U.S. braces for China to eclipse Russian cyberthreat
“Russia is the hurricane, and China is climate change,” a top U.S. cybersecurity official said Tuesday, underscoring White House warnings about the long-term cyberespionage threat posed by Beijing.
Russia’s hybrid war in Ukraine has captured the global cybersecurity community’s attention, from Moscow’s rapid deployment of wiper malware and cyberattacks on critical infrastructure to warnings from ransomware gangs that they would use “all possible resources to strike back” at Russia’s enemies.
But officials in the U.S. and U.K. are already shifting their focus to what they see as an even greater threat: China.
The White House released on Wednesday its National Security Strategy for 2022, and despite warning that Russia “poses an immediate and persistent threat to international peace and stability,” much of the document was devoted to the Biden administration’s concerns about China.
Beijing “is the only competitor with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military and technological power to do it,” the White House said, echoing concerns voiced by the heads of the U.S. Cybersecurity and Infrastructure Security Agency, the NSA and the U.K.’s cyber intelligence agency, GCHQ.
“Even with our intentional focus on Russia right now,” CISA director Jen Easterly said Tuesday at a talk hosted by the Council on Foreign Relations, “we sort of see Russia as the very urgent threat, almost like Russia is the hurricane and China is climate change.”
GCHQ director Jeremy Fleming went even further during the Royal United Services Institute’s Annual Security Lecture for 2022. Fleming said Tuesday that he was “spoiled for choice” when it came to picking the top cyberthreats facing Britain, whether it be the hybrid war in Ukraine, changes wrought by the pandemic or a spike in cybercrime.
But Fleming said he wanted to provide “the James Webb telescope view, as opposed to binoculars,” into the UK’s national security posture. And that meant talking about China.
The hurricane
CISA, GCHQ and other agencies continue to respond to the threat of Russian cyber operations. That’s part of the reason why the Shields Up campaign, which CISA introduced in February, has continued.
“The Russians are very unpredictable — their back is up against the wall,” Easterly said. “We’ve seen these horrific kinetic attacks against civilian infrastructure, and we may be seeing a lot worse coming. We need to ensure that we are prepared for threats, for incursions against our critical infrastructure, whether it’s state-supported actors, criminally aligned ransomware groups or even the cascading attacks with attacks on Ukraine that could bleed over to Russia or bleed over into the U.S. as we saw with NotPetya in 2017.”
Before CISA told American organizations to put up their shields, U.S. Cyber Command (CYBERCOM) was actively helping other countries secure their networks via “hunt forward” operations. Gen. Paul Nakasone, director of CYBERCOM and the NSA, said Tuesday that the U.S. has “done 37 operations, 20 nations, on 55 different networks,” since 2018, including one in Ukraine that started in November 2021 and continued into 2022.
“This is an opportunity for us to help our partners,” Nakasone said in the panel moderated by The Record’s Dina Temple-Raston. “It’s also a way that we think about, how do we secure the United States, and how do we look at the malware that we see?”
The answer, at least in recent months, has been for CYBERCOM and the NSA to provide information about that malware to other federal agencies as well as their partners in the private sector.
“This is why this campaign against malware, I think, is so important,” Nakasone said. “Being able to stay ahead of the adversary. What are they using? If they’re using that, let’s share it with a series of cybersecurity firms to have them rip it apart and see if they can attribute it, and then if they can attribute it, or even if they can’t, let’s go ahead and publish it. Then suddenly it’s signatured [everywhere].”
These efforts are roughly analogous to hurricane response. Someone has to warn people of potential threats; someone has to determine how prepared anyone in the path of that threat is; and someone has to respond to that threat before, during and after the actual incident. Collaborating with other agencies, and with private companies, can help whether the threat is a hurricane or a cyberattack.
The climate
It’s clear that Easterly and Nakasone have taken the threat posed by Russia seriously. Why, then, did they and their U.K. counterpart separately say that China is even more of a threat?
Some of it has to do with Russia’s war with Ukraine. “Far from the inevitable Russian military victory that their propaganda machine spouted,” Fleming said Tuesday, “it’s clear that Ukraine’s courageous action on the battlefield and in cyberspace is turning the tide.” Russia’s perceived dominance in offensive cyber operations has been challenged due to Ukraine’s resilience and assistance from the U.S. and U.K.
That hasn’t been the case for China, whose technological influence extends far beyond the realm of cybersecurity.
“What I do think is really important to pause on,” Easterly said Tuesday, “is to think about where we’re going to be in the next 10 or 15 years if we don’t make the right investments in technology, in human capital, in intellectual capital… because if we don’t, I really fear that we and the rest of the like-minded nations in the West are going to lose that battle for technological innovation.”
Fleming said technology has “become not just an area for opportunity, for competition and for collaboration, it’s become a battleground for control, values and influence.”
That means concerns about China’s growing influence on technology, whether it’s by normalizing surveillance or influencing global standards, aren’t just economic problems; they’re national security issues.
What it means for cyber
China has also become increasingly active — or at least its activity has come under increasing scrutiny — in the cybersecurity realm in recent years.
While Beijing has routinely denied targeting the U.S. with cyberespionage, CrowdStrike said in its 2022 Global Threat Report that China had become “the leader in vulnerability exploitation” due to its growing use of publicly disclosed security flaws in popular software in its operations.
Mandiant, meanwhile, said in its M-Trends 2022 report that it expected “cyber espionage activity in support of China’s national security and economic interests will continue to accelerate in the coming year.” It also reported on two influence operations, one related to potential competition with China’s rare earths mining industry and the other focused more on swaying public opinion about the Chinese government and its rivals.
Meta said in September that it had disrupted “a small network that originated in China” targeting the U.S. as well as the Czech Republic and Chinese and French speakers elsewhere as part of its ongoing efforts against what it calls “coordinated inauthentic behavior.”
“This was the first Chinese network we disrupted that focused on US domestic politics ahead of the midterm elections, as well as Czechia’s foreign policy toward China and Ukraine,” Meta said. “Chinese influence operations that we’ve disrupted before typically focused on criticizing the United States to international audiences, rather than primarily targeting domestic audiences in the U.S.”
Most recently, Symantec reported Thursday that a China-linked espionage group it tracks as Budworm had targeted “a U.S. state legislature,” saying it was “the first time in a number of years Symantec has seen Budworm targeting a U.S.-based entity.” CISA published a separate report on Budworm on Oct. 5, leading Symantec to say that “a resumption of attacks against U.S.-based targets could signal a change in focus for the group.”
This activity doesn’t seem particularly impressive compared to some of Russia’s cyber operations. But that’s the thing about climate change — it’s more subtle than a hurricane, and its effects aren’t usually felt as acutely, but in the long term it will prove even more dangerous.
CISA, the NSA and other agencies demonstrated their concern about Chinese offensive cyber operations earlier this month. As the Russian hacking group Killnet targeted websites operated by state governments and U.S. airports with distributed denial-of-service attacks, the agencies put out a joint cybersecurity advisory detailing the “Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors.”
“Inflection point”
These concerns about Beijing’s cyberespionage aren’t new. Former U.S. Attorney General William Barr said in 2020 that some of the most high-profile hacks of American organizations in the preceding decade, from data brokers like Equifax and Anthem to the U.S. Office of Personnel Management, were conducted on behalf of the Chinese government.
China is also said to have spied on semiconductor firms in Taiwan to bolster its own chip industry; targeted defense contractors to hasten the development of its own fighter jets, aircraft carriers and defense systems; and hacked “dozens” of U.S. government agencies, software makers and tech companies in search of “data that could offer insights into foreign or trade policy.” (With the odd “cryptojacking” operation thrown in for good measure.)
The U.S. federal government has responded to perceived threats from China with a number of actions: the introduction of export rules meant to hobble China’s nascent semiconductor industry, increased support for Taiwan’s independence and reported plans to ban telecommunications products made by Huawei and ZTE over national security concerns.
“In the competition with the PRC, as in other arenas, it is clear that the next ten years will be the decisive decade,” the Biden administration said in its latest national security strategy. “We stand now at the inflection point, where the choices we make and the priorities we pursue today will set us on a course that determines our competitive position long into the future.”