China Has Raised the Cyber Stakes
The “Salt Typhoon” Hack Revealed America’s Profound Vulnerability
Over the last few months, U.S. government officials have revealed details about a sophisticated Chinese cyber-operation known as “Salt Typhoon.” The campaign, which U.S. investigators believe is connected to China’s Ministry of State Security, has targeted at least nine telecommunications and infrastructure firms in the United States, as well as targets in dozens of other countries. Over the past year or two—investigators have not yet determined exactly how long the operation ran—the hackers harvested the call records and location data of millions of Americans and gained access to the texts and phone calls of a more select group of high-level officials and politicians, including now U.S. President Donald Trump and Vice President JD Vance, according to Politico. Chinese-sponsored cyber-espionage is not new, but Salt Typhoon was unprecedented in its breadth. The full extent of the breach, and the degree to which the hackers still have access to these networks, remains unknown, but the vice chair of the Senate Select Committee on Intelligence, Senator Mark Warner, has called the attack “the worst telecom hack in our nation’s history.”
Senior lawmakers and U.S. officials have begun using end-to-end encrypted apps to make cellphone calls and send texts. The Biden administration issued guidance to telecommunications and infrastructure operators on how to detect the intrusions and harden their networks, banned Chinese telecommunications firms from operating in the United States, and convened discussions with U.S. telecom CEOs and cybersecurity firms. In his last week in office, U.S. President Joe Biden issued an executive order that, among other things, requires companies selling software to the federal government to demonstrate that they have met federal secure-software development standards. A more sustained policy response, however, will fall to Trump. Many of his staff will be familiar with the threat that Chinese hackers present, but they will be less familiar with how sophisticated and technologically capable their adversary has become.
The threat of cyber-espionage can never be eliminated. The Chinese leadership not only views the information gathered in these operations as critical to the country’s national security and foreign policy interests but also believes that the United States conducts the same operations against China. In espionage, the attacker has the advantage over the defender, and China cannot be talked out of spying. But that does not mean these attacks should simply be endured. The new Trump administration can better stymie its adversaries by modernizing technology, providing greater support to critical infrastructure operators, and expanding U.S. efforts to disrupt and impose costs on Chinese hackers.
NEW AND IMPROVED
Salt Typhoon is the latest in a long string of Chinese-backed cyber-espionage campaigns. China dedicates significant resources to gathering information on foreign agencies, institutions, and individuals who might promote policies that harm Chinese interests or influence international debates on topics of importance to Beijing. The last high-profile operation before Salt Typhoon took place in 2023, when Chinese hackers used a stolen Microsoft signing key to forge authentication tokens for Microsoft cloud email accounts, gaining access to Commerce Secretary Gina Raimondo’s account and stealing tens of thousands of emails from State Department officials working on East Asian and Pacific affairs. In the last week of 2024, the Treasury Department informed Congress that Chinese hackers had accessed workstations and unclassified documents in the Office of Financial Research and targeted the Office of Foreign Assets Control, which administers economic sanctions against countries, firms, and individuals. Over the last two decades, Chinese hackers have penetrated the networks of the Departments of Commerce, Defense, and State; the White House; the presidential campaigns of both John McCain and Barack Obama; and the embassies, foreign and defense ministries, and parliaments of U.S. allies and partners around the world.
China has much to gain from these campaigns. The theft of some data sets could, for instance, aid Chinese intelligence and counterintelligence operations. In addition to location data, calls, and texts, Salt Typhoon compromised the lawful-intercept systems that telephone companies maintain so that law enforcement, acting under court orders in criminal and national security investigations, can monitor specific subscribers. By entering through these built-in surveillance interfaces in U.S. telecom systems, Chinese intelligence could have seen which of its operations were being monitored by the FBI. Between 2014 and 2018, Chinese hackers stole the personal data of more than 20 million current, former, and prospective federal employees and contractors from the Office of Personnel Management, as well as the credit information, passport numbers, travel plans, and health data of tens of millions of Americans in hacks of the private companies Anthem, Equifax, Marriott, and United Airlines. This data could have helped Chinese intelligence officers compel individuals to spy for Beijing, and it may have assisted Chinese counterintelligence in identifying and tracking U.S. spies around the world. It is also possible that the metadata from U.S. telecommunications—that is, information about whom a call was placed to, when, and how long it lasted, but not the content of the call itself—could be employed to diversify the domestic data used to train Chinese artificial intelligence systems.
DIPLOMACY, DEFENSE, AND DISRUPTION
The U.S. government has so far responded to these types of attacks with diplomacy, by strengthening the defenses of domestic networks, and by seeking to disrupt the attacks of adversaries. These tactics have yielded mixed results. So far, diplomatic tools have not been effective in stopping or deterring cyber-espionage. The Chinese foreign ministry denies that Beijing is behind cyber-operations, publicly calls out the United States for being the real “Empire of Hacking,” and claims that Washington is using cybersecurity issues to “vilify China.” China’s National Computer Virus Emergency Response Center and the Chinese cybersecurity firm 360 Digital Security Group have also released reports, trumpeted by the state’s English-language newspaper Global Times, that claim that another Chinese operation known as “Volt Typhoon”—which the United States discovered in the early months of 2023 but which had been active since mid-2021, according to Microsoft—is in fact the work of an international ransomware gang and that U.S. spy agencies have created false narratives about the origin of the attacks in order to raise their budgets.
To be sure, the United States does engage in cyber-espionage, spying on the political leaders, foreign ministries, and militaries of potential adversaries. But the key difference is that the United States and its allies, in their own cyber-espionage, target only legitimate national security interests and do not seek economic gain, collect data on entire populations, or cause harm to third parties.
In the first week of this year, the Treasury Department sanctioned a Beijing-based cybersecurity company, Integrity Technology Group, for supporting a hacking campaign known as “Flax Typhoon” that targeted organizations within U.S. critical infrastructure sectors. The members of the Five Eyes intelligence alliance—Australia, Canada, New Zealand, the United Kingdom, and the United States—have publicly called out China for this sort of interference, sometimes with the support of other countries, attributing cyberattacks to Chinese-backed groups. Although these actions are effective in warning vulnerable targets about Chinese campaigns and in creating a shared understanding among U.S. allies about what types of cyber-operations are considered legitimate, they have had no noticeable effect on curbing the scale and scope of Chinese cyber-espionage.
To better shield the United States from these covert campaigns, the Biden administration employed executive actions and sought voluntary commitments from U.S. industry. Working with the private sector, federal agencies have developed new safeguards and standards for railways, pipelines, and the aviation sector. In April 2024, Biden signed a new National Security Memorandum on Critical Infrastructure, which tasked the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, with coordinating efforts to protect critical infrastructure, especially the sectors underpinning national security, public health, and safety. The memorandum also directed U.S. intelligence agencies to share information about cyberthreats with the owners and operators of critical infrastructure. In response to Salt Typhoon, current Federal Communications Commission Chair Jessica Rosenworcel proposed new rules that would oblige telecom operators to secure their networks, introduce an annual certification requirement for those providers to maintain cybersecurity risk management plans, and apply fines—or even criminal penalties—if they failed to comply. This rule and other regulations are likely to be revisited (and potentially rescinded) by the incoming Republican-controlled Federal Communications Commission and Congress, which view the private sector as overburdened. The Trump administration is unlikely to introduce new regulations to raise cybersecurity standards.
But even if bolstered, cyberdefense regulations would not be enough to protect the United States from outside cyberthreats. Attackers will continue to find weaknesses across networks and devices. They have increasingly breached networks by compromising third-party software suppliers rather than attacking their ultimate targets directly. Cybersecurity talent is scarce, and replacing old equipment is expensive. Salt Typhoon, for example, appears to have exploited flaws in aging network equipment, some of which can be remediated only by replacing the hardware, a step that would cost the public and private sectors billions of dollars. Given such challenges, a better defense could require greater offense.
Republicans may doubt the utility of stiffer regulations in protecting the country from cyberthreats, but they have already taken steps to advance, or at least lay the groundwork for, offensive tactics. During his first term, Trump relaxed restrictions on offensive cyber-operations through National Security Presidential Memorandum 13, and the 2019 National Defense Authorization Act preauthorized “appropriate and proportional action in foreign cyberspace to disrupt, defeat, and deter” any “active, systematic, and ongoing campaign of attacks against the Government or people of the United States in cyberspace” by China, Iran, North Korea, or Russia.
One such tactic that the United States already employs is what the 2018 Department of Defense Cyber Strategy called “defend forward,” or disrupting malicious cyber-activity at its source. Public details of these operations are scarce, but according to The Washington Post, the United States mounted cyber-operations during both the 2018 midterm elections and the 2020 presidential election to stop hackers, including one that kept TrickBot, one of the world’s largest botnets, from being used in attacks on U.S. targets. In addition, U.S. Cyber Command, which is part of the Department of Defense, works with partner countries to conduct “hunt forward” operations that search partners’ networks for malicious cyber-activity and publicly expose the malware they find by uploading samples to public repositories such as VirusTotal, so that defenders elsewhere can detect it before it is used against other targets. According to its commander, General Timothy Haugh, Cyber Command conducted 22 such missions in 17 different countries in 2023. The Department of Justice also plays a role in disruption. In December 2023, Chinese-sponsored hackers were detected using compromised home and small-business Internet routers (the so-called KV Botnet, operated by Volt Typhoon) to mask attacks on U.S. critical infrastructure. To thwart these attacks, a U.S. court authorized the FBI to delete the malware from the routers and sever their connection to the botnet without the owners’ permission.
VIRTUAL SECURITY
The incoming Trump administration will face a more capable China than the first Trump administration did. As the Office of the Director of National Intelligence put it in 2024, “China remains the most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.” China has made itself a peer competitor in cyberspace by investing in new technology and training, developing closer connections between the Ministry of State Security and cybersecurity researchers, and building a competitive domestic ecosystem of private companies willing to support the state’s cyber-operations.
Although the Trump administration is unlikely to rely on new regulations or legislation to harden the defense of American networks, it can lead on the harmonization of cyber standards across multiple federal agencies, reducing compliance costs and providing greater clarity to the private sector on cybersecurity priorities. This standardization could begin under the Office of the National Cyber Director. Under Biden, the ONCD began a study on how the demands placed on critical infrastructure operators, who are often subject to multiple regulators, might be standardized and simplified. The ONCD could continue this work by implementing the study’s recommendations and streamlining the numerous, and sometimes conflicting, regulations that govern how federal agencies must respond to cyberattacks. Such steps would free up resources that are currently spent on compliance to be invested instead in actual cyberdefense. In addition, U.S. business sits on the cusp of a wave of investment in artificial intelligence applications, cloud services, smart energy grids, and high-speed connectivity. To ensure that such technology remains secure, the new administration should coordinate with the private sector to incentivize parallel investments in cybersecurity talent and technology.
The United States should also conduct more hunt forward and disruptive operations to hurt Chinese operators and the infrastructure they use to launch attacks. Trump’s incoming national security adviser, U.S. Representative Mike Waltz, told CBS News, “We need to start going on offense and start imposing, I think, higher costs and consequences to private actors and nation state actors that continue to steal our data, that continue to spy on us.” But offensive cyber-operations occur out of sight. They should be accompanied by highly publicized warnings to Beijing that the United States is willing to respond to large-scale espionage operations that target U.S. citizens en masse.
Sanctions and indictments against individual hackers and the small technology firms that support cyber-operations have not worked. The Trump administration should instead consider sanctioning—together with its Asian and European partners that also suffer from Chinese cyber-operations—the Chinese officials who authorize the cyber-operations that steal intellectual property, install malware on critical infrastructure in preparation for destructive attacks, indiscriminately expose widely used systems to exploitation, or otherwise go beyond traditional political and military espionage.
The new administration will likely not end Chinese cyber-espionage simply by increasing diplomatic pressure and offensive cyber-operations. But if it more concertedly goes on the offensive and hardens the country’s capacity to defend against cyber-operations, it can help prevent another breach on the scale of Salt Typhoon.