A version of this story appeared in the daily Threat Status newsletter from The Washington Times.
China has conducted aggressive cyberattacks on U.S. critical infrastructure, and the U.S. needs to step up efforts to block the planting of malicious software in control networks, the general slated to be the next commander of Cyber Command told Congress.
Army Lt. Gen. Joshua M. Rudd, who is also nominated to be director of the National Security Agency, disclosed new details about cyberattack threats to infrastructure in recent congressional testimony.
Gen. Rudd, currently the deputy commander of the Indo-Pacific Command, said other adversaries also threaten critical infrastructure, but that the danger from communist China is greater.
“The United States faces a complex and multilayered cyber threat landscape, but there is no ambiguity about our primary threat: China is the most serious and sophisticated threat we face in cyberspace,” Gen. Rudd told the Senate Armed Services Committee.
Gen. Rudd appeared before the panel on Jan. 15. He did not discuss details of Chinese cyberattack threats in his oral testimony; those details were contained in his written answers to the committee’s advance policy questions.
Chinese cyberattack capabilities are well-resourced, highly skilled and integrated with Beijing’s national and military goals, he stated.
“Their clear intention is to challenge U.S. interests by penetrating our most critical systems, including our nation’s critical infrastructure systems,” he said.
To mitigate the dangers, the U.S. needs to accelerate efforts to counter and neutralize strategic-level adversaries’ efforts to “pre-position” malicious software and other cyberwarfare capabilities for attacks on critical infrastructure and civilian targets, he said.
U.S. officials have linked China to large-scale cyberattacks against U.S. and overseas computer networks for at least two decades, with successive administrations offering little or no response, cybersecurity experts say.
Recent high-profile examples of those actions include Chinese-linked operations that cybersecurity experts code-named “Volt Typhoon.”
In those attacks, Chinese state actors were detected burrowing into networks of U.S. water, power and transit systems. Officials view the activity as deliberate pre-positioning of access points that could be used to hold American cities and communities hostage and enable disruption during a crisis or conflict.
“The threat posed by the placement of tools to attack essential services in the United States and the U.S. economy threatens stability and carries the unacceptable risk of causing civilian casualties, both in a potential conflict and in peacetime if left undefended,” Gen. Rudd said.
Cyberattacks by China and other U.S. adversaries, such as Russia, North Korea and Iran, show no signs of diminishing and will be used for espionage and disinformation and in military operations to bolster non-kinetic and kinetic weapons, Gen. Rudd said.
The three-star general said power in cyberspace has increased rapidly in the past decade and is “one of the most significant shifts in modern warfare and national security.”
Tactics used by cyberwarriors are stealthier and harder to detect, and the costs of using cyberweapons have decreased, he said.
“The change has been dramatic, moving from what was primarily a challenge of espionage and theft to a direct threat to our way of life,” he said.
For most of the past decade, the primary threat in the cyber domain was the theft of information for economic gain or intelligence.
Adversaries now fully integrate cyberwarfare tools into military doctrine and strategy, he said.
“Their intent is to be able to hold our critical infrastructure at risk — our power grids, financial systems, communication networks, and other civilian infrastructure — and to use that leverage to deter us in a crisis or cripple our response in a conflict,” Gen. Rudd said. “Additionally, a variety of non-state actors employ offensive cyber capabilities that threaten the security of the U.S. homeland.”
Gen. Rudd said the pace of China’s advancement of critical cyberwarfare technologies is “unprecedented” and is driven by massive state investment, systematic intellectual property theft, and the exploitation of open academic and commercial collaboration.
“This presents serious risks in peacetime and in the event of a conflict,” he said.
For Cyber Command, the key challenge will be accelerating the development and fielding of advanced cybersecurity capabilities and ensuring the command has adequate authority to counter adversaries, Gen. Rudd said.
Gen. Rudd said the NSA’s major challenges include confronting the full spectrum of threats from China and the growing danger of crises and conflicts across multiple theaters.
Signals intelligence collection and cybersecurity are the NSA’s main functions, and technology needs to be applied to improve both, he said, noting that key targets of foreign adversaries include critical infrastructure and political and economic targets.
Asked by the committee whether China is deterred from conducting cyberattacks on critical infrastructure, Gen. Rudd said: “China understands that a catastrophic cyberattack against our critical infrastructure in peacetime would provoke an overwhelming response from the United States.”
“However, we recognize strong cyber defenses are not sufficient on their own to deter our adversaries,” he said. “We must account [for] China’s history of cyber espionage, intellectual property theft, and information warfare as we consider our approach to deterrence in cyberspace. Cyber effects must be layered across all domains in order to provide options to best deter.”
Gen. Rudd said effective deterrence is built on a strategy of denying attacks, restoring networks after attacks and having credible counterattack capabilities.
The current strategic approach, aimed at denying adversaries “footholds” in U.S. systems, requires persistent contact with intruders in cyberspace, he said.
“Eroding adversary postured cyber intrusions removes technical options and corrodes adversary decision maker confidence that their cyber weapons will be available should they try to employ them,” he said.
If deterrence fails, U.S. cyber forces must be ready to respond aggressively and decisively, he said.
Asked about the use of offensive cyberattacks in response to enemy cyberwarfare strikes, Gen. Rudd said he supports actions that impose costs on targets that enemies value in response to infrastructure attacks.
“Deterrence through strength requires that we provide our civilian leadership with a full spectrum of options, including potent offensive cyber capabilities,” he said, noting that an approach is needed for shaping enemy behavior and ensuring strategic stability.
North Korea’s cyberwarfare programs are sophisticated threats and are used by state actors to carry out malicious cyberspace activity for intelligence, to compromise critical infrastructure and to generate illicit revenue to evade sanctions, Gen. Rudd said.
Iran’s government has shown growing expertise in cyberspace operations that pose major threats to U.S. networks for retaliation and spying, he said.
Two days before the general’s testimony, a panel of experts discussed U.S. government failures to deter Chinese and other adversary cyberattacks before a subcommittee of the House Homeland Security Committee.
Joe Lin, chief executive of Twenty Technologies Inc., a company that describes itself as a “cyberwarfare startup,” told the subcommittee on cybersecurity and infrastructure protection that a strategy of offensive cyberattack retaliation is urgently needed.
“For too long, Washington has treated offensive cyberoperations as inherently escalatory — as if responding to a cyber intrusion carried the same risk as nuclear war,” he stated in his testimony.
“The result is a dangerous pattern: we absorb attack after attack, issue warnings about ‘norms,’ and add a modest sanction or two,” he said. “Meanwhile, the People’s Republic of China, Russia, Iran, and North Korea continue to infiltrate our critical infrastructure, steal our intellectual property, and pre-position malware inside our civilian systems — all with increasing confidence that there will be no real cost.”
U.S. government restraint in responding to cyberattacks is meant to prevent escalation in the cybersecurity domain, but, in practice, has invited further attacks, he said.
Mr. Lin noted major Chinese intrusions in the Salt Typhoon attacks, which conducted deep strategic penetrations of major American telecommunications providers, including AT&T, Verizon and T-Mobile.
Americans’ private data has been stolen massively in past Chinese attacks on the health care company Anthem, which lost 79 million records, including Social Security numbers and medical IDs, to China.
Mass theft of hotel data from Marriott, including passport numbers, involved 383 million guests, Mr. Lin said.
From the credit scoring firm Equifax, 145 million Americans, nearly half the country, lost financial identity information to the Chinese military, he said.
China also obtained 22 million records from Office of Personnel Management systems, including the highly sensitive SF-86 security clearance files of the federal workforce, he said.
That breach involved compromised Social Security numbers, fingerprints and the intimate background details of current, former and prospective federal employees, contractors and their families.
“By harvesting this data, the PRC has gained a permanent counterintelligence road map to the people who operate, protect and lead this country,” Mr. Lin said.
Chinese infrastructure intrusions, such as Volt Typhoon, have embedded persistent access inside the networks that run critical services, he said.
“Our adversaries have learned that the marginal cost of doing more is low,” Mr. Lin said. “Every time we respond to aggression with speeches instead of real consequences, we send a clear signal: Keep climbing.”
Emily Harding, vice president of defense and security at the Center for Strategic and International Studies, agreed that U.S. cyberattack deterrence has been ineffective.
“Washington has failed to establish deterrence in the cyber domain, and our adversaries control the escalation ladder,” Ms. Harding testified.
Cyber Command has “strong, perhaps unmatched” offensive cyberwarfare capabilities and has repeatedly proved that its troops and tools can disrupt adversary activities when directed to do so, she said.
The demonstrated skill, combined with other elements of U.S. power, makes cyberattack deterrence possible, she said.
“But to actually achieve deterrence, we need a mindset shift,” Ms. Harding said. “We need to stop thinking about cyberattacks as inevitable nuisances and start seeing them for what they are: hostile action against the United States.”
Ordinary cybercrime should be distinguished from attacks by states such as China, Russia, Iran and North Korea, she said, and those state attacks should be treated as low-level warfare rather than as crime.
American cyberdefenses, Ms. Harding said, are unacceptably weak, and government and industry need to invest much greater effort and resources in rendering critical infrastructure and government systems better defended and ready for the new form of warfare.
“Systems must be able to fail, reset, and recover in minutes, not days, with minimal disruption to essential services,” she said.
Two alarming examples of major infrastructure attacks include the 2023 cyberattacks traced to Iran’s Islamic Revolutionary Guard Corps against U.S. water plants and China’s Volt Typhoon cyberattacks against U.S. water, power and port systems in Guam.
“These two egregious violations received little attention because they were cyberattacks, and ‘cyber’ has been shunted into a silo of what tech people do behind the scenes,” Ms. Harding said.
Viewing operations as technical and an afterthought is a strategic mistake, she said, adding that a dramatic change is needed in how cyberattack threats are addressed.
“Attacks like Iran’s and China’s should be viewed as part of a dangerous new phase in cyberwarfare, one for which U.S. systems and policy are ill-prepared,” Ms. Harding said. “The U.S. government has no hope of deterring, defending, and responding unless it begins to integrate cyber offense and defense into its own national security strategy.”
• Bill Gertz can be reached at bgertz@washingtontimes.com.
