Volt Typhoon and the Disruption of the U.S. Cyber Strategy
The recent Chinese cyber intrusion highlights the need for a reexamination of U.S. cybersecurity strategy.
Published by The Lawfare Institute
The Volt Typhoon cyber intrusion into U.S. critical infrastructure is troubling on many levels. The most significant, however, is the way in which it suggests that some of the assumptions underlying the U.S. strategy of national cybersecurity are at odds with reality and require significant reexamination.
What Is Volt Typhoon?
On Feb. 7, the federal government issued an urgent cybersecurity advisory. More than a dozen federal agencies, along with cybersecurity agencies in ally nations—Australia, New Zealand, Canada, and the U.K.—joined together to deliver a warning about a threat (dubbed Volt Typhoon) to the “IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors.”
The agencies said,
Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S … agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to [operational technology] assets to disrupt functions. The U.S … agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.
Translated from agency cyber-speak, this means that the federal agencies think that Volt Typhoon actors (who the government says are Chinese state-sponsored hackers) are pre-positioning malicious software packages in the digital systems of critical infrastructure providers—like the electric grid—with the expectation that those packages could then be moved laterally to actual operating systems—like the industrial control systems that manage the transmission of electricity across the network. It also means that the Chinese actors are, in the federal government’s judgment, not just scouting around within the systems; they are apparently planning to create disruptive effects if real-world events warrant it.
Or, to put it bluntly, and colloquially, the federal government has seen evidence that the Chinese are preparing to try to shut down the U.S. electric grid and other parts of our national infrastructure like our water systems if they invade Taiwan and the U.S. responds militarily.
That by itself would be troubling, but of equal concern was the method by which the Chinese hackers sought to gain access and propagate their malicious software. When Microsoft first identified the campaign in May 2023, it was already evident that the hackers were using techniques known as “living off the land,” which is to say conducting much of their activity while resident in common everyday devices such as routers, modems, and internet-connected security cameras. The detailed technical advisory released jointly in February by the Cybersecurity and Infrastructure Security Agency (CISA) and several other government agencies revealed many of the details of this activity, including the conclusion that Volt Typhoon gained access through routers, VPNs, and firewall vulnerabilities. In the long run, as Reuters characterized it,
Volt Typhoon has functioned by taking control of swathes of vulnerable digital devices around the world—such as routers, modems, and even internet-connected security cameras—to hide later, downstream attacks into more sensitive targets. This constellation of remotely controlled systems, known as a botnet, is of primary concern to security officials because they limit the visibility of cyber defenders that monitor for foreign footprints in their computer networks.
As one data point, it appears that more than 30 percent of one particular type of Cisco router was compromised.
The U.S. response to this intrusion has required the FBI to conduct court-authorized technical operations to remove Volt Typhoon malware from devices owned by private actors. As FBI Director Christopher Wray told the Munich Conference last month:
China-sponsored hackers known as Volt Typhoon were hiding inside our networks, lying in wait for the moment China might choose to use their access to hurt American civilians. And while many of you may have seen the Volt Typhoon story as one about the PRC targeting the United States, in fact their targets spanned the globe—which shouldn’t be surprising, because in hack after hack, for years, we’ve seen the PRC hitting our partners around the world. Now working with our partners, the FBI was able to shut down Volt Typhoon’s access through yet another one of those joint, technical operations.
What this means in practice is that the FBI secured authority from a federal court to access vulnerable routers and remove the Chinese presence, even without the knowledge of the private owners. Much of the at-risk hardware consisted of routers that had neared the end of their life cycle and were no longer supported by manufacturer security patches. With the court’s permission, the FBI, working with other agencies, removed the botnet malware that was used to propagate Volt Typhoon and took other steps to block communications between those routers and their command servers back in China. Wray’s statement also makes clear that part of the way Volt Typhoon compromised large-scale critical national infrastructure was through the compromise of small private devices, like routers, that are found in American homes and small businesses.
What Does It All Mean?
The salient takeaway from the Volt Typhoon takedown should be that it signals a disruption of America’s cybersecurity strategy and a possible descent into fundamental strategic incoherence.
First, and most obviously, this attack revealed the shortcomings of the U.S. concept of “mutually assured disruption.” Much of the U.S. cyber strategy has been based on a modified form of the doctrine of mutually assured destruction first developed in the nuclear era. Early on, U.S. strategists recognized that the cyber domain was different from the kinetic (as Martin Libicki put it, cyber disruptions would not bleed over into real-world conflicts). The U.S. government and American policy experts came to think that this assumption was generally true at scale: they anticipated small-scale kinetic disruptions, especially to digital assets, but significantly discounted the possibility of large-scale kinetic disruptions through cyber means. The colloquial mantra was “[t]he Chinese won’t turn off the lights in New York because we will turn them off in Beijing.” Thus, the U.S. operational strategy was to take steps to ensure that the government could hold Chinese infrastructure assets at risk as a way of deterring China’s direct action against American infrastructure assets. The U.S. cyber policy community built an entire operational structure, known as “Defend Forward and Persistent Engagement,” to implement this strategy and even transformed the acronym MAD (mutually assured destruction) so that it now also meant “mutually assured disruption.”
Volt Typhoon may be nothing more than a similar set of activities by China. It may be that the significant investment of Chinese resources is intended to hold American infrastructure at risk as a means of influencing American cyber activity in case of kinetic conflict. In that sense, Volt Typhoon may be just another brick in the cyber-MAD wall.
But it doesn’t look that way. Of course, Chinese intentions are unclear at this point, but the scope and scale of the reported Volt Typhoon intrusions suggest that it is more than an influence operation. Rather, as the federal government’s report says, the nature of the Chinese actions suggests that they are contemplating using “their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.” If that is the case, that is, if the Chinese have in fact decided to include disruption of American infrastructure as part of their broader kinetic conflict strategy, then many of the assumptions behind the U.S.’s current posture are flawed.
To begin with, the threat of infrastructure disruption could have an immediate deterrent impact on America’s kinetic response. It is far too easy to imagine that the U.S. might refrain from aiding Taiwan in times of crisis for fear of domestic disruption.
But even more importantly, these Chinese steps enhance the risk of escalatory infrastructure disruption. The premise of the nuclear MAD doctrine is that the ultimate consequences of the use of nuclear weapons are so severe that their use is unimaginable. We had thought that the same might hold for large-scale cyber infrastructure disruptions. But deterrence depends on a shared conception of the unimaginable nature of events. Volt Typhoon appears to signal that the Chinese no longer consider infrastructure disruption to be unimaginable.
Perhaps Beijing has a defensive system—akin to anti-ballistic missiles (ABMs)—that gives it tremendous confidence about a cyber conflict. Perhaps China thinks that America is more dependent on infrastructure than China and thus that the U.S. is asymmetrically vulnerable. Perhaps the Chinese have simply concluded that the costs of significant infrastructure disruption in their country are bearable.
Whatever the thinking, if cyber-MAD is no longer an effective strategy, the U.S. needs a replacement. Perhaps it is a greater investment in the cyber equivalent of ABMs (that is, more effective defensive measures that operate beyond our firewall defenses). Perhaps it is increasing the threat of cyber disruption to Chinese infrastructure in the same extraordinary way that the Chinese have with Volt Typhoon. Perhaps it is holding something other than Chinese infrastructure at risk—something the Chinese value more highly (like, say, their control of information flows into China). Whatever the response, it is incumbent at this juncture to consider whether the fundamental paradigm of deterrence has shifted.
Second, and slightly less obviously, the Volt Typhoon intrusion confirms what many in the cyber community have long feared: that the power of purely defensive measures is limited.
One reciprocal aspect of “mutually assured disruption” has long been an effort to decrease China’s ability to hold American infrastructure at risk. To that end, the U.S. has invested substantial resources in hardening the information technology defenses of our infrastructure targets.
The predominant theory on which that effort has operated, however, has been the belief that our defensive efforts could be focused primarily on assistance to the infrastructure providers themselves. We have, for example, touted public-private partnerships between the government and industry. We have passed laws to incentivize information sharing between infrastructure owners and the government as a means of mitigating vulnerabilities. More recently, we have begun to deploy regulatory structures as a way of forcing infrastructure owners (and other public companies) to enhance their cybersecurity posture.
The hallmark of all of these efforts is that they are focused on large industry actors. We have thought that small private actors (like individual owners of routers) were too difficult to incentivize to promote their security and that we could achieve significant reductions in vulnerability by looking to larger, more competent, and more effective private actors.
This paradigm is no doubt partially accurate. Our electric grid and our financial system are both significantly less vulnerable today than they were 20 years ago, at least in part because of this strategic effort.
But Volt Typhoon makes clear that the U.S. strategic defensive focus is at best incomplete and at worst misleading us into complacency. The Chinese exploitation of thousands of small-user devices reveals a systemic vulnerability that will require significant resources to address.
The episode also reveals that our current tools for mitigating vulnerabilities in private devices are inadequate. To begin with, as already noted, small devices are not our strategic focus. As a result, our tools for dealing with living-off-the-land propagation are limited. Where private routers and small devices are compromised, the government must, as the Volt Typhoon takedown demonstrates, act on a case-by-case basis. This piecemeal approach is highly inefficient.
Because its current legal authorities (like the Rule 41 process the FBI used in the Volt Typhoon case) can generally be put in play only after the vulnerability has been discovered, the U.S. government has limited anticipatory capability. Worse yet, given the scale of the problem and the impossibility of securing consent from all of the impacted private actors, to be effective the government’s response must (as the FBI did with Volt Typhoon) intrude on the devices of private citizens without their knowledge or consent.
Some observers look at this state of affairs and see threats to privacy in the government’s court-authorized access to private devices. To be sure, that is the case. But the far greater problem is that, at least as of now, the government has no method of addressing private device vulnerability at scale before the vulnerabilities are exploited by our adversaries, and it has no realistic prospect of doing so any time in the near future. Neither regulatory nor legislative proposals for ameliorating private device vulnerability are likely to be enacted any time soon. Current requirements do not adequately address the problem, and existing tools are cumbersome (at best) and subject to potential abuse.
In short, the U.S.’s focus on hardening the ultimate targets of cyber disruption cannot be fully successful until the U.S. also develops a more robust strategy for hardening the targets that are the conduits for the disruptive attack. Volt Typhoon should remind the government and policymakers that our current efforts are inadequate.
And so, in the end, Volt Typhoon is more than just another cyber intrusion. It is, or at least it ought to be, a wake-up call. This is not the cyber domain of the 2000s. The current vulnerability surface is much different from what we thought it was 20 years ago. And as our understanding of that vulnerability changes, so too must the U.S. strategy for dealing with it.