
Lawmakers wonder: why don't we hack back against China?

One senator said his colleagues often ask national-security officials why American cyber forces don’t go on the attack more often.

The intrusion of Chinese-backed hackers into telecommunications systems in the U.S. and around the world drew questions in a Wednesday Senate hearing about whether American cyber warriors should be further authorized to digitally retaliate against their adversaries in the East.

“On cyber, we are so much on defense,” Sen. Dan Sullivan, R-Alaska, told Nextgov/FCW. Sullivan said that in classified briefings about the hacking collective dubbed Salt Typhoon, “it’s very bipartisan where senators say, ‘OK, wait. I understand why we’re trying to defend against this…but what are we doing to raise the level of deterrence?’

“This Salt Typhoon fiasco”—in which some 80 telecom providers and their wiretap-request systems were breached—“it’s gotta take a suite of policies [to fix it]. But one in my view that’s missing is that nobody fears us. We’re like the cyber punching bag of the world, and we need to change that,” Sullivan said.

On Wednesday, witnesses with backgrounds in national security and cyber policy told Senate Commerce Committee lawmakers that an offensive deterrence strategy — the act of hitting back at enemy hackers to disrupt their systems — would make China think twice about spelunking into communications networks and other critical U.S. infrastructure.

“It isn’t a capabilities discussion,” said James Mulvenon, a Chinese cyber-espionage expert and chief intelligence officer at Pamir, which advises clients about investing in China. “It is absolutely a political-will and National-Command-Authority decision-making discussion.”

The U.S. can “take action to interrupt [cyber] operations” of foreign adversaries, said Justin Sherman, who leads Global Cyber Strategies, a tech policy and geopolitics advisory firm.

The FBI’s cyber division has launched several operations this year to pulverize digital infrastructure used by nation-state hacking groups to break into U.S. networks. In January, it disabled a nexus of devices used by Volt Typhoon, another well-storied Beijing-backed hacking group. It also took several actions against Russian operatives spreading disinformation in the months leading up to November’s presidential election.

But those moves, at this point, have served more of a defensive strategy, said Sherman. “Did that stop them from getting back up? Definitely not.”

James Lewis, head of the Strategic Technologies Program at the Center for Strategic and International Studies, said an offensive blueprint will require diplomatic warnings, too.

“You need to start by telling the Chinese: This is unacceptable, you’ve gone too far and if you don’t stop we’re going to take action now.”

“The next step is to actually do something,” added Lewis, a former United Nations information security advisor who helped craft the Wassenaar Arrangement that oversees some 40 nations’ exports of technology and security tools. From there, U.S. Cyber Command and the National Security Agency could develop a “menu of responses” to rip apart digital infrastructure used by China to launch their cyberattacks, he said.

Cyber Command deployed its digital force in “hunt forward” missions 22 times to 17 countries in 2023. The missions seek to root out hackers and slow adversaries’ cyber operations while gaining important defensive insights for future cyberwar.

But that dynamic could change during the next administration. Trump transition advisors are crafting a plan to split the leadership of both entities, The Record reported Wednesday, citing people familiar with the discussions. Cyber Command and NSA are currently managed in a dual-hat role by Gen. Timothy Haugh and are both based in Fort Meade, Maryland. 

Defense strategies aren’t useless. Lawmakers have touted the addition of a $3 billion investment that closes a financial shortfall in a Federal Communications Commission program to help rural broadband providers rip out and replace Chinese-made internet equipment. 

The funding was slotted into the must-pass national defense bill, which advanced out of the House Wednesday evening.

“Everybody knows [rip and replace] has to be done. The little guys just don’t have money for it,” Roger Entner, a telecom industry analyst and founder of Recon Analytics, said in a phone interview. “What’s really interesting is that some of the big guys got infected through the small guys,” he said, referring to Salt Typhoon. “This is a clear and present danger.”

FCC Chairwoman Jessica Rosenworcel last week shared a draft ruling with colleagues that, if adopted, would immediately require telecommunications firms to secure their networks against unauthorized access to systems that house wiretap requests from law enforcement.

The United States wiretap environment is governed by the 1994 Communications Assistance for Law Enforcement Act, which requires telecom carriers to engineer their systems to accommodate “lawful access” surveillance requests. Salt Typhoon moved through the systems of at least two victims before pivoting to their respective CALEA environments, a senior FBI official said last week.

Under current standards, the FCC lets carriers develop their own wiretap solutions tailored to their networks, purchase solutions from equipment manufacturers and rely on a third party to determine whether they are CALEA-compliant.

“Public telecom networks are primarily designed around reachability, which means security trade-offs often take place and can leave you inherently vulnerable,” Blackberry VP of Secure Communications David Wiseman said in a statement. “No doubt, telco and internet providers globally will be assessing vulnerable entry points and legacy systems comprehensively in an effort to boost resilience against espionage efforts.”

Amid the breaches, officials have suggested Americans and federal employees use encrypted messaging services. A phishing campaign that piggybacked on those encrypted messaging advisories has targeted lawmakers on Capitol Hill, Nextgov/FCW reported last week.

The hacking collective has likely accessed communications of some 150 select, high-value political targets, including people affiliated with President-elect Donald Trump, according to previous media reports. Last week, a senior administration official said that the campaign may have started a year or two ago and that eight or so of the victims are American telecom firms.

“Clearly, it’s very serious and something we have to address, but it’s gonna take time,” Sen. Gary Peters, D-Mich., chairman of the Homeland Security and Governmental Affairs Committee, told Nextgov/FCW.

“I imagine we’ll see some ideas come together where both [offensive and defensive] tools are going to be put together in some form and fashion that will strengthen the policies here in the United States and send a clear message to anyone thinking about doing this in the future,” Sen. Ben Ray Luján, D-N.M., told Nextgov/FCW after Wednesday’s hearing.