China’s offensive cyber capabilities have been under the scanner for a few years now. Even though China does not have a formal cyber offensive strategy, the capability mix and the changing approach that China has developed in the cyber offensive realm remain quite consequential.
A recent U.S. House Select Committee on the Chinese Communist Party (CCP) hearing disclosed a lot about China’s growing offensive cyber prowess. The hearing titled “The CCP Cyber Threat to the American Homeland and National Security” revealed Beijing’s interests in targeting U.S. infrastructure, the disruption of which would “wreak havoc,” creating enormous harm to American society at large. The hearing included statements from Federal Bureau of Investigation (FBI) Director Christopher Wray, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, and U.S. Cyber Command Chief General Paul Nakasone.
In his opening statement, Wray said that “the CCP’s dangerous actions – China’s multi-pronged assault on our national and economic security – make it the defining threat of our generation.” He added that the threat posed by the CCP to the United States’ critical infrastructure – including water treatment plants, the electrical grid, oil and gas pipelines, and the transportation sector – has received very little public focus. Wray remarked that “China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities.”
According to Wray, China’s cyber offensive is not merely about planning for future conflict. Rather, he said, “today, and literally every day, they’re actively attacking our economic security – engaging in wholesale theft of our innovation and our personal and corporate data.” Also, Wray asserted that China plans to not merely target the U.S. military, but attack “across civilian infrastructure… Low blows against civilians are part of China’s plan.”
Wray’s comments also highlighted that the threat from China is not just its cyber offensive capabilities. He asserted that China is “vastly more dangerous by the way they knit cyber into a whole-of-government campaign against us.”
But Wray assured the Committee that the FBI is “laser-focused” on the cyber threats coming from China and that it is working with multiple partners internally and externally, including the domestic private sector, key government agencies, and U.S. allies abroad. Wray also briefed the Committee about an operation from a few days ago, where the United States and its partners “identified hundreds of routers that had been taken over by the PRC state-sponsored espionage and hacking group known as Volt Typhoon. The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors.”
CISA Director Easterly as well as Nakasone, commander of the U.S. Cyber Command, who was also part of the hearing, referred to Volt Typhoon as one of the most significant threats from China. Easterly added that based on Volt Typhoon and other Chinese cyber intrusions, CISA has strengthened partnerships across different U.S. agencies, including industry as well as its partners, in order “to proactively reduce risks in the face of the most pressing threats.”
In detailing the FBI’s efforts at addressing China’s cyber threats, Wray said that the FBI has issued several Joint Cybersecurity Advisories on PRC State-Sponsored Cyber Actors, which provide details including China’s “tactics, techniques, and procedures (TTPs) that can be used by network defenders to both find and prevent malicious cyber actors from accessing their networks.” The FBI’s efforts include working with and pooling resources with multiple stakeholders, including cybersecurity industry professionals who may be on top of developments involving cyber vulnerabilities.
When Wray was asked about the risks posed by Chinese apps like TikTok, he said that a critical starting point is “the role of the Chinese government.” He claimed that the company is effectively under the thumb of the Chinese government.
Easterly also noted China’s pernicious cyber offensive capabilities, including in targeting critical infrastructure. She added that the Chinese cyber threats are not theoretical, and that CISA teams have found and eradicated Chinese intrusions in many sectors.
According to Easterly, countering Chinese malicious activities and strengthening the resilience of critical infrastructure, or even retaliating, will all still be insufficient because “unfortunately, the technology base underpinning much of our critical infrastructure is inherently insecure.” Greater emphasis is now being placed on security from the time of design in order to remove the vulnerabilities. Easterly went on to outline additional measures that must be put in place to enhance the cyber resilience of critical infrastructure by inculcating a sense of security from the time of designing a product.
Other experts have reached somewhat similar conclusions about the United States’ cyber defenses. In testimony before the U.S.-China Economic and Security Review Commission on China’s cyber capabilities in February 2022, Winnona DeSombre of the Atlantic Council and Harvard Belfer Center stated in unambiguous terms that the U.S. “does not currently have adequate cyber defenses, personnel, supply chain security, or international technical and standards leadership to rival China long-term.”
In his testimony, Nakasone categorized China’s cyber threats as “persistent,” but he was a lot more optimistic about U.S. capabilities, which he characterized as “very, very good – the best.” He added that the United States will continue to “maintain its supremacy in cyberspace.”
The cyber vulnerabilities faced by the U.S. are by no means unique. India remains equally vulnerable to and concerned about China’s cyber offensive capabilities. China’s state-backed actors have carried out cyber attacks on Indian critical infrastructure including one on the electricity grid that caused a massive power outage in Mumbai in October 2020. The power outage in 2020 reportedly caused delays in the running of trains as well as shut down Indian stock exchanges and hospitals for hours.
These U.S. House hearings should serve as a huge repository of knowledge for India on China’s advances in the cyber offensive arena and accordingly inspire India to build better resiliency as well as redundancy to avoid any major shutdowns as happened in October 2020. This calls for more intense collaboration between India and the United States as well as other like-minded partners who are subjected to similar cyber attacks emanating from China.