When U.S. and British officials filed cyberespionage charges and imposed sanctions against China on Monday, for a campaign that they said had hit millions of people in the two countries, it was only the latest salvo in a cyber conflict that has intensified sharply over the past year.
The U.S. and U.K. called the group of hackers "Advanced Persistent Threat 31" - or "APT31" - and said it was run by China's Ministry of State Security. Officials said the APT31 campaign had gone on for more than a decade, with targets including members of the U.S. Congress and the British parliament, along with academics, journalists, and employees of companies that had been critical of China. Deputy U.S. Attorney General Lisa Monaco said the aim of the hacking had been to "repress critics of the Chinese regime, compromise government institutions, and steal trade secrets."
Reuters reported that Chinese diplomats in Britain and the U.S. dismissed the allegations as unwarranted, and China has often responded to charges of cyberespionage by charging the U.S. and its allies with hacking Chinese operations.
Prior to Monday’s announcement, U.S. intelligence officials had been most concerned - publicly at least - with the operation known as Volt Typhoon, in which hackers traced to China penetrated U.S. critical infrastructure, including local water utilities, electric grids, and telecommunications systems. In the case of Volt Typhoon, the concern is that the hackers have been probing for weaknesses they could use to disrupt American infrastructure in the event of a full-scale U.S.-China conflict.
For all these reasons, China was high on the agenda for last week's Cyber Initiatives Group (CIG) summit, during which intelligence experts, government officials, journalists, and representatives of leading companies spoke about the range of challenges facing the U.S. in the realm of cyberspace. In one special session, some of the nation’s leading experts came together to assess the scope of the China problem, the efforts to deal with it and what more could be done, in the public and private sectors alike.
THE CONTEXT
- On Monday, the U.S. and U.K. imposed sanctions and filed charges against Chinese firm Wuhan Xiaoruizhi Science and Technology and several individuals tied to the Chinese state-backed hacking group APT31. The U.K. Foreign Office accused APT31 of hacking Britain’s Electoral Commission between 2021 and 2022. The Chinese Embassy in London said the U.K. accusations were “completely fabricated and malicious slanders.”
- Also on Monday, officials in New Zealand said they had tied malicious cyber activity in 2021 targeting New Zealand’s Parliamentary Service and Parliamentary Counsel Office to a Chinese state-sponsored cyber actor known as APT40. The New Zealand government raised its concerns with Beijing. The Chinese Embassy in New Zealand rejected the claims as “groundless and irresponsible accusations.”
- The Chinese-sponsored hacking group Volt Typhoon has breached several U.S. critical infrastructure systems for “at least five years” with the long-term goal of launching “destructive cyberattacks,” according to the NSA, CISA, and FBI. The Five Eyes intelligence partners have also published a white paper warning the business sector and critical infrastructure operators of the threat posed by Volt Typhoon.
- A congressional investigation into Chinese-built cargo cranes at U.S. ports has found communications equipment on cranes that does not appear to support normal operations. Some of the cranes manufactured by China’s ZPMC, which accounts for nearly 80% of ship-to-shore cranes in U.S. ports, were found to contain components such as cellular modems, raising fears of potential remote access and espionage. The Biden administration has pledged more than $20 billion to replace foreign-built cranes with U.S.-manufactured ones, citing security concerns.
THE BRIEFING
The Cipher Brief asked experts during the Cyber Initiatives Group 2024 Spring Summit to assess the cyber threats posed by China, and how the U.S. can mitigate them.
This excerpt of the full briefing has been edited for length and clarity.
Cilluffo: I think you're starting to see indications (from China) that we're moving from espionage to potential prepositioning and planning for attack. That is a big deal.
What you're hearing from all of our government officials, whether it's the director of the National Security Agency, whether it's the commander of Cybercom, director of the FBI, you're starting to get a sense that this is beyond CNE (computer network exploitation) and we're starting to get into real concern around potential positioning for attack. Obviously a lot of this hinges around the broader set of issues in Taiwan and what could trigger China to transition from espionage, which they've been doing forever, and that's sort of fair game. But I think you're starting to see concern about intentions escalating.
Ledgett: I think this is something China's been working on for a number of years, at least 15 years that I know of. They are going after critical infrastructure and they are doing it for the express purpose of interfering with the ability of the U.S. to move supplies to Taiwan in the event of a cross-strait conflict. They're doing it to affect the morale of the U.S. population. It's hard to generate enthusiasm for war when your telephones don't work or your power doesn't work or you can't get groceries, that sort of thing.
This is all part of the Chinese plan. And it's separate from (the question): Are they going to invade next year or not? That's a different decision from doing the preparatory work, the cyber work that they need to do to be ready in case they do decide to invade. So they're giving Xi Jinping the flexibility that will let him make that call.
Hayden: I think that when we refer to (China) in the economic sense as a competitor, I think it waters down some of the things they're saying actively in their militarization and their outlook of the world.
And when cyber comes and overlays there, we're just introducing additional risk to those economic and supply chain trails throughout. And so it is a challenge, where they've strategically played their hand to be in a lot of our pocketbooks and our supply chains, at a point where it makes it a difficult or at least a more challenging national security conversation.
Ledgett: I agree. I also think that the U.S. is focused on quarterly returns, quarterly results driven by the profits, and makes decisions in that vein, (while) the Chinese make decisions looking 20 years down the road: Where do we want to be? What do we want the world to look like? And that makes it a hard fight. Couple that with the fragmentation in the marketplace where you've got this gigantic Chinese domestic market and companies really want to get access to that.
And so that positions China to take advantage in a way that the U.S. just doesn't have.
Cilluffo: I do think that in the government environment, we still have not clearly articulated a deterrence strategy. All things said and done, there is a China strategy, and there's a cyber strategy. The two can't be in isolation, they have to be married up, and I think there's a whole lot more that we can do there to make very clear - and aggressively - what is at risk and what is unacceptable.
I think we've taken for granted that democratic principles, norms, and the like will continue to be the beacon as we all hope they will be. But we can't take that for granted. Autocratic regimes and others can utilize technology in ways that can be very powerful and we need to make sure that those principles are part of whatever our response in fact is.
We do need to double down on articulating a concrete deterrence strategy that imposes cost and consequence on bad behavior, makes clear what some of those rules of the road are, and then we have to have the political will to back that up.
Ledgett: The other part of the problem is that the entities that sustain the U.S. economy — Microsoft, Google, Apple, Meta, you pick the large company that comprises most, percentage-wise, of the economic growth of the U.S. over the last number of years — their business model is challenged by our attempt to make data a national security issue, because they have a different business model which is, “Your data is my data and I'm going to use it for advertising and things like that.”
And so there's a real danger there of us over-legislating early on to clamp controls on it, and then poisoning our own economy. We need to make data recognized as national security, and we need to do it in a way that lets those businesses operate the way that they have been, or steer them towards something that's closer to what we want, without cutting them off entirely. That's really going to be the artful part of this.
Hayden: Is there an emerging technology that really has your attention that we might not be focused on well enough, that our adversaries in China may be looking at?
Ledgett: I think that Volt Typhoon, going after the critical infrastructure, has been a wakeup call - at least I hope it's a wakeup call - for the nation. And what you see, if you look at the 16 critical infrastructures - the National Infrastructure Advisory Council did a study a few years back where they looked at the 16 of them, and they said there's three that matter the most: telecommunications, finance and electrical power. And if any one of those goes down, the other two quickly follow and then over time there's a slow degradation of the other ones.
But what you're seeing is an increase over the last six months to a year of attacks on the (U.S.) water supply. That's not something anybody thinks about much, but it's critical to us living the life that we want to, and doing the things that we need to. And it's also complicated, like electrical power and some other critical utilities, managed at the local level where you've got public utility commissions and entities like that that regulate costs. They can't double your water bill to pay for cybersecurity because that would hurt people, but we have to do something to fix that. I think that water and distribution networks, things like the people that deliver gasoline to the gas stations, those sorts of things are, I think, where China is going to go next.
Cilluffo: If you look in the healthcare sector right now, it's entities I've never heard of that are holding a lot of data and very valuable information. You've got data that's aggregated there that is clearly at risk and being exploited largely by ransomware operators, but I'm sure by nation states as well.
And when I look at water, I mean if you're in the Middle East, water really matters when you're in a desert. Israel has been targeted extensively by the government of Iran and its proxies, same with the UAE and Saudi Arabia and others. I think we have some lessons we can learn there that we've seen play out, not at the scale they've seen, but everything that's happened somewhere has the potential to be a preview of a movie coming to a theater near you.
Hayden: And then that kind of brings us to: How do we make sure that we're running at pace with some of these challenges? We have a lot of strong partnerships between academia and government, government and industry. We've gone from no such agency to the National Security Agency, and that's great. There's a lot more transparency into where we see threats, but at the same time we're kind of in this teetering balance: Is it on me, the critical infrastructure operator, to protect myself? What is the government doing to help me?
Ledgett: A few years ago we still had track-1.5 and track-2 discussions going on with China, and I believe those have stopped now - and along the lines of the recently-restarted military hotline that we've got with China, those need to come back because there is value in there. There is value in having those conversations and getting to know people.
I would argue, though, that with critical infrastructure, (the government) needs to raise it with a little bit of feeling behind it, because there is more that could be done. Encouraging the U.S. government to do that is a good thing for infrastructure providers to do.
Cilluffo: The underbelly is small- and medium-sized businesses. That's still where most innovation in our great country comes from. How do we get to them? How do we provide resources for organizations that may not even be able to absorb the simplest of resources?
Ledgett: If we're in problem-solving mode, I think one thing that we could do with the big companies I mentioned is give them some responsibility. Say your job at Microsoft, Google, wherever, is to help protect these small and medium businesses and you do that. It's going to cost you some money, but you're making a lot of money, so it's okay. And we could encourage that, or legislate that sort of thing. I would start with encouraging.
The other thing is, if you want critical infrastructure to be fixed, you're going to have to provide money. Some of it could come from the companies that I described, some of that's going to have to come from rate increases to really make the change that you need to make. And that is a touchy subject because it goes directly to voters, and voters don't want that sort of thing. But at some point it's either that, or learn to speak Chinese.
Hayden: I think everybody would pay just a little bit more on their bills, if it got that drastic. With Volt Typhoon, we have people's home routers getting leveraged against critical infrastructure. The challenge is, how do you get someone actually concerned that their home router could be used against their employer, or their home router could be used against their government if they don't keep it up to date? I mean, there's a hard enough conversation about updating your iPhone, and when it gets more complicated than just saying "Yes," how do we get the general public involved in this? We all have family members that look at you and they're like, "Ugh, again with the patching?" But yes, it has to be done. The public awareness aspect of it is a big deal.
Cilluffo: I still speak to people every day who say, "Who do I call when an incident occurs and what is that 911 equivalent for cyber incidents?" And the reality is we don't have one right now. I know we're doing what we can. But let’s bring along our state and local law enforcement, firefighters, EMS and the like to be part of this solution.
Ledgett: I think that part of the answer is the national cyber strategy that talks about giving responsibility to providers.
I would say to Comcast or Verizon or whomever provides your home internet: You are now responsible for keeping my home router up to date and you can do that remotely and I'll agree to that. I'll sign over and let you do that. And there'll be some subset of the population that worries that the government is going to put its mind-control software in their home router. And so you need a way to address that. But at the end of the day, I think this is really the only solution that is at all economical. Australia tried that a few years ago and they ran into some legal issues and they had to stop, but I still think it's the right way.
Cilluffo: You could have an opt-in function as well, where a vast majority would opt in and then you own some of the consequences if you don't. So I don't think they're necessarily completely at odds. I don't disagree with that at all.
Hayden: 95% of all businesses are small or medium. How are you going to get the large businesses to cover those basic expenses and costs? And the broader regulatory conversation is a tough one. I don't think there's a forcing function as much as a good governance, good citizen, good company compelling function.
Ledgett: I think those are good points. I think also you can have companies contribute to a fund and set up a business that provides services to small and medium companies. And it wouldn't cover every company in the universe, but it would address some of them. That sort of approach is what I would look at. I would not look at it as the government mandating that you must do X, Y, and Z. I think that's the short route to insanity. But you can put in place broad regulation, broad rules that encourage people to do the right thing and give them the space within which to do that.
Cilluffo: The one thing I would add is, I was always "mitigate before litigate or regulate." That was just my mindset writ large. Because I think if you're really trying to induce changes in behavior, you want to build the business case and the incentives to do so.
But again, I think there is the need to help small- and medium-sized businesses. And that's, in my eyes, our biggest concern from a security standpoint.
Hayden: What we've hit on is: China's switching posture in the cyber domain; they've gone from intelligence and information gathering to posturing for disruption; we see an escalation in their adversarial techniques, where they are looking to be interested in finding any inroad into something they want to get their hands on; we're seeing big data grabs for the purpose of AI and we're seeing big data grabs for the purpose of what their future may hold, where we see a very transparent adversary and we see a very strategic adversary. And we're working with our whole of government to get our systems of systems aligned.
Ledgett: I just think that China is the pacing threat facing the U.S. for the next 50 years, and we need to think about it that way. It needs to underpin all of our thoughts as we work through the cyber and national security, and any economic security strategies, and we need to keep it front of mind and keep it on the front burner.
Cilluffo: I very much agree. They're top of the list. That's not to suggest that Russia, North Korea, Iran, you name it, what they lack in capability they can make up for with intent. And the bar is pretty low for anyone to have a significant cyber capability. But when we look at existential, China's at the very top of the list.
The bottom line is, we've got to recognize that we've got to go beyond just saying the scary stuff, and actually put in place manageable programs that can be acted upon. We need a roadmap, and I'm going to come back to this point: We need to articulate a cyber deterrence strategy that has playbooks for specific actors. So - lots to do. We'll be having this conversation in 15 years I think.