The United States appears to be engaged in a new way to address China’s rampant cyber espionage – legislation. In the wake of intense SALT TYPHOON scrutiny reaching the levels of the U.S. Congress, Senators are considering ways to use legal mechanisms to address alleged Chinese infiltration into the telecommunications of not only the United States but also the global community. Recently, lawmakers received a classified briefing on this activity, which has raised alarm bells throughout the private and public security communities. In addition to fueling other espionage activities (such as theft of customer call records, recording the calls of top U.S. officials, and the compromise of private communications, to name a few), such access could allow an adversary to cause significant and massive disruption/destruction over a critical infrastructure, especially during periods of domestic and/or geopolitical unrest. This could potentially give an adversary like China an advantage, particularly over a hot button issue like Taiwan unification or another crisis.

While eye-opening, the briefing did generate a lot of questions from the lawmakers with respect to why the U.S. Intelligence Community, whose budget was USD $99 billion (roughly 11 percent of the total defense budget), failed to detect the infiltration, and with respect to the lack of accountability at the top for missing it. Given the prowess of the United States when it comes to conducting cyber operations, such questions seem a fair ask. One interesting development after the hearing was the possibility of enacting legislation to help combat the threat, namely, mandating that U.S. telecommunications should be secure, though what that would look like and how it would be implemented has not been fully fleshed out or discussed. However, what it has yielded is bipartisan support, a rare accomplishment in today’s bipolar divide. If political opponents can come together on an issue, then you know that it is probably the right course of action, and in this case, one that has been long coming.

Little has been done so far to mitigate Chinese cyber operations, or any nation state activity in cyberspace for that matter. No-hack pacts, cyber sanctions, active defense operations, and ongoing stalled efforts to codify responsible state behavior in cyberspace have all failed to curb what states do in the digital domain. A legislative track seems an interesting and worthwhile development in tackling cyber problems both internally and externally. For example, in addition to exploring the possibility of mandating security practices for the telecommunications sector (and if done, the United States appears to have many similar tracks in the works. According to recent reports, the U.S. House of Representatives is ready to vote on an annual defense bill that includes USD $3 billion for U.S. telecoms to eliminate any equipment made by Chinese companies Huawei and ZTE from U.S. networks.

Dovetailing with this, recent reporting indicated that a bipartisan duo of Senators is looking to provide stronger oversight powers to the interagency Federal Acquisition Security Council (FASC), a group charged with the mission of securing the government’s IT supply chain. To date, FASC hasn’t blocked the use of technology that could potentially threaten the United States, something that may be better facilitated via the bill that lays out a process for Congress to compel council investigations. Per the reporting, it would also move leadership authorities from the Office of Management and Budget to the Office of the National Cyber Director, giving that role more prominent responsibilities.

In another turn of events, a House representative introduced the Restoring Trade Fairness Act, a bill designed to revoke China’s Permanent Normal Trade Relations, in an attempt to persuade Beijing to liberalize and adopt “fair trading practices.” Granted, this is not directly in response to Chinese cyber espionage activities but is the type of move designed to influence behavior changes in how a government – in this case Beijing – conducts itself. This type of tactic could also be applied to try to stem Chinese cyber malfeasance, as part of a “whole of government approach” that leverages all of a state’s nonlethal influence and power.

These moves demonstrate a new approach to fence in China, undoubtedly one of the most pervasive cyber threat actors operating today in terms of volume of activity and global reach. However, they just focus on China, perhaps at the expense of others that loom in the background. This is not to say that such focus has not been needed; it clearly has. But it would be a mistake if, in this furor over the infiltrations of some of the largest telecom companies in the world, more focus were placed on China as a cyber adversary than on securing the networks of critical infrastructure. It’s easier to combat a visible enemy than to search for and fix existing problems, which requires more time, diligence, and repetition. Cyber offense may be the more attractive option, and perhaps more satisfying of the two, but cyber defense is the essential component for preserving the confidentiality, integrity, and availability of information systems and the information resident on them. The latter involves actually ramping up security mechanisms to prevent further intrusions, while also applying diplomatic/economic punitive measures for a state caught with its hand in the cookie jar.

If a silver lining has emerged in this dark cloud, it’s that it has codified what a threat against telecoms looks like and what could happen if it went undiscovered and unchecked. And while the extensive compromise of U.S. telecoms has not produced a debilitating result, the fact that a proficient adversary is in U.S. networks elevates the concern from “hypothetical” to “real world,” an important national security and policy distinction. Judging by how Russia has demonstrated what cyber attacks look like against telecommunications, it is more imperative to clean and protect critical infrastructure networks than to retaliate, which can come at a later date. As geopolitics continue to play out in cyberspace, critical infrastructure security can no longer be a campaign slogan. And if these industries and sectors are not going to take the lead in rigorous self-assessment and actively checking for the types of infiltrations like the ones SALT TYPHOON has perpetrated, they shouldn’t be surprised that the government will step in and fill that role, whether they like it or not.

Emilio Iasiello

About the Author

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.