https://www.wsj.com/politics/national-security/china-is-prepositioning-for-future-cyberattacksand-thenew-nsa-chief-is-worried-5ede04ef?mod=politics_feat3_national-security_pos1
China Is ‘Prepositioning’ for Future Cyberattacks—and the New NSA Chief Is Worried
‘We see it as very unique and different—and also concerning,’ Gen. Timothy Haugh says in a WSJ interview
By Niharika Mandhana and Gordon Fairclough
June 3, 2024 5:30 am ET
SINGAPORE—As the U.S. military’s new cyber chief and the head of the nation’s main electronic spy agency, it is Gen. Timothy Haugh’s job to be concerned about China’s clandestine efforts to steal sensitive American data and weapons know-how.
But he is also contending with an unusual Chinese threat, one that is designed not to extract military secrets or data of any kind but to lurk in the infrastructure that undergirds civilian life, as if lying in wait for the right moment to unleash chaos.
“We see it as very unique and different—and also concerning,” Haugh said in an interview with The Wall Street Journal on the sidelines of a security conference in Singapore. “And the concern is both in what is being targeted and then how it is being targeted.”
The U.S. believes the Chinese hacking network—known as Volt Typhoon among cybersecurity experts and U.S. officials—aims to “preposition” in critical infrastructure networks for future attacks. “We can see no other use,” said Haugh, who took charge of the National Security Agency and the military’s Cyber Command in February.
“We see attempts to be latent in a network that is critical infrastructure, that has no intelligence value, which is why it is so concerning,” he said.
Unlike other state-backed hackers who typically use tools to target a network and then take data, these Chinese intrusions involve neither. “One of the reasons we believe it is prepositioning is—there are not tools being put down and there’s not data being extracted,” Haugh said.
U.S. officials worry that in a conflict over Taiwan, for instance, China could use its latent access to launch damaging cyberattacks against key pieces of infrastructure in America or allied countries—ranging from water supplies and power grids to transportation services—disrupting lives and potentially injuring civilian populations.
Especially concerning was the targeting of water systems, said Haugh. That was one of the networks Volt Typhoon infiltrated on Guam, a U.S. territory in the Western Pacific that is critical to military operations, especially in the event of a fight with China.
“It is very difficult to come up with a scenario where targeting a water supply for a civilian population, even if part of that population is also military, is an appropriate target,” he said. “And so I think that’s an area that just brings pause.”
“From a military perspective, it is inconsistent with how we would approach a proportional military necessity target,” he said.
Asked if Volt Typhoon had penetrated U.S. military networks, Haugh said: “We know that those tactics have been tried and so those are areas that of course every day we’re very vigilant.”
Microsoft revealed last year that the state-sponsored Chinese campaign went after a range of networks on Guam and elsewhere in the U.S., including communication, transportation, maritime and other sectors. The company said the hackers were likely developing capabilities that could disrupt critical communications infrastructure between the U.S. and Asia during future crises.
In January, the U.S. government said it had disrupted the Chinese hacking operation, but officials have continued to warn that Beijing’s efforts are at a scale greater than they have seen before.
In response to a question about whether China’s inroads may be more widespread than known so far, Haugh said: “I would suspect that there will be additional areas that we’ll continue to discover but what we want to do is make the tradecraft widely known.”
Volt Typhoon uses tactics that make it harder to detect.
If they were taking data out, that would allow cyber defenders to see where the data went, how much, and what was being targeted, Haugh said, adding: “In this case, we don’t see that.”
To gain access, he said, Chinese hackers subvert the identity of a user on the network, allowing them to then operate as a user and use tools inherent in the system they are targeting—a tactic known as living off the land. To combat them, U.S. cyber defenders were monitoring user activity in addition to using traditional approaches, he said.
U.S. officials went public with the details of the campaign to allow other countries and critical-infrastructure operators in America to understand what the threat looks like and how to fight it, Haugh said. Hackers exploit vulnerabilities to gain access to user credentials so “what we really want is to be able to continue to up the defenses” to make it harder for them, he said.
More broadly, Chinese cyberattacks against the U.S. are growing consistently in number and sophistication, he said.
It was hard to quantify “because, of course, we don’t see everything all the time,” Haugh said. But he pointed to the operations of one private Chinese firm, I-Soon, which were revealed in leaked documents earlier this year, as a window into the scope and scale of the country’s state-backed activities.
I-Soon claimed to have hacked into dozens of government targets, including ministries in Malaysia, Thailand and Mongolia, and also claimed to have penetrated universities in Hong Kong, Taiwan and France. The documents showed some of its biggest customers were local and provincial-level bureaus of China’s Ministry of State Security, the Ministry of Public Security and the People’s Liberation Army.
Beijing routinely denies accusations of cyberattacks and espionage linked to or backed by the Chinese state and has accused the U.S. of mounting its own cyberattacks. The U.S. has been gathering evidence against Beijing for years, charging Chinese hackers with stealing secrets.
Haugh said he is working especially closely with U.S. defense contractors to stop China from stealing sensitive information relating to American weapons.
“We know that there’s certainly been a consistent pursuit of that technology,” he said. “What we would think about is, ‘Where do we have an advantage?’ And likely it will be targeted.”
The bodies Haugh oversees have relationships with over 1,000 defense-related companies. “If they see a threat they can share it with us, and we do the same with them—every day across a thousand companies,” he said.
Haugh also stays in close touch with the U.S. military’s Indo-Pacific Command, which deals most directly with issues around China, Taiwan and the South China Sea.
His job, he said, was to give them secure networks to communicate internally and with partners, and, in a crisis, to enable them to operate unaffected by any hacker that would target them. Since last year, Cyber Command’s mission also expressly includes working with other countries to help improve their defenses.
“We’ve found really strong partners that want to just be able to ensure they’ve got well-defended networks, that they’re also being able to have defended critical infrastructure and that their economy can operate unimpeded,” he said.
Write to Niharika Mandhana at niharika.mandhana@wsj.com and Gordon Fairclough at Gordon.Fairclough@wsj.com