Ever since China’s ‘Salt Typhoon’ hacking operations against US telecom networks was uncovered, there’s been a lot of discussion about “hacking back”. Now, what actually constitutes hacking back is somewhat of an enigma. Some believe that the US needs to do to China what they’re doing to us, whilst others think going further and launching offensive cyber operations against their infrastructure may serve as a deterrence. I’d like to share my thoughts on both.

Recently, I came across this Lawfare blog, titled “Why America Needs Its Own Salt Typhoon”. The article cites several quotes from Senator Mark Warner, who is Vice-President of the Senate Intelligence Committee, and one of very few senators paying close attention to cybersecurity.

Your diplomatic pushback on the Chinese would be a hell of a lot stronger, if the U.S. could tell China, We’re going to go into your networks the exact same way you go into ours.

It suggests two things:

1. That the US is not infiltrating Chinese networks in the same way they are doing to US networks.
2. That hacking Chinese networks would act as a deterrence against future Chinese state-sponsored intrusions.

I Find both of these ideas extremely flawed. But first, let me explain a bit about ‘Salt Typhoon’, as well as introduce ‘Volt Typhoon’, which I personally believe to be a far more serious threat that is not getting anywhere close to the media attention it warrants.

There’s a lot of public confusion about all the different ‘typhoons’. As a matter of fact, I myself often get confused. Now, that’s not to say it’s because I lack the relevant expertise, it’s just an unfortunate side effect of how the cybersecurity industry operates. ‘Typhoon’ is part of Microsoft’s naming convention, it’s their classifier for Chinese state-sponsored threat actors. The prefix appears to just be a random word that distinguishes between different China-backed operations.

Each vendor has their own naming convention which they use to categorize and distinguish malicious actors or activity. The criteria for what constitutes different groupings is usually internal to the specific vendor, as is the intelligence used to attribute different activity to different groups. That’s a lot of words to say basically, nobody but Microsoft and their partners knows for sure who’s who or what’s what in the world of typhoons, but we can get a basic idea from public reporting.

Salt Typhoon

Arguably the most high profile of the Typhoons, Salt Typhoon is responsible for the significant US telecom breach disclosed in August 2024. The threat actor was able to breach almost every major US telecom company, primarily by exploiting vulnerabilities in network hardware such as routers and switches. While investigations are still ongoing and the full extent of the intrusion is not known, it appears the intended targets were systems associated with something known as the Communications Assistance for Law Enforcement Act of 1994 (CALEA).

CALEA was designed to facilitate court-ordered wiretapping of targets under active surveillance. It enabled Law Enforcement to provide telecom companies with a list of phone numbers they intend to monitor. The CALEA system provided two levels of wiretapping capabilities:

1. Recording of call and text metadata such as who contacted who, from where, when, and for how long.
2. Realtime monitoring of phone calls and text messages, allowing law enforcement to actively listen in on a target’s communications.

While initially these systems were not legally required to store any data, only provide realtime interception capabilities, over the years their scope has expanded. The full range of capabilities of these systems is not publicly known, but since metadata is often stored for months to years, it’s possible such systems may also provide retroactive access to metadata. Whether calls recordings and text message logs are store by these system is also unclear.

Salt Typhoon were able to successfully breach CALEA systems at several major telecom companies, which would have granted them the following capabilities base on what is publicly known about the system:

• The ability to see which phone numbers are currently under surveillance.
• The ability to intercept phone calls and text messages from targets of their choosing.
• The ability to access metadata tracking the times calls or texts were made, and to who.
• The ability to see which cell tower a communication was made from, revealing a targets approximate location.

While the investigations are likely highly classified, it has been publicly reported that the threat actor was able to spy on phones belonging to the current President and Vice President of the United States.

Volt Typhoon

A threat actor which primarily seems to target critical infrastructure organizations and major industries within the US and its territories. While Salt Typhoon appears to be entirely espionage focused, Some of Volt Typhoon’s activities suggest more militaristic goals. In many reported intrusions, the group was found to be performing reconnaissance on Operational Technology (OT) networks, as well as searching for information about disaster recovery plans.

OT networks are collections of computer responsible for controlling industrial systems, such as assembly lines, power stations, and water treatment plants. Unlike IT networks, these systems don’t contain information which is of traditional espionage value. Instead, Volt Typhoon’s focus on gathering intelligence on how these systems operate and their disaster recovery plans suggests the group is likely developing capabilities to disrupt or disable US industrial and critical infrastructure.

Volt Typhoon’s activity seems reminiscent of early Russian intrusions into Ukrainian power infrastructure. Hackers spent years breaking into these networks, mapping connected systems, learning about their operating procedures, failsafes, and recovery plans. The acquired intelligence and access enabled them to build BlackEnergy3 and Industroyer, two pieces of malware which were used to cause massive power outage across Ukraine.

Covert Proxy Networks

One problem faced by Chinese threat actors is that many secure US networks are closely monitoring (or even outright blocking) network traffic originating from China. Historically, Chinese hackers have gotten around this by purchasing servers from US cloud providers, performed their intrusions from there instead. As US service providers began to more closely monitor their networks, this too became risky.

More recently, several nation-states, not just China, have addressed this problem by building networks of compromised devices, commonly known as botnets. The internet is full of unsecure internet-enabled devices. Smart fridges, security cameras, internet routers; you name it, it can probably easily be hacked. By mass compromising these systems, hackers can use them to covertly route traffic across the internet in a way which goes undetected. By connecting into secure networks from hacked devices situated in US homes and businesses, hackers can blend in with daily work-from-home or business-to-business network traffic.

One huge benefit of these covert proxy networks is there is an endless supply of unsecured devices to hack. Big corporations, cloud providers, and government agencies typically have large budgets for security monitoring, but consumers and small businesses do not. As a result, threat actors can simply hack poorly secured US systems, then in turn use those systems to hack into more secure networks. This is just one of the many reason why cybersecurity is a collective problem, not something that can be solved on a network by network basis.

Other Chinese Activity

It’s important to understand that while only a handful of ‘Typhoons’ have made international news, it’s not the case that the US is just dealing with a small number of China-nexus threat actors. Chinese state-sponsored cyber operations are vast and plentiful, spanning multiple government agencies, as well as many private companies and even individuals.

There appears to be some belief, at least among some thought leaders, that securing cyberspace is simply a case of addressing a handful of hacking groups. This is not even close to reality, it’s just a perception stemming from Salt Typhoon and Volt Typhoon being used as metonymy for Chinese state-sponsored hacking in general.

One claim I’ve been seeing a lot is the one that the US could deter Chinese hacking by responding in-kind. This is the assertion that I’m by far the most skeptical of. While I’m not privy to any US intelligence operations, thus can’t confirm what they are/aren’t doing, we can draw upon the 2014 Snowden Leaks for some insights.

For background, Edward Snowden was an NSA contractor who was a system administrator and architect for the NSA’s computer systems, and as such had highly-privileged access to those systems. Typically, classified operations are extremely compartmentalized and run on a need-to-know basis; however, given Snowden’s access to the systems which stored documentation for those operations, he had broad access to information about many of the NSA’s most classified operations. He later turned whistleblower, leaking troves of documents to the media.

There’s many leaks of strong relevance here, but I’m going to focus on just a few.

Important Background Based On Publicly Known Hacking Operations

First detailed by The Intercept, this was a GCHQ-lead operation which compromised Belgium’s biggest Telecom company, Belgacom. The leaked details about the operation bare striking resemblance to Salt Typhoon’s breach of US telecoms, with not just the company’s IT systems being compromised, but also the routers which comprised their core network. The purpose of this operation was also almost identical: to enable surveillance of cell phones whose traffic passed through Belgacom’s network.

Since the leaked documents were stolen from the NSA’s computer systems and reference the use of tools publicly attributed to the NSA, the NSA at the very least knew about the operation before it was public. The most generous reading of this is that GCHQ independently, without the NSA’s knowledge, used their tools to hack Belgacom, then informed the NSA only after the fact. The more likely reading, is that the NSA knew the whole time. Belgium is a founding member of NATO, and it seems unlikely that the UK would hack a fellow NATO member without running it by the US first.

Operation Shotgiant

Another operation, this time reported on by the New York Times, details an NSA operation against the Chinese tech giant Huawei. The leaks suggest that the NSA breached Huawei’s servers with two distinct goals.

Firstly, the US wanted to prove Huawei had ties to the Chinese military, known as the People’s Liberation Army. The PLA was, at the time, the entity primarily responsible for the majority of Chinese state-sponsored intrusions into US systems. They were involved in everything from intelligence gathering, to stealing intellectual property to help Chinese companies improve products.

The second goal of the Huawei breach was to gather intelligence about Huawei’s products, which would better enable the NSA to compromise them. Huawei is a major global manufacturer of telecom equipment, which is deployed both inside China’s telecom networks, as well as abroad.

NSA’s Interdiction Program

The interdiction program was a collection of NSA operations focused on supply-chain compromises. The leaks suggest that the NSA would intercept shipments of computer hardware such as servers and routers being delivered to targets, redirect them to a secret facility where they’d be unboxed, backdoored, then sent on their way to the original customer.

The leak documents details the NSA being able to compromise Syria’s GSM backbone, which they claim had never before been done. This goes a far beyond what Salt Typhoon were able to accomplish by through hacking, as the NSA was able to pre-position devices they’d already backdoored into target networks.

So, Does The US Need Its Own Salt Typhoon?

While I can’t say for sure the NSA is performing Salt Typhoon style intrusions into Chinese networks, the leaks tells us a lot. Although the Snowden leaks were published in 2013, many of the operations detailed in them happened much earlier. If US intelligence partners were performing Salt Typhoon like attacks on their own allies in 2010, the NSA has been backdooring routers for decades, and there’s publicly known cases of the NSA hacking Chinese networks and Chinese companies, I’d hazard a guess and say if the NSA isn’t doing Salt Typhoon style intrusions against China, it’s because they simply don’t need or want to.

The NSA isn’t known to be particularly reserved in their extent of their hacking. They were famously involved in the development of Stuxnet, which was the first documented case of a malware designed to cause physical damage to industrial hardware. The virus was able to set back Iran’s nuclear weapons program by rapidly ramping up and down the speed of their uranium enrichment centrifuges, causing them to fail critically and need to be replaces.

To answer the Lawfare blog, I’d say no, the US does not need its own Salt Typhoon.

Could In-Kind Responses Act as a Deterrence?

What I do find curious is that Senator Warner is vice-chair of the Senate Intelligence Committee, so would be privy to US intelligence operations, thus could definitely answer the question “is the US doing to China what China is doing to the US?”. From a national security standpoint, the US would be extremely unlikely to disclose such capabilities or a lack thereof, so we can assume his statement is simply intended to build support for cyber as a deterrence, knowing the intended audience is unlikely to ask “but aren’t we already doing that?”.

Let’s, for argument’s sake, say the US isn’t already responding in-kind to Chinese cyber-intrusions. If the position one wishes to take is that China is violating the norms of cyberspace, then it doesn’t exactly make for a strong argument if you immediately start violating the exact same norms in response. In fact, all this would likely achieve is the establishment of a new set of norms, ones in which everyone is fair game.

Personally, I don’t believe for a second the US isn’t already responding in-kind. I think that what China did with Salt Typhoon, while embarrassing for the US, was well within the norms of cyber espionage. Therefore, there is no argument to be made that an in-kind response would deter such activity, or we wouldn’t even be having this discussion in the first place. Which leave only one other possible avenue for deterrence: escalation.

What actually are Offensive Cyber Operations?

Offensive Cyber Operation (OCO), is a term often confused by many outside of the military & intelligence space. Hacking in and of itself is offensive, not defensive, thus many people incorrectly conflate OCO with hacking in general. However, in military terminology hacking, or more specifically Computer Network Exploitation (CNE), is not considered OCO in and of itself. CNE can be used to intrude into foreign systems for espionage purposes, which is treated much the same as physical espionage.

Offensive Cyber Operations, in the context of hacking, is the use of CNE to deny, degrade, disrupt, or destroy adversary computer systems or operations. It requires intent to cause disruption, rather than disruption simply being a second-order effect, such as operators having to shut down a network to investigate and remediate an intrusion. This is where the general-public often gets confused, as cyber-intrusions are inherently disruptive, and can even cause unintended damage.

Why So Much Confusion Around Offensive Cyber Operations

Something I discussed in my recent keynote ‘The Future Of Cyber-Attacks’, is the fact that it’s a commonly held belief among the general public that state-sponsored offensive cyber operations against the US are already a common occurrence. The average American does not see these intrusions as a case of countries engaging in cyber-enabled espionage against each other, but as an unprovoked attacks on the United States. This is a sentiment we’ve seen before in response to intrusions from other adversaries too. Some of you may remember pundits going as far as calling for war with Russia in response to the SolarWinds breach.

I’ve often made the case that I believe the general confusion around OCO stem from a combination of two different factors.

Firstly, the term ‘cyber-attack’ is colloquially used as a catch-all for any form of cyber-intrusions. Since the word ‘attack’ is typically associated with an intentionally destructive act, it implies destructive intent. And of course, when you put malware designed to cause power outages and espionage in the same bucket, there’s bound to be some confusion.

Secondly, there is both an implicit and explicit information asymmetry when it comes to cyber-intrusions. Egocentric bias dictates that people tend to pay more attention to events that affect them, and as such, are intrinsically more likely to be more aware of cyber-intrusions against their own country, rather than some far away foreign nation. But on top of that, there’s also a clear difference between how the US responds to cyber-intrusions compared to its adversaries.

Since the US political system is much more sensitive to public opinion, the US government has a tendency to be extremely vocal about cyber-intrusion, and in some cases even overplays their severity and significance as a means of building political capital. Eastern countries, on the other hand, tend to download or even cover-up instances of foreign intrusions into their systems, treating them as a source of embarrassment. Consequentially, even if the public where to pay equal attention to both domestic and foreign media, they’d still hear about exponentially more instances of foreign adversaries breaching US systems than the reverse, regardless of reality.

So, Would Offensive Cyber Operations Deter China?

Imposing Cost

One common buzzword you’ll hear a lot in cybersecurity is “imposing cost”, which is just a way to say “making the adversary’s operations more expensive”, ideally in the hope of deterring them entirely, or at the very least, reducing their impact and frequency. There’s two main means by which to impose cost on an adversary: defensively and offensively. By bolstering cyber defences, it simply makes it hard and more expensive to hack US systems. Whereas offense is a little more complicated.

When it comes to offensive cyber operations against cybercrime actors, it’s a much simpler equation. At the end of the day, cybercrime is a business, and financially motivated threat actors care only about profits. Cybercriminal also typically have significantly less resources than nation-states, so it’s not particularly difficult for a nation-state or even a private company to impose significant cost. Well orchestrated disruption operations against cybercrime infrastructure can take months to recover from, as well as cause 7-8 figures in financial losses in terms of both lost revenue and seizure of funds.

Imposing cost on a nation-state, however, is a whole different ball game. With the exception of North Korea, state-sponsored actors are not typically financially motivated. In fact, cyber operations are often huge cost centers, with states funneling billions of dollars into developing cyber capabilities and gathering intelligence. This makes it far more difficult to quantify value, and therefore calculate the right cost to impose. It’s also much harder to identify and disrupt adversary controlled infrastructure, as they tend to operate much more covertly.

The Nation-State Cost-Benefit-Analysis

The calculus for nation-states can be increasingly complex and is often misunderstood. One very recent example I’d point to is Russia’s invasion of Ukraine. In the run-up to the invasions, many reputable think-tanks and even foreign governments were refuting the US government’s assessment that an invasion was imminent. The core of their argument was that Russia stood to lose much more as a result of international sanctions than they could have possibly gained had the invasion been successful. But to many people’s surprise, they did it anyway.

Similarly, North Korea and Iran have continued developing nuclear weapons despite heavy international sanctions. The US and its allies have continually conducted both offensive cyber operations and conventional military operations against Iran’s nuclear program, yet they remain undeterred. In the case of North Korea, the sanctions have weakened their economy to the point where they’ve resorted to engaging in state-sponsored cybercrime, yet still continue to peruse their nuclear aspirations.

It’s extremely difficult to accurately estimate what cost, if any, would deter a nation-state from building weapons, launching military operations, or engaging in espionage. And the case with China is no different.

For China, There May Be No Cost Too Great

As I mentioned earlier, it seems highly likely that Volt Typhoon’s goal is to aid China in building capabilities to disrupt US critical infrastructure. During President Biden’s term, he had said that US forces would defend Taiwan in the event of a Chinese invasion. Thus, China’s capabilities are likely intended to act as a deterrence against the US. Making it clear that they could impose cost on the US, should the US come to Taiwan’s aid.

Given that the US is a military superpower with forward bases in over 80 countries, China would be at an extreme disadvantage in a purely kinetic conflict. However, cyber-capabilities could swing things in their favor. While the US has invested significantly in almost all forms of kinetic defence, it’s cyber-defence capabilities are well known to be notoriously weak. China’s ability to cause disruption to the US economy and critical infrastructure could prove invaluable during a military confrontation.

One point of note here is how quickly the US public lost their appetite for supporting Ukraine in its defence against Russia’s invasion. Much of this sentiment was driven by disinformation feeding into people fears about their own economic situation, as well as the unrealistic prospect of the conflict escalating into nuclear war or WW3. Having seen how easy it was for Russia to degrade US support for Ukraine purely via information warfare, China may see the very real threat they pose to US infrastructure as a potential win condition. If that is indeed the case, then there may be no amount of cost likely to deter China from continuing its cyber-intrusions, not even an actual war.

Again, for the sake of hypothesis, let’s say there is some amount of offensive cyber operations that would cause China to cease or dial back its own cyber operations against the US. The question then becomes, can the US afford that cost?

Here I’d like to highlight another quote referencing Senator Warner’s same interview at the Munich Security Conference.

Warner said that replacing aging and vulnerable networking equipment could cost the telecom companies tens of billions, while evicting the Chinese from every nook and cranny inside the nation’s sprawling phone system could take 50,000 people and a complete shutdown of the network for 12 hours.

While I was unable to find the full transcript of the interview, and it’s unclear if Senator Warner intended to use this point as an argument for why the US need to be more hawkish on China, the Lawfare blog post frames it this way. personally, I go in completely the opposite directly here, and would argue it’s a good reason not to risk any escalation with China, at least not yet.

Senator Warner is absolutely correct here, one of the reasons Salt Typhoon happened, and is yet to be remediated, is the extreme cost of doing so. Many of these telecom companies are running hardware that’s past end-of-life, thus no longer supported by the vendor. This means there’s no security updates available to fix the flaws that China exploited to hack into these devices, and little help for remediation. In fact, one quite prevalent piece of hardware still in use was produced by a Canadian company which ceased operating in 2013.

If it were just a case of buying new devices, it’d’ already be a monumental and extremely expensive task. But issues like lack of backwards compatibility, and lack of cross-compatibility between different vendors, adds significantly more complexity. We could be looking at telcos having to perform a complete overhaul of their networks, replacing equipment, redesigning management infrastructure, and retraining staff.

While much of the discussion has been focused around Salt Typhoon and telecom companies, this is a nationwide issue that spans every kind of network imaginable. From banks to hospitals to power plants to corporate networks, every aspect of our infrastructure is drowning in technical debt. And that technical debt makes the nation extremely vulnerable to cyberattacks.

Through The Eyes Of A Defender

While I don’t claim to know much, if anything, about the US’ offensive capabilities, I’m intricately familiar with cyber defence, as this has long been my primary area of focus. To offer some insight into the shortcoming of US cyber defences, I’m going to draw on just a couple of the major cyber incidents I’ve worked.

Mirai

My career in cybersecurity started around the time of Mirai. The Mirai malware brought in an entirely new epoch of cybersecurity. Prior to this, criminal hackers had focused primarily on attacking desktop and server systems, but Mirai targeted IoT. IoT, or “The Internet of Things” is a term use to describe devices that are essentially internet connected computers, but aren’t what you’d typically refer to as a computer. Think smart TVs, Routers, Cloud Security Cameras, Home Automation. Devices that connect to the internet, but aren’t desktop computers, laptops or phones.

Mirai was on the surface very simple. The developers found that many IoT devices expose protocol for administrators to remotely control them; Typically, SSH or telnet. Most device owners were not even aware that these protocols even exist, never mind the fact that device were automatically exposing them to the internet by default. Many such devices come with default administrator logins, such as username: ‘admin’, password: ‘admin’, which were designed to be changed by the owner when they set up the device. Of course, it’s hard to change the password for an account you did not even know existed.

As such, there were hundreds of thousands, if not millions of devices exposed to the internet that could be logged into using their default password. All Mirai did is automatically scour the internet looking for these devices, attempting to log in to each device with a username and password from a list of 61 common default username and password combinations. Upon successful login, Mirai would infect the device with malware, which would give the attackers control over the device, while also using it to seek out and infect other exposed devices.

The result? The largest and most powerful DDoS botnet ever created. This botnet was so powerful, in one attempt to take offline a Minecraft server, the operators overloaded the system of one of the internet’s biggest DNS providers, causing a global internet outage. Major websites such as Facebook, Twitter, Amazon, Reddit, Playstation, all used this DNS provider. When the DNS servers became unreachable, so did the websites utilizing them.

At the time Mirai’s size and power resulted in the largest DDoS attack ever seen, and motivated thousands of copycat hackers to abuse the same IoT security weakness. Bringing in a new era of DDoS and DDoS for hire. Despite This happening almost a decade ago, the problem still persists.

The UK responded by passing a law requiring that if IoT devices were to have default passwords, they had to be unique to each device. Similiar to how your Wi-Fi router comes with a random SSID and password. The US, on the other hand, passed no meaningful regulations in response.

WannaCry

Probably my least favourite and most over-told story, but given that even today, WannaCry remains the most destructive cyberattack ever, it came with some important lessons. WannaCry was a piece of ransomware created by North Korean state-sponsored hackers. It was unique in that it used an extremely powerful Windows vulnerability to automatically spread from computer to computer completely unaided.

The vulnerability used by WannaCry only affected older Windows operating systems, primarily Windows XP, Windows Vista, and Windows 7. At the time, Windows 10 had been out for nearly two years. The issue was two-fold. Although a fix for the vulnerability had been out for two months, many organizations had disabled the Windows feature which automatically installs security updates. Additionally, many organizations were still using Windows XP, which was 16 years old, and at the time of WannaCry had been discontinued for 8 years. As a result, no fix for the issue was available. Though, in response to WannaCry, a fix was later provided.

As many of you know, I was the one who stopped the WannaCry cyberattack by activating its kill-switch, which was a website address that if registered stopped the spread of the malware. Since every WannaCry infection attempts to connect to this web address, I was able to see which systems were infected with WannaCry, what operating system they were running, and where they were located. As time went on, I could also track how many networks had still not installed a fix for the vulnerability, despite the severity and global media attention surrounding WannaCry.

Even now, nearly 8 years on, thousands of networks have still not installed the security patch. Ironically, I’ll probably never know the true scale of WannaCry, due to limitations in my own tracking. When I initially built the system which stopped WannaCry, it was designed to log unique IP addresses, which is typically sufficient for measuring the size of cyberattacks. However, with WannaCry this is not the case.

The vulnerability leveraged by WannaCry exists in the protocol used for connecting Windows systems together to form networks. Once inside a network, WannaCry is capable of spreading to every vulnerable system connected to that network. But, because most corporate networks sit behind a gateway which routes all traffic through a single IP address, simply counting IP addresses was not a suitable metric. Each IP address represents a network infected with WannaCry, not a single system. Consequentially, the initial figure I released of 250,000, then later revised to 416,989 is the number of networks, not individual computers which were infected with WannaCry.

The company I was working for at the time later went back and analyzed the raw connection data, concluding that the number of individual systems which connected to the kill-switch was as around 12 million. Since the kill-switch disables the WannaCry ransomware, none of our statistics include systems successfully ransomwared. But this estimate would suggest the thousands of IP addresses still connecting to the sinkhole to this very day likely correspond to over 100,000 still vulnerable computers.

For many countries, WannaCry was a wake-up call. But while the US founded the Cybersecurity and Infrastructure Security Agency (CISA) a year later, they were only given authority over federal government systems, and as such, the private sector remained extremely vulnerable to repeating the same mistakes that acted as the catalyst for WannaCry.

Log4j

Probably one of the messiest incidents I’ve worked was Log4j. It was neither the biggest, nor the most severe, but it was uniquely complex due to the fact the Log4j vulnerability wasn’t in a single piece of software, but in a software library.

Software libraries are a bit like ingredients in a recipe. A bad batch of flour could make many different products from cakes to cookies unsafe, and a software library vulnerability does the same for software. Since Log4j was used by millions of applications, it was a huge problem.

In order to fix the issue, any software developer whose software used the vulnerable library would have to update the library, repackage their software, then get every user of their software to install the new version. Many developers weren’t even aware of the vulnerability, or even that their code was using Log4j. The result was a vulnerability which spanned millions of applications, and will still be a problem in 20 years time.

As software development matured, we reached a point where most software is built on top of libraries that are built on top of libraries that are built on top of libraries. This is referred to as a ‘dependency chain’. The average developer might know what libraries their code uses, but not what libraries those libraries use, and so on. Much of their software dependency chain is a black box. So, what happens when there’s a security flaw in one of those libraries? The software equivalent of radioactive fallout.

It’s hard enough getting users to install updates, without having to get the developers to build them in the first place. Not to mention, there’s plenty of libraries that are no longer maintained. So if a developer is using a library that’s no longer maintained, and that library is found to use a vulnerable library, now they have to take responsibility for updating someone else’s code. It’s a problem with no clear solution.

Cybersecurity Takeaways

While I can’t discuss many of the other incidents I’ve worked throughout my career, they all keep leading me back to several core issues.

• Organizations are reluctant to update obsolete hardware and software due to cost.
• Organizations are slow to install security fixes, and often disable built in functionality to automatically install security fixes as sometimes it can cause system instability.
• The federal government has not created any meaningful cybersecurity or data privacy legislation that is widely applicable, only laws laser focused on highly specific issues in specific sectors.
• Many users are not even aware of security flaws in the systems they own or control, and there exists no reliable framework to inform them or address issues for them.
• As software supply chains get more complex, so does fixing vulnerabilities in them, but our remediation strategies haven’t evolved to keep up.
• Security software, appliances, and employees are expensive, creating a high barrier to entry for even basic cybersecurity hygiene.
• Much of the technology sector operates on a “move fast and break things” mentality where they aim to get a product to market as quickly as possible, often not building in long term resilience.

Almost all US infrastructure is privately owned and run by for-profit businesses. Historically, and often even today, a lot of cybersecurity breaches cost companies less than it’d cost to prevent them. A ransomware attack might result in losses in the millions of dollars, but upgrading infrastructure could cost billions. And of course, that’s not including the yearly operational costs of maintaining an effective cybersecurity team to keep things in check.

Cyber-espionage especially, is often of relatively low cost. If spies lurking inside a network don’t impact its availability or stability, then most organizations won’t even know they’re there, never mind be willing to spend millions or billions of dollars to evict them.

Since cybersecurity is a cost center, most businesses have neglected to do even the bare minimum. And the longer companies go without addressing cybersecurity issues, the more costly it becomes to address them down the line. So, as time goes on, it will only become cheaper to endue cyberattacks relative to addressing the root problem, which is why even now, security breaches are often just seen as the cost of doing business.

Of course, the cost cyberattacks incur on businesses is completely disconnected from their cost to the nation’s security. As such, cybersecurity cannot be left up to market forces and is the sole responsibility of the federal government. Without comprehensive cybersecurity legislation and intervention from congress, nothing is likely to change.

In football, you might be able to substitute poor defence with good offence, since there’s only one ball. Even in conventional warfare, it could be argued that there is still some rhyme to that reason. Military assets are physically tangible items which can be preemptively destroyed to limit the adversary’s response capabilities.

Cybersecurity is very much the opposite. Once cyber capabilities have been developed, they can be deployed anytime from anywhere. It doesn’t take an airfield or a tank factory to launch a WannaCry or a Mirai, only a single person with a single computer anywhere in the world.

Now, we can probably assume that the US’ offensive cyber capabilities exceed that of China’s, given the US’ massive head-start. However, seeing how rapidly China’s technology has been advancing across the board, I’m becoming less and less certain of this with each passing day. Regardless, I don’t think it actually matters. There is no amount of offensive cyber operations that would physically prevent China from being able to breach or disrupting US networks.

The absolute best case scenario is US offensive cyber operations, or the threat of them, simply scares China into stopping. Which, given that China likely see their cyber capabilities as the key to winning a military confrontation involving the US, I think that is highly unlikely. The more realistic outcome is the US creates a new norm where cyber operations that go beyond just espionage are now permissible during peacetime, and China responds accordingly. This could also result in escalation from other US adversaries too.

So, let’s assume the more realistic case where the US escalates and China responds in-kind. We hit them, they hit us back, and things just keep going back and forth (and hopefully not escalating to all-out war). Which, essentially, puts it down to who has the better defences.

A Brief Introduction To China’s System Of Government

Without getting too deep into the weeds on the history and specific of the Chinese system, it can best be though of a single-party unitary state. Where western democracies tend to opt for some separation of powers (typically between the judiciary and the legislative / executive branch, or in the case of the US, all three), China opts for a more centralized and unified government. Although China does permit its people to engage in capitalism, the government is very careful to avoid private businesses or individuals from amassing enough power to threaten its authority.

As such, the CCP has much less resistance when it comes to passing even extremely broad legislation, which they’ve been able to utilize to pass several comprehensive laws governing cybersecurity, data privacy, and national security. While these laws do come with many of their own flaws, they are considerably more comprehensive than anything anywhere else to date.

Cybersecurity Law of the People’s Republic of China

Requirements placed on ISPs, Online Platforms, Corporate Network Operators, Etc

• Form internal security teams with designated employees responsible for handling cybersecurity issues and implementing cybersecurity policies.
• Adopt technical measures for preventing cyberattacks and intrusions.
• Record network logs as well as cybersecurity incidents, which are to be stored for at least six months.
• Immediately remediate security flaws, and promptly inform users, as well as the relevant authorities.
• Establish mechanisms for threat sharing and collaborating on cybersecurity across organization within the same industry.
• Create emergency response plans for cybersecurity incidents and notify the relevant authorities whenever they’re invoked.
• Provide technical support and assistance to the governments when it comes to safeguarding national security and investigating criminal activity.
• Encourages industry organizations to establish standardized mechanisms for collaborating on cybersecurity within the same sector.

Critical Infrastructure

Critical infrastructure regulations establish additional requirement, which require organizations designated as critical infrastructure to:

• Conduct background checks on people in positions which could pose a threat to infrastructure security.
• Conduct periodic cybersecurity training and evaluation.
• Perform incident response drills to for their emergency response plans.
• Have any products or services which may pose a national security threat undergo a national security review by the state.
• Store sensitive or personal data on systems within Mainland China.
• If it’s necessary to transmit sensitive or personal data abroad, it must follow set protocols and undergo a security assessment by the state.
• Conduct a yearly review of cybersecurity risks and submit a report to the state.
• Government bodies overseeing critical infrastructure are to coordinate spot tests, emergency response drills, technical support, and promote threat sharing across relevant organizations.

Additionally, the relevant government bodies overseeing critical infrastructure organizations are responsible for helping establish security requirements, as well as overseeing and guiding their implementation.

Security Vulnerabilities

China has some unique laws when it comes to vulnerability reporting. Broadly speaking, these laws require security researchers and companies operating within China to notify the Chinese government of any security vulnerabilities they discover. There is research to suggest that this information has been abuse to build hacking capabilities for use against foreign systems. It’s also possible that the Chinese government can or is using these capability to block Chinese researchers from reporting critical vulnerabilities to foreign companies, preventing them from being fixed.

While the United States does have its own vulnerability reporting and cultivation ecosystem, it’s entirely driven by market forces. Companies can incentivize researchers to report security vulnerabilities by offering them money (bug bounties) in return. Some companies may also optionally inform the US government of any vulnerabilities found in their products. Additionally, vulnerability brokers can offer cash for vulnerabilities (typically significantly more than any bug bounty programs), then package and sell the vulnerabilities to the US government for use in military and intelligence operations. However, all of this is optional, and it’s up to organizations and individuals what they want to do, if anything, with any vulnerabilities they discover.

The United States

In a way, the United States is almost the polar opposite of China, its form of government was very deliberately designed to avoid centralized and unchecked power. The constitution delegate some powers to the federal government, while others are reserved to the states. Then at both the federal level, and in the majority of states, the government is split into a separate executive, legislative, and judicial branch. Each branch has its own distinct powers, but also the power to keep other branches in check.

Congress took much of the same approach when forming federal agencies, with agencies typically given specific mandates and only the powers required to execute those mandate. This resulted in hundreds of different federal agencies with different but sometimes overlapping authorities, which for the most part has worked out fairly well, albeit extremely inefficiently.

However, cyberattacks affect everything. From power stations to banks, state to federal government systems, domestic companies and international enterprises, espionage and warfare. So whose responsibility is cybersecurity in the US? Nobody and everyone.

With no central authority to regulate cybersecurity, everyone is essentially responsible for their own house. What should be comprehensive national cybersecurity legislation and national cybersecurity defence capabilities is just a fragmented ecosystem split across private industry, regulatory agencies, and every level of government from local to federal.

To understand just how fragmented US cyber defence is, I’ll provide a brief overview of some agencies.

National Security Agency

As the United States’ main signals intelligence agency, the NSA’s primary role is to infiltrate foreign networks and gather intelligence. While the NSA is part of the Department of Defence, it operates under Title 50, which outlines the authorities of covert agencies. Under Title 50, the NSA has limited ability to operate domestically, spy on US citizens, or perform offensive cyber operations. Typically, the NSA plays more of a supporting role for other military operations.

US Cyber Command

Cyber Command is a Combatant Command which operates under the Department Of Defence, and is responsible for coordinating cyber operations across different branches of the military. Since CYBERCOM operates under Title 10 (Military), it does have the authority to engage in offensive cyber operations, and is typically supported by the NSA, with whom it shares a director. But as an element of the US military, it is also limited in its ability to operate domestically. As such, Cyber Command’s main role is defending military networks, and disrupting adversary military and intelligence operations.

Federal Bureau of Investigation

While it may not sound like a cyber defence agency, the FBI plays a critical role in cybersecurity. Agencies operating under Title 10 & Title 50 authorities are extremely limited in their ability to operate domestically. As a result, many military and intelligence agencies have blind spots when it comes to adversaries operating on US soil or from within US infrastructure. As a law enforcement agency, the FBI are permitted to make arrests and serve search warrants within the US. With the help of foreign law enforcement partners, the FBI also has some ability to operate abroad.

Cybersecurity And Infrastructure Security Agency

Established because the US government felt agency names weren’t getting long enough, CISA is the US’ main cybersecurity agency. Despite it’s name, CISA’s authorities are extremely limited. It’s neither a law enforcement, military, nor intelligence agency. The agency primarily acts as a cybersecurity threat sharing hub, though does have some authorities under an amendment to Title 6 (Domestic Security). CISA’s main power is its ability to enforce cybersecurity standards for federal government systems, though not those belonging to state/local government, or the private sector. Additionally, the agency can engage in disaster response, helping federal, state, and local governments, as well as critical infrastructure organizations deal with cyberattacks; however, these teams are fairly small and have access to very limited resources.

Cyber Unified Coordination Groups

One of the downsides of the separation of powers is there’s a lot of limitations on the ways in which different agencies can assist each other. The US doesn’t want a deep state or secret police, so its deliberately created a lot of friction when it comes to its various different agencies with cybersecurity responsibilities and capabilities working together. This is wonderful from an addressing hypothetical threats of a secret government cabal aspect, but absolutely terrible from a cyber defense perspective.

The only real saving grace is a little known framework referred to a Presidential Policy Directive 41. Under PPD-41, the National Security Council can form Cyber Unified Coordination Groups (Cyber-UCG) in response to a ‘Significant Cyber Incident’ (i.e. a cyber threat which poses a significant risk to national security or public safety). UCGs enable representatives from various federal agencies, along with private sector companies, to work together to address a designated threat, making collaborating easier. However, in reality UCGs are rarely ever formed. And due to PPD-41 being a relatively new framework, few agencies are familiar with how to collaborate effectively, thus these groups tend not to be particularly cohesive.

So far (according to public accounts) only 3 Cyber-UCGs have been formed in response to significant cyber incidents:

• Russia’s breach of SolarWinds Orion in 2020
• China’s Zero-day attack against On-Premises Microsoft Exchange Servers in 2021
• Salt Typhoon’s infiltration of major US telecom networks in 2024

Another downside of USGs is it can often be difficult to identify the correct people to add to the group, as the required expertise can vary drastically from incident to incident.

the gap in our defences

Ultimately, cybersecurity in the United States feels like trying to put together a puzzle; except, there’s no picture on the box, each piece has been distributed to a random entity, half of the entities aren’t even willing to disclose that they have any puzzle pieces, and nobody is sure who’s actually supposed to be the one building the puzzle.

Much of the burden of cybersecurity tends to fall upon ‘trust groups’, which are informal ad-hoc groups of volunteers across public and private sector who collaborate to share information about cyber threats. These groups usually have no formal frameworks or hierarchy, no legal protections, official authorities, nor any funding. They’re essentially the volunteer fire departments of the internet where people allocate their free time towards doing common good for the community. It’s a system that works fairly well, until it does. At some point the volume of attack will become too great to handle, the risk of civil or legal liability to high, or if the US goes down the path of escalation, volunteers may become targets for offensive operations by hostile state actors.

Personally, I think that trying to deter China through offensive cyber operations would not only be unsuccessful, but also a huge mistake. I am not arguing that the US should bow down to China, or that it should not be able to defend itself, only that increasing offense cyber operations without the defencive capabilities to back them up, is a horrible idea.

In A War Of Public Opinion, Cyber-Power Opens Up A Whole New Front

When you look at previous wars involving the US, it’s evident that it has never been realistic nor possible to defeat the US military, but a viable strategy to just wait them out. There’s plenty such examples from Vietnam to the Afghanistan. Eventually, the public loses their appetite for war, and the US withdraws its forces.

Most recently, all eyes have been on Ukraine. assisting Ukraine in its defence against Russia is both a moral and strategically beneficial position for the US to take. At the cost of less than a fraction of a percent of US GDP, the US has been able to prevent an illegal invasion, eviscerate much of the Russian military, and weaken Russia’s economy through international sanction. Yet, after only three years, public opinion has already capitulated. Years of unjustified global intervention and domestic instability have recessed public opinion back to that of isolationism.

Given China’s aspirations to invade Taiwan, they’ve likely been watching closely. It certainly seems like the public support for foreign wars, or even military aid, justified or not, is next to none. When we look into some of the reasoning behind American’s views, a lot of it comes down to an increased focus on their own perceived safety and stability. This makes China’s capability to disrupt US infrastructure all the more valuable. They likely see it as not only a deterrence, but also as a means to degrade public support for any intervention. Hence, the amount of cost the US would have to impose to force China to surrender these capabilities is likely infinite.

The US Needs To Put Some Serious Effort Into Cybersecurity Legislation

While to reiterate, I’m not suggesting the US cannot and should not defend itself, or couldn’t go on the offensive in the near future, but policymakers need to think long and hard before committing to an increase in offensive cyber operations without the appropriate defensive frameworks in place. Currently, the US:

• Does not have any effective cybersecurity legislation.
• Does not have a strong centralized organization that can quickly or easily move to address cybersecurity flaws.
• Does not have the capacity to remediate the cyberattacks that are already occurring.
• Has infrastructure that is extremely decentralized, outdated, and hard to defend.
• Is much more heavily reliant on technologically than China.
• Is both socially and culturally prepared for a major cyberattack or economic disruption.

Furthermore, the proposal to defer responsibility for cybersecurity to the states is quite simply a non-starter. The majority of states have neither the funding, resources, nor the incentive to implement effective cybersecurity legislation and controls. Cybersecurity is a national problem with national consequences, not something that can differ on a state by state basis. States don’t exist in a vacuum, their supply-chains are heavily intertwined. When a ransomware attack against Colonial Pipeline in 2021 was able to cut off 45% of the East Coast’s oil supply, we all saw first hand exactly how much of a state problem cybersecurity isn’t.

Going Forward

In a perfect world, we wouldn’t expect companies to defend their networks from state-sponsored cyberattacks, just like we wouldn’t expect them to build air defences to defend their infrastructure from missile strikes. But, failing that, the least we can do is think about some meaningful cybersecurity legislation to decrease costs for small/medium businesses, and increase expectations for well-funded enterprises.

There’s also plenty of problems out there that can be addresses closer to the source. The more legislative effort that goes into making software and devices more secure by design, the less costly it is for everyone to deal with the fallout. Companies shouldn’t have to fend off record-breaking DDoS attacks because IoT device manufactures wants to set their default passwords to ‘password’.

The US doesn’t need to have a perfect cyber defence, but it’s going to need to start putting a lot more effort into passing comprehensive cybersecurity legislation, especially if policymakers wish to pursue offensive cyber operations as a form of deterrence.