According to recent reporting, in December 2024 senior U.S. and Chinese officials met in Switzerland to discuss growing tensions over Taiwan. Notably, during that meeting China allegedly acknowledged its role in cyber operations against U.S. critical infrastructure, including ports and water utilities (an allusion to the various TYPHOON activities), that had taken place over several years. The Chinese side did not explicitly admit responsibility for these hacking campaigns, but an official from China’s Ministry of Foreign Affairs allegedly intimated to his U.S. counterparts that the activity was a direct result of the situation in Taiwan and of continued U.S. financial and legislative support for the island’s sovereignty. It is not clear how information from the secret meeting reached the news outlet that first broke the story. Beijing has repeatedly chastised Washington for using cybersecurity issues to smear China on the global stage and, perhaps, to influence other nations’ opinions of China, and, as expected, it was quick to reject this claim as well, calling the report misleading and an exercise in disinformation.
As relations between Beijing and Washington continue to deteriorate, China has also escalated its war of public opinion with the United States. Recently, Chinese officials publicly named three individuals they claim are part of the National Security Agency’s vaunted Tailored Access Operations unit, the United States’ premier cyber unit, which allegedly conducts some of the country’s most sophisticated surreptitious cyber-enabled activities. Chinese reports implicate the three individuals in hacking the Asian Winter Games. Per a Chinese media outlet, the attackers used front organizations in various countries and rented infrastructure in Europe and Asia from which to execute their operations. The attacks targeted the games’ registration and competition platforms, as well as critical infrastructure organizations in China’s defense research, energy, telecommunications, and transportation sectors. Taking a page from the United States, Beijing has listed the three individuals as wanted fugitives and is offering a reward for their delivery to China.
It is not uncommon for Beijing to periodically raise the issue of alleged U.S. cyber attacks against it, particularly in times of geopolitical tension between the two governments. But Beijing has steadily ratcheted up its efforts to tarnish the United States’ brand by pointing out the hypocrisy of calling out other states’ cyber infractions while doing the same thing itself. Historically, Beijing’s playbook has been to counter accusations of its own cyber malfeasance by blaming the United States for hacking as well, frequently citing the classified information exposed by Snowden and others as proof. Critics of this tactic have pointed out that China has failed to provide the kind of technical evidence cybersecurity vendors typically supply when they attribute advanced persistent threat campaigns, though some acknowledge this may have been deliberate, to avoid exposing China’s own methods for conducting such analysis.
Regardless, this has now changed with the identification of the three U.S. individuals. And while the practice mimics what the U.S. has done to several foreign APT actors, including Chinese ones, it is the first time China has done so. The message to the United States is loud and clear: China not only has the capability to track surreptitious cyber espionage activity, it can also use its larger intelligence apparatus to go granular and identify the actual people behind the keyboards. If the unmasking is valid, it would indicate that China has a more robust cyber analytic skill set than many had previously supposed, and one the government had not previously demonstrated.
The reasons for revealing this capability now likely have more to do with the current state of Chinese-U.S. relations than with a direct cyber tit-for-tat response to the VOLT/SALT TYPHOON concerns that have rippled through Washington and Congress. Tense trade issues, increasing U.S. financial and military equipment support for Taiwan, the listing of China as a top threat to U.S. national security, and growing calls to take the fight to China in cyberspace have created geopolitical uncertainty, not just for the two nations but for the global community. With all eyes on the two big boys on the block, neither wants to be seen as surrendering its Alpha Dog status.
The outing of these three individuals will not result in their arrest, just as U.S. indictments have not so far resulted in the arrest of the foreign state-backed actors named in them. In fact, “charging” them is unlikely to deter cyber behavior, largely because that is not the point. What it does is give China’s accusations of U.S. hacking a more solid foundation than public blame alone. Whether or not Beijing shares the evidence, putting names to an activity lends credibility to its complaints about U.S. cyber incursions, much as it has for the United States when it identifies the foreign individuals conducting hostile cyber activity against it. This could help Beijing’s messaging campaign about U.S. cyber hypocrisy, and it would certainly give Beijing cause to impose retaliatory sanctions, further upping the ante in its tariff war with Washington.
But this move by Beijing may create an unexpected opportunity, at least with respect to codifying norms of cyber behavior. Whether in the TYPHOON activities or this latest incident, the common denominator of concern is the security and integrity of critical infrastructure, and the principle that no state should be trying to forge digital beachheads in those networks, at least outside of military conflict. This could be the kind of discussion that officially sets the boundaries on state activity in cyberspace that have been so desperately needed. Since both states have allegedly done it to the other, there is common ground and equal footing from which to commence discussions. And two cyber powers collaborating on setting lanes in the road and adhering to them could earn the trust of other nations and give them an impetus to get on board. It would also require victim governments to show their work and share data publicly to prove any act that breaks such an agreement, with set economic or diplomatic punitive consequences to follow, depending on the degree of the infraction.
Ultimately, the goal should be for states to adhere to the rule of law in cyberspace, which is demonstrated through action and not just words. Protecting critical infrastructure from unnecessary exploitation is something that most if not all states can get behind. And while deterrence may be difficult to achieve currently, agreeing not to adversely impact the very industries citizens rely on should not be.