⚡NIMITZ TECH NEWS FLASH⚡

“End the Typhoons: How to Deter Beijing’s Cyber Actions and Enhance America’s Lackluster Cyber Defenses”

House Select Committee on the Chinese Communist Party

March 5, 2025 (recording linked here)

HEARING INFORMATION

Witnesses and Written Testimony (linked here):

• Mr. Rob Joyce: Former Director of Cybersecurity, National Security Agency

• Dr. Emma M. Stewart: Chief Power Grid Scientist, National and Homeland Security, Idaho National Laboratory 

• Ms. Laura Galante: Former Director of the Cyber Threat Intelligence Integration Center, Office of the Director of National Intelligence

HEARING HIGHLIGHTS

IN THEIR WORDS

SUMMARY OF OPENING STATEMENTS FROM THE COMMITTEE AND SUBCOMMITTEE

• Chairman Moolenaar opened the hearing by highlighting the Chinese Communist Party's (CCP) relentless cyber warfare against the United States. He explained that hacking groups like Salt Typhoon have infiltrated major telecommunications firms, including Verizon and AT&T, to access sensitive data and communications. The chairman also discussed the Volt Typhoon group, which has pre-positioned itself inside critical U.S. infrastructure, preparing to disrupt vital services in the event of a crisis over Taiwan. He emphasized that the CCP's goal is to sabotage the American way of life and undermine national security through these coordinated cyber operations targeting everything from water utilities to oil pipelines and the power grid. The chairman stated that there must be consequences for these Chinese cyber operations that endanger the American people, and that CCP-linked companies enabling cyber warfare should be barred from critical infrastructure.

• Ranking Member Krishnamoorthi expressed grave concerns about the Salt Typhoon hack, which allowed the CCP to geolocate millions of individuals and potentially record phone calls, including those of senior government officials. He called for bolstering U.S. defenses, particularly around edge devices that serve as entry points for networks, as well as strengthening cybersecurity standards for the telecom sector. The ranking member also stressed the need to increase the cyber talent pipeline and impose serious consequences on the CCP for their attacks, including through offensive cyber operations and international cooperation.

SUMMARY OF WITNESS STATEMENT

• Mr. Joyce testified that the PRC is conducting a comprehensive campaign against the United States, and that current defenses are not keeping pace. He explained that Chinese state hackers have pre-positioned malware within critical infrastructure, tapped into telecommunications to spy on Americans, and stolen technological innovations. Mr. Joyce emphasized the need for a comprehensive deterrence strategy, including offensive cyber operations, targeted economic sanctions, public indictments, and diplomatic pressure, to impose costs on the CCP and deter future attacks. He also stressed the importance of strengthening defenses and ensuring resilience in the face of successful cyber attacks.

• Dr. Stewart discussed the threat the CCP poses to the U.S. power grid, highlighting the reports on Volt Typhoon and Salt Typhoon that describe the CCP's capabilities to gain access and control over critical infrastructure. She emphasized the need for a coordinated deployment strategy to address vulnerabilities, including the CCP's dominance in the battery storage supply chain. Dr. Stewart also underscored the importance of cyber-informed engineering to secure critical infrastructure and enable secure operation despite malicious supply chain actions.

• Ms. Galante explained the CCP's use of Chinese-sponsored intelligence operations, like Salt Typhoon, to compromise U.S. telecom networks. She detailed how the Ministry of State Security (MSS) has maintained strong ties with multiple computer network exploitation companies, which serve as contractors to conduct these espionage activities. Ms. Galante warned that as the CCP refines its domestic surveillance and censorship tools, particularly with the application of AI, the U.S. should expect them to deploy these capabilities against American interests and allies.

SUMMARY OF KEY Q and A

• Chairman Moolenaar asked about the preparedness of U.S. cyber defenses in the event of a Chinese military operation. Mr. Joyce explained that China would likely seek to disrupt U.S. military transport and critical infrastructure, creating domestic chaos to weaken national resolve. The Chairman then asked about improving cyber defenses, and Dr. Stewart emphasized the need for increased funding and resources, particularly for power grid security. The Chairman further inquired about the threat posed by TP-Link routers, to which Mr. Joyce explained that these devices could allow Chinese cyber actors to bypass traditional defenses by operating within U.S. networks. When asked about potential action from the Commerce Department, Mr. Joyce recommended barring the sale of TP-Link devices in the U.S., stating that Congress has the authority to act swiftly.

• Ranking Member Krishnamoorthi presented data indicating that China is responsible for more state-sponsored cyberattacks than Russia, North Korea, and Iran combined. He confirmed with Ms. Galante that Chinese hackers had accessed sensitive telecom data, which could be used for blackmail and coercion. He then asked about the importance of encrypted messaging, to which Mr. Joyce affirmed that using encrypted platforms like Signal enhances security. The Ranking Member shifted the discussion to edge device vulnerabilities, highlighting TP-Link as an example. Ms. Galante confirmed that such devices provide an entry point for Chinese cyber intrusions. He then posed a provocative question about hacking back against Chinese cyber actors. Mr. Joyce agreed that a comprehensive approach, including offensive cyber operations, was necessary. Ms. Galante supported targeting Chinese enablers, and the Ranking Member suggested that private sector actors could also play a role in offensive cyber operations.

• Rep. LaHood asked about China’s goal of becoming a cyber superpower. Mr. Joyce stated that China has rapidly advanced its cyber capabilities through scale, experience, and adaptability. Rep. LaHood referenced a recent cybersecurity report showing a 150% increase in PRC-related cyber threats and asked why China was escalating its operations. Mr. Joyce explained that cyber espionage continues because it yields economic and strategic advantages with little consequence. Rep. LaHood concluded by asking for recommendations on U.S. countermeasures. Mr. Joyce argued for a more aggressive, multi-pronged approach, including offensive cyber operations, diplomatic responses, and economic leverage, urging policymakers to increase cyber resilience rather than retreat.

• Rep. Carson asked about the cybersecurity and operational challenges U.S. businesses face in China. Ms. Galante emphasized that espionage remains a primary concern, as Chinese actors have consistently targeted intellectual property to benefit state-owned enterprises, necessitating robust cybersecurity programs. Rep. Carson then asked how Congress could accelerate the "rip and replace" program for small telecom providers. Ms. Galante highlighted the need to identify and remove high-risk Chinese technology, citing previous actions taken against Kaspersky Labs. Mr. Joyce added that funding these efforts is crucial, as small telecom providers cannot afford to replace Chinese infrastructure on their own. Dr. Stewart further noted that securing replacement devices is equally important to avoid introducing new vulnerabilities.

• Rep. Dunn asked about legal limitations in addressing cyber threats. Mr. Joyce explained that China's strategy exploits the ambiguity of cyberspace, making it difficult for U.S. law enforcement to pursue cybercriminals hiding behind domestic networks. Rep. Dunn then inquired about the societal panic China could induce during conflicts. Mr. Joyce pointed to the Colonial Pipeline attack as an example, where panic-driven fuel shortages demonstrated how cyberattacks can disrupt daily life and critical infrastructure.

• Rep. Tokuda raised concerns about the recent firing of cybersecurity personnel at CISA and its impact on national security. Ms. Galante agreed that these dismissals weaken the federal cybersecurity workforce and diminish global confidence in U.S. leadership. Dr. Stewart added that losing experienced professionals would hinder future cybersecurity coordination and defense. Rep. Tokuda then asked about the alignment between China and Russia in cyberspace, to which Ms. Galante confirmed that both nations have been key cyber adversaries for over a decade. Mr. Joyce warned that reducing U.S. cyber operations would embolden adversaries and lead to increased cybercrime. Rep. Tokuda concluded by asking whether China has stopped its efforts to interfere in U.S. elections. Mr. Joyce stated that he had no reason to believe China had ceased such activities.

• Rep. Hinson then shifted the discussion to AI, noting its benefits for various sectors while also posing security risks. Dr. Stewart advised that organizations should prioritize cybersecurity best practices, including selecting secure devices and eliminating fixed passwords. Rep. Hinson asked about safeguarding AI systems, and he stressed the importance of proactive research, adversarial testing, and collaboration between industry and academia. She also asked about removing Chinese technology from federal infrastructure, to which Mr. Joyce responded that action was long overdue, emphasizing the need for American businesses to compete against low-cost Chinese alternatives.

• Rep. Stanton asked how federal grants and programs impact telecommunications security. Ms. Galante stressed the importance of maintaining funding for cybersecurity programs, particularly in rural and underserved areas, and highlighted CISA's crucial role in communicating with state and local entities to secure networks. Rep. Stanton then asked about necessary cybersecurity investments and baseline standards. Ms. Galante pointed to the financial sector as a model, advocating for cybersecurity minimums across other critical infrastructure sectors.

  Rep. Stanton also asked about the need for a diverse and secure semiconductor supply chain to protect power grids. Dr. Stewart explained that the U.S. currently lacks the manufacturing capacity to secure its supply chain and emphasized the need for funding and coordination to build a reliable domestic semiconductor industry.

• Rep. Johnson (SD) raised concerns about Chinese control over the LIDAR market and asked Mr. Joyce to explain the relevance of this issue to everyday citizens. Mr. Joyce emphasized that the real concern lies in who controls the software behind such technologies, as software written in China is subject to CCP influence and could be updated or manipulated to pose security risks. Rep. Johnson then asked about policy measures to address software vulnerabilities. Mr. Joyce suggested that restricting software development by Chinese entities could be a reasonable approach. Rep. Johnson inquired about industrial policy to counteract Chinese dominance in key markets. Dr. Stewart noted that China has gained control over industries like batteries and suggested the U.S. must regain control through contractual oversight and supply chain security. Rep. Johnson proposed limiting government purchases from Chinese companies, and Dr. Stewart agreed that while this is a reasonable approach, some essential components are currently unavailable domestically.

• Rep. Brown asked about the role of agencies like CISA, NIST, and the FBI in national cybersecurity. Mr. Joyce explained that these agencies form an interconnected chain of defense, but workforce reductions could discourage top talent from entering government service. Dr. Stewart added that the Department of Energy plays a critical role in cybersecurity for the energy sector and warned that losing key personnel could weaken national defenses.

• Rep. Bilirakis referenced the 2021 Colonial Pipeline ransomware attack and asked Mr. Joyce to explain how China exploits home routers like TP-Link to access critical infrastructure. Mr. Joyce detailed how Chinese cyber actors use compromised home routers to mask their attacks and avoid detection. Rep. Bilirakis then questioned why the Federal Acquisition Security Council (FASC) has not used its authority to remove risky technology from supply chains. Mr. Joyce admitted he was unsure of the reasons behind FASC’s inaction.

  Rep. Bilirakis asked how FASC could collaborate with the FCC’s Cyber Trust Mark program to establish security standards for critical infrastructure. Dr. Stewart highlighted the importance of certification programs like Cyber Trust Mark in helping consumers identify secure devices and emphasized the need to determine appropriate security levels that balance cost and effectiveness.
  

• Rep. Moulton asked how the government could better incentivize private sector engagement in strengthening cyber defenses. Mr. Joyce highlighted the progress in government-industry collaboration but suggested that cybersecurity measures need to be mandated, much like safety features in the automotive industry. Rep. Moulton then asked whether current telecom regulations were sufficient to counter national security threats. Mr. Joyce responded that while the regulations were generally strong, vulnerabilities persist due to outdated legacy systems. When pressed on ensuring telecom companies prioritize security over cost, he pointed to restrictions on Huawei as a step in the right direction but stressed the need to extend such measures to edge devices.

• Rep. Moran likened the cyber threat landscape to the plot of Live Free or Die Hard and asked which tools the U.S. is failing to use effectively. Mr. Joyce argued that excessive bureaucracy hinders decisive action in cyberspace and called for streamlining authorities to disrupt botnets and mount economic and diplomatic pressure on adversarial nations. Rep. Moran supported offensive cyber operations, echoing the Ranking Member’s call to "hack the hackers." Ms. Galante agreed, emphasizing the need to target Chinese private sector enablers of state-sponsored cyberattacks. She described China's longstanding cyber espionage ecosystem, particularly in Chengdu, as a highly skilled and well-funded network that must be disrupted. Rep. Moran then asked about recruiting and retaining cybersecurity professionals in government. Dr. Stewart stressed the importance of early education, advocating for initiatives to attract students into engineering and cybersecurity careers from high school onward.

• Rep. Stevens shifted the discussion to post-quantum cryptography (PQC), asking why government and industry are slow to prepare for the transition. Mr. Joyce praised NIST’s development of PQC standards but noted that organizations need to inventory their encryption use and implement agile systems capable of adapting to emerging threats. Rep. Stevens asked how Congress could incentivize PQC adoption. Mr. Joyce mentioned an executive order and NDAA provisions requiring quantum-resistant encryption by 2034 but suggested continued congressional oversight. Dr. Stewart added that encryption is not always applicable in operational technology (OT) environments, warning that misapplying standards could compromise critical infrastructure functionality. When asked about financial barriers, Dr. Stewart agreed that federal funding is necessary to support secure technology adoption.

• Rep. Newhouse highlighted the cyber threats posed to U.S. critical infrastructure and asked Dr. Stewart to elaborate on the importance of prioritizing the most vulnerable sites. Dr. Stewart advocated for "cyber-informed engineering," where cybersecurity and engineering teams collaborate to implement fail-safe mechanisms that prevent worst-case scenarios, such as the Colonial Pipeline shutdown. Rep. Newhouse then asked if diplomatic options could deter China’s cyber aggression. Ms. Galante argued that cyber deterrence must be multifaceted, combining diplomatic messaging with punitive trade and economic measures. She stressed that the Chinese military has pre-positioned access across U.S. critical infrastructure, requiring a coordinated national response to impose meaningful consequences.

• Rep. Torres asked what might trigger a Volt Typhoon cyberattack. Mr. Joyce explained that China’s intent is not just deterrence but disruption, aiming to create societal panic that forces the U.S. to focus inward rather than supporting operations abroad. Rep. Torres then asked if U.S.-China cyber relations mirror Mutually Assured Destruction. Mr. Joyce rejected the comparison, stating that the U.S. operates within international law, whereas China engages in cyber terrorism. Rep. Torres cited former FBI Director Christopher Wray’s assertion that China’s cyber personnel vastly outnumber the U.S. and asked if China has qualitative cyber advantages. Mr. Joyce acknowledged China’s rapid improvement but reaffirmed that the U.S. remains the global cyber superpower, though the gap is narrowing. Rep. Torres questioned whether the decentralized nature of U.S. critical infrastructure is a disadvantage. Ms. Galante confirmed that securing such a diffuse system requires a significantly larger cybersecurity workforce to standardize defenses across varied operational environments.

• Rep. Nunn asked whether the Chinese Ministry of State Security (MSS) coordinated the Typhoon attacks. Ms. Galante confirmed that the MSS directed them through contractors and was responsible for attacks on U.S. telcos and the Department of Treasury. Rep. Nunn further established that every American using affected telecom providers became a target. He questioned whether any Chinese cyber actors operate autonomously, and Ms. Galante stated that all major actors are directed by the MSS or the PLA. Mr. Joyce concluded that the U.S. should treat China’s cyber pre-positioning in critical infrastructure as equivalent to placing explosives in key locations, requiring an urgent and forceful response.

• Rep. Kim asked what the U.S. cybersecurity strategy’s top priority should be. Mr. Joyce emphasized deterrence, improved defenses, and resilience to maintain functionality despite cyber disruptions. Rep. Kim then asked how the U.S. could enhance cyber cooperation with allies. Ms. Galante highlighted growing interest from East and South Asian allies, such as India and the Philippines, who seek intelligence-sharing partnerships with the U.S. to bolster their defenses. Rep. Kim followed up by asking how Congress could strengthen critical infrastructure against attacks like Salt Typhoon. Dr. Stewart advocated for a unified approach that integrates federal agencies and private entities in a coordinated cybersecurity effort. Rep. Kim then asked which deterrence measures should be prioritized. Dr. Stewart recommended eliminating easily exploitable vulnerabilities and confirmed that sanctions can be effective but must be paired with stronger infrastructure protections. When asked about the effectiveness of international legal frameworks, Mr. Joyce stated they are inadequate, as adversarial nations provide safe havens for cybercriminals. In response to a final question on how to change China’s cyber behavior, Ms. Galante suggested linking China’s cyber actions to broader punitive measures beyond cyberspace.

ADD TO THE NIMITZ NETWORK

Know someone else who would enjoy our updates? Feel free to forward them this email and have them subscribe here.