Last week, we highlighted the DPRK’s efforts to scam companies hiring IT workers.
This week, we provide executives a guide to defending against China’s Volt Typhoon and explain why the threat isn’t going away anytime soon.
Please subscribe to read future issues — and forward this newsletter to interested colleagues.
Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com
PinnacleOne ExecBrief | Volt Typhoon’s Winds Pick Up Speed
Volt Typhoon (VT) intrusions commanded the headlines again, as researchers found evidence of the group’s activities in U.S. internet service provider infrastructure. The intrusions come more than a year after the U.S. government first brought attention to the team, which focuses on maintaining persistent access to the nation’s critical infrastructure. Volt Typhoon aims to use that access to attack critical infrastructure in the U.S. preceding or during armed conflict to deter or disrupt U.S. military operations.We don’t expect Volt Typhoon’s operations for this purpose to stop anytime soon. Companies previously hit by Volt Typhoon will remain on their targeting list — companies in western critical infrastructure who have not yet identified and evicted VT from their networks must search harder.
The Crux of the Issue
Corporate leaders and elected officials frequently ask, “What will it take to deter Volt Typhoon’s operations?” We are here to say that they cannot be deterred. And we are in good company. Top agency brass at NSA and FBI grasp the infeasibility of deterring China’s cyber operations. NSA Assistant Deputy Director for China Dave Frederick made clear in late August his view that China cannot be successfully deterred from continued intrusions into U.S. critical infrastructure. In the same week, FBI Deputy Director Paul Abbate came to a similar conclusion, that no actions, thus far, have deterred China’s actions. Abbate also expressed concern over the lack of clear options to reduce Chinese intrusions.
The U.S. cannot deter Chinese hacking operations against critical infrastructure precisely because the PRC views such hacking as their best path to avoid military defeat. PRC strategists believe attacking civilian critical infrastructure would persuade both the American public and political leaders to stay out of any future conflict. Their belief is predicated on the deterrent effect of nuclear, cyber, and space capabilities, which the PLA argues is China’s best strategy over superior U.S. forces. Of the triad of deterrent capabilities the PLA believes it has, cyber requires the lowest level of commitment. Space capabilities can have unwanted destructive effects if managed poorly, especially kinetic ASAT platforms. Nuclear deterrence is an ever-present last resort. Cyber has comparatively few downsides and is the cheapest option. If China sees Volt Typhoon’s hacking operations as one of the country’s few military advantages, then U.S. efforts to deter China’s use of hacking will fail.
Worse still, critical infrastructure operators in the U.S. — most of them private, commercial entities — concertedly lobby against their regulation, leaving government agencies ill-equipped to require meaningful changes in security practices. Even the recent National Security Memorandum-22 on Critical Infrastructure Security and Resilience relies only on the purchasing requirements of the federal government to drive critical infrastructure operators to meet minimum security standards. Companies are lobbying against what they perceive to be costly regulations, jeopardizing U.S. military preparedness and civilian lives in the process.
What Can We Do?
Companies that operate critical infrastructure, and especially those tied to NATO military procurement or operations, must mature their in-house cybersecurity teams. Specifically, we see proactive threat hunting, practiced incident response teams, and cross-industry intelligence sharing as key tenets of good cybersecurity posture. So far, Volt Typhoon has been observed operating against telecoms, ISPs, transportation, ports, and electrical grid operators. Companies in these sectors must pay special attention to the risks at hand.
In-house hunting and response talent is critical to countering Volt Typhoon. Many business leaders plan to call one of only a handful of competent incident response and cybersecurity companies during a crisis. We worry that those few incident response firms – much like cyber troops in wartime – will not have sufficient capacity to meet the simultaneous surge in demand. Some cybersecurity companies may even lose staff who serve the U.S. or NATO militaries in a reserve capacity. Having a dependable in-house team increases the odds that your company will be able to resume operations more quickly and without the need for outside talent. PinnacleOne consultants have direct experience standing-up such operations at victims of Volt Typhoon and we’re always happy to talk.
Security teams should also pursue a strategy of engagement with in-house policy advocacy and lobbying teams to help shape regulations for the sector, rather than fighting against regulations wholesale. For many security teams, regulations provide a useful tool to increase capabilities even when the business wants to cut security investments. Companies working with regulators, rather than against them, also get to help set standards for their sector, potentially advantaging them over competitors who resist security regulations.
What This Means
China’s military is relentlessly pursuing the ability to disrupt U.S. critical infrastructure. In the worst-case scenario, their operations may significantly disrupt the U.S. economy and kill civilians. No actions the government can take will deter these operations because, in many ways, they are China’s only good tool to counter the U.S. military for the time being. As China’s military fields better traditional weapons systems and contests the U.S. military globally, their behavior may change, but that will bring different problems and is years aways. For now, security teams must build the in-house teams they need to defend their networks. The clock is ticking.