volt typhoon

hello folks, I said a few things for an article:

Chinese hackers want to wreak ‘disruption and destruction’ on US critical infrastructure

 But Easterly’s proclamations could reflect the evolving political situation, rather than an actual heightening of risks for businesses, says Anna Pagnacco, cybersecurity policy analyst at Oxford Information Labs. She says that “international relations in cyberspace follow a playbook of their own because the cyber landscape is meaningfully different from traditional domains of state operation.”

In the face of state-sponsored groups having

“plausible deniability for offensive conduct, naming and shaming is a powerful tool to conduct cyber diplomacy,” Pagnacco argues.

Ongoing tension between the US and China, which has led to a trade war between the two countries, makes it both

“more likely that China may plan more offensive cyber operations, and that Western intelligence pays more attention to any developments,” she says.

None the less, Pagnacco says critical infrastructure providers should be

“aware they are potential targets for nation-state activity.”

“The ideal response to this rising level of offensive cyber activity is a hardening of cyber defences throughout all sectors, so that malicious actors have a harder time finding opportunistic access pathways,” she says.

I think this mostly captures how I feel about this topic. I’d just object to the framing of this as politics instead of an actual threat – I wouldn’t want to minimise the threat connected to cisa’s advisory, and volt typhoon, and in general china-related apts.

it’s just really hard to succintly get the point across – two things can be true: that a thing can be a legitimate cybersecurity threat, and that its acknowledgement and public attribution to a nation-state (the prc) by a representative of a country (jen easterly) is a political choice.

the choice to raise awareness around a new or heightened threat is not political. the choice to publicly and officially attribute that threat to the prc is.

btw: “political” doesn’t mean wrong.

thanks Claudia for having me!

p.s. there is something to be said about intelligence collection and analysis efforts focusing on a country’s current political priorities, in this case concerning the tensions between the us and china. I feel like this point was represented pretty well in the article, but again, it’s not about faking a threat.

it’s not about the threat being there or not. it’s about where you choose to look.