Air Force cyber leader warns threats like Volt Typhoon could enable China to wage ‘total war’ against US

The Air Force is working on a new defensive cyberspace operations campaign plan as it moves to protect military bases and utility companies against digital threats, according to a top commander.
The effort comes amid concerns about the vulnerability of critical infrastructure to China-backed actors. Prominent entities known as Volt Typhoon and Salt Typhoon, which are believed to be backed by the Chinese government, have particularly alarmed U.S. officials.
“Volt Typhoon being a state-sponsored malicious cyber actor that has had persistent access in our CIKR infrastructure — critical information, key resources — [such as] water, energy, transportation, persistent access for five years. They haven’t done anything with it. … Salt Typhoon — persistent access into our telecommunication networks. So, persistent access, [but] they haven’t done anything with it. Why? Because they’re probably setting the conditions to execute destructive cyberattacks, should there be a regional conflict in the Pacific over Taiwan. And my words and my words only — nobody else has said this — but if we find ourselves in a conflict with China and they execute destructive cyberattacks against our critical infrastructure in the United States, that is total war in my definition,” Lt. Gen. Thomas Hensley, commander of 16th Air Force and Air Forces Cyber, said Monday during a panel at AFA’s Air, Space and Cyber conference. “Not total war in the sense of World War I total war or World War II … total war, but total war in the sense of all-domain warfare, using the cyber domain to execute a counter-value attack against the U.S. population in the United States.”
Cyber threats are growing, not just against IT systems but also operational technology networks, he noted.
Hensley highlighted the Stuxnet attack against Iran’s nuclear program and Russian cyber operations against Ukraine as examples of how digital attacks can affect physical systems.
“When you look at 2010, that’s Stuxnet, that’s when a cyberattack struck those nuclear centrifuges in Natanz in Iran, and they messed with the ones and zeros and caused those centrifuges to spin out of control and explode. [In] 2014, you have the Russians executing an OT cyberattack against Ukrainian electrical grid to set the conditions for [so-called] ‘little green men’ to go into Ukraine. And as we’ve seen in 2022 and nearly four years of conflict, we’ve seen the Russians use cyber against IT targets, against OT targets, and they’ve done it synchronized with their military operations, sort of a campaign plan, if you will,” he said.
U.S. military bases are also at risk.
“Whenever we talk about base defense, it’s always in terms of kinetics. It’s always in terms of, how do we defend against larger [operations squadrons], how do we defend against missile strikes? Those are absolutely reasons that are really important that we need to figure out. But we also need to start talking about terms of cybersecurity and cyber defense,” Hensley said. “We have to have resilient, reliable comms to do all of the functions that we have.”
Complicating the challenge is the fact that many American bases depend on public utilities.
“We can do all that we can to defend those bases, but realize that those bases rely on public utilities. So if those public utilities are attacked, you know, we’ll have a week, maybe two weeks of generator power to keep the missions going, but then that’s it, we’re out of Schlitz. So how do we protect the public utilities that are feeding … the bases so that we can continue to fight?” Hensley said.
16th Air Force is trying to tackle those issues via cybersecurity service providers (CSSPs) and cyber protection teams (CPTs).
CSSPs are under the 688th Cyberspace Wing, and CPTs are under the 67th Cyberspace Wing.
“Previously, we had always looked at those as like different mission sets, but in reality, they have a common mission, and that’s to secure and defend our networks,” Hensley said.
CSSPs provide persistent monitoring of networks that affect weapon systems and command and control platforms.
“If they find an anomaly, or they get some intel reporting that the bad guys are out there trying to do something, they’ll do incident response,” he explained. “The CPT teams, they’re more of a point defense focus and with a deeper dive, with exquisite tools that they use to root the adversary out, to kick them out, to mitigate and to harden that network. And so we’re coming up with a DCO [defensive cyberspace operations] campaign plan that better synchronizes the nexus between our persistent monitoring and our point defense. And so that’s a key piece, but that strategy is also going to have to rely on a sensor strategy and a data strategy to make use of that.”
The Air Force is working through cooperative research and development agreements (CRADAs) with public utility companies at a variety of strategic locations and bases, he noted.
There are different types of CRADAs that can be leveraged.
“There’s an … [information sharing] CRADA where we can inform them of adversary activity in their networks. There’s a CRADA where we can share best practices and TTPs [tactics, techniques and procedures] on what works as far as eradicating adversaries that are in the networks. There are some CRADAs where, you know, we can get an agreement where we can put our sensors on their system, and we can do the persistent monitoring. That [last] one gets a little bit trickier, because you have Department of Homeland Security responsibilities and authorities — but the great thing is, if we got some [National] Guard folks that are out there, the Guard has authorities to be able to do that kind of work, and so they are key in that nexus point there,” Hensley said.