On publicizing Chinese hacking success
Revealing tactical shifts amidst long-term mutual vulnerability
In cybersecurity circles, there has long been a general understanding that Chinese government hacking groups are among the most capable on Earth. Several of the high-end actors termed advanced persistent threats (APTs) by cybersecurity defenders are suspected to be Chinese, with others linked to North Korea or Iran. Chinese cybersecurity companies have likewise identified some APTs as likely of US origin, and it would surprise no one to learn the National Security Agency has highly skilled teams targeting Chinese systems.
As a baseline, then, we should expect that Chinese government hackers would be all over US systems and vice versa. What, then, do we learn from publicized reports?
Three recent stories present different kinds of revelations:
In July, reports emerged that Chinese cyber operators had gained access to some number of email accounts belonging to US officials, including Secretary of Commerce Gina Raimondo and Ambassador to China Nicholas Burns, having found or engineered a vulnerability in Microsoft’s cloud environment. US government officials reportedly detected “anomalous activity” and got to work with Microsoft starting in May to close the breach. (For those keeping score, US officials also attributed to China an earlier massive hack targeting Microsoft Exchange servers in 2021.) In this story, US agencies were actively putting the word out, and officials were leveraging the incident to push Microsoft to make advanced logging features, without which the intrusion might have gone undetected, available to all. No one is surprised Chinese spies want US government communications, but some might be alarmed that they could get them.
Later in July, The New York Times reported that the US government was at work trying to root out malicious code that hackers “probably working for the People’s Liberation Army” had placed in infrastructure systems critical to military operations, an effort framed as relevant to a potential future war, for example in a Taiwan contingency. The story expanded on a publicized discovery of code in telecommunications systems in Guam. In this story, anonymous sources are invoked to paint a dramatic picture of Situation Room meetings and debates over just how broadly the Chinese effort is targeted; as usual, it’s unclear whether sources are “leaking” with or without authorization. The article feeds a foreboding sense that China is planning something, but it’s not so clear how new or unexpected this is.
Yesterday, The Washington Post reported that since 2020 US and Japanese officials have been responding to the US discovery that PLA-attributed cyber actors were deep in Japan’s defense systems and “appeared to be after anything they could get their hands on — plans, capabilities, assessments of military shortcomings.” This story uses mostly anonymous sources to recount a US and Japanese struggle to root out the intruders and to cooperate across trust divides, even though the bilateral alliance matters enormously to both governments.
These three stories lead me to a few observations.
First, some of the espionage and sabotage capabilities I would have assumed China had are pretty well confirmed. Assuming the reports are accurate, it’s not surprising to longtime observers that Chinese spies would be after US or allied government communications or PLA operators would seek to develop the ability to hold US systems in peril—an ability that could be used in many ways. Here we simply have fairly solid public reporting across all three incidents.
This information will land differently depending on the audience. Most vividly, if you thought Chinese hackers were probably not this capable or active, or if you thought US and Japanese defenses were impervious, this would surprise you in a way it doesn’t surprise me.
Second, the specifics and narratives around the revelations matter. When hackers attributed to China were reported to haul away the Office of Personnel Management database almost a decade ago, some portrayed dastardly Chinese thieves but many saw the hack as an obviously legitimate foreign intelligence target that really should have been better guarded. (These are not actually incompatible attitudes.) In the recent incidents, we have a range of specifics and a range of narratives: Hacking US cabinet emails is an obvious objective for Chinese spies, though it would be nice if Microsoft’s security had been more effective. Spying on Japanese military systems is also a natural Chinese government activity, and yesterday’s story is more interesting for the apparently lackluster efforts to stymie them.
It’s the infrastructure hack revelations, first in Guam in May and more broadly but quite vaguely from the Times last month, that really break from the pattern of what’s widely known. Yet the implications spun out from the story are hard to interpret. One possibility discussed in the Times article is that Chinese planners could be preparing to disrupt US military and/or civilian infrastructure in case of a Taiwan invasion or other contingency as a way to slow down US response. It’s a possibility that has been discussed for at least a decade and maybe two. I cannot quickly find the reference, but one analyst (was it James Lewis?) years ago wrote imaginatively of the possibility that Chinese hackers might seek to delay the US launch of a carrier group by messing up the traffic lights in San Diego as crew members on leave were recalled to steam west. The article also says US intelligence agencies suspect Chinese planners could believe disruptions to US infrastructure would “so fixate the attention of American citizens that they would think little about an overseas conflict.” (A heck of a strategy if true: It could also push fence-sitters to support a broader conflict with China!)
Now, it’s not new to US-China cybersecurity nerds that some cyber elements would be baked into contingencies for conflicts, and if you had asked me a year ago I’d have said, yeah, I’m sure they have some footholds in systems and could do damage if needed. Infrastructure systems are sprawling and notoriously hard to secure, after all. But the effect on the world is different when the information is in The New York Times rather than a reasonable assumption among policy nerds.
Third, authorities (or leakers) face a field of dilemmas when it comes to what parts of the picture they show the public. Some events, like the SolarWinds hack attributed to Russia or the Microsoft 365 gap that gave someone access to US government emails, are going to become public because people need to mitigate the vulnerability broadly. (Some efforts, such as Stuxnet, become public despite attackers’ best efforts—because cyber is hard.) Some matters, like highly sensitive assessments about Chinese military infiltration in infrastructure or in Japanese defense systems, could stay secret for a long time without the assistance of authorized or unauthorized officials speaking to journalists.
Secrecy is appealing for the government, as it protects intelligence sources and methods and can at least temporarily prevent embarrassment. It can also avoid leading people to conclusions based on only a piece of the picture. But it can come at a cost of keeping the public and the broader universe of decision-makers in the dark.
What’s the downside to keeping the public in the dark? It depends on your goals and needs. If you know an adversary is up to novel activities that cannot be easily explained by prior assumptions about intentions, or if the activities upset your confidence in defending critical systems, secrecy means people might not be alarmed in the way you believe they should be. There’s also the constant refrain from people inside national security agencies speaking to skeptical outsiders: If you knew what I know, you wouldn’t be so critical. And maybe that would be true; you never find out if you won’t share the secret.
Reporters should be helping readers think through the motivations of their sources, and, if they don’t, readers should apply line-by-line critical thinking to the inevitably unattributed information.
Fourth, it is unlikely that the US government lacks similar operational potential or existing footholds in Chinese systems. We just don’t have as many US leakers willing to blow open highly sensitive US operations, and Chinese sources either don’t know about or choose not to publicize many US capabilities.
Litigating tactical shifts amidst long-term mutual vulnerability
The most important take-away from these stories comes if you extend your time horizons, think about the vastness of the infrastructure that could be leveraged for spying or creating damage, and understand that no system of systems will be 100% secure against faults and attacks. This is fundamental to cybersecurity theory and practice, as well as to risk assessment. Defenders and engineers work to decrease risks and increase the security of information, reliability of systems, and resilience in case of incident—but risk always remains.
Taking this to the US-China context, there’s a fundamental truth: Neither the United States nor China can reasonably hope to stop being vulnerable to hugely damaging attacks by the other, through cyberspace or other means.
This is pretty basic, and it applies for instance in the nuclear-strategic realm as well: Even as individual capabilities and deployments change calculations about survivability, second strike, etc., neither side can launch without fear of devastating retaliation.
The truth of persistent mutual vulnerability is not supposed to make you stop worrying and learn to love the worm. This stuff is hair-raising, and all the more so when you realize it’s not just big, organized state actors who might develop this kind of capability. But it should make observers skeptical when commentators draw vast implications about intentions or plans from the mere fact of an adversary’s capability. Isolated revelations about cybersecurity reality must be kept in context, and they are too often used in service of a narrative unmoored from the reality that we’re just not living in an era where threats can be nullified through physical distance.
About Here It Comes
Here it Comes is written by me, Graham Webster, a research scholar and editor-in-chief of the DigiChina Project at the Stanford Cyber Policy Center. It is the successor to my earlier newsletter efforts U.S.–China Week and Transpacifica. Here It Comes is an exploration of the onslaught of interactions between US-China relations, technology in China, and climate change. The opinions expressed here are my own, and I reserve the right to change my mind.