Guam’s role in the US-China cyber war. Economist Report

A group of Chinese hackers, nicknamed Volt Typhoon, has infiltrated the communications systems of the island of Guam, a key territory in the event of a war between the United States and China. The Economist 's in-depth analysis

The island of Guam, a tiny American territory that lies more than 6,000 km west of Hawaii, has long known that it would suffer a major blow in any Sino-American war. The island's expanding airfields and ports serve as launching pads for American ships, submarines and bombers. In the first hours of a conflict, these would be subject to waves of Chinese missiles. But a group of attackers appears to have been quietly lurking in Guam's infrastructure for years. In mid-2021 a group of Chinese hackers, later dubbed Volt Typhoon, burrowed deep into the island's communications systems. The intrusions had no obvious use for espionage. They were intended, as the US government would later conclude, for “disruptive or destructive cyber attacks against… critical infrastructure in the event of a serious crisis or conflict.” Sabotage, in short.

Not just Guam: the cyber intrusions of Volt Typhoon

For many years, Sino-American skirmishes in the cyber domain have mostly been about the theft of secrets. In 2013 Edward Snowden, a contractor, revealed that the National Security Agency (“NSA”), the American spy agency, had targeted Chinese mobile phone companies, universities and undersea cables. China, in turn, spent decades stealing large amounts of intellectual property from American companies, a process that Keith Alexander, then head of the NSA, called “the largest transfer of wealth in history.”

The Volt Typhoon intrusions, which came to light last year, initially thanks to reporting by tech giant Microsoft, were not limited to Guam. About three years ago, says an American official, “we started finding oddities in the critical infrastructure of the United States”. As America's Cybersecurity and Infrastructure Security Agency (“CISA”) announced in February, Chinese attackers were found to have compromised critical national assets throughout the “continental and non-continental United States.” These included communications and energy facilities, as well as transportation and water facilities. In particular, the targets were not the largest and most important infrastructures, but “a broad swathe” of small and medium-sized businesses whose disruption would have enormous effects.

Fiery keyboards

China would have a “pretty high bar” to destroy these things, noted Rob Joyce, then a senior NSA official, reflecting on the intrusions in March. Crippling America's peacetime energy, water, and transportation would be an obvious act of war. “But let's imagine that a war has already started, or is about to.”

The idea of penetrating critical infrastructure by cyber means with the aim of sabotaging it in wartime is not new. The American-Israeli “Stuxnet” attack that knocked out an Iranian nuclear facility in the late 2000s showed what was possible, as did the Russian sabotage of the Ukrainian electricity grid in 2015 and 2016. As early as 2011, China was rummaging through the networks of American oil and gas companies. In 2012, researchers warned that Russian hackers had targeted more than 1,000 organizations in more than 84 countries, including industrial control systems of wind turbines and gas plants.

Stormy weather

Volt Typhoon appears to be different. For one thing, it is broader in scope. “It appears to be the first systematic preparatory campaign laying the groundwork for widespread disruption,” says Ciaran Martin, who once ran Britain's cybersecurity agency. But it has also developed at a time when war between America and China seems closer and war in Europe is palpable. The GRU, Russia's military intelligence agency, has conducted relentless cyberattacks against Ukraine's infrastructure. Only a huge defensive effort, supported by Western companies and allies, protected Ukraine from the worst.

The Chinese and Russian campaigns break with the past in another way too. Traditional cyber attacks were associated with a distinctive signature, such as a particular type of malware or a suspicious server. These could be spotted by a diligent defender. Both Volt Typhoon and the GRU used stealthier methods. By routing the attacks through ordinary routers, firewalls, and other equipment used in homes and offices, they made the connections appear legitimate. One Chinese network alone used 60,000 compromised routers, a person familiar with the episode said. It was one of dozens of networks of this type. Both groups also used “living-off-the-land” techniques, in which attackers reuse standard software features, making them harder to detect. In some cases, the GRU maintained access to Ukrainian networks for years, patiently waiting for the right moment to strike.

All of this made Volt Typhoon “incredibly difficult” to track down, says John Hultquist of Mandiant, a cybersecurity firm that is part of Google. In response, America has hunted down the hackers' tools and infrastructure. In December the FBI took out hundreds of obsolete routers built by Cisco and Netgear, a pair of American companies, which were being used by Volt Typhoon to stage attacks. The following month it did the same with hundreds of routers used by the GRU.

The bigger question is whether hostile cyber operations can be deterred, and if so, which ones. In recent years the term “cyber attack” has come to encompass virtually any type of hostile activity within computer networks. The problem is that this conflates routine intelligence gathering, industrial espionage, information operations and disinformation campaigns, pre-war maneuvers within critical infrastructure (like Volt Typhoon), and peacetime destruction like Stuxnet.

Western governments have long sought to create international norms of behavior that would outlaw some of these activities. But this effort has been fruitless and mired in confusion. American officials, for example, tend to distinguish political from commercial espionage. Stealing secrets to inform policy is fine; doing it to increase the profits of domestic companies is not. In practice, not even America's allies all agree on this point; French spies have been notorious for commercial espionage.

A taboo against sabotage would seem simpler. It is not. “Prepositioning is not against the rules,” the American official acknowledges, “until something is done.” Even then, many types of sabotage are permitted under the laws governing armed conflict. America bombed Iraq's power grid in 1991 and 2003 and Serbia's in 1999; producing the same effects via code is not inherently better or worse. Not surprisingly, there are indications that America has been rifling through its enemies' infrastructure. Under the Obama administration, the NSA prepared to disable Iran's communications and electrical systems in the event of a confrontation. And in 2019 the New York Times reported that America had been placing “implants” in the Russian power grid since 2012.

Cyber regulations remain confusing. The laws of war prohibit attacks, physical or digital, whose sole purpose is to cause panic. But there may be legitimate military reasons, once a conflict begins, to disrupt civilian telephone networks and ports serving American troops. Pentagon hackers would counter that their incursions into Russian and Chinese infrastructure are more careful than Volt Typhoon's sprawling intrusions and more responsible than the GRU's reckless attacks on water systems. Much depends on how a country chooses to use its network access. The point is that both good and bad sabotage can require peacetime intrusions. “The reality is that we need to fight the next cyber war now,” Hultquist says. “When the actual war comes, it will be too late to do so. This is the initial skirmish.”

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/cybersecurity/guam-guerra-stati-uniti-cina/ on Sun, 23 Jun 2024 04:18:05 +0000.