Cyber, intelligence chiefs urge U.S. to strengthen against Chinese cyber threats

(L-to-R) Gen. Paul Nakasone, commander, U.S. Cyber Command; Jen Easterly, director, Cybersecurity and Infrastructure Security Agency; FBI Director Chris Wray; National Cyber Director Harry Coker. The four leaders testified at a House hearing on the cybersecurity threat from China on Wednesday. Photo: Kevin Dietsch/Getty Images

In a collective call to action, officials warned of invasive actions that China-backed hackers can take against U.S. infrastructure and elections.

A lineup of U.S. cybersecurity and intelligence agency heavyweights took the witness stand before a House panel on Wednesday, warning lawmakers — and the American people — that China-backed hacking activities have reached a new level of complexity, and that the federal government must work with private-sector partners to deter Beijing-sponsored cyber threats amid broader diplomatic tensions between the two nations.

It was the strongest message yet from the mix of officials representing the intelligence community, White House and federal law enforcement that the U.S. must better prepare itself as Chinese hackers work to position themselves inside critical U.S. infrastructure and other economic and military systems.

Officials have designated Beijing as a preparative cyberspace force, planting the seeds for future activity by scoping out networks for sensitive information and weaknesses that can be used to China’s advantage at a later time. The nation has been marked as a major industrial espionage player that’s set off alarms from lawmakers’ offices since at least 2012.

“The truth is, the Chinese cyber actors have taken advantage of very basic flaws in our technology,” Cybersecurity and Infrastructure Security Agency Director Jen Easterly said, later adding that critical infrastructure CEOs and leaders must recognize that “cyber risk is business risk.”

She continued to stress secure-by-design and default principles that would direct software developers to manufacture and push out product offerings with already-embedded security protections. Committee chair Mike Gallagher, R-Wis., told reporters after the hearing that Easterly’s push was “compelling testimony” but that it’s too early to say whether the whole committee would endorse the idea.

Harry Coker, just about a month in on the job as the second Senate-confirmed National Cyber Director, stressed scaling public-private partnerships, as well as workforce efforts, which are a major component of his office’s National Cyber Strategy unveiled last March.

“When we let threat actors define our objectives and are simply reactive, we are not advancing our vision for cyberspace, we are living in theirs,” he said in remarks provided by his office.

The House committee, formed just over a year ago with the intent of studying economic and security competition with China, has categorized Chinese cyber activity as a major threat that sets up the Chinese central government as the greatest modern day danger to the U.S.

“This is the cyberspace equivalent of placing bombs on American bridges, water treatment facilities, and power plants,” Gallagher said in prepared opening remarks referring to past actions that Chinese cyber operatives have taken.

“The CCP’s objectives for a cyberattack are not just to impede military readiness, they also seek to target civilian infrastructure to cause political, economic and social chaos” in the U.S., ranking member Raja Krishnamoorthi, D-Ill., said in his opening statement.

The quartet appeared following major developments in U.S.-China cybersecurity relations in recent days, with the FBI and DOJ announcing the same day as the hearing that they were granted legal authorization to go on the offense against Chinese hackers, while CNN reported Chinese leader Xi Jinping told President Joe Biden that his nation would not interfere in the upcoming U.S. presidential election.

FBI Director Christopher Wray confirmed the offensive, which was announced Wednesday morning in coordination with the Justice Department, and said in testimony that China’s cyber army is “actively attacking our economic security — engaging in wholesale theft of our innovation and our personal and corporate data.”

In a standout statistic, Wray said if all FBI cyber professionals were focused on China, the U.S. would still be at a disadvantage of at least 50-to-1.

“We cannot afford to sleep on this danger,” he stressed. “China has shown it will make us pay.”

A February 2023 report from the Office of the Director of National Intelligence speculates that if Beijing feared imminent conflict with the U.S., “it almost certainly would consider undertaking aggressive cyber operations against U.S. homeland critical infrastructure and military assets worldwide” and carry them out in such a way that would induce societal panic. A former White House cyber official told Nextgov/FCW this week that such language is especially strong for an unclassified intelligence community whitepaper.

Threat researchers have noted that the state hacking activities of China, the top digital adversary of the United States, have improved toward a more mature, coordinated and clandestine operation compared to previous years.

Last year, Chinese cyber operatives breached the Microsoft email accounts of federal officials in the State Department and Commerce Department. Japanese and U.S. cyber authorities have also warned of Chinese hackers lurking in networking gear. Additionally, U.S. and industry security officials told the Washington Post last month that China’s military has been improving its ability to hack and disrupt sensitive U.S. critical infrastructure, including utilities and transportation systems.

The hearing also touched on several other aspects of cyber policy, including quantum computing, surveillance power reauthorization and communications infrastructure replacement. 

The Pentagon's cyber strategy takes a more offensive approach toward U.S. cybersecurity operations, singling out China as a top cyberspace adversary alongside Russia, and vows to go after cybercriminals and other groups that threaten U.S. interests. 

American security concerns are uniquely elevated in 2024 amid an upcoming presidential election and record-level cyber activity that plagued U.S. businesses and governments last year.

NSA and Cyber Command leader Gen. Paul Nakasone, whose last day on the job is Friday, said in his testimony that the November election would be the safest yet, and stressed that he has not seen efforts to disrupt and interfere in the election process. “Yes, I believe it will be the most secure election we’ve had to date,” he said.

Despite this, Easterly later added that the U.S. should “absolutely expect” foreign actors will attempt to influence elections, though she stressed the American people should be confident in election infrastructure.

The intelligence community is also watching for signals of a Chinese invasion of Taiwan or other tensions in the South China Sea that could prompt the U.S. to intervene, a move that may trigger China to pull the lever and disrupt sensitive critical infrastructure that its hackers have already breached, analysts say.

“Only in the last few years has the federal government started to tackle this vulnerability as the threats have become increasingly real. There are decades of security debt of unpatched software, poor security configurations and missing security features,” Chris Wysopal, CTO of application security firm Veracode, said in a statement.

In Latin America, the U.S. is working to convince nations with underdeveloped cybersecurity infrastructure to take up partnerships that would prevent them from purchasing and integrating Chinese-made technologies into their networks, a dynamic that DHS has said is risky to communications security between the U.S. and its allies to the south.

The United Nations is also finalizing a cybercrime treaty aimed at the prevention of international-scale computer crimes and theft. China is a charter member of the UN and one of five permanent members on its Security Council alongside the U.S., though it’s unknown how much or to what extent a treaty would taper cyber exchanges between the two nations.

"The Chinese government has been categorical in opposing hacking attacks and the abuse of information technology," Chinese Embassy Spokesperson Liu Pengyu said in a statement to Nextgov/FCW. "The United States has the strongest cyber technologies of all countries, but has used such technologies in hacking, eavesdropping more than others. We urge the U.S. side to stop making irresponsible criticism against other countries on the issue of cyber-security."

Editor's note: This article has been updated to include a statement from the Chinese Embassy.