Senate panel pushing DOD on strategy to deter Chinese cyber activity on critical infrastructure

The Senate Armed Services Committee is proposing legislation that would require the Department of Defense to develop a deterrence strategy against cyber activity on critical infrastructure.
The provision is part of the annual defense policy bill. The committee released a summary Friday, although the full text of the legislation won’t be released until a later date.
The executive summary of the bill only offers that a provision mandates “a strategy to reestablish a credible deterrence against cyberattacks targeting American critical infrastructure using the full spectrum of military operations.”
A senior congressional official who briefed reporters Friday on the condition of anonymity described the provision as trying to identify a full scope, using various methods and full-spectrum options, to more critically deter adversaries, particularly China, from conducting attacks on critical infrastructure, especially defense critical infrastructure.
An official noted the provision directs DOD toward what the department needs to be doing to more effectively establish a deterrent. Officials in open testimony have indicated a clear concern that Beijing, in particular, continues to attack critical infrastructure.
They singled out Volt and Salt Typhoon by name, noting they’re a growing and more aggressive threat in cyberspace to utilities and critical infrastructure that supports DOD.
Volt Typhoon is one of a number of cyber players from China that have been discovered in U.S. networks, troubling American officials. For its part, Volt Typhoon was discovered inside U.S. critical infrastructure using a technique dubbed “living off the land” in the cybersecurity world, which means it uses legitimate tools organic to the systems for malicious purposes.
China has become more brazen in intrusions and probes into U.S. and defense networks, particularly in maritime or port environments to potentially limit an American military mobilization response if Chinese leaders decide to invade Taiwan.
Guam, a key U.S. military outpost, has been a top target for Beijing in recent years. Chinese hackers targeted critical infrastructure there, burrowing deep inside a couple of years ago and startling experts who referred to it as one of the largest cyber espionage campaigns against America.
What has particularly alarmed officials regarding Volt Typhoon is the paradigm shift of Chinese threats moving from espionage and intellectual property theft to holding critical infrastructure at risk.
Salt Typhoon, by contrast, has been found inside networks of telecoms and other companies, likely for the purpose of espionage.
Cyber deterrence has been an elusive policy point for many years. While some academics have pointed to evidence cyber deterrence exists, such as U.S. hesitance to hit back against Russia following its malicious activity in the 2016 election for fear of America’s great digital vulnerability, current and past officials have noted the difficulties of deterrence and how adversaries don’t fear the United States in cyberspace.
Senators recently pressed the Trump administration’s nominee to be the top cyber policy official at DOD on the subject.
“There’s no price to pay for our adversaries. I hope in your counsels within the Defense Department and in the administration you’ll argue for a serious and substantial cyber deterrent stated policy. If it’s not stated, a deterrent doesn’t work,” Sen. Angus King, I-Maine, a fierce critic of perceived weaknesses in cyber deterrence, said at the May hearing.
For her part, Katie Sutton, President Donald Trump’s nominee to be assistant secretary of defense for cyber policy, wrote to senators as part of her confirmation process that a critical part of her role, if confirmed, would be to improve the nation’s defenses and digital deterrent.
“Deterrence is possible in cyberspace and can be made more effective through a combination of denial, resilience, and credible responses. If confirmed, I will review the capabilities we have in our toolkit, integrate military cyberspace capabilities with other tools of national power, and restore deterrence in the cyber domain. One of my core goals as ASD Cyber Policy will be to ensure the Department has the offensive and defensive capabilities and resources necessary to credibly deter adversaries from targeting the United States,” she wrote.
While Salt Typhoon was considered traditional espionage activity, which is virtually impossible to deter, especially given the United States does the same thing, officials are hoping to deter activity like Volt Typhoon in the future.
As Trump was coming back into power for his second term, officials associated with the transition and new administration vowed a top priority would be a more aggressive posture in cyberspace to respond to a bevy of activity against the U.S., namely from China.