When the highest-ranking US law enforcement official describes a concern as “the defining threat of our generation,” it should be taken seriously. On January 31, 2024, FBI Director Christopher Wray testified before Congress about China’s capability to threaten US national and economic security. In particular, he identified the imminent cyber threat that Chinese hackers pose to critical infrastructure. A China-sponsored cyber group called “Volt Typhoon,” Wray explained, has prepositioned cyberattack capabilities in the US communications, energy, transportation, and water sectors, intended to “destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous.” Alarming in its own right, Volt Typhoon is just the latest example of Beijing’s ongoing “cyber onslaught,” Wray added.
This story is not new. Since at least 2019, the US government has publicly sounded the alarm about the threat that China’s cyberattack and espionage enterprise poses to US national security and to regional stability in East Asia. The 2023 annual threat assessment by the US Office of the Director of National Intelligence (ODNI) states that China “uses coordinated, whole-of-government tools to demonstrate strength and compel neighbors to acquiesce to its preferences.” The assessment adds that China’s cyber capabilities are essential for orchestrating espionage, malign influence, and attack operations in support of Chinese interests.
To confront the threat to critical infrastructure posed by Volt Typhoon and other state-sponsored Chinese cyber actors, the United States should launch an expansive new multilateral cyber threat intelligence sharing coalition in the Indo-Pacific. This coalition should utilize some of the lessons learned from the Five Eyes intelligence alliance, and it would incorporate members of the Five Eyes alliance, US Indo-Pacific partners, and even some European states. The expanded reach and resources of such a coalition would help disrupt cyber threats, signal to the world that the United States and its partners are committed to protecting both cyber and physical infrastructure from malicious actors, and ideally help deter future cyber threats from China.
Meeting the threat
The Biden administration has already taken some steps to improve cybersecurity cooperation in the Indo-Pacific region, such as recent commitments with Japan and South Korea. In each case, the partners recognize the importance of sharing cyber threat intelligence information related to critical infrastructure threats. A goal of this cooperation is to enhance cybersecurity in the region, especially through capacity building and sharing best practices with network defenders and incident responders. In practice, this often amounts to arming individual critical infrastructure asset owners with better tools and procedures that will improve their cybersecurity posture over time.
Increased cybersecurity at the point of a potential attack is necessary, but it is not sufficient given the urgency and scope of the threat. Dedicated, well-resourced state-sponsored adversaries, as demonstrated by Volt Typhoon, have already proven they can establish a cyberattack foothold in the control systems that operate critical infrastructure.
A strategy limited to sharing cybersecurity information with network defenders may even play into Beijing’s hands: actors that already hold deep access privileges in these networks can watch new security controls being rolled out and adapt their tradecraft to evade them in the future.
The additional key to interrupting China’s cyberattack enterprise as it exists today is for the United States and its allies and partners to detect and dismantle the global command-and-control (C2) infrastructure that Chinese-supported threat groups rely on while performing “living off the land” techniques. These techniques are difficult for network defenders to identify because they use a network’s built-in administration tools and valid credentials rather than custom malware, and so closely mimic normal business traffic and operational protocols. But before any threat actor can execute disruptive actions inside a victim network, it must establish remote C2 connections across external communication paths such as the open internet or web-based channels. Network defenders might miss these connections amid the cacophony of legitimate traffic, whereas US and allied intelligence services are often better positioned to monitor, track, and disrupt covert C2 activity wherever it is hosted around the world.
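As an added illustration of the detection problem described above (example code written for this edit, not from the article or from any agency or vendor tool), the script below looks for one of the few signals that living-off-the-land tradecraft cannot fully hide: the periodic outbound check-in to a C2 endpoint. It groups constructed endpoint network-connection records by source host, destination, and originating process, measures the regularity of the intervals between connections, and flags low-jitter groups, noting when the originating process is a built-in administration tool. The log format, host names, addresses, and the list of abused built-in tools are all constructed assumptions for the example.

```python
"""Periodic-beacon detection over constructed outbound-connection records.

Added example; the record format, hosts, addresses and LOLBIN list below are
assumptions made for illustration, not data from the article.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Illustrative (not exhaustive) set of built-in Windows tools commonly abused in
# living-off-the-land activity. A real deployment would maintain its own list.
LOLBINS = {"certutil.exe", "bitsadmin.exe", "powershell.exe",
           "wmic.exe", "mshta.exe", "netsh.exe"}

# Constructed sample telemetry: "<timestamp> <host> <dst ip:port> <originating process>".
# ws-17 reaches the same external address from certutil.exe roughly every 300 s;
# ws-04 shows ordinary browser traffic. Addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = r"""
2024-02-01T09:00:00 ws-17 203.0.113.10:443 C:\Windows\System32\certutil.exe
2024-02-01T09:00:10 ws-04 198.51.100.7:443 C:\Program Files\Google\Chrome\Application\chrome.exe
2024-02-01T09:00:12 ws-04 198.51.100.7:443 C:\Program Files\Google\Chrome\Application\chrome.exe
2024-02-01T09:01:30 ws-04 203.0.113.55:80 C:\Program Files\Google\Chrome\Application\chrome.exe
2024-02-01T09:03:40 ws-04 198.51.100.7:443 C:\Program Files\Google\Chrome\Application\chrome.exe
2024-02-01T09:05:03 ws-17 203.0.113.10:443 C:\Windows\System32\certutil.exe
2024-02-01T09:09:58 ws-17 203.0.113.10:443 C:\Windows\System32\certutil.exe
2024-02-01T09:11:05 ws-04 198.51.100.7:443 C:\Program Files\Google\Chrome\Application\chrome.exe
2024-02-01T09:11:06 ws-04 198.51.100.7:443 C:\Program Files\Google\Chrome\Application\chrome.exe
2024-02-01T09:15:01 ws-17 203.0.113.10:443 C:\Windows\System32\certutil.exe
2024-02-01T09:19:57 ws-17 203.0.113.10:443 C:\Windows\System32\certutil.exe
2024-02-01T09:25:02 ws-17 203.0.113.10:443 C:\Windows\System32\certutil.exe
2024-02-01T09:30:00 ws-17 203.0.113.10:443 C:\Windows\System32\certutil.exe
2024-02-01T09:33:15 ws-04 203.0.113.55:80 C:\Program Files\Google\Chrome\Application\chrome.exe
2024-02-01T09:40:22 ws-04 198.51.100.7:443 C:\Program Files\Google\Chrome\Application\chrome.exe
"""


def parse_log(text):
    """Parse the constructed four-field format into records with parsed timestamps."""
    records = []
    for line in text.strip().splitlines():
        ts, host, dst, image = line.split(None, 3)  # process path may contain spaces
        records.append({"ts": datetime.fromisoformat(ts), "src": host,
                        "dst": dst, "image": image})
    return records


def find_beacons(records, min_connections=5, max_jitter=0.15):
    """Flag (src, dst, process) groups whose inter-connection intervals are nearly constant.

    jitter = population std-dev of intervals / median interval. Scripted beacons
    with little or no sleep randomisation score well below max_jitter; human-driven
    traffic is bursty and scores far above it. Adversaries that add large random
    sleep offsets will raise jitter, so the threshold is a tunable, not a guarantee.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"], r["image"])].append(r["ts"])

    findings = []
    for (src, dst, image), times in groups.items():
        if len(times) < min_connections:  # too few samples to judge periodicity
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(intervals)
        if med <= 0:
            continue
        jitter = pstdev(intervals) / med
        if jitter > max_jitter:
            continue
        exe = image.rsplit("\\", 1)[-1].lower()
        findings.append({"src": src, "dst": dst, "process": image, "count": len(times),
                         "median_interval_s": med, "jitter": jitter,
                         "lolbin": exe in LOLBINS})
    findings.sort(key=lambda f: f["jitter"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        tag = "LOLBIN " if f["lolbin"] else ""
        print(f"{tag}{f['src']} -> {f['dst']} via {f['process']}: "
              f"{f['count']} connections, ~{f['median_interval_s']:.0f}s apart, "
              f"jitter {f['jitter']:.3f}")
```

Run as a script, it reports only the certutil.exe group on ws-17; the browser traffic is either too irregular or too sparse to qualify. The point the paragraph makes survives the example: this signal is visible only once connections are aggregated over time, which is exactly what a single defender watching a busy perimeter tends to lack, and which an intelligence service observing the destination side of many such connections does not.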
Building out a new coalition from the Five Eyes alliance
Thankfully, the United States does not need to imagine a radical solution for this challenge. The US intelligence community already has decades of experience managing a complex foreign intelligence-sharing alliance with multiple countries that routinely collaborate to monitor adversaries of mutual concern.
The “Five Eyes” intelligence sharing partnership among the United States, Australia, Canada, New Zealand, and the United Kingdom was established in the 1940s to surveil the Soviet Union and Eastern Bloc nations. It then expanded to monitor terrorism-related activities after the 9/11 attacks. Just as the original Five Eyes members were driven to confront the autocratic Soviet threat to capitalist democracy, it is easy to imagine how a new cyber-focused alliance of US and Indo-Pacific partners could coalesce to counter Beijing’s manipulation of cyberspace. It is just as easy, in the absence of such a coalition, to imagine China continuing its quest to dominate East Asia and undermine US military efforts to support US regional allies and partners.
Five Eyes is especially adept at sharing intelligence derived from electronic signals and systems used by foreign targets, called signals intelligence. There are important differences between signals intelligence and cyber threat intelligence, but an established sharing system for the former gives Five Eyes countries a model to work from, since much of the latter is likewise derived from network traffic, endpoint telemetry, and captured malware that reveal indicators of malicious activity. In addition, it is more effective to build governance measures, such as security protocols that protect sensitive sources and uphold shared democratic values, within the structure of a coalition than to manage these issues across a series of cumbersome bilateral security arrangements.
A consequential first step would be for the United States to engage current Five Eyes partners on a strategy to bring more Indo-Pacific intelligence liaison partners into the fold. Highlighting the recent danger posed by Volt Typhoon, the United States and Five Eyes partners could underscore for this expanded group the urgency of working together to find and disrupt similar threats.
Given that Australia is an existing Five Eyes member with clear regional security interests, it would be an ideal partner with the United States to lead engagements with capable and like-minded partners to lay the groundwork for a more expansive cyber intelligence coalition.
Obvious starting points are Japan and South Korea, which already have bilateral agreements with the United States to enhance cyber intelligence sharing. The United States also has long-standing military alliances with the Philippines and Thailand, which could be further developed to include intelligence analysis and collection components focused on Chinese cyber activities. India and the United States have recently committed to partner on sharing information about cyber threats and vulnerabilities as part of their Comprehensive Global and Strategic Partnership. And building upon President Joe Biden’s steps to upgrade US relations with Vietnam and Indonesia to Comprehensive Strategic Partnerships—both of which include elements to improve digital cooperation—the groundwork exists for expansion into more sophisticated cyber intelligence sharing arrangements with partners in Southeast Asia.
Leadership for this new coalition should come from the ODNI, with support from the National Security Agency (NSA), which is the primary US intelligence community element responsible for sharing signals intelligence within the existing Five Eyes alliance. The NSA has all the required authorities, experience, and expertise to operationalize intelligence-informed insights on Chinese cyber threats to assist Indo-Pacific intelligence liaison partners in strengthening their own intelligence sharing mechanisms to contribute to the alliance’s mission. Moreover, these efforts should be carried out in ways that complement and boost, but do not detract from, the ongoing work of the Five Eyes alliance.
Deterring Beijing in cyberspace
The United States must act soon. The revelations about Volt Typhoon are a wake-up call not only about the operations China currently has underway, but also about the far-reaching threat it will continue to pose. China has proven it is willing and able to exploit cyberspace to achieve its objectives, and until the United States and partner nations confront it in places where it operates, it will only become more dangerous.
In addition to the immediate benefits of disrupting ongoing operations like Volt Typhoon, an expanded multilateral Indo-Pacific cyber threat intelligence alliance might contribute to long-term deterrence strategies. More eyes on this adversary could increase opportunities to disrupt China’s future cyber activities, making them less likely to succeed over time. Increased attribution could also cause the Chinese government reputational harm internationally, in addition to the direct financial costs Beijing would suffer each time it needed to reconstitute C2 upon discovery.
If the United States wants to achieve its strategic vision of an “open, free, global, interoperable, reliable, and secure” internet that “uplifts and empowers people everywhere,” then Washington must commit to pushing back on any efforts to weaponize cyberspace to achieve autocratic or coercive geopolitical objectives. None of these efforts is likely to deter China completely from mounting cyberattacks, of course. But more eyes on malicious Chinese cyber activities targeting critical infrastructure, through a comprehensive, coordinated cyber intelligence alliance, would make it more difficult and costly for Beijing to continue its current course. Equally valuable, this would send a clear signal to the world that the United States and its regional allies and partners are willing to contest Beijing in cyberspace to secure the enduring freedom of the global digital ecosystem.
Victor Atkins is a nonresident fellow with the Atlantic Council’s Indo-Pacific Security Initiative, where he specializes in cyber intelligence, national security, and industrial cybersecurity issues. He was previously a leader within the Department of Energy’s Cyber Intelligence Directorate, where his teams provided all-source foreign intelligence analytical support to the US energy sector.
The views expressed in this article are the author’s and do not reflect those of the Department of Energy or the US intelligence community.