American cyber brass calls for retaliatory strikes against China, but is the US really ready?

• 3 points

In the wake of the Salt Typhoon attacks that compromised most of the major telecommunications providers in the US, many in the upper echelons of power are pushing for offensive cyber operations against China.

The move would model a tit-for-tat strategy, in that China has struck the US, so the US should strike China, and vice-versa until they stop.

The difficulty with that strategy, as legendary threat intelligence analyst Marcus Hutchins explains, is that the US is woefully under regulated and underprepared for any escalation of cyber warfare with China.

No scope for cyber war

Despite China’s claims that Volt Typhoon is actually a CIA asset, there is fairly reliable evidence to suggest that all of the ‘typhoon’ groups are Chinese state-sponsored actors, and it was Salt Typhoon that breached the US telecommunications networks by targeting and exploiting systems put in place under the Communications Assistance for Law Enforcement Act, (or CALEA for short).

This act, introduced in 1994, saw all major communications networks have ‘backdoors’ installed to monitor the communications of criminals.

However, as John Ackerly, CEO and co-founder of Virtru told me, “It's the same doors that the good guys use, that the bad guys can walk through,” - and walk through they did.

Hutchins writes that while the US certainly has the capability to launch offensive cyber operations on China, and would likely see success, the US is not prepared for the retaliation-in-turn that would come next.

For example, US critical infrastructure is woefully underequipped to protect against cyber attacks and relies heavily on outdated tech that in some cases hasn’t received an update in over a decade.

China and its Typhoons have been mapping this infrastructure for years, probing the defences and checking responses and recovery plans with small scale attacks in preparation for a much bigger strike that could be used should a hot conflict erupt between the two super powers.

But equally, Hutchins argues, this large scale attack would be just as effective as a response to US cyber offensives in China, and it can’t be patched any time soon.

Thanks to a lack of federal regulations governing cybersecurity in the US, the private sector has been largely left to its own devices to protect itself from cyber attacks, and Hutchins duly notes that its often cheaper for a company to ignore a cyber intrusion than it is to chase them down and evict them from the network.

It's also cheaper to continue using outdated tech to run systems than to spend billions of dollars replacing everything and training your staff to operate new systems. Who could’ve guessed that the private sector wouldn’t regulate itself?

Now throw into the mix a smattering of federal bodies that, because they are modelled on the US separation of powers, must rely on each other to get anything done.

As Hutchins puts it, “Ultimately, cybersecurity in the United States feels like trying to put together a puzzle; except, there’s no picture on the box, each piece has been distributed to a random entity, half of the entities aren’t even willing to disclose that they have any puzzle pieces, and nobody is sure who’s actually supposed to be the one building the puzzle.”

What’s more, China’s own regulations for cybersecurity at both the state and private sector levels are fairly robust, and have been for many years more than the US can hope to catch up to.

Convincing an administration to establish a body with complete cyber-regulatory oversight in the age of DOGE is one thing, convincing the private sector to spend the ever increasing billions to give their networks even a fighting chance at being resilient is another.

"Personally, I think that trying to deter China through offensive cyber operations would not only be unsuccessful, but also a huge mistake," Hutchins concludes. "I am not arguing that the US should bow down to China, or that it should not be able to defend itself, only that increasing offense[ive] cyber operations without the defencive capabilities to back them up, is a horrible idea.”

You might also like

• “If we want our data to remain confidential, we have to act now”
• Here is the best endpoint protection security software
• Take a look at our guide to the best antivirus