While Russia is making the most noise now, China is the bigger long-term cyberthreat to the U.S., according to the National Security Agency's cybersecurity head.
Rob Joyce, director of cybersecurity at the NSA, spoke at RSA Conference 2022 in a Wednesday session titled "State of the Hacks: NSA's Perspective" and discussed the nation-state threat actors targeting the country and the technology and tactics that are used.
Joyce began with an overview of Russian nation-state hacking, which increased dramatically this year amid the country's invasion of Ukraine. Despite that increase, he said China represents a larger long-term cyberthreat to the U.S.
"Russia is like a hurricane. If you look at the activities in Ukraine, [they're] loud and aggressive and it is the near-term threat right now," Joyce said. "But China is climate change. They are the long-term pacing threat for us. And if you look at the challenge we have ahead of us, we have to be ready to deal with China."
Joyce noted that over the past several years the Chinese government has become more aggressive in stealing data and intellectual property from the U.S. and using it to bolster its military and economy. This activity, he said, has led the U.S. government to take a meticulous approach to defending against cyberthreats from China.
"Our approach to countering the Chinese aggression is outcome-driven, alliance-centric and deliberately sequenced to impose cost," Joyce said. "There is nothing that is going to turn the Chinese malicious activity off like a light switch, so we have to address this with that long-term piece in mind and do things that over time will add up to bring the pressure, undercut the capabilities and take it away."
Joyce noted that engaging in an exchange of cyber attacks is not the goal of the U.S. and that the hope is to defuse the Chinese cyberthreat and hamper its infrastructure using sanctions and diplomatic processes.
When speaking at the CyberUK event in Wales last month, Joyce said that sanctions like the ones being considered on China were a potential reason for a possible decrease in ransomware attacks from Russia this year.
Technology and methodology
Joyce noted that while more activity and more threat actors have been attributed to Russia in recent years, the NSA is still tracking and releasing reports on cyberthreats from Chinese actors. He mentioned a recent government security advisory stating that nation-state threat actors were exploiting known vulnerabilities in network providers and devices such as routers and VPNs in order to gain access to targets in the U.S.
Joyce said the NSA is seeing China attacking routers in the U.S. in order to then jump to service providers of victims they want to target. He said that all kinds of routers are being breached, from enterprise models used by large telecommunications companies to small-business devices.
He said that routers often cannot even identify when these breaches occur, and that potential victims need to reevaluate their security infrastructure so that they are able to monitor for these kinds of attacks.
This is where Joyce said the relationship between the federal government and the private security industry is so important.
"One thing [China] leverages is our privacy protection," Joyce said. "We at the NSA can look into the foreign space, but we can't look into the domestic space. That is where our partnership with industry that owns and operates this has to be really tight. We try to find ways where our insights can be leveraged by industry or industry who has a lead or understanding can then tip us to look out into the foreign space and find the other end of that and continue to peel and work backwards or even upstream."
Joyce cited specific Chinese threat groups such as Hafnium, which exploited Microsoft Exchange Server zero-day vulnerabilities, known as ProxyLogon, in early 2021. But cyber attacks and breaches are not the only way that China is targeting the U.S. Joyce warned the country is also attempting to get into the field of spreading disinformation, which is increasingly becoming one of its main goals.