China has conducted aggressive cyberattacks on U.S. critical infrastructures and the U.S. needs to step up efforts to block the planting of malicious software in control networks, the general slated to be the next commander of Cyber Command told Congress.
Army Lt. Gen. Joshua M. Rudd, who also is nominated to be director of the National Security Agency, disclosed new details of cyberthreats to infrastructure in recent congressional testimony.
Gen. Rudd, currently the deputy commander of the Indo-Pacific Command, said other adversaries also threaten critical infrastructure, but that those dangers are smaller than the threat from communist China.
“The United States faces a complex and multi-layered cyber threat landscape, but there is no ambiguity about our primary threat — China is the most serious and sophisticated threat we face in cyberspace,” Gen. Rudd told the Senate Armed Services Committee.
Gen. Rudd appeared before the panel Thursday, but the details about Chinese cyberthreats were contained in his written answers to the committee's policy questions rather than in his oral testimony.
Chinese cyberattack capabilities are well-resourced, highly skilled and integrated with Beijing’s national and military goals, he stated.
“Their clear intention is to challenge U.S. interests by penetrating our most critical systems, including our nation’s critical infrastructure systems,” he said.
To mitigate the dangers, the U.S. needs to speed up efforts to counter and neutralize strategic-level efforts by adversaries to “pre-position” malicious software and other cyber capabilities that will be used to attack critical infrastructure and civilian targets.
China has been linked by U.S. officials to large-scale cyberattacks against computer networks in the U.S. and overseas for at least two decades, with little or no response from successive administrations, according to cybersecurity experts.
Recent high-profile examples of those actions include Chinese-linked operations code-named Volt Typhoon by cyber experts.
In those attacks, Chinese state actors were detected burrowing into networks of U.S. water, power, and transit systems. The activity is viewed by officials as deliberate pre-positioning of access points that could be used to hold hostage American cities and communities and enable disruption during a future crisis or conflict.
“The threat posed by the placement of tools to attack essential services in the United States and the U.S. economy threatens stability and carries the unacceptable risk of causing civilian casualties, both in a potential conflict and in peacetime if left undefended,” Gen. Rudd said.
Cyberattacks by China and other adversaries such as Russia, North Korea and Iran show no signs of diminishing and will be used for espionage, disinformation, and in military operations to bolster non-kinetic and kinetic weapons, Gen. Rudd said.
The three-star general said cyber power has increased rapidly in the past decade and is “one of the most significant shifts in modern warfare and national security.”
Tactics used by cyber warriors are stealthier and more difficult to detect, and the cost of using cyber weapons has fallen, he said.
“The change has been dramatic, moving from what was primarily a challenge of espionage and theft to a direct threat to our way of life,” he said.
Over the past 10 years, the primary threat in the cyber domain was stealing information for economic gain or for intelligence.
Current adversaries now fully integrate cyber warfare tools into military doctrine and strategy.
“Their intent is to be able to hold our critical infrastructure at risk — our power grids, financial systems, communication networks, and other civilian infrastructure — and to use that leverage to deter us in a crisis or cripple our response in a conflict,” Gen. Rudd said. “Additionally, a variety of non-state actors employ offensive cyber capabilities that threaten the security of the U.S. homeland.”
Gen. Rudd said the speed of China’s advancement of critical cyber warfare technologies is “unprecedented” and conducted through massive state investment, systematic intellectual property theft, and exploiting open academic and commercial collaboration.
“This presents serious risks in peacetime and in the event of a conflict,” he said.
For Cyber Command, the key challenge will be speeding up the development and fielding of advanced cyber capabilities and ensuring the command has adequate authority for countering adversaries, Gen. Rudd said.
Gen. Rudd said NSA’s major challenges include confronting the full spectrum of threats from China and the increasing danger of both crises and conflicts in multiple theaters.
Signals intelligence collection and cybersecurity are NSA’s main functions, and technology needs to be applied to improving both, he said, noting key targets of foreign adversaries are critical infrastructure and political and economic targets.
Asked by the committee whether China is currently deterred from conducting cyberattacks on critical infrastructure, Gen. Rudd said: “China understands that a catastrophic cyberattack against our critical infrastructure in peacetime would provoke an overwhelming response from the United States.”
“However, we recognize strong cyber defenses are not sufficient on their own to deter our adversaries,” he said. “We must account [for] China’s history of cyber espionage, intellectual property theft, and information warfare as we consider our approach to deterrence in cyberspace. Cyber effects must be layered across all domains in order to provide options to best deter.”
Gen. Rudd said effective deterrence is built on a strategy of denying attacks, restoring networks after attacks and having credible counterattack capabilities.
The current strategic approach, aimed at denying adversary “footholds” in U.S. systems, requires constant and continual cyber contact with intruders.
“Eroding adversary postured cyber intrusions removes technical options and corrodes adversary decision maker confidence that their cyber weapons will be available should they try to employ them,” he said.
If deterrence fails, cyber forces must be ready to respond aggressively and decisively, he said.
Asked about the use of offensive cyberattacks in response to enemy cyber strikes, Gen. Rudd said he supports actions and imposing costs on targets that enemies value in response to any infrastructure attacks.
“Deterrence through strength requires that we provide our civilian leadership with a full spectrum of options, including potent offensive cyber capabilities,” he said, noting that approach is needed for shaping enemy behavior and ensuring strategic stability.
North Korea’s cyber warfare programs are a sophisticated threat and are used by state actors to carry out malicious cyber activity for intelligence, to compromise critical infrastructure, and to generate illicit revenue to evade sanctions, Gen. Rudd said.
Iran’s government has shown growing expertise in cyber operations that pose a major threat to U.S. networks for retaliation and spying, he said.
Two days before the general’s testimony, a panel of experts discussed U.S. government failures to deter Chinese and other adversary cyberattacks before a panel of the House Homeland Security Committee.
Joe Lin, chief executive of Twenty Technologies, Inc., a company that describes itself as a “cyberwarfare startup,” told the subcommittee on cybersecurity and infrastructure protection that a strategy of offensive cyber retaliation is urgently needed.
“For too long, Washington has treated offensive cyber operations as inherently escalatory — as if responding to a cyber intrusion carried the same risk as nuclear war,” he stated in his testimony.
“The result is a dangerous pattern: we absorb attack after attack, issue warnings about ’norms,’ and add a modest sanction or two,” he said. “Meanwhile, the People’s Republic of China, Russia, Iran, and North Korea continue to infiltrate our critical infrastructure, steal our intellectual property, and pre-position malware inside our civilian systems — all with increasing confidence that there will be no real cost.”
U.S. government restraint in response to cyberattacks is meant to prevent escalation in the cyber domain, but in practice has invited further attacks, he said.
Mr. Li also cited the Salt Typhoon intrusions, in which Chinese actors achieved deep strategic penetrations of multiple major American telecommunications providers, including AT&T, Verizon and T-Mobile.
Americans’ private data has also been stolen on a massive scale in past Chinese attacks, including the breach of the health company Anthem, which lost 79 million records, including Social Security numbers and medical IDs, to China.
Mass theft of hotel data from Marriott involved 383 million guests, including passport numbers, Mr. Li said.
From the credit scoring firm Equifax, 145 million Americans — nearly half the country — lost financial identity information to the Chinese military, he said.
China also obtained 22 million records from Office of Personnel Management systems, including the highly sensitive SF-86 security clearance files of the federal workforce, he said.
That breach involved compromised Social Security numbers, fingerprints, and the intimate background details of current, former, and prospective federal employees, contractors, and their families.
“By harvesting this data, the PRC has gained a permanent counterintelligence roadmap to the people who operate, protect, and lead this country,” Mr. Li said.
Chinese infrastructure attacks such as Volt Typhoon resulted in embedded cyber access to critical services.
“Our adversaries have learned that the marginal cost of doing more is low,” Mr. Li said. “Every time we respond to aggression with speeches instead of real consequences, we send a clear signal: keep climbing.”
Emily Harding, vice president of defense and security at the Center for Strategic and International Studies, agreed that U.S. cyber deterrence has been ineffective.
“Washington has failed to establish deterrence in the cyber domain, and our adversaries control the escalation ladder,” Ms. Harding testified.
Cyber Command has “strong, perhaps unmatched” offensive cyber warfare capabilities and has repeatedly proven its troops and tools can disrupt adversary activities when directed to do so.
That demonstrated skill, combined with other elements of U.S. power, makes cyber deterrence possible, she said.
“But to actually achieve deterrence, we need a mindset shift,” Ms. Harding said. “We need to stop thinking about cyberattacks as inevitable nuisances and start seeing them for what they are: hostile action against the United States.”
Cybercriminal activity should be separated from threats from states like China, Russia, Iran and North Korea; state cyberattacks should instead be treated as low-level warfare.
American cyber defenses, Ms. Harding said, are unacceptably weak and government and industry need to invest much greater efforts and resources into rendering critical infrastructure and government systems better defended and ready for the new form of warfare.
“Systems must be able to fail, reset, and recover in minutes, not days, with minimal disruption to essential services,” she said.
Two alarming examples of major infrastructure attacks included 2023 cyberattacks traced to Iran’s Islamic Revolutionary Guard Corps against U.S. water plants, and China’s Volt Typhoon cyberattacks against U.S. water, power and port systems in Guam.
“These two egregious violations received little attention because they were cyberattacks, and ’cyber’ has been shunted into a silo of what tech people do behind the scenes,” Ms. Harding said.
Viewing the operations as technical and an afterthought is a strategic mistake, she said, adding that a dramatic change is needed in dealing with cyber threats.
“Attacks like Iran’s and China’s should be viewed as part of a dangerous new phase in cyberwarfare, one for which U.S. systems and policy are ill-prepared,” Ms. Harding said. “The U.S. government has no hope of deterring, defending, and responding unless it begins to integrate cyber offense and defense into its own national security strategy.”
• Bill Gertz can be reached at bgertz@washingtontimes.com.