this is any talk of China paying a price. And as some officials concede, rarely on the record, we do surveillance on other countries as well. We try to break into their systems. So is part of the problem in exacting a price here that we can't really charge the Chinese with doing something that we wouldn’t be hesitant to do ourselves?
Gen. Haugh: Well if we zoom out, the PRC has a really active cyber program. And so in terms of what we recommend as options to our policymakers, we do think about it and the totality of the PRC cyber program. This is one aspect of it. Their intellectual property theft is another that we need to consider. But from my perspective, our policymakers are going to look for a whole series of options that go from hardening to cost.
Sanger: Let me ask this another way. When the Chinese stole all that data from the Office of Personnel Management, 22 million security files, probably yours too, the Director of National Intelligence at the time said, "I have to give them credit. If we could have done this, we would've as well." Would you say the same in the case of Salt Typhoon?
Gen. Haugh: I don't want to talk about our side of this discussion. I would say that if we look at how they did this, and our approach to how we think about tradecraft and how we think about expertise, [Salt Typhoon] was not the highest-end operation that we've seen. And so that tells me both what we can do as the U.S. government to inform that, and what industry needs to do to raise their bar, and not make this a success [for China].
Sanger: And tell me why you didn't see it as well. Obviously, persistent engagement means you're on their networks, as General Nakasone used to say. You're trying to be watching every major threat actor around the world, but particularly China, Russia, and North Korea. Have you ever gone back and said, Why didn't we see this group, which works essentially for the Ministry of State Security in China, doing what they were doing here in the United States?
Gen. Haugh: We are a foreign intelligence agency in the combatant command, so we operate outside the United States. And so when we report on things like the telecommunications advisory that we did, that's generated by our activities to be able to do foreign intelligence under our authorities.
Now if we see something that is coming from overseas to the United States, that's certainly areas that we report on all the time, those are the things that we want to communicate both internally to the U.S. government, to our partners, and to industry.
Sanger: You tell the FBI, you tell the Department of Homeland Security.
Gen. Haugh: And we tell industry, because we want them to be as best defended as possible. Where these types of operations are really effective, when we can counter them, is when we get a cue from industry. So if it's happening in the United States – because we're not looking here – and we get that first hint of an activity, that allows us to bring all of our tools to bear overseas, from foreign intelligence.
Sanger: But you did not see it initially overseas until Microsoft sent up that flare and a warning here?
Gen. Haugh: We did not see activity in U.S. telecommunications networks. We did observe some activity in foreign telecommunications.
Sanger: But nothing that told you that they were coming in here?
Gen. Haugh: No.
Sanger: I spent some time a few weeks ago with the Microsoft team that detected this, and it was fascinating. Because of course Microsoft has got so much range across American networks, and they legally can look inside the U.S. You can't legally look inside the U.S. So they were able to warn you, it was a key part of the engagement here. Does the law need to be changed to match the modern age, so that you can begin to have the kind of view that Microsoft's done?
Gen. Haugh: I think that is clearly a policy and legal discussion. I talk pretty routinely with all the members of Congress about what we can do and what we can't do. What is currently in my control is the depth of partnership with industry. That is the piece that I think is the clearest in front of us, consistent with our policy and our values. But I do think any discussion of activities for us in the United States is one that really needs to be led by Congress.
Sanger: But your basic message is until Congress changes the law, you are dependent on the Microsofts and Googles and others in the world who can look inside U.S. networks to raise the alarm?
Gen. Haugh: I think that it is a mixture between our domestic agencies and our industry, and then how do those two elements partner with the broader intelligence community.
Sanger: Before Salt Typhoon, there was something called “Volt Typhoon,” which was very different. Salt Typhoon is about surveillance. Volt Typhoon is about getting into our utility grid. The water systems, particularly around military bases, that might be involved in a response to a Taiwan attack. In other words, try to turn off the water, turn off the electricity in a way that would enable the Chinese to delay, to slow a U.S. response. We've been after this one now for a year and a half, two years probably. Are the [Chinese hackers] out of the utility networks at this point?
Gen. Haugh: I would expect that they are going to persistently try to find new areas. We have worked really diligently. We've publicly exposed this. We've worked with each of the domestic agencies that are responsible for our critical infrastructure, and we work with the industry. And we have really taken multiple steps to be able to root them out of the infrastructure. They're going to continue to try, and that's one of the key areas that we have to really understand. As we start to think about the vulnerabilities, we have to close that and then we have to continue to increase the cost on the PRC, particularly for this class of campaign, which is targeting the critical infrastructure of civilians.
Sanger: No conversation on this topic would be complete if I didn't ask you about the rise of artificial intelligence. On the one hand, cyber defenders say to me, there's been no better advance for cyber defense than AI. On the other hand, you must be examining how to use it on the offensive side as well. Can you talk a little bit about both?
Gen. Haugh: On our side, what we have done is invested in AI security, and that's where we believe the U.S. government can bring something back to industry. We've established an AI security center to be able to look at how can we recommend what security looks like. We put out a product – how to secure large-language models, and that is where we think we're understanding where adversaries are going, how to protect that and to be able to communicate it. We are certainly looking at, How does AI accelerate our work in all of our mission sets?
Sanger: Can you talk a little bit about how it changes offensive?
Gen. Haugh: We are looking at, How does it accelerate our targeting? What would be areas that would be most important to an adversary as they think about the use of their own technology? For us to be able to identify those key points that we would want to be considering, and planning around if we were asked for options or we were in the middle of a conflict, that's a large amount of information. How we shrink that very deliberate targeting process that we use in all domains in the Department of Defense. This allows us to help accelerate that.