Tensions between the US, China, and Taiwan have far-reaching impacts beyond semiconductor saber-rattling and trade restrictions. There is an enterprise security angle that CISOs should be on guard to tackle, according to US intelligence.
NSA Director of Cybersecurity Rob Joyce has some critical lessons on how companies can withstand an escalation in China-Taiwan tensions and why such conflicts matter in the first place.
“We had advance warning of the Russia invasion” of Ukraine, said Joyce during a keynote at Mandiant’s mWISE security conference today. “What would you do if tomorrow you got advanced warning of a China-Taiwan conflict? What business decisions would you have to make?”
As China flexes its military might in a show of force against the island, there’s been an uptick in distributed denial of service attacks against Taiwanese government websites, although these haven’t been formally attributed to Beijing.
State-sponsored cyberespionage and information operations pushing pro-China propaganda and criticizing America and its allies aren’t new tools in President Xi Jinping’s arsenal. But as Beijing’s threats to annex Taiwan grow louder, and US bans on Chinese tech escalate, corporations need to start considering their supply dependence and partners, as well as their resiliency in case of any cyberattacks that coincide with — or precede — a ground war.
“If you’re in cybersecurity, think about your company and your partnerships,” Joyce said this morning. “What does it mean in a China and Taiwan conflict?”
Joyce urges teams to execute table-top exercises with executives and board members and practice responses to potential cyberthreats. “Run through that same scenario and scratch out the names Russia and Ukraine,” Joyce said. “Put China and Taiwan instead. It’s a scary thought, right? But it’s something you need to consider. It’s a non-zero chance. Look at the tensions in recent months, how they escalated and changed.”
In the interests of balance, there were grave warnings of Russia unleashing cyber-hell on the West in retaliation for not only its opposition to President Putin’s assault on Ukraine but also for supplying weapons and support to Kyiv. However, your mileage may vary: in the days after the invasion started in February, there were no signs of significant cyberattacks for most, while some – particularly those in Ukraine – noticed a large uptick in online hostilities.
Ukraine just recently said, in a warning to its allies, that it was braced for further cyber-warfare from the Kremlin, echoing advice from the US government in April. Plan for attack, and don’t be surprised if the worst does or doesn’t happen, seems to be the message. Also, bear in mind: Russia has been probing and messing around with Ukraine’s systems since at least the annexation of Crimea in 2014.
Conflicts go global quickly and “the consequences of their cyber actions transcend international borders,” Joyce said. “As we saw in Ukraine, the line between wartime and peacetime is increasingly blurred.”
Earlier this month, the NSA, along with the FBI and Homeland Security’s Cybersecurity and Infrastructure Security Agency, issued a joint advisory naming the 20 vulnerabilities most exploited by Beijing’s snoops since 2020.
The list reads like a good diet of software snafus, with remote code execution holes in Log4j and Atlassian topping the charts, as well as a handful of Microsoft bugs.
“That’s the playbook that says, you’ve got a door unlocked. Let’s close it down,” Joyce said. “You will see complex and elaborate new ways of exploitation. But if we’ve got a CVE that’s five or seven years old, and the Chinese nation state actors are still ripping through industry by exploiting it, we’ve got a problem.”