US slow to react to pervasive Chinese hacking, experts say
The warning came as news was breaking about a Commerce Department investigation into the possibility that computer network routers manufactured by the Chinese firm TP-Link may pose a threat to the millions of U.S. businesses, households and government agencies that use them.
Also on Wednesday, Congress took long-awaited steps toward funding a program that will purge other Chinese technology from U.S. telecommunications systems. The so-called rip-and-replace program targets gear manufactured by Chinese firms Huawei and ZTE.
Too far behind
While experts said the recent actions are a step in the right direction, they warned that U.S. policymakers have been extremely slow to react to a mountain of evidence that Chinese hackers have long been targeting essential communications and infrastructure systems in the U.S.
The lack of action has persisted despite law enforcement and intelligence agencies repeatedly sounding alarms.
In January, while testifying before the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party, FBI Director Christopher Wray said, "There has been far too little public focus on the fact that [People's Republic of China] hackers are targeting our critical infrastructure — our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems. And the risk that poses to every American requires our attention now."
A year previously, Wray had warned lawmakers on the House Appropriations Committee that his investigators were badly outnumbered.
"To give you a sense of what we're up against, if each one of the FBI's cyber agents and intel analysts focused exclusively on the China threat, Chinese hackers would still outnumber FBI Cyber personnel by at least 50-to-1," Wray said.
Decades of complexity
Part of the problem, experts said, is that it is difficult for policymakers to summon the political will to make changes that could be disruptive to the lives and livelihoods of U.S. citizens in the absence of public concern about the problem.
"It still remains very, very difficult to impress upon average, typical everyday citizens the gravity of Chinese espionage, or the extent of it," said Bill Drexel, a fellow with the Technology and National Security Program at the Center for a New American Security.
He contrasted the relatively muted public response to the recent revelation of a Chinese hacking operation known as Salt Typhoon, which compromised mobile telephone networks throughout the country, with the uproar that accompanied the far less serious appearance of a Chinese spy balloon over the U.S. mainland in 2023.
"That just goes to show this … problem where really grave issues that are intangible — that are just in cyberspace — are really hard to wrap our minds around," Drexel told VOA.
"For four decades, we intertwined our supply chains very deeply with China, and our digital systems became more and more complex, allowing more and more compounding ways to be hacked, to be compromised," Drexel said.
"We've just started to try to change course on this stuff," he added. "But there's so much momentum for so long on these issues, and they continue to compound in complexity, such that it's just really hard to catch up."
Warning 'highly targeted' Americans
The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance on Wednesday, reporting that it "has identified cyber espionage activity by People's Republic of China (PRC) government-affiliated threat actors targeting commercial telecommunications infrastructure."
It continued, "This activity enabled the theft of customer call records and the compromise of private communications for a limited number of highly targeted individuals."
The warning appeared to be related to the Salt Typhoon hack that, according to government investigators, compromised all the major mobile phone carriers in the U.S., giving the Chinese government extraordinary access to the communications among millions of Americans.
The five-page CISA document outlines steps that the agency advises all Americans, but particularly those most likely to be targeted, to take immediately.
The first is to immediately curtail use of standard mobile communications platforms, such as voice calls and Short Message Service (SMS) texting. Instead, the agency advises Americans to restrict their communications to free messaging platforms that offer end-to-end encryption, such as Signal, which support one-on-one and group chats, as well as voice and video calls. Data sent with end-to-end encryption is extremely difficult to decrypt, even if a malicious actor is able to intercept it during transmission.
Among the other advice CISA offered was to avoid using SMS messages for multifactor authentication by switching to apps that provide authenticator codes or, where possible, adopting hardware-based security keys for highly sensitive accounts. Other recommendations included the use of complex and random passwords stored in password manager software, as well as platform-specific suggestions for iPhone and Android users.
TP-Link concerns
On Wednesday, The Wall Street Journal reported, and other outlets subsequently confirmed, that the Commerce Department, as well as the Justice and Defense departments, are investigating reports that computer routers manufactured by the Shenzhen-based TP-Link are one vector of attack for Chinese hackers.
TP-Link currently dominates the market for computer routers in the U.S., with nearly two-thirds of total market share. In October, a report from Microsoft revealed that one Chinese hacking operation it identified as CovertNetwork-1658 has compromised thousands of TP-Link routers to create a network that is used by "multiple Chinese threat actors" to gain illicit access to computer networks around the world.
The Journal's reporting also revealed that the Commerce Department is considering a ban on the sale of TP-Link routers in the U.S. next year, an action that could significantly disrupt the U.S. market for networking hardware.
Rip and replace
Congress on Wednesday took long-delayed action to address a different potential threat from China, allocating $3 billion to a program that will remove telecommunications equipment manufactured by Huawei and ZTE from rural telecommunications networks in the U.S.
Funding for the rip-and-replace program arrives years after the U.S. identified the two companies as posing a potential threat.
Beginning in the first Trump administration and continuing during Joe Biden's time in office, the U.S. pressured allies around the world to block the installation of Huawei and ZTE 5G cellular communications equipment from their networks, in some cases threatening to stop sharing sensitive intelligence with allies that failed to comply.