Cybersecurity & Tech

Lawfare Daily: Can Chinese Cyber Operations Be Deterred, with Dakota Cary

Eugenia Lostri, Dakota Cary, Jen Patja
Tuesday, November 5, 2024, 8:00 AM
Discussing Volt Typhoon.

Published by The Lawfare Institute
in Cooperation With
Brookings

Dakota Cary, Strategic Advisory Consultant at SentinelOne, joins Lawfare Senior Editor Eugenia Lostri, to discuss his article on U.S. attempts to deter Chinese hacking group Volt Typhoon. They talk about why Volt Typhoon won’t stop its intrusions against critical infrastructure, whether other hacking groups can be deterred, and where we should focus our attention to counter malicious activity.

Materials discussed during the episode:

To receive ad-free podcasts, become a  Lawfare  Material Supporter at  www.patreon.com/lawfare. You can also support  Lawfare  by making a one-time donation at  https://givebutter.com/c/trumptrials.

Click the button below to view a transcript of this podcast. Please note that the transcript was auto-generated and may contain errors.

 

Transcript

[Intro]

Dakota Cary: But the idea that we could ask some of these organizations that are victims of Volt Typhoon to implement a deterrence by denial strategy is so far from possible that it, I can't consider it within the next decade based on the maturity of some of these organizations and what we're asking, you know, victims to stand up against. It's a military with tens of thousands of people, kind of, dedicated to this issue.

Eugenia Lostri: It's the Lawfare Podcast. I'm Eugenia Lostri, Senior Editor at Lawfare, with Dakota Cary, strategic advisory consultant at SentinelOne.

Dakota Cary: Where in conflict, where in escalation ladders, do we think that China would go, okay, now is the time to attack civilian critical infrastructure in the United States? I think that's a really hard question to ask, and if I could say anything to U.S. policymakers, it would be focus your analytical efforts on determining where in that crisis China makes that decision.

Eugenia Lostri: Today we're talking about whether China's hacking groups can be deterred.

[Main Podcast]

So Dakota, a few weeks ago the Wall Street Journal reported that hackers linked to the Chinese government broke into a handful of U.S. internet service providers like Verizon and AT&T. And this is suspected to be an intelligence operation that was carried out by a group that Microsoft calls Salt Typhoon, and may have compromised the systems that the federal government uses for court authorized network wiretapping requests.

And now this is only one of several groups that are linked to the Chinese government that have made headlines recently, you know, most famously, I think recently we've been hearing a lot about Volt Typhoon, which is another group that tends to infiltrate critical infrastructure.

So I think a good place to start our conversation today is just by talking through what are the different groups connected to the Chinese government and the different types of operations that they conduct.

Dakota Cary: Yeah, absolutely. So the names are new to us, but I think the organizations behind some of these operations are not, they're not new. They've been at this for a long time.

And so we're having a bit of this interesting kind of like a public awareness or like an observability bias kind of built in because at the end of 2022, Microsoft changed their naming convention for threat actors. So they'd previously used elements on the periodic table to organize threat actors associated with, you know, different government entities, et cetera, that they attract kind of in this ecosystem. The most prolific groups got these names.

And so when that naming convention changed at the end of 2022, we're having to like, relearn these associations between the publicly named threat actor and then the bureaucratic organization behind their actions or the contractors behind their actions. Right?

And so threat actors associated with China fall under the Typhoon label, those associated with Russia fall under Blizzards and so on. So that's kind of half of the question is, you know, which of these groups do we already know about and are just having to map backwards to previously known and understood threat actors? And then the other part of that question is, okay, well, given that, do we actually know who is behind these particular operations? And what does that say about what we're observing them do?

And so in the case of Salt Typhoon, you know, it does look to be very straightforward, you know, very valuable intelligence collection for the Chinese government. Not sure who the actor is behind that, but that sort of intelligence collection does typically fall to the civilian intelligence service or its contractors, so the Ministry of State Security. Whereas the behavior of Volt Typhoon and, you know, operational preparation of the environment for disruptive and destructive attacks against critical infrastructure typically falls under the purview of the People's Liberation Army and its hacking teams.

Eugenia Lostri: So that's great background, I think, to shape the conversation today about how this conduct can or cannot be deterred. You recently wrote an article that looked at the possibility of deterring China's cyber operations. But before we dive into that, could you maybe give us an overview of, kind of, the different strands, the different positions in the more academic debate about cyber deterrence and how useful it can be?

Dakota Cary: Yeah, absolutely. So, you know, deterrence theory has been kind of, severely impacted or maligned by questions of nuclear deterrence from the Cold War period. And so, in the last 15 years or so, academia has really tried to wrestle with what does deterrence mean in cyberspace? Is it possible? Can you deter particular actions?

There are folks who think that norms are more appropriate lens to view this behavior through. And it's kind of a mixed bag on whether or not policymakers view cyber as a realm of conflict that's most associated with deterrence or norms. I typically fall into the category of people that think, particularly as it relates to the use of cyber, that it's guided by norms and that, you know, the folks behind these operations are typically less subject to deterrence dynamics than they are by kind of standard operating procedure MOs.

I think one of the strong norms that I would argue that we have in place is that touching the nuclear command and control is an absolute red line for any cyber-capable nation. I feel confident saying that, not having access to high-side intel on the matter, just because that is a carryover from the way that we behave during the Cold War. And so we have broken issues of deterrence and cyber kind of into these two buckets.

I think up until now, the conversation has largely been focused on can you actually deter cyber operations from occurring? Can we say, or can we do a thing that deters China from taking intellectual property or, you know, doing this type of operational preparation environment for destructive attacks? And so, I think the conversation has kind of flowed back and forth between what can we carry over from this period of nuclear deterrence, to a domain that is kind of the purview of intelligence agencies, less so than kind of military posturing on a border.

Eugenia Lostri: I think an interesting example of the adoption of the idea of deterrence is back in 2018 when we get the Trump administration's national cyber strategy.

It actually establishes attribution and deterrence of unacceptable behavior in cyberspace, as kind of one of the key actions to preserve peace through strength. That was the name of the pillar under which deterrence was placed. And, you know, thinking back to then, it was kind of famously, right, like there was a lot of debate about the fact that it stated that all instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States.

And, you know, we all rushed out to write about our nuclear weapons going to be used to deter cyber operations. But it also talks about having an international cyber deterrence initiative. It talks about swift and transparent consequences, right? So it kind of, I think if we use 2018 and the National Cyber Strategy as a starting point, we can see the different ways in which agencies and departments start to incorporate the idea of cyber deterrence into some of the activities.

So, if you could maybe give us a walkthrough of what can it look like to try to deter a cyber adversary, if you're placed in the State Department, or if you're at the NSA, or if you're in the FBI, that can look very different for different people, all while falling under the general umbrella of deterrence.

Dakota Cary: Yeah, absolutely. The issue that grounds this conversation for me is the way in which we think deterrence is possible. So, there's kind of the two buckets in conversation around cyber deterrence. Shout out to Jay Healey for recommending his Defense Science Board paper on this issue. But the two buckets are generally talked about as deterrence by denial, or deterrence by punishment, or cost imposition.

And I personally think that deterrence by denial is one of the weaker lines of argumentation, kind of, in the conversation around cyber deterrence, specifically because it is about improving defenses to the degree that which the attackers don't believe that they can have the intended impact that they seek, right?

So this can be that you're continually cutting them off of the knees, at the early stages of the cyber kill chain, or you're demonstrating or have the ability to have such resilient operations that even if they are successful, that they don't have the strategic impact that they're, kind of, seeking, right?

The other side of this is deterrence by cost imposition, right? Clearly articulating what the punishments are for taking a particular action. You know, it's very easy to think about when it is bean counting the tanks on the border and you kind of have this, like, decision matrix where everyone has kind of good information about what the other person or the other country is capable of doing, how they're posturing, et cetera.

Whereas in cyberspace and cyber operations, the questions around, you know, even doing attribution, particularly for like the best state teams, are long questions. They can be done, they can be done well, but it's very difficult sometimes to establish which actor is behind a particular intrusion set and therefore questions around deterrence are much more difficult when you actually don't know, in the moment, who it is you're trying to handle.

I think a separate conversation, one that's interesting and probably gets more play in the cybersecurity community than in the policy community, is deterrence against cyber criminals or cyber criminal groups. So people who go after, you know, important institutions, businesses, hospitals, education, et cetera for cash, right? They are specifically in the business of ransoming either individuals or companies for money.

And it's easy, very easy for a nation state to try and deter the activity of individuals that are operating, obviously, at the sub-state level, right? If you're a ransomware crew of 15 people, the government has many more levers that they can use to try and prevent those people or to influence the way that those people think about the decisions they're making.

So then we get to this question of like, okay, so where does deterrence exist? It exists in the mind of the people that are carrying out these operations or they're authorizing them. And for me, I think that is probably the part that's most missing from the conversation cyber deterrence is which, you know, where in the decision making process are these operations being authorized? And when would they actually be used to the ends that we're concerned by?

And so we can get into the conversation about Volt Typhoon in a minute, but I think that as it relates to, you know, intrusions for intelligence collection. I don't think that there is a very clear way for any government to make, or statements or to take action that would successfully deter that because the payoff is just so high. And the difficulties around knowing who you're dealing with, handling that in a timely fashion, et cetera, kind of makes that even more difficult for the actors.

Eugenia Lostri: So maybe we can talk a little bit though, before we go into Volt Typhoon about an aspect of deterrence that I think I'm particularly interested in, which is the naming and shaming, right? It's this attempt at calling out this malicious behavior of saying, you've done, we're going to find you, you know, it doesn't matter who you are, where you are, this is something attribution to nation states, but also to these cyber criminals that you were talking about.

So can you talk a little bit about how that plays into this debate?

Dakota Cary: Yeah, absolutely. Max Smeets at ETH Zurich has a forthcoming book that discusses this specifically around, kind of, criminal ecosystem. And his argument, which I find most convincing is that victims engaging with these criminal groups are impacted by the trust that these groups will do what they're saying they will do, that they will delete the data once you pay them or that they have the ability to de-encrypt, you know, the systems that are being held for ransom.

And Max's argument is that these criminals have largely benefited from the notoriety that is bestowed upon them by either media coverage or analysis, threat intel, et cetera, and that one of the most effective ways to impact this ecosystem is actually to remove the trust or to decrease the trust that victims implicitly have, or that these groups try to demonstrate to them, in order to disincentivize the payments by victims.

If you think that this group won't delete your data after you pay them. You're unlikely to, you're less likely to, right? You may discount heavily the amount that you're willing to pay if you believe that they're not going to delete the data. And so I think some of the most effective operations against cybercriminal groups, again, that Max highlights are against that barrier of trust with those actors.

And so I think that is particularly interesting on the cyber criminal side and folks who are interested in that, should look at Max Smeets’s forthcoming book on that issue.

Eugenia Lostri: That's super interesting. One of the, as I was preparing for our conversation today, one of the things that I was thinking about was, and maybe this relates more to the information and or influence operation space, but I think it's still relevant to this conversation in a recent great podcast that my colleague Quinta Jurecic did with Thomas Rid, he spoke about, I think he called it a weird constructivist feedback loop, and basically he was saying that sometimes because we think something is a huge threat, it becomes a significant threat, right?

Even when maybe the malicious actors are not as good as they would want their victims or the people that hire them to believe that they are. And so I think that there's something super interesting about the ways in which we report and we discuss the threats that informs how hard it becomes to counter it, both by creating this sense of trust in people who are likely to be victims that this is going to be resolved, but also by giving more credence to the actors. Do you think that makes sense?

Dakota Cary: Yeah, absolutely. I mean, I think the simplest thought that I have on this frequently is, you know, there are discussions sometimes of adversaries in cyberspace where analysts will observe initial intrusion and then many months later, the actor begins to move across the network and we often assign the value of patience to this type of behavior.

And my question is, are they just bureaucratic? Is it that they got into the network and then they filled out their paperwork and they sent it off to a different department and it just sat there for 6 weeks before somebody else picked it up? And so I absolutely sympathize with that line of argumentation where we can inadvertently ascribe values to the threat actor in a way that is actually not borne out by the facts if we had complete information about why they're making certain decisions.

Eugenia Lostri: That's really interesting. So, let's go back to your article, and you talk about Volt Typhoon in particular. You argue that the U.S. cannot deter Chinese hacking operations against critical infrastructure, and you also point to similar statements that come from leadership at the NSA, at the FBI. So walk us through that analysis. Why do you think that deterrence is not working for Volt Typhoon?

Dakota Cary: Yeah, absolutely. So, Volt Typhoon, aligned with the People's Liberation Army, is likely mapped back to a PLA organization, and their job, as any military job, is to provide their policymakers with decisionmaking latitude, right? It is not necessarily a mission set that's done in the same way that we don't build missiles or particular tools to immediately use them.

But they become kind of an option in the policymakers playbook to address problems, right? And there's an institutional incentive to make sure that the leadership of the CCP and the CMC in China has the ability to pull as many levers as possible in the path of escalation to armed conflict, or even during armed conflict.

And so the question comes back to deterrence around either denial or cost imposition. If you're thinking about denial as your means of deterrence for this type of intrusion, right? Volt Typhoon is setting up access, persistent access to critical infrastructure that has no intelligence value, but is valuable to disrupt or to impact the operations of, in order to have an impact on, either military operations or civilians.

The question of denial, or deterrence by denial, it becomes really finicky though, because you're asking what are in many cases, very small organizations. Municipal water supplies, critical infrastructure operators that people, you know, even that are receiving their services as a consumer could not name who is processing their water, right? They have to stand up to, from a denial standpoint, if that's your argument, PLA bureaus that include tens of thousands of people whose job it is to procure and maintain access to those networks.

When we pull it back away from deterrence by denial, right? Cutting them off at the beginning of the kill chain, particularly for military bases or military facilities that seek to maintain kind of operational continuity in the face of a cyber-attack, I think we have more leeway, right? There is greater latitude for the U.S. military to spend money on resilience in the face of a cyber-attack and more to the point, they have a mission that requires them to do so, right? And so there are efforts underway to procure a small modular nuclear reactors to power military bases so that they're not dependent on nearby local, you know, critical infrastructure, right?

And so, there are a number of actors that are kind of responding or at the end of Volt Typhoon attacks. They're on the receiving end. And they have different capabilities.

But the idea that we could ask some of these organizations that are victims of Volt Typhoon to implement a deterrence by denial strategy is so far from possible that it, I can't consider it within the next decade based on the maturity of some of these organizations. And what we're asking, you know, victims to stand up against. It's a military with tens of thousands of people kind of dedicated to this issue.

So then we get to, like, the cost imposition, right? What can the U.S. do around these intrusions from a cost imposition standpoint? And I don't think naming and shaming is doing anything. You know, we talked about the cyber criminals, but on the state side, I don't think naming shaming is effective for deterring any of this type of stuff. And I don't think that the people who are named in these indictments feel that way.

You know, the iSoon leaks very clearly have chat records about where they're bragging. You know, about U.S. indictments, just as you know, we kind of anticipated. And so then we get to pull back and go, okay, well, if they're going to maintain access to these networks, where, and when does the People's Liberation Army actually choose to exercise that attack option that it is procuring access to? Where in conflict, where in escalation ladders, do we think that China would go, okay, now is the time to attack civilian critical infrastructure in the United States?

I think that's a really hard question to ask, and if I could say anything to U.S. policymakers, it would be focus your analytical efforts on determining where in that crisis China makes that decision, because that will be a lot more instructive as to your own deterrence, right? Because at that level, if you determine China will only conduct these types of cyberattacks if, you know, we're in the middle of conflict already, then your decision making is very different for deterrence, than if you're not in conflict.

If you're concerned about the exercise of this option that China has over civilian critical infrastructure, prior to conflict your decision making is also very different. The levers of U.S. deterrence that you have at your disposable just differ incredibly based on when and how the option is exercised. And because deterrence is fundamentally a question of the leadership of another organization or country making a decision, it's really important to know when they would even put that decision on the table. But I don't think from an intrusion standpoint, we can deter these continued kind of, procuring access into these networks, as it were.

Eugenia Lostri: So how do you think this analysis transfers to the other types of groups that China has at its disposal? Some of the ones that we mentioned at the beginning of the conversation. Do you think it's similar or, you know, this is just about access to critical infrastructure?

Dakota Cary: Yeah, it's a really good question. I saw a recent interview with Kevin O'Leary. He's, you know, kind of like a financial influencer who's on Shark Tank, who will probably get mad that I call him a financial influencer.

But in the interview, he's basically arguing that tariffs on China are a good thing because he's been doing business for there, for a very long time and they continue to take his intellectual property. And, you know, these kinds of carte blanche tariffs are the answer, at least in his mind to the issue.

I bring that example up because the actors that are making these decisions kind of across China's, or I would say our threat landscape, but across China's actors, kind of all have different incentives, right? If you were really trying to impact intellectual property theft by any of the Chinese hacking groups, it would be most effective if you could tailor whatever U.S. response there is specifically to the organizations that are benefiting from that IP theft and carrying it out effectively, right?

There's a really great report that has been taken offline, but was the genesis of the Turbine Panda threat actor group, right? It was named Turbine Panda because the Jiangsu MSS Bureau was so focused on procuring information related to airplane turbines so that China could build its own jet commercial airliner, right?

It's the CJ-19 is the model that they procured that information for. If you're a U.S. policymaker, your goal should be to target your decision making as much as possible to the individuals that are involved in either that operation or that benefit from it as a company, or that benefit from that company kind of as a political actor, right?

So which provincial or municipal committees of the CCP are facilitating and authorizing those intellectual property theft operations, and then targeting your response to that cluster of people, rather than having like a carte blanche, broad stroke approach to trying to deal with some of these issues.

Whereas for actual political intelligence collection, traditional espionage that does not fall under the intellectual property side. I think it's just incumbent on the U.S. and other countries to up their game on the defense. I don't think that we're going to whine our way into better protections against foreign intelligence. I think we just have to do a better job protecting what matters to us.

Eugenia Lostri: You said before that you're a little bit skeptical, at least, of naming and shaming, right? But you also, part of your work, you report on at least some of the effort that goes on in China of actually trying to counter the narrative that they are the ones behind many of these incidents.

So, some of these reports not only try to say that they didn't do it, but they also try to say that the U.S. is framing other countries for American operations. So does that have nothing to do with a little bit of the international sting that may come with name and shame, or is the audience for this type of reports completely different and it's not affected by the fact that it was attributed.

Dakota Cary: Yeah, the question of naming and shaming as kind of a deterrent, I've talked about and we'll put that to the side, right? But there is kind of a larger issue, particularly one that the Chinese Communist Party does care about, which is, kind of global public opinion and this right to speak.

And so there's a report that I wrote at the beginning of 2024 that puts together kind of a timeline to show that, following the Microsoft Exchange server attacks by Hafnium, the United States, the EU, and U.K. put out a joint statement, so it's like 28 countries, put out a joint statement condemning China for the operation, the way that it was kind of escalated from a very small group doing intelligence collection and then suddenly having those vulnerabilities exploited by a very large ecosystem, kind of, indiscriminately leaving behind shells that they could access. To attack victims down the road, even after these had been passed, right?

It was the first time that the FBI had gotten authorization to go in and remove the implants that were left behind by Chinese hacking teams. It was a very significant event. And for the Chinese Communist Party, it was the first time that the U.S. had gotten the entirety of the EU and the U.K. to come together to make a joint statement about China's actions in cyberspace.

And up until that point, China had been very effective at peeling off one to two countries in the EU so that there was never consensus or rarely consensus on an issue regarding China, so following this kind of public statement by all of these countries, China went to work with its own cybersecurity companies, the Computer Virus Emergency Response Center, and typically The Global Times is involved in the promotion of these reports. They kind of like rehash through leaked U.S. intelligence documents to push the narrative that the U.S. is actually the one behind all of, you know, hacking. And that we are the, I think there's an MFA quote that calls the United States the empire of hacking, right?

And so they're very clearly trying to push this narrative and it falls in line with the way that China thinks about information warfare, the right to speak in the international ecosystem, right? The right to be heard by other countries. And so the most recent CVERC report blames the United States in part for Volt Typhoon operations.

Previously, they had said it was a criminal group, right? They found some CTI reporting that had overlapping indicators of compromise with a criminal group, right? And they said, aha, this is the evidence. The behavior was actually separated by many months, right? And so shared infrastructure that a company providing this had just, you know, reapportioned to a different website or a different customer, right? And so the threat intel behind that was actually not adequate to make those claims.

But in the most recent report, China, kind of, the authors, at least, overextend themselves, right? They don't have a bunch of evidence to rest this argument on. And so, in between all the pages where they readdress old USG documents, they kind of tip the hand on what their actual argumentation is, in that they're trying to stir up conversation around Section 702 around Microsoft and try and create friction between the United States and the EU.

Eugenia Lostri: So just to oversimplify this a ton, it sounds like this is a credibility contest in a way. And so, if China is so interested in the global discourse and its right to be heard, how are these reports being perceived? Is this, you know, tipping the scales in its favor with some of its allies? Is it just understood by everyone that, okay, you did the thing, check the box, that you counter the narrative, but we all know what actually happened?

How is this actually affecting the understanding from the rest of the world about how these two giants are actually engaging?

Dakota Cary: Yeah, that's a really good question I would tip that over to should be studied for further research, right? As like, how do we measure the impact of these reports in say third party countries, right? I think a lot of the iSoon leaks content was about how the Ministry of Public Security or this contracting group iSoon was hacking into governments across Southeast Asia. I think that was like a very transparent moment for countries that frequently interact with the PRC, that live in its shadow just by close proximity, et cetera.

And so what they think does matter. And so there is a third audience when we do naming and shaming, and that's people that are not inside China, right? But the question of the credibility of that is always, well, is the United States just saying that to try and change our opinion of China, right? That's clearly what they're trying to do vice versa.

What's interesting to me is that there are some claims that hold up and others that don't, right? So if you have the technical analyst to go through cyber threat intelligence reports from most Western countries you can see and you can track the information online through the tools that you have access to verify what the reports claim about certain activity and the lack of that information in China's reports about U.S. operations, again that's why they go back to relying on leaked U.S. intelligence documents, is they’re trying to make that argument when I think that they're held back by state secrecy laws by from providing the information that might substantiate the claims that they wish they could make. And so it's a very weird information ecosystem. I don't know how these are being received.

I would note though, that the most recent CVERC report that blames the U.S. for Volt Typhoon was published in English, Mandarin, Japanese, German, and French. And this is the first time that they had done a report in that many languages. It's typically only ever been in Mandarin and in English.

Eugenia Lostri: Wow, I wonder why those languages.

Dakota Cary: It's a good question. It might have something to do with the section where they highlight that the U.S. government previously collected on German, on Germany and France, right? And it's right at this time where there's kind of a growing consensus in the EU around having to do something about their relationship with China.

Germany's kind of slowly getting on board now that the automotive industry is suffering significantly from its previous market share inside of China, and both countries throughout Chinese intelligence officers in 2024. And so I think at least particularly related to that section, it seems as though China is trying to throw sand into the gears that are moving towards kind of a growing consensus between the United States and the EU that like, okay, we do have to address this problem, if not from a military perspective, which I think is completely separate from our relationship with the EU, but from an economic perspective, how do you engage with a country that behaves the way that it does in global trade and intellectual property norms?

Eugenia Lostri: So you've been hinting at this and mentioned some of the actions, but if we go a little bit deeper into, you know, if the actions that the U.S. government is currently undertaking for deterrence are not enough, where would you focus your attention to try and counter this type of malicious activity?

Dakota Cary: Yeah, absolutely. So I think that U.S. policymakers could do a better job of deciding what they want to deter and what they think is feasible.

I personally don't think it's feasible to stop these intrusions against U.S. critical infrastructure by having public statements or committee hearings or anything of that nature. I think that when you identify when and how this operational preparation of the environment is most likely to be used, right? When will China actually execute attacks against civilian critical infrastructure? Then you can start building your deterrence posture around what those moments in time look like, right? Is this something that occurs pre-conflict?

Is China, you know, building up forces ready to move against Taiwan or another neighboring country, and does this at the outset to prevent the U.S. from becoming engaged, right? Do they just want a short term operational delay of U.S. military assets? Or is this something that, you know, because it may have a longer term impact than just a few short days, is it something that they would do during conflict, right? Is this the conflict is going well for the United States and then China reaches for this lever?

When you figure out where in this kind of a scale between benign relationships and outright war between the two countries when you figure out where China is most likely to make the decision to attack critical infrastructure. That's what you should base your deterrence theory around. Whereas the conversations we have now and the statements that are being made by officials at the FBI and at NSA that we've not been able to deter these intrusions, if I could speak for those individuals, we're not going to deter these intrusions from occurring.

And so the question is, how do we build our deterrence strategy around when they may choose to execute that option? I think that will put everybody in a better headspace. And in the meantime, it allows folks that are in the crosshairs for Volt Typhoon or for other Chinese threat actors to improve their defenses and to make it more difficult to achieve that operational objective of disrupting the environment.

Eugenia Lostri: Here's what you think the mechanisms are in order to achieve this different headspace. You know, do you envision this needing actual regulation, or, you know, when it comes to raising the standards, are we supposed to wait for, you know, all these voluntary commitments and nice words to kind of kick into gear?

Dakota Cary: Yeah, so I think the first step is doing interviews like this, where hopefully they have an impact on the way that people expect the government to function and what they think is achievable and what the goal should be. The second part is there are huge benefits to the partnerships between the U.S.  government and the private sector, the people who operate critical infrastructure and from what I've seen personally, I think that those do work very well when critical infrastructure operators are in a position to act on the information that they receive and that they are, like, organizationally mature enough to address the problem.

I've worked with organizations where regulations were the only thing that could move the rest of, kind of, the executive suite at a company, to allocate additional resources to the cybersecurity team.

And if it wasn't for additional regulations on that particular sector, that, you know, CISO and their staff would not be getting the resources that they were getting in that particular financial year. And so there are, in a lot of ways, regulations on a per industry basis that can enable better cyber security because it changes the politics inside of the business where those decisions are being made.

I think that is a hugely undervalued side of the impact of regulations, is it allows people a tool within their workplace to actually increase the resources that they have and to deploy this more effectively, and to be backed up by their legal team that says we have to do these things or we will not be in compliance.

And so I do think that on a case-by-case or industry-by-industry basis, there's opportunities for improvement. I don't know what those look like across all industries, I'll be frank with you, but I do know that they provide the security teams a very important tool to addressing problems that they have.

Eugenia Lostri: Now, before we wrap up, is there anything else you'd like to add? Maybe something that we didn't get to cover today, but that you think would be important for our listeners?

Dakota Cary: So there's two pieces that I would offer before we leave. There is an excellent report or a chapter in a NBR publication on modernizing deterrence by Nathan Beauchamp-Mustafaga about how part of Chinese deterrence theory as it relates to cyber, is the need to demonstrate capabilities in order to convince the other party that they're both able and willing to do those things.

And so when we think about the Volt Typhoon intrusions against critical infrastructure, it very much aligns with conceptions of deterrence as it relates to cyber by China that they have to demonstrate that they're able to do these things in order for it to have a deterrent effect, right? And so the behavior we're witnessing aligns very well with what we would expect to see from China as it tries to use the cyber domain for a deterrent effect.

The second part of this is that I think in considering where and how attacks against critical infrastructure are operationalized, there's a really good report out from the Atlantic Council at the end of September called “Adapting U.S. strategy to account for China’s transformation into a peer nuclear power.” The authors, David Shullman, John Culver, Kitsch Liao, and Samantha Wong, at one point, identify and make the argument that if Xi Jinping moves on Taiwan during his time in office, it is such an existential risk for the regime that nuclear use is on the table if it does not go well.

And so, I really want to highlight and underline that there is a lot of space between our current relationship with China and one in which we're considering or in armed conflict.

And that significant distance should include a lot of distances between getting access to critical infrastructure and then actually exercising the option to attack that critical infrastructure so much so that, you know, these authors identify that nuclear use, in a scenario like that, is on the table.

And so I think it's really important when we have a conversation around what can we deter, what is acceptable in cyberspace, do we have to live with these intrusions versus where do we want to try and push back? I think it's really important to contextualize what is at stake, and when China would actually choose to reach for this particular policy lever that they have access to.

Eugenia Lostri: Dakota, thank you so much for joining me today.

Dakota Cary: Absolutely. It was a pleasure.

Eugenia Lostri: The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters.

Please rate and review us wherever you get your podcasts. Look out for our other podcasts including Rational Security, Chatter, Allies, and the Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org. The podcast is edited by Jen Patja, and your audio engineer this episode was Max Johnston of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.


Eugenia Lostri is a Senior Editor at Lawfare. Prior to joining Lawfare, she was an Associate Fellow at the Center for Strategic and International Studies (CSIS). She also worked for the Argentinian Secretariat for Strategic Affairs, and the City of Buenos Aires’ Undersecretary for International and Institutional Relations. She holds a law degree from the Universidad Católica Argentina, and an LLM in International Law from The Fletcher School of Law and Diplomacy.
Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub.
Jen Patja is the editor and producer of the Lawfare Podcast and Rational Security. She currently serves as the Co-Executive Director of Virginia Civics, a nonprofit organization that empowers the next generation of leaders in Virginia by promoting constitutional literacy, critical thinking, and civic engagement. She is the former Deputy Director of the Robert H. Smith Center for the Constitution at James Madison's Montpelier and has been a freelance editor for over 20 years.

Subscribe to Lawfare