We’ve seen what China’s ‘Typhoons’ can do. We can’t wait to prepare for the next attack

In a revealing diplomatic moment this past December, U.S. officials confronted their Chinese counterparts about a series of cyber intrusions into critical American infrastructure – including power grids, water systems and port operations. According to reporting from The Wall Street Journal, Chinese officials tacitly acknowledged responsibility for the hacks, a subdued but incredibly telling admission that should serve as a resounding wake-up call to policymakers and critical infrastructure operators in the United States.
According to the Journal’s reporting, the Chinese officials attributed their growing cyber aggressiveness to increased U.S. support for Taiwan. Since that meeting, tensions have only escalated, with China conducting increasingly sophisticated military exercises near Taiwan and a fast-deepening trade dispute unfolding between the two nations. While open military conflict is not inevitable, cyber warfare would almost certainly play a central role in any confrontation. China’s escalating, highly coordinated attacks on U.S. critical infrastructure make clear that the Chinese Communist Party (CCP) recognizes this reality – and is actively preparing to use cyber capabilities to disrupt a U.S. military response and sow chaos across American society. Their willingness to accept culpability for past attacks clearly shows that the CCP sees strategic value not only in the attacks themselves, but in the fear and strategic confusion they create.
The Volt Typhoon and Salt Typhoon hacking campaigns attributed to China have established footholds in the critical networks that power our economy and safeguard our communities. This pre-positioning within U.S. infrastructure is designed to give China the ability to disrupt essential services and impair readiness in the event of a conflict, while also mapping the digital and physical systems that support their operation. Our cyber defenders have observed the scale, sophistication and frequency of these attacks with growing concern – and by all three measures, the threat is almost certain to intensify. It is critical that policymakers and infrastructure operators take every lesson they can from these attacks and improve our defenses with the same urgency.
Ensuring that our defenders are equipped for this challenge will require a multi-pronged effort. We must ensure that our critical infrastructure operators have the resources necessary to prepare a strong defense, and clear lines of communication with federal resources to share threat information and receive support in the event of an incident. We need to put standards in place that are deferential to the system operators who know their networks best while establishing threat-informed training practices. Finally, we must think critically about what China and other adversaries might do – not just discover what they have done.
Adequately resourcing our cyber defenders has been and will always be a challenge. This is particularly true with smaller water and electric utilities serving rural and mid-size communities. Fortunately, some efforts are underway in Congress to provide additional resources to these communities, but more must be done to match the threat. Policymakers must ensure that federal agencies have adequate funding and personnel in place to prepare for attacks, dynamically respond to threats and, if necessary, respond to incidents.
Knowing the true nature of the threats we face requires a continuous effort to break down information silos within and between both the public and private sectors to allow the efficient exchange of threat information. Congress must reauthorize the Cybersecurity Information Sharing Act before it expires on Sept. 30. Public and private sector collaboration must continuously improve and grow. Clarity needs to be provided to critical infrastructure operators about what federal resources exist to prepare for and respond to cyberattacks, and whom they should contact in the event of an incident. Any ambiguities within the federal government regarding lines of authority or responsibility need to be quickly ironed out in conjunction with private sector operators.
As we improve public and private collaboration and information sharing, we must also improve training efforts, and we must ensure that our incident training matches what we know about the threats we are preparing to confront. This requires dynamic change over time and avoiding bureaucratic or procedural rigidity. Joint public-private training exercises should be expanded and improved.
While regulation can have a place in ensuring preparedness, any new standards and regulations should focus on laying out desired outcomes while leaving to operators the details needed to achieve these goals. The complexities of critical infrastructure systems make it hard for regulators to know all the information they would need for prescriptive regulations to work.
America has never shied away from new challenges. We are a resilient, innovative nation fully capable of confronting the growing cyber threat from China. But to succeed, we must learn from the vulnerabilities exposed by the Volt Typhoon and Salt Typhoon campaigns. China isn’t hiding its involvement because it sees cyber tools as instruments of statecraft and, if needed, of war. We’ve had every warning. It’s time to prepare.