Chinese Hack Pushes Up Against Guardrails Intended to Manage U.S.-Chinese Strategic Competition

Bradley Intelligence Report

Client Alert


On Jan. 31, the U.S. government announced it had disrupted a Chinese Communist Party (CCP) botnet used to conceal hacking attacks on U.S. critical infrastructure. The announcement included a Department of Justice press release, a media briefing, and testimony by the U.S. government’s top cyber leaders in a hearing before the House Select Committee on the Chinese Communist Party, a well-orchestrated campaign to name and shame the Chinese government for stepping over the line from intelligence collection to active measures positioned for use in case of war. Currently, Beijing is denying culpability and making counter-accusations. The development of this dispute risks a new crisis in the bilateral relationship and will test the guardrails put in place in the latter part of last year to manage growing tensions between Washington and Beijing.

CCP Targeting of U.S. Critical Infrastructure: How It Escalates Tension

Nations routinely collect intelligence on competitors and adversaries; planning sabotage against civilian infrastructure and putting attack capabilities in place is an act of war. FBI Director Christopher Wray testified before Congress that Chinese hackers are preparing to “wreak havoc and cause real-world harm” to the U.S. by targeting water treatment plants, electrical infrastructure, and oil and natural gas pipelines. In other words, Chinese hackers are positioning themselves to destroy or degrade civilian critical infrastructure. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly testified that attacks on critical infrastructure seek to ensure the CCP can “incite societal panic and chaos and to deter our ability to marshal military might and civilian will.”

For decades, China has run sophisticated intelligence operations against the U.S., collecting intelligence on U.S. foreign policy, military capabilities and intentions, and economic infrastructure. Beijing has also targeted U.S. businesses, stealing intellectual property. The hack first uncovered in May 2023, attributed to a hacking group named Volt Typhoon, has no intelligence collection value and no economic benefit. It is intended to destroy U.S. infrastructure.

The FBI provided an unusual level of detail on how, through a court-authorized operation, U.S. cyber experts succeeded in deleting the botnet malware from the routers where the hackers lurked and severing the routers’ connection to the hackers. The FBI installed code to prevent reinfection and did all of this without alerting the companies that owned the infected hardware. The government’s proactive handling of the threat and its communications strategy appear designed both to put down a marker for China and to alert American businesses to the need to step up security countermeasures and resilience. Easterly’s testimony that what has been discovered is likely “just the tip of the iceberg” signals that additional penetrations are likely to be announced.

The Chinese government’s response, thus far, has been limited to denials and counter-accusations, but escalation is likely. The U.S. shootdown of a Chinese surveillance balloon violating U.S. airspace in early 2023 triggered increased tensions, embarrassed Chinese President Xi and contributed to the downward spiral in U.S.-Chinese relations. Beijing had cut off military-to-military communications following then-U.S. House Speaker Nancy Pelosi’s visit to Taiwan in August 2022. This important channel for managing incidents and risks of miscalculation was not restored until December 2023, after the Biden-Xi summit in California. That summit also reopened dialogue on curbing the flow of fentanyl and cooperation on climate change, and produced an agreement to discuss the potential risks of AI.

Chinese authorities view talks as a concession rather than a mutual benefit. As such, Beijing does not place the same value on maintaining these guardrails.

Risk Scenarios for 2024

China experts in the U.S. are not optimistic that the bilateral relationship in 2024 will be much improved over 2023. The best-case scenario is that Washington and Beijing will better manage disputes by keeping communication channels open. The U.S. has dropped the use of “strategic” in reference to competition between the two countries, in an apparent nod to Chinese sensitivities. However, the rivalry for global political influence, trade, and military superiority will continue. This is clearly the scenario preferred by the Biden administration, along with European and Asian allies.

A higher risk scenario is that the rivalry will manifest in a breach, with de-risking leading to decoupling and the emergence of distinct blocs in the international system. One bloc would encompass liberal democracies and other countries committed to the current international order. A second bloc would be led by China and include Russia, Iran and other authoritarian states, operating under new sets of understandings (emerging standards and norms challenging the post-World War II international agreements and norms). In this bloc, trade would not be dollar-based, removing a key point of leverage the U.S. and allies have in international relations. Freedom of navigation on the seas would be replaced by nationally controlled waters, effectively ending the international system of free trade.

The highest risk scenario is the outbreak of war between the U.S. and China. Few China experts in the U.S. see war as inevitable; rather, they see it as a potential outcome of miscalculation. Taiwan and the South China Sea are potential flashpoints leading to armed confrontation between the two superpowers. This is one reason why the Biden administration has been intent upon restoring military-to-military communications with Beijing. It is also why the exposure of the Volt Typhoon hack is so alarming. The scope and scale of the targeting of U.S. critical infrastructure signals that Beijing is preparing for war, or at least preparing active measures to undercut the ability of the U.S. government to respond to a Chinese military move against Taiwan or against territory in the South China Sea claimed by U.S. allies, the Philippines and Vietnam. Freedom of navigation in the South China Sea is also essential to the national security of Japan.

Implications for U.S. Businesses

CISA (whose mission is to secure critical infrastructure from all hazards by managing risk and enhancing resilience through collaboration with the critical infrastructure community) has already disseminated details to the public on the routers vulnerable to the Volt Typhoon hack. Most of the routers were Cisco and Netgear products that were vulnerable because they had reached end-of-life status, meaning they were no longer receiving routine security updates from the manufacturers. Attacks on end-of-life technology are not new. CISA has long advised that good cybersecurity includes regular software and patch management: keeping software and firmware up to date by performing vulnerability scanning and patching, and by identifying and mitigating unsupported, end-of-life, and unpatched software and firmware.
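The end-of-life check CISA describes can be automated against a device inventory. The following is an added example, not code from this report or from CISA; the inventory, model names, firmware versions and end-of-support dates are constructed placeholders, not real Cisco or Netgear data, and a real deployment would load them from the asset database and vendor support notices.

```python
from datetime import date

# Constructed sample data for this example. Model names, versions and dates
# are placeholders, not real vendor end-of-life information.
SUPPORT_TABLE = {
    # model: (end-of-support date, latest supported firmware)
    "RouterModelA": (date(2022, 6, 30), "1.4.2"),   # past EOL: no more patches
    "RouterModelB": (date(2027, 1, 1), "3.2.0"),    # still supported
    "RouterModelC": (date(2026, 3, 15), "2.0.1"),   # still supported
}

INVENTORY = [
    {"host": "edge-01", "model": "RouterModelA", "firmware": "1.4.2"},
    {"host": "edge-02", "model": "RouterModelB", "firmware": "3.1.5"},
    {"host": "edge-03", "model": "RouterModelC", "firmware": "2.0.1"},
    {"host": "edge-04", "model": "UnknownModel", "firmware": "0.9"},
]

# Constructed assessment date used for the sample run.
AS_OF = date(2024, 2, 1)

def parse_version(v):
    # Compare dotted versions numerically so "3.10.0" sorts above "3.9.1".
    return tuple(int(p) for p in v.split("."))

def assess_device(dev, table, today):
    """Return one finding for a device: EOL, OUTDATED, UNKNOWN or OK."""
    entry = table.get(dev["model"])
    if entry is None:
        return "UNKNOWN"   # not in the support table: support cannot be confirmed
    eol, latest = entry
    if today > eol:
        return "EOL"       # unsupported: patching is no longer an option, replace it
    if parse_version(dev["firmware"]) < parse_version(latest):
        return "OUTDATED"  # supported but behind: patch it
    return "OK"

def triage(inventory, table, today):
    """Group hosts by finding so EOL replacements are prioritised over patching."""
    findings = {"EOL": [], "OUTDATED": [], "UNKNOWN": [], "OK": []}
    for dev in inventory:
        findings[assess_device(dev, table, today)].append(dev["host"])
    return findings

if __name__ == "__main__":
    for label, hosts in triage(INVENTORY, SUPPORT_TABLE, AS_OF).items():
        print(f"{label}: {hosts}")
```

Devices in the EOL bucket cannot be fixed by patching and belong on a replacement list; UNKNOWN devices need their support status confirmed before they can be treated as safe.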

Beyond cybersecurity, businesses with operations or supply chains in China, and ventures in the U.S. with Chinese companies, are advised to monitor developments for increased political and operational risks. The House Select Committee on the Chinese Communist Party, which convened the hearing on the CCP’s threat to U.S. critical infrastructure, released a report in December 2023, “Reset, Prevent, Build: A Strategy to Win America's Economic Competition with the Chinese Communist Party,” with a list of 150-plus recommendations on revising the relationship with Beijing, putting U.S. “national security, economic security and values at the core of the U.S.-PRC relationship.”

The recommendations include removing permanent normal trade relations with China and imposing higher tariff rates, enforcing strong rules of origin so that China cannot use U.S. trading partners as a backdoor to preferential access to the U.S. market, and imposing import duties on foundational semiconductors from China.

Related to technology, the report recommends establishing and funding programs to remove Huawei, ZTE and other high-risk, foreign-controlled telecom vendors, expanding the FCC’s “covered list” of telecom equipment, and requiring cloud-computing companies to implement “know-your-customer” programs.

The report recommends creating transparency into U.S. investment in China, requiring large U.S. public companies to disclose key risks related to China, including material ties to the CCP, supply chain, profit from China and the company’s ability to withstand a sudden loss of market access that could result from a conflict in the region. For investment in the U.S., the report advocates expanding CFIUS jurisdiction over joint ventures with Chinese companies involving critical technologies, critical infrastructure or sensitive personal data. The definition of critical technologies should be expanded to include technologies that directly or indirectly enable technologies on the White House’s Critical and Emerging Technologies list.

To operationalize the recommendations, new legislation and/or executive orders are required. It is likely that some of the recommendations, those that enjoy broad bipartisan support, will be adopted and will impact the U.S. economy, from trade and investment to new technology controls. Should the U.S.-China bilateral relationship resume a downward spiral as a result of the Volt Typhoon hack, Congress will be even more motivated to impose costs on Beijing in the name of economic and national security.