I’m no military expert, but I know this much: The next world war won’t be fought with missiles, tanks, and guns but in cyberspace where control of America’s critical infrastructure and business operations now lies. To the victor will go the digital spoils.
China has already aggressively attacked the U.S. on several fronts. It’s conceivable America has already been defeated without China ever having declared war.
If this sounds like overwrought hyperbole, I urge you to read this story published in the April 21 issue of the Washington Post headlined, “Chinese Hackers Compromise Dozens of Government Agencies, Defense Contractors.” WaPo readers are forgiven if they missed this story; it was buried in the “World” section on the publication’s home page. The Post understandably doesn’t want to cause the Biden Administration any undue negative publicity or embarrassment.
As people rarely click on links, allow me to share the first seven paragraphs of the Post story, which, if you care about the security of the United States, should cause you considerable alarm.
Sophisticated Chinese government hackers are believed to have compromised dozens of U.S. government agencies, defense contractors, financial institutions and other critical sectors, according to a private cybersecurity firm working with the federal government.
The intrusions are ongoing, the FireEye security company said, and are the latest in a series of disturbing compromises of government agencies and private companies.
The investigation is in its early stages but already has turned up evidence that the intruders breached sensitive defense companies, according to FireEye. That was not the case with the Russian SolarWinds campaign, which compromised nine federal agencies but not the Pentagon or its contractors, U.S. officials said.
And the recent discovery of a separate Chinese operation targeting Microsoft Exchange email servers — one that affected potentially more than 100,000 private-sector companies — did not hit U.S. government agencies.
The Defense Department is not known to have been compromised in the current campaign, but the investigation is still ongoing, said one U.S. official who spoke on the condition of anonymity because of the matter’s sensitivity.
The hacking group involved was “very advanced” in its steps to evade detection, said Charles Carmakal, chief technology officer of Mandiant, a division of FireEye. The campaign was targeted, focusing on high-value victims with information of value to the Chinese government, he said.
“This looks like classic China-based espionage,” Carmakal said. “There was theft of intellectual property, project data. We suspect there was data theft that occurred that we won’t ever know about.”
Data theft we won’t ever know about? Such is the state of America’s cybersecurity defenses that China can pillage America’s digital infrastructure and the government might never know the extent of the breach?
Politico is looking rather smart. The publication recently published an article about CISA headlined, “America’s digital defender is underfunded, outmatched and exhausted.” The subhead further explained “the agency that protects the U.S. from hackers is hobbled by funding woes, a talent shortage and growing pains that are jeopardizing its ability to counter sophisticated threats.”
A cybersecurity expert I know tells me that it’s believed that China already has the health records of 80 percent of Americans. The expert says U.S. hospital managements are rank amateurs when it comes to understanding and acting on cybersecurity risks. In fact, he says, hospital systems are hacked all the time and managements have no clue. That’s why hospitals are among the leading global targets of hackers. They lag behind other major industries in securing vital data.
A recent announcement by Trinity Health, a Michigan-based company with a network of nearly 100 hospitals, makes clear my expert knows what he’s talking about. Trinity announced last month that more than 580,000 patients were impacted by a data breach. Trinity said it only learned about the breach after a vendor advised that it had been hacked. Healthcare insurer Centene, Kroger Pharmacy, and Stanford Medicine were also impacted by the vendor’s breach; the number of known patients impacted by the attack is now more than 3.3 million.
Trinity is one of the more responsible hospital networks. The company in the past year yanked its Alaris drug infusion pumps, which have been subject to more than a dozen FDA recall notices in the past 15 months, including some with warnings about deaths and injuries. The Department of Homeland Security issued a warning last year ranking the Alaris pumps 6.5 out of ten on a vulnerability scale. Alaris pumps are used in about 70 percent of U.S. hospitals.
Nicholas Eftimiades, one of the leading authorities on Chinese Intelligence Operations, last October published this insight:
Beijing has evolved to become the world’s first ‘digital authoritarian state’. Its creativity and ability to combine all the elements of ‘societal power,’ including espionage, information control, industrial policy, political and economic coercion, foreign policy, threat of military force, and technological strength challenges the world’s rules-based international order.
China has made no secret of its superpower ambitions. Chinese President Xi Jinping has called on China to “lead the reform of the global governance system” and to disrupt international rules, institutions, and enforcement mechanisms used to solve common global problems.
It’s distressing that Microsoft products are being used in America’s defense infrastructure. Microsoft is synonymous with bug-ridden software that’s been responsible for legions of breaches. Yet the Defense Department last year awarded Microsoft a $10 billion cloud computing contract.
If President Biden ever has to activate the nuclear codes, it wouldn’t surprise me if he gets an error message. Given Microsoft’s offshoring of its horrific customer support, it also wouldn’t surprise me if Microsoft’s Defense Department customer support is located within a call center in Wuhan.
China’s technology companies are said to be beholden to the Communist country’s leadership, while the U.S. technology companies show no such allegiance to supporting U.S. government interests. Google employees resisted working on U.S. government projects but were glad to further Chinese government initiatives. I’m mindful of Facebook director Peter Thiel’s comment that Google engaged in “seemingly treasonous activity.”
What’s disheartening is that a Chinese takeover of the U.S. wouldn’t change life in America all that much. Hollywood already edits its films to comply with Chinese censors, organizations like the NBA kowtow to the country’s leadership, and executives like Elon Musk treat Chinese regulators with a certain respect they don’t extend to their U.S. counterparts.
Perhaps the WaPo story will capture the attention of Delta CEO Ed Bastian, whose airline last year doubled its daily number of flights between the U.S. and China. Bastian publicly railed against provisions in Georgia’s election law that include requiring voter identification. I imagine Bastian has some concerns about China’s political system, where Xi Jinping is designated as “president for life.”
Call out China for its human rights violations and attacks on the U.S.? Bastian wouldn’t dare.