Amid the ongoing revelations related to the Salt Typhoon cyber attack on telecommunications companies including AT&T, Verizon and Lumen, a Senate subcommittee recently held a hearing on the issues related China and cybersecurity, as well as economic security and national security.
The national security fallout from the Salt Typhoon hack continues to emerge. Politico reported this week that the Chinese hackers were able to access cellular logs on a “vast number of Americans” as a result of the hacks. The Wall Street Journal also has reported that Chinese hacking targets of Salt Typhoon included both the Harris and Trump campaigns, including Vice President Harris, VP-elect J.D. Vance and President-elect Donald Trump, as well as Senate staffers.
“Think of it for a moment—a foreign adversary attempted to wiretap both presidential campaigns during the past election. We are still learning each week about how sprawling and catastrophic this hacking campaign was, but what we know now—and it’s publicly known—should galvanize action now,” said U.S. Senator Richard Blumenthal (D-CT), who is chair of the Senate Judiciary Subcommittee on Privacy, Technology and the Law. “We need to ensure these specific types of hacks will never happen again.”
Here are five things to know from that hearing.
–Tech firms have a large amount of risk associated with escalating U.S./China tensions. According to testimony by Isaac Stone Fish, CEO of Strategy Risks—which assesses enterprise business operations exposure to China across supply chain, partnerships and other factors, the largest U.S. technology firms have “above average exposure to China.” That includes Apple, Tesla, Meta, Microsoft and Amazon (but notably, Alphabet/Google has below-average exposure). Other firms with above-average exposure to China, according to Strategy Risks’ assessment and ranking, include Cisco, Motorola Solution, Amphenol and Dell Technologies.
Why does it matter? In a choice between a corporation’s economic interests and backing the political interests of the United States, which one will corporations choose? What economic fallout in the U.S. might result from escalating conflict with China? And how might those companies seek to influence U.S. national security policy in order to protect their economic interests?
One conclusion from the hearing is that corporate choices in relation to China probably won’t play out the same way that they have with Russia. Sam Bresnick, research fellow at Georgetown University’s Center for Security and Emerging Technology (CSET), noted that some American tech companies have been “crucial enablers of the Ukrainian military and government” in ways encompassing data and cybersecurity, satellite communications and more. “The absence of major economic or technological ties to Russia before the full-scale invasion simplified these companies’ decisions to support Ukraine. Few, if any, of the firms depended heavily on Russia for revenue, manufacturing, or research and development (R&D) operations, thus allowing them a freer hand in aligning their actions with U.S. and allied interests,” Bresnick said. However, he added: “Many of the same U.S. companies that played pivotal roles in Ukraine have substantial footprints in China, creating a complex web of mutual dependencies that could influence their responses in a conflict with China.”
–Interdependencies with China fall into multiple categories. These include revenue, supply chain, research and development, operation of digital infrastructure such as data centers and cloud computing infrastructure, and supplemental activities such as capital investment in China. For a substantial number of U.S. tech companies—including telecom players—a significant portion of their revenue comes from China, plus a majority of their suppliers; even after many companies have worked to diversify their supply chains after the Covid-19 pandemic. “This dependency not only influences current business strategies but may also shape responses to U.S. government policies during a conflict, particularly if companies fear repercussions to their bottom line. … U.S. tech companies could find themselves in a position where they must weigh the risk of disrupted supply chains against support for U.S. or allied strategic objectives,” Bresnick said.
-The status quo may be at the point of being unsustainable. According to testimony by Adam Meyers, SVP of counter adversary operations for cybersecurity company Crowdstrike, “Chinese threat actors operate complex, sophisticated, meaningfully obfuscated, and often highly effective cyber operations campaigns targeting every region and every industry vertical. Recent campaigns demonstrate the ability to compromise large, well-resourced, and well-defended enterprises that operate as providers for the rest of the technology ecosystem.” Meyers also said that attacks are increasingly well-funded and well-resourced, with well-trained adversaries that draw on not just military resources but Chinese universities and training pipelines. Laws and strategy have been changing in China since the mid-2010s to support its development of cyber capabilities that are being broadly put to use, as evidenced by the high-level hacks like Salt Typhoon.
Fish added that the way that companies have done business in China in the last 20 years may no longer is no longer sustainable, given the urgency of the cyber-threat that China poses to U.S. national security. “In the 2000s and early 2010s … U.S. tech companies could partner with the Party and not necessarily jeopardize U.S. national security,” Fish said. “Those days are over. Companies with high China exposure often downplay the risks of Beijing’s actions to U.S. interests, move U.S. jobs overseas, partner with businesses committing human rights abuses in China, and even strengthen the Party – so that it can implement actions like more successfully hack into the United States government.”
-Attempting to completely pull out of China could have an unintended consequence of escalating the risk of conflict. While Bresnick offered suggestions such as economic incentives for supply chain diversification, clearer corporate disclose of foreign dependencies, and encouraged corporations to make contingency plans in case of escalating U.S. conflict with China, he also made the point that “It would be unwise … to move from de-risking toward full decoupling; mutual interdependence can stabilize bilateral ties and act as a brake on conflict.”
–Blumenthal urged the Federal Communications Commission to start a rulemaking on cyber security standards. The FCC, he said during the committee hearing, “has the power to set and enforce security standards, and I urge the FCC to start a rulemaking process and investigation. It can be started under this administration, carried forward under the next. There should be bipartisan unity on the urgency of that action.”
