We’re In for a Rude Awakening on Cybersecurity
source: city-journal.org (contributed by FAN, Steve Page)
America remains ill-prepared for Chinese hackers targeting critical infrastructure.
It’s a crisis that almost no one is talking about. The Chinese Communist Party is now the world’s preeminent practitioner of cyber warfare. Once notoriously loud and clumsy, the CCP’s hackers have become stealthy and sophisticated. They’re intercepting the calls and texts of our leaders and infiltrating servers at our ports, power plants, and water-treatment facilities. Yet hardly anyone seems to care. When Congress held hearings on cybersecurity late last year, only a handful of journalists bothered to cover them.
In September, the Wall Street Journal revealed to the public a Chinese hacking operation known to American authorities (thanks to the naming conventions of wonks at Microsoft) as Salt Typhoon. Since mid-2023, if not earlier, the group has been assaulting our telecom firms, compromising at least nine of them. It has focused on breaking into wireless networks in and around Washington, D.C. The campaign has won the CCP access to revealing data, such as call, text, and IP logs, on more than 1 million targets. Beijing appears, at minimum, to have gained a thorough understanding of when and how senior American officials communicate with each other, but in many instances, it has obtained the content of calls or texts, as well. The haul likely includes conversations featuring Donald Trump, J. D. Vance, top congressional staffers, and members of the intelligence agencies.
To stop the bleeding, the FBI has instructed federal employees to use end-to-end encrypted apps such as Signal, an abrupt and ironic about-face from an agency that has long pressed for backdoor access to such services. It will be some time before FBI officials can again argue for more backdoors with a straight face—especially given that Salt Typhoon has also exploited existing ones that our government uses for domestic snooping. The flaws in these wiretap systems have presumably gifted the CCP invaluable insights into which of its spies we know about and which we don’t.
Maybe the most disturbing thing about Salt Typhoon is that, almost a year after discovering it, Washington still doesn’t have a handle on the problem. No one knows if the hackers have been ejected. Some national security officials worry that we may never know.
Then there is “Volt Typhoon.” Since at least 2019, this group of Chinese hackers has been entering, exploring, and preparing to disrupt computers used to run critical infrastructure. We must assume, at this point, that malware lies dormant in the digital underbelly of our railroads, airports, electricity grid, gas pipelines, and more. Though these hidden bugs could be used in many frightful ways, the CCP seems primarily to be laying the groundwork for the conquest of Taiwan. As it launches an invasion, it will seek to ensure that the U.S. military cannot move troops or supplies or communicate with bases or ships, and that ordinary Americans must sit by without water, power, Internet, or transportation. The goal will be to foist on us both military incapacitation and societal panic, the better to defeat us in war and discredit liberal democracy.
While we cannot know what steps the federal government has taken behind the scenes, the Biden administration’s public posture was unequal to the seriousness of the threat. Chinese companies that assist Salt Typhoon, while doing no business here, have nothing to fear from the Treasury Department’s sanctions. The CCP probably laughed when Jake Sullivan, Biden’s national security advisor, “sent clear messages” (his words) not about how the U.S. will retaliate for Volt Typhoon now, but about what the U.S. might do if the CCP unleashes its uploaded viruses. That Biden issued an executive order on cybersecurity a mere four days before leaving office underscores his lack of urgency.
The Trump administration must do better. The expert witnesses at a recent hearing before the House Homeland Security Committee broadly agreed on the most urgent tasks. We need more and better planning for “continuity of the economy”—making sure, as one witness put it, that our infrastructure can still “operat[e] in a degraded state” following a cyber-attack. We must streamline federal, state, and local cybersecurity regulations. We should create ROTC-style programs that train computer-science students, then channel them into the federal workforce. Above all, we must maintain our lead in AI research and development. On that front, Trump is off to a good start. He has repealed the Biden administration’s caution-first AI executive order, endorsed a massive AI investment program, and asserted, in one of his own executive orders, that we must “solidify our position as the global leader in AI.”
One of the unsung achievements of Trump’s first term was the creation, in 2018, of the Cybersecurity and Infrastructure Security Agency (CISA), which has strengthened the federal government’s cyber defenses and coordinated the private sector’s response to Chinese (and Russian, Iranian, and North Korean) cyber-attacks. CISA drew Trump’s ire when its then-director vouched for the integrity of voting machines in the 2020 election. The agency also angered conservatives by facilitating the removal, from social-media platforms, of content declared disinformation by election officials or Internet researchers. Nearly half of House Republicans once voted to reduce CISA’s funding, and Kristi Noem, the incoming Secretary of Homeland Security, has vowed to “refocus” the agency.
Whatever one makes of these controversies, they shouldn’t derail CISA’s vital cybersecurity work. Neither election security nor social-media monitoring (or, if you like, meddling) has ever accounted for more than a minuscule fraction of CISA’s budget. In any case, the 2020 election was secure from cyber threats, and the so-called switchboarding that CISA did—forwarding complaints about social-media content—ceased years ago. “I don’t expect that [budget vote] would happen again,” a GOP House member recently said, since “everybody” now “knows that cybersecurity is a top issue.” Let’s hope so. If Congress needs to work protections against mission creep into CISA’s budget, so be it. But it’s crucial to American national security that CISA be strong.
Shortly after resuming office, Trump dismissed the entire Cyber Safety Review Board. The CSRB was created by executive order under the Biden administration, so Trump is well within his rights to reconstitute it, or to promote cybersecurity through different means altogether. As its name suggests, moreover, the CSRB is an advisory body that issues reports reviewing cyber incidents. It had been tapped to investigate Salt Typhoon, but it was in no sense leading the charge to secure our telecom networks and was unlikely to issue its report for at least six months (its members, when dismissed, had reportedly barely started moving). Democrats are citing Trump’s move against the CSRB as a sign that he is soft on cybersecurity. At present, the claim seems baseless—but it will be up to the new administration to prove as much going forward.
Our cybersecurity will never be perfect, and no matter how good it is, it will not deter Chinese aggression. As outgoing FBI director Christopher Wray frequently noted, the CCP’s state-sponsored hackers outnumbered the cyber personnel at his disposal at least 50 to one. “We’ve played defense for too long,” Tennessee representative Mark Green announced, as he chaired the recent Homeland Security Committee hearing, “and now it’s time to go on offense.”
To that end, John Ratcliffe, the new CIA director, has pledged to step up covert operations against the CCP. He should receive the support he needs. He may have to rely heavily on offensive cyber capabilities, as human intelligence remains elusive. Between 2010 and 2012, the CCP systematically imprisoned or executed more than a dozen CIA informants—brave souls exposed and betrayed, it would seem, by yet another American cybersecurity failure. Our spying apparatus in China has yet to recover.
“The Chinese aren’t that interested in making a [cyber] deal with us,” a leading cybersecurity expert reported a month before Biden left office. “I was there in September and they basically said, ‘You’re on a downhill path, why should we deal with you now?’” On one level, this is simply the hauteur you’d expect from Chinese mandarins fed a steady diet of propaganda about Western disorder and the Thucydides Trap. But not all propaganda is false. Viewed from the outside, the United States undoubtedly appears more interested in culture war than cyber war. Unless our political leaders and national security officials strive mightily to prove that looks can be deceiving, we are in for a rude awakening on the terrible morning that, all of a sudden, the power is off, taps run dry, planes are grounded, and the Internet is down.