By Cam Sivesind
Fri | Nov 17, 2023 | 6:37 AM PST

The United States National Security Agency (NSA) has raised concerns about Chinese government-backed hackers embedding themselves within U.S. critical infrastructure networks, posing a significant threat to the nation's security and economic stability. These hackers, operating under the moniker "Volt Typhoon," have been targeting power grids, transportation systems, and other critical infrastructure assets, raising the specter of potential disruptions or even cyberattacks that could cripple essential services.

The NSA's warning comes amid growing tensions between the U.S. and China, with both countries engaged in a strategic rivalry that encompasses economic, technological, and geopolitical spheres. Cybersecurity has emerged as a key battleground in this rivalry, with China's state-sponsored hacking groups posing a persistent threat to U.S. interests.

"This NSA warning should serve as a wake-up call for the U.S. government as well as American businesses," said Col. Cedric Leighton, CNN Military Analyst, U.S. Air Force (Ret.), and Chairman of Cedric Leighton Associates. "When a place like Guam is subjected to a cyberattack like Volt Typhoon, it's only a matter of time before other parts of the U.S., as well as our allies, come under attack."

The threat of Volt Typhoon

Volt Typhoon, also known as APT41 or Barium, is a sophisticated hacking group that has been linked to the Chinese Ministry of State Security. The group is known for its meticulous planning and ability to gain access to sensitive systems, often using targeted phishing attacks and zero-day exploits.

"Volt Typhoon has been a particularly pernicious offensive cyber campaign that the Chinese have used for both cyber reconnaissance and potential offensive cyber operations," said Col. Leighton, who spoke Wednesday at SecureWorld New York, delivering a keynote on "Cyber World on Fire: A Look at Internet Security in Today's Age of Conflict."

In recent years, Volt Typhoon has focused its attention on critical infrastructure networks, gaining access to power grids, transportation systems, and other vital assets. The group's motives are not entirely clear, but experts believe they may be seeking to gather intelligence, disrupt operations, or even plant malware that could be used for future cyberattacks.

"Volt Typhoon was quite active against U.S. military and critical infrastructure targets on the U.S. Pacific island territory of Guam. Guam was targeted because it hosts large U.S. Air Force and U.S. Navy bases, has a growing U.S. Marine presence, and its relative proximity to China," Col. Leighton said. "In the event of hostilities between the U.S. and China, Guam would be a staging area for U.S. forces, and that makes it a perfect target for China."

The Five Eyes alliance and China's growing cyber threat

The NSA's concerns over Volt Typhoon's activities are shared by its counterparts in the "Five Eyes" intelligence alliance, which includes the United Kingdom, Canada, Australia, and New Zealand. In a joint statement released earlier this year, the Five Eyes partners warned of the "growing threat of malicious cyber activity from China," specifically citing Volt Typhoon as a group of concern.

The Five Eyes alliance has been increasingly vocal about its concerns regarding China's cyber activities, and the NSA's warning about Volt Typhoon underscores the urgency of addressing this threat. The alliance has been working to strengthen its cybersecurity cooperation and share intelligence to better detect and respond to Chinese cyberattacks.

President Biden's meeting with China's President Xi Jinping

The issue of cybersecurity is expected to be a major topic of discussion during President Biden's meeting with China's President Xi Jinping. Both leaders are likely to address the concerns raised by the NSA and the Five Eyes alliance, and they may also discuss ways to reduce the risk of cyberattacks between the two countries.

"These warnings come as the leaders of China and the U.S. wrap up their meetings in California, at the APEC Conference," Col. Leighton said. "While issues like cyber and AI were discussed by China's President Xi and U.S. President Biden, it's pretty clear that China won't abandon programs like Volt Typhoon. Business and government leaders should be on the lookout for more offensive cyber activity of this type in the months to come."

The outcome of this meeting could have significant implications for the future of U.S.-China relations and the global cybersecurity landscape.

Here are some recent comments from U.S. Congressmen and others on the issue.

"The Chinese government is a clear and present danger to our critical infrastructure. We need to take immediate action to protect our networks from their attacks," said Michael McCaul, Republican Congressman from Texas.

"The Chinese government's cyber attacks on our critical infrastructure are a serious threat to our national security. We need to work with our allies to develop a strong and coordinated response to this threat," said Adam Schiff, Democratic Congressman from California.

James Lewis, Senior Fellow at the Center for Strategic and International Studies (CSIS), added this: "The Chinese government is using cyber attacks to try to gain an edge over the United States. We need to be very careful about their activities and take steps to protect our critical infrastructure."

Col. Leighton added: "The 'living off the land' characteristics of Volt Typhoon should serve as a warning to the cybersecurity industry to up its game. Once again, our critical infrastructure is subject to exploitation and potential attack and our defenses are slow to recognize that fact."

Related: EU NIS2 Directive aims to protect critical infrastructure

The European Union's NIS2 Directive 2022/2555 is a comprehensive piece of legislation that aims to enhance cybersecurity across the bloc. It replaces the previous NIS Directive (2016/1148) and introduces stricter requirements for risk management, reporting, and information exchange in the area of cybersecurity.

Key provisions of the NIS2 Directive include:
  • Expands the scope of cybersecurity rules to new sectors and entities: The NIS2 Directive applies to a broader range of organizations than the previous NIS Directive, including those in the energy, transport, healthcare, and digital infrastructure sectors.
  • Imposes stricter risk management requirements: Organizations covered by the NIS2 Directive must implement risk management measures to identify, assess, and prioritize cybersecurity risks.
  • Mandates incident reporting: Organizations must report cybersecurity incidents to relevant authorities within specified timeframes.
  • Enhances cooperation and information exchange: The NIS2 Directive promotes cooperation and information exchange among EU member states and with relevant stakeholders.

Deadlines for implementation:
  • Member states must adopt and publish the measures necessary to comply with the NIS2 Directive by Oct. 17, 2024.
  • The NIS2 Directive will apply from Oct. 18, 2024.
  • The previous NIS Directive (2016/1148) will be repealed with effect from Oct. 18, 2024.