China Cyberattacked The US. Corporations Are On The Front Lines.

This week, news broke that China cyberattacked the US homeland. The attackers breached critical infrastructure in Guam, an often-forgotten US territory critical to US defense and power projection. The sophisticated attack infiltrated computer networks used for both civilian and military purposes. Microsoft
MSFT
assessed with “moderate confidence” that the attackers are laying the groundwork for cyber capabilities that could threaten communications infrastructure in the future. The cyberattack is a serious event that presages a cruel reality of any future conflict with China—civilians are on the front lines, and corporations will need to defend them.

The cyberattack was revealed by Microsoft and the intelligence-sharing group known as the Five Eyes: the United States, United Kingdom, New Zealand, Australia, and Canada. Microsoft and agencies from each of the Five Eyes countries attributed the attack to a China-sponsored group called Volt Typhoon, which has targeted infrastructure organizations in Guam and the US since mid-2021. Volt Typhoon is capable of infiltrating corporate systems and stealing user credentials while avoiding detection for as long as possible. Microsoft directly notified customers who were targeted or compromised and provided necessary information to secure their businesses. China has denied the attack, calling it a “sophisticated disinformation campaign” by the Five Eyes.

Many Americans cannot locate Guam on a map. Legally, however, a cyberattack on Guam is equivalent to an attack on Silicon Valley. Guam, with a population of nearly 154,000, is indistinguishable from the 50 states for the purposes of defense under international and domestic law. It would also be vital to US military operations in any conflict over Taiwan. The Guam Defense System, the defense architecture surrounding Guam and the Mariana Island Chain, is the top homeland defense priority of the current commander of the US Indo-Pacific Command, Admiral John Aquilino. Guam contains the United States’ largest refueling and armament stations in the first and second island chains that provide lines of defense against China. The 2023 National Defense Authorization Act also announced $1.4 billion for defense projects in Guam, and the U.S. Marine Corps is building its first new base in 72 years there. Guam has among the highest military recruitment levels in the United States. In recognition of Guam’s military importance, China calls its DF-26 intermediate ballistic missile, which has a 2500-mile firing range, “the Guam Killer.”

China’s “peacetime” targeting of critical infrastructure that is used by both civilians and the US military erodes the principles of the law of war. The principle of distinction ordinarily forbids targeting civilian objects, such as civilian property and infrastructure. However, many computer networks are used for both civilian and military purposes. Such “dual use” objects may be targetable based on their nature, purpose, and use. However, combatants must still comply with the other principles of the law of war: military necessity, proportionality, and avoiding unnecessary suffering.

The law of war only applies within armed conflict. However, the exact moment that hostilities begin between the United States and China may not be clear. For now, it appears that Volt Typhoon has infiltrated Guam’s infrastructure without distinguishing between civilian and military assets, in a way that may later be leveraged indiscriminately during armed conflict—putting civilians at risk of tremendous and unnecessary suffering.

Microsoft and US officials have raised the alarm. According to Microsoft, Volt Typhoon has targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government information technology, and education sectors. According to Admiral Aquilino, China’s “cyber efforts remain focused on developing capabilities to enable warfare activities targeting US and partner critical civilian electric, energy, and water infrastructure to generate chaos and disrupt military operations.” Jen Easterly, the Director of the US Cybersecurity and Infrastructure Security Agency stated this week that a Chinese invasion of Taiwan might be accompanied by “the explosion of multiple gas pipelines, the pollution of our water systems, the hijacking of our telecommunication systems, the crippling of our transportation nodes.” She noted that these are “All designed to incite chaos and panic across our country and deter our ability to marshal military might and citizen will.” The US State Department issued similarly dire warnings.

As tensions with China rise, continued cooperation between corporations and the government will be critical to protecting civilians. The Five Eyes reports noted the private sector’s close cooperation in discovering and exposing the cyberattacks. Such cooperation must tighten and continue. Ninety percent of cyberspace is owned by the private sector. The United States government is hamstrung from regulating cyberspace, not just because of Congressional gridlock, but because of the First Amendment and other freedoms that Americans hold dear. US corporations often fear working with government, and fear regulation even more. However, the corporate goal of de-risking from China is aligned with the government’s goal of protecting its citizens from harm in peacetime and wartime. Public-private partnerships have never been so critical for national security—and for protecting Americans from unnecessary suffering.