Beijing has been using its media to counter U.S. and foreign government accusations over its cyber spying for several years, typically issuing denials and pointing at the United States’ own alleged cyber malfeasance. It has been a standard method of operations – a government will accuse China of hacking, often publishing a report or issuing public proclamations with limited evidence to justify the accusation, and Beijing will promptly retort. Recently, the U.S. Director of the Federal Bureau of Investigation testified before Congress, highlighting an alleged Chinese state-sponsored cyber espionage campaign dubbed “Volt Typhoon” that he said was purposefully embedding itself into U.S. critical infrastructure, waiting “for just the right moment to deal a devastating blow.” Unsurprisingly, China responded via its Embassy in the United States and rejected the claim, attributing Volt Typhoon to the work of cybercriminals, not Chinese state actors.
The U.S. government is not the only one comfortable tying this activity to China. Both Microsoft and Google have come to the same conclusion and have shared their analysis and findings publicly. And while both have published extensive pieces about the nature of the activity and how it operates, when it comes to providing evidence of attribution, both are noticeably light. Volt Typhoon activity was first observed in mid-2021, conducting cyber intrusions into high-value targets such as critical infrastructure organizations in countries around the world for the purpose of gaining and maintaining access without being detected. If true, this is consistent with what a state actor would do with respect to cyber espionage: prepositioning itself to be able to leverage surreptitious access to execute more disruptive attacks later on, should it feel necessary to do so.
However, shortly after the FBI director’s testimony, a contrary viewpoint emerged from an Australian “IT expert” who offered an alternative to what was presented before Congress. Per that author, the timing of the testimony, as well as March 2024’s Five Eyes advisory on Volt Typhoon, dovetailed with the fierce debate in Congress with respect to renewing the Foreign Intelligence Surveillance Act (FISA). FISA is the highly contentious law that empowers U.S. intelligence and security agencies with surveillance authority to target, monitor, and collect data without the need for a warrant, infringing on privacy and rights. Per the author, the sensationalism of the potential catastrophic consequences presented by the FBI director was intended to paint a bleak picture, instill fear in the public, and pressure policymakers to extend FISA without any serious or meaningful revision. This is not to say that this alone was the catalyst for FISA’s renewal, but it might have been enough to influence lawmakers sitting on the fence.
Nevertheless, it is not difficult to see that such hyperbolic language on the part of the FBI director was intended to elevate the Chinese cyber threat at a time when cyber power Russia is embroiled in a conventional and cyber conflict with Ukraine, and the Middle East is on the precipice of full-blown war. Bringing attention to China’s cyber activities now seemed a curious move. This is important because, for a long time, Chinese cyber activities had been overwhelmingly focused on stealing U.S. intellectual property and trade secrets. Despite an established offensive cyber capability, Beijing had preferred to use these skills to spy, steal, and monitor, rather than engage in any aggressive, disruptive, or destructive behavior. As a result, the constant cries of Chinese cyber theft soon became white noise to the public. This perception has only been exacerbated by the fact that no U.S. presidential administration has seen fit to hold Beijing accountable and inflict some consequence, either as a punishment or as a deterrent.
The public hears a foul called but sees no retribution, and is compelled to interpret Washington’s failure to act as its tacit acknowledgement that such theft is “no big deal” in the first place. After all, the U.S. public has seen the United States engage in more aggressive and costly actions in response to perceived threats in the past (e.g., the invasion of Iraq over weapons of mass destruction). The fact that decades-long Chinese cyber espionage campaigns have not met any threshold warranting a more fervent response from the United States government can be understood to mean that it does not view the activity as the threat some have been saying it is. Other governments have been linked to destructive cyber attacks (i.e., Iran, Israel, North Korea, Russia, the United States), but not China. So, the question stands – why now?
If the Australian author is correct, the focus on keeping FISA authorities at all costs is worrisome, given the track record of abuse by the agencies it empowers. What is perhaps equally disconcerting is that at the time the FBI director testified about Volt Typhoon and the Chinese cyber threat, a massive data breach at National Public Data, a consumer data broker, had exposed hundreds of millions of Americans’ Social Security Numbers, addresses, and phone numbers, with a hacker starting to sell the information online in April 2024. When juxtaposed with the FBI director’s testimony and the FISA debates, it seems that the government is more focused on securing its own surveillance and data collection capabilities and powers than on protecting the personal data of its citizens. This is unacceptable given that data breaches continue to put in jeopardy the very types of information that the government is looking to collect itself. In 2023, there were approximately 3,200 data breaches affecting more than 353 million individuals, or nearly the same number of people living in the United States at the time. Where are the robust debates in Congress about protecting citizen data?
Redacted FISA court opinions exposed thousands of incidents of FISA abuses by federal agencies. Notably, FBI field offices repeatedly engaged in prohibited searches, and the National Security Agency conducted routine, suspicionless searches of people overseas who were applying for immigration benefits. While such activities are supposed to be done in the name of protecting the United States, there is little accountability as to what is done with the information collected, how it is stored, how it may be (mis)used, and how it will be destroyed. Trust in the government to do the right thing is not high among the U.S. public: a 2023 survey found only two out of ten Americans believed the government would do what was right “just about always.” Further tarnishing this opinion are instances of government failure, or cases where government abuses are obfuscated under the banner of preserving “national security” to such a degree that even the Supreme Court declines to take on the issue.
Cyber espionage and geopolitics are increasingly intertwined. On one hand, geopolitics can fuel cyber espionage campaigns, where one state looks to gain decision advantage by compromising sensitive information and plans from an adversary. Or it can be used to gauge political positions on controversial issues, even those of the most solid of allies. It can also be leveraged to gain access and create a sustained presence on networks of interest, for further exploitation or more disruptive operations. On the other hand, there is a bigger game being played, where accusations of cyber espionage can spur geopolitical conflict in pursuit of more strategic goals, such as trying to ban the proliferation of foreign equipment, reduce a state’s expansion of its global technical reach, minimize its global influence, or simply promote one’s own agenda and/or technology over that of a competitor state, reaping all the benefits, financial and otherwise, that come with it.
Framed in this context, it becomes less important whether Volt Typhoon is state sponsored or the effort of cybercriminals, and more important to look at what is to be gained by putting forward this narrative in the first place, who it seeks to influence, and what objectives are being sought. Because in the end, there are four notable takeaways: 1.) China has been linked to another cyber espionage campaign; 2.) China has been linked to activity that MIGHT be used to execute disruptive attacks at a later date; 3.) Increasing the perceived danger of the Chinese cyber threat provides more fodder to try to convince governments to turn away from Chinese technological, political, or economic offerings; and 4.) FISA authorities have been preserved for the foreseeable future.
The last one is concerning, because ostensibly threats and national security are the reasons we are expected to surrender our civil liberties willingly to those government stewards who say “trust us” to do the right thing. But there seem to be more examples of overreach and abuse as a result of blindly trusting institutions that continually fall short of that trust, and more instances since FISA was enacted where these data sweeps for intelligence purposes have failed to yield successful results (e.g., knowledge of the Hamas attack, Russia’s invasion of Ukraine, or Ukraine’s Kursk incursion come to mind). The government should be transparently showing us proof that this flagrant suppression of civil rights is making the country safer. At the very least, the rest of us should be demanding that it does, and holding it accountable through our elected officials when it doesn’t.