FBI Director Christopher Wray last week delivered what might be the starkest warning yet on the threat that China-backed hackers pose to US national and economic security.
In remarks at a Vanderbilt University-hosted summit on modern conflict and emerging threats, Wray described Chinese hackers as outnumbering FBI personnel by at least 50 to 1 and standing poised to "wreak havoc" on US critical infrastructure at a moment's notice. Well, for whatever it's worth, straight from the horse's mouth...
Quote: FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat
China Is a Singular Threat
Vanderbilt's choice to focus this year's summit on the challenges posed by the People's Republic of China echoes the Bureau's own assessment of that threat—an assessment we've been beating the drum on for years—because, from the FBI's perspective, these threats are not over the horizon. They're upon us now.
I'm talking about everything from indiscriminate hacking to economic espionage to transnational repression to fentanyl and the precursor chemicals that are coming out of China and ending up in our communities. What we're facing today is the CCP [Chinese Communist Party] throwing its whole government into undermining the security of the rule-of-law world.
At the FBI, PRC [People's Republic of China] aggression and criminality has required us to commit our counterintelligence, cybersecurity, and criminal investigative resources because the Chinese government's actions have proven, again and again, that it's a combined counterintelligence, cybersecurity, and criminal threat. Part of that threat is driven by the CCP's aspirations to wealth and power. Through plans like "Made in China 2025" and its series of Five-Year Plans, Beijing is seeking to seize economic development in the areas most critical to tomorrow's economy.
And they don't have any reservations about stealing their way to the top. We've seen Beijing hit just about every industry we have—everything from biotech to aviation, to advanced technologies like AI [artificial intelligence], to different forms of healthcare and agriculture—to steal our intellectual property, technology, and research. You could close your eyes and pull an industry or sector out of a hat and, chances are, Beijing has targeted it. The PRC is engaged in the largest and most sophisticated theft of intellectual property and expertise in the history of the world, leveraging its most powerful weapons, starting with cyber.
To give you a sense of the scale of China’s cyber activity, if all of the FBI’s cyber agents and cyber intelligence analysts focused exclusively on China—and not on ransomware, Iran, or Russia—Chinese hackers would still outnumber FBI cyber personnel by at least 50 to 1. And that's probably a conservative estimate because the Chinese government is also showing a penchant for hiring cybercriminals to do its bidding—in effect, cyber mercenaries—further supplementing its cyber workforce.
One thing is clear: China’s hacking program is larger than that of every other major nation, combined. And that size advantage is only magnified by the PRC military and intelligence services’ growing use of artificial intelligence—built, in large part, on innovation and data stolen from us—to enhance its hacking operations, including to steal yet more tech and data.
And the PRC cyber threat is made vastly more harmful by the way the Chinese government combines cyber with traditional espionage and economic espionage—and with its efforts to export its repression and malign influence to other nations, including our own.
A few years ago, we might have said China represents the most significant long-term threat. That’s no longer the best way to describe the danger. The Office of the Director of National Intelligence assessed last year that Beijing is trying to build the capability to deter U.S. intervention in a crisis between China and Taiwan by 2027.
2027 is not exactly long-term. In reality, it’s not even “around the corner.” We’re feeling some of the effects today.
In government, we’re looking at the 2024 budgets being written now as the determinants of what resources we’ll have ready to confront China in 2027.
In the private sector and academia, too, the investments, partnerships, security, and capabilities you’re building today will dictate how those sectors are prepared—or not—three short years from now. And, as we’ll discuss, we’re also already battling today preliminary steps, which include cyber intrusions and criminal activity, that China is already taking along their march to preparedness.
Critical Infrastructure Threats Are Particularly Alarming
The subject of the PRC’s desire to dictate America’s responses to its aggression is a good segue to our discussion of critical infrastructure because, at the FBI, we’re particularly concerned about the threat Beijing’s activities pose to those sectors.
And there’s no better way to close out this summit than to spend a few minutes reflecting on this singular threat and on what the FBI and our partners—including those here today—can do to safeguard our nation.
To the average person, critical infrastructure is largely invisible. These are sectors whose existence we don’t often think about or appreciate as long as they’re working right. But these vital sectors—everything from water-treatment facilities and energy grids to transportation and information technology—form the backbone of our society.
And what many Americans may not be tracking closely is that China is positioning its enormous hacking enterprise—remember, 50 to 1—for more than "just" the outrageous theft campaign I described a few minutes ago. It’s using that mass, those numbers, to give itself the ability to physically wreak havoc on our critical infrastructure at a time of its choosing.
The PRC has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist.
We’ve been countering this growing danger for years now. China-sponsored hackers pre-positioned for potential cyberattacks against U.S. oil and natural gas companies way back in 2011. And while it’s often hard to tell what a hacker plans to do with their illicit network access—that is, theft or damage—until they take the final step and show their hand, these hackers’ behavior said a lot about their intentions.
When one victim company set up a honeypot—essentially, a trap designed to look like a legitimate part of a computer network with decoy documents—it took the hackers all of 15 minutes to steal data related to the control and monitoring systems while ignoring financial and business-related information, which suggests their goals were even more sinister than stealing a leg up economically.
That was just one victim, and we tracked a total of 23 pipeline operators targeted by these actors.
More recently, you may have heard about a group of China-sponsored hackers known as Volt Typhoon. In that case, we found persistent PRC access in our critical telecommunications, energy, water, and other infrastructure sectors. They were hiding inside our networks, using tactics known as “living-off-the-land”—essentially, exploiting built-in tools that already exist on victim networks to get their sinister job done, tools that network defenders expect to see in use and so don’t raise suspicions—while they also operated botnets to further conceal their malicious activity and the fact that it was coming from China. All this, with the goal of giving the Chinese government the ability to wait for just the right moment to deal a devastating blow.
This kind of specific targeting of critical infrastructure is on top of China’s scattershot, indiscriminate cyber campaigns that hit critical infrastructure along with thousands of other victims. One of the most egregious examples of this in recent memory was the 2021 Microsoft Exchange compromise.
In that case, hackers operating out of China exploited previously unknown vulnerabilities—called “zero-day” exploits—and compromised more than 10,000 U.S. networks, moving quickly and irresponsibly to do so before those vulnerabilities were disclosed to the public. The hackers targeted networks across a wide range of sectors, from infectious disease research to defense contractors, and their method was to plant malicious code that created a back door and gave them continued remote access to the victims’ networks.
That campaign echoed earlier PRC attacks on managed-service providers, compromising the companies that serve as gateways to thousands of others who rely on the MSPs [managed-service providers] for data services—and then compromising those customers, in turn.
So, while the recent Volt Typhoon story understandably caused a stir because of the sheer magnitude of the operation, the fact is the PRC’s targeting of our critical infrastructure is both broad and unrelenting.
The FBI Is a Defender and a Partner
But you know what they say about the best-laid plans. At the FBI, we’ve mobilized across the organization to thwart China’s schemes to steal and sabotage their way to the top. And I think it’s fair to say that there are few parts of the FBI not involved in the China fight—across our 56 field offices, at Headquarters, and in our offices around the world.
One key to being successful in this fight is the FBI’s dual and complementary mission: enforcing federal law and protecting national security. At the Bureau, we’re empowered not just to collect intelligence, but to act on it, and those actions cover a wide range of forms.
To prevent cyberattacks, we can often share what we learn through our collection with network defenders and Intelligence Community partners.
Last year alone, in addition to our individual warnings to potential victims, the FBI published nearly 80 advisories on cyber threats to the private sector, arming network defenders by highlighting new threats and describing adversary technical indicators and tactics. We also exercise our technical capabilities to stop intrusions and protect victims, no matter who is behind the activity. And we take other law enforcement actions, too—steps like seizures and arrests, which are key instruments of disruption and deterrence.
In the China context, we hardly ever take those kinds of steps by ourselves. Our strategy is to lead joint, sequenced operations that bring to bear our authorities—and those of our many partners—in coordinated actions for maximum effect.
As part of those operations, we’re often sharing targeting and other information with partners like U.S. Cyber Command, foreign law enforcement agencies, the CIA, and others—and then acting as one. When it comes to both nation-state and criminal cyber threats, we plan operations with our sights set on all the elements we know from experience make hacking groups tick.
So, we’re going after their people—a term we define broadly to include not just hackers and malware developers, but also the facilitators they depend on, like bulletproof hosters and money launderers. We’re also going after their infrastructure, like their servers and botnets. And we’re going after their money—the cryptocurrency wallets they use to stash their ill-gotten gains or hide financial connections, hire associates, and lease infrastructure.
So, to take the PRC’s Microsoft Exchange compromise as an example, we leaned on our private sector partnerships, identified the vulnerable machines, and learned the hackers had implanted webshells—malicious code that created a back door and gave them continued remote access to the victims’ networks. We then pushed out a joint cybersecurity advisory with CISA to give network defenders the technical information they needed to disrupt the threat and eliminate those backdoors.
But some system owners weren’t able to remove the webshells themselves, which meant their networks remained vulnerable. So, working with Microsoft, we executed a first-of-its-kind surgical, court-authorized operation, copying and removing the harmful code from hundreds of vulnerable computers.
And those backdoors the Chinese government hackers had propped open? We slammed them shut so the cyber actors could no longer use them to access victim networks.
Similarly, when we discovered Volt Typhoon’s malware being used against critical infrastructure, we joined our U.S. and international partners last spring—and again this February—to first author a series of joint cybersecurity advisories about what we saw, effectively calling out the hackers and sharing technical information victims can use to protect themselves. And then, we followed up those warnings with action aimed at the hackers.
Working with our partners in the private sector, the FBI was able to identify the threat vector and conduct a court-authorized operation—in coordination with others—to not only remove Volt Typhoon’s malware from the routers it had infected throughout the U.S. but also to sever their connection to that network of routers and prevent their reinfection.
What We Need From You
You’ve heard me say several times now this afternoon that private companies, like those represented here, and academic institutions like Vanderbilt are exactly the kinds of partners that have important roles to play when it comes to protecting our most essential networks—and not just as key participants in many of those joint, sequenced operations I mentioned.
The private sector owns the vast majority of our critical infrastructure, so it plays a central defensive role, and also generates vital information about what adversaries are doing—or preparing to do—against us.
But the first thing private industry can bring to the table is vigilance because everything we do in the government and law enforcement space has to be combined with the public’s role in being more discerning and more cyber-literate.
That includes resiliency planning—things like developing an incident response plan, actually testing and exercising that plan, and fortifying networks and devices to make the attack surface as inhospitable as possible. Companies need to familiarize themselves with each specific threat and its particularities, create a plan tailored to each of those threats, and then actually run through those plans with tabletop exercises. Most importantly, know where your crown jewels are, know how to get back up and running in the event of a breach, and know at what point you’re going to call the FBI for help.
There’s also hardware and supply chains to worry about. I’m sure many of the folks here today are familiar with SolarWinds, the Russian SVR’s supply chain campaign that compromised widely used IT software and caused thousands of SolarWinds customers to upload malicious backdoors hidden in innocuous-looking software updates. Vetting your vendors, their security practices, and knowing who’s building the hardware and software you’re granting access to your network is crucial, so push for transparency into what vendors and suppliers are doing with your data and how they will maintain it.
That brings me to the final thing we need to build a strong defense, and that’s solid partnerships—as we've discussed, the very foundation of our work confronting Beijing.
When something goes awry, we need victims to reach out to us immediately because that first victim who reports an intrusion can supply the key information that will enable us not just to help them recover, but also to prevent the attack from metastasizing to other sectors and other businesses. In fact, Volt Typhoon was taken down thanks, in part, to help from the private sector—to companies coordinating with us.
We’ve seen the best outcomes in situations where a company made a habit of reaching out to their local FBI field office even before there was any indication of a problem because that put everyone on the same page and contributed to the company’s readiness. And it’s not just companies. The FBI has long put a premium on building relationships with academic institutions, too.
Building those partnerships means that we can better understand the issues academia faces every day interacting with the PRC, and academia can get a better understanding of national security threats and make informed decisions about how to deal with them.
Speaking of academia, since I find myself here at one of the top universities in the country, I’d be crazy not to talk a bit about the people we need to keep hiring to do all this vital, cutting-edge work.
We need even more smart, driven, talented people in the field to keep America safe—people with the technical skills to keep our cyber workforce world-class.
So, while I’m here at Vandy, among some of our nation’s best and brightest students about to enter the workforce, here’s a plug for both them and the professors in the audience that those students look to for guidance: We need more people to join our elite team, determining who’s responsible for cyberattacks; planning and running those joint, sequenced operations, to knock our adversaries back; working with victims; and, often, doing all those things in the same day.
We need talented people on our rapid-response Cyber Action Team—deploying across the country often within hours to respond to major incidents—and working with international partners in our offices overseas, seeking justice for victims of cyberattacks.
A job with the FBI could take you anywhere, and there’s no better way to serve a mission you’re proud of while doing work that’s the envy of your friends slogging it out elsewhere.
The FBI doesn’t do easy. We focus on what’s hard, what no one else can do—measured both in our own work and in the adversaries we go up against: the most dangerous intelligence services and criminals in the world.
As we’ve talked about today, the threats America faces—from the PRC and many others besides—are immense, and we’re confronting them right now.
Our way of life—and, in some cases, our very lives—need defending, so think about applying to join us or sending your best and brightest our way.
"It is hard to imagine a more stupid or more dangerous way of making decisions than by putting those decisions in the hands of people who pay no price for being wrong." – Thomas Sowell