A Tale of Two Typhoons: Properly Diagnosing Chinese Cyber Threats
How should the United States address the multiple cyber “typhoons” emanating from China? Over the past year, Chinese cyber threat actors have gained access to important U.S. networks. The most high-profile of these are Volt Typhoon, which burrowed into U.S. critical infrastructure, potentially to preposition cyber assets in the event of a crisis or conflict with the United States, and Salt Typhoon, which penetrated multiple telecommunications networks to spy on Americans.
There are two fundamental problems with the current state of the policy debate. The first is that Volt Typhoon and Salt Typhoon are fundamentally distinct, but policymakers tend to treat them interchangeably. The second problem, which follows from the first, is that policymakers are grasping for the same policy levers — especially deterrence — to address these threats when they suggest different solutions.
With a new administration confronting these daunting challenges, there is an opportunity to get things right when it comes to how we talk about and distinguish between cyber threats and therefore the policy choices appropriately matched to address them. For threats like Salt Typhoon, a large-scale espionage operation, policymakers should emphasize incident response and improve future defense and resilience. For threats like Volt Typhoon, which represents operational preparation of the environment, leaders should focus first and foremost on deterring war and, should that fail, try to deter attacks against civilian targets and improve resilience for military targets.
Two Distinct Threats
At first blush, Volt Typhoon and Salt Typhoon have several things in common. First, they have a similar naming convention. This reflects Microsoft’s taxonomy for naming cyber threat actors linked to a particular nation-state. Second, both entailed gaining unauthorized access to critical U.S. systems using some similar tactics, techniques, and procedures like “living off the land.”
Third, and most relevant here, U.S. policymakers from both sides of the aisle frequently group these episodes as part and parcel of the same phenomenon, namely an unrestrained China that sees little disincentive for burrowing deep into American infrastructure in cyberspace. National Security Advisor Mike Waltz noted in a December interview with CBS News that the United States must ratchet up its offensive approach and impose costs in cyberspace, including against “private actors and nation state actors that continue to steal our data, that continue to spy on us, and that even worse, with the Volt Typhoon penetration, that are literally putting cyber time bombs on our infrastructure, our water systems, our grids, even our ports.” Former National Security Advisor Jake Sullivan reasoned similarly at the end of the Biden administration.
When it comes to operational and strategic objectives, however, these two “typhoons” represent fundamentally different kinds of threats. Salt Typhoon, by all accounts, appears to be a classic — if somewhat breathtaking in scope — case of espionage. The intrusion, which entailed gaining access to unprecedented amounts of extremely granular information from some of America’s largest telecommunications companies, including Verizon and AT&T, was an intelligence bonanza for China. According to major reports, hackers gained access to extremely high-value targets, including then President-elect Donald Trump’s and Vice President-elect JD Vance’s cell phones.
Unlike many known past cases of Chinese cyber espionage, which primarily had to do with intellectual property theft, the ostensible goals of this operation appear to have had national security aims in mind. In this sense, Salt Typhoon is a close cousin of some of the largest cyber intelligence breaches over the last decade. Back in 2015, for example, China broke into the Office of Personnel Management, stealing sensitive records of millions of federal employees. Five years later, Russia carried out a supply chain hack against SolarWinds, gaining access to and exfiltrating data from multiple government department and agency networks.
Volt Typhoon represents a different sort of breach entirely. U.S. officials, together with Five Eyes intelligence partners, described in early 2024 how Volt Typhoon “has been pre-positioning themselves on U.S. critical infrastructure organizations’ networks to enable disruption or destruction of critical services in the event of increased geopolitical tensions and/or military conflict with the United States and its allies.” Then-director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, warned in Congressional testimony about how Volt Typhoon could “well endanger the lives of Americans here at home — through the disruption of our pipelines, the severing of our telecommunications, the pollution of our water facilities, [and] the crippling of our transportation modes” in a future crisis.
This is not the first time adversaries have gained access to U.S. critical infrastructure. In 2018, the U.S. government accused Russia of penetrating several critical infrastructure sectors, including energy, nuclear, water, aviation, manufacturing, and commercial facilities. But as of the time of this writing, it does not appear Russia has exploited that access for cyber effect operations against the United States — despite fears that Russia would do just that during its 2022 invasion of Ukraine.
As should be clear, Salt Typhoon and Volt Typhoon differ in terms of their operational objectives and their temporal dimension. For Salt Typhoon and other forms of cyber espionage, the objective is to stealthily steal information in support of an adversary’s intelligence collection priorities. Moreover, the value of such access is realized as soon as it is gained, because the collected information can be exploited immediately. In contrast, Volt Typhoon represents cyber operational preparation of the environment. The immediate operational objective is ostensibly to gain access and preposition capabilities to use at some future date. China may seek to launch disruptive or destructive attacks against U.S. and allied critical infrastructure for coercive purposes or to impede America’s ability to mobilize key military assets and capabilities during a crisis or conflict. Importantly, however, the effects are (currently) held in reserve and may potentially be employed at some future date.
Responding to Salt Typhoon
Despite the fact that Salt Typhoon and Volt Typhoon represent different cyber threats, policymakers seem to be taking a one-size-fits-all approach to address them — one that is largely anchored in some form of deterrence strategy. As described above, the Trump administration is leaning toward a more muscular, offensive approach to “reestablish deterrence” of Chinese cyber threat actors. But the same factors that distinguish these threats also suggest different courses of action — and reveal the limitations of relying on deterrence theory alone to confront the panoply of threats in the cyber domain.
For Salt Typhoon, the big challenge policymakers face is that while cyber deterrence in general is always difficult, it is especially tough to deter cyber espionage specifically. Deterrence entails the credible threat of force to prevent an adversary from taking some unwanted action such that the costs of compliance are seen as less than the costs of defection. In the case of Salt Typhoon, China has already captured sensitive information from its unauthorized access to U.S. telecommunications providers, and is likely acting on the intelligence, making deterrence for this particular operation moot.
Deterring future Chinese cyber espionage is also problematic for several reasons. Most obviously, espionage relies on secrecy and stealth for operational success, and such deception complicates deterrence. Moreover, threats to deter cyber espionage may not be credible. The value China likely perceives in these sorts of intrusions is enormous, making it difficult for the United States to credibly threaten to impose a level of consequences that outweigh the benefits (especially without unduly risking escalation).
On top of all this, espionage for national security purposes is an implicitly, if begrudgingly, accepted state practice — it is simply what states, including the United States, do. When the United States uncovered the Chinese hack of the Office of Personnel Management in 2015, then-Director of National Intelligence James Clapper famously remarked, “You have to kind of salute the Chinese for what they did.” If China perceives America engaging in the same behavior, it is especially unlikely to restrain itself. Indeed, the United States has tried time and again to deter cyber espionage and come up short. America’s response to SolarWinds entailed a combination of naming and shaming, indictments, and economic sanctions, but it’s not clear that Moscow was deterred from conducting cyber espionage as a result (or Beijing, for that matter).
Rather than lean on deterrence, the United States should situate cyber espionage where it really belongs, namely in the context of intelligence and counterintelligence. Salt Typhoon, of course, demands immediate incident response: assessing the full scope of the compromise, containing the damage, removing threat actors from affected networks, and, likely in this case, upgrading and rebuilding telecommunications equipment to make it less susceptible to future intrusions. Over the long term, the United States must invest in improving its defense, resilience, and counterintelligence capabilities to make it harder for threat actors to gain access and less consequential if — and more realistically, when — they do. This requires doing a better job of identifying and anticipating adversary intelligence collection priorities, which can guide policymakers in identifying which sectors and entities are more likely to be targeted.
Policymakers may also consider a “defend forward” counter-cyber response in the hopes of degrading China’s ability to conduct similar types of cyber espionage campaigns in the future. Indeed, this will ostensibly be most appealing to the Trump administration, not simply because the concept was introduced during Trump’s first term, but also because it aligns with a more muscular, military-centric approach to cyber threats.
But several notes of caution are warranted here. First, such an approach should not be the only solution and cannot replace the measures described above. Second, if the aim of a counter-cyber campaign is simply to degrade China’s cyber espionage capabilities, that would be one thing. But threatening or even imposing costs for the purposes of shaping Chinese behavior in the future – which would go beyond the conventional understanding of defend forward – is unlikely to work for all the reasons noted earlier. Relatedly, policymakers must consider the downstream implications of conducting offensive cyber operations in response to cyber espionage. Put simply, it may set a precedent that the United States should expect the same response in kind.
Responding to Volt Typhoon
Volt Typhoon is a different story. Unlike Salt Typhoon, where the benefits to China are effectively immediate from access to telecommunications networks, in this case, the actions the United States most wants to deter — disruptive or destructive cyber operations against critical infrastructure — have not yet taken place. China is holding a capability in reserve, and its access is primarily valuable insofar as it gives China tools it can use later. This creates a window for deterrence. Several implications follow.
Most obviously, it means China is unlikely to deliberately activate its pre-positioned disruptive or destructive cyber capabilities unless there is a crisis or a war with the United States. As a result, to deter such cyber operations, the United States should primarily focus on deterring conflict with China — rather than narrowly concentrating on the cyber dimension of the threat. This may seem like stating the obvious. However, policymakers who focus on cyberspace sometimes neglect the broader geopolitical dynamics, homing in narrowly on the cyber issue but failing to situate it in the bigger picture. Volt Typhoon is not only a cyber policy challenge; it is one tool in the broader Chinese toolkit for potential conflict with the United States and its allies and partners. In short, to deter Chinese activation of Volt Typhoon, policymakers must deter war with China.
And what if the United States fails to deter war? The question then becomes whether the activation of these exploits can be deterred in the event of conflict. To better understand this issue, we need to distinguish between counterforce versus countervalue targeting. The former in this instance refers to activation of Volt Typhoon exploits specifically oriented toward military bases, facilities, and other infrastructure that could impede effective military mobilization and operations. The latter captures cyber operations aimed at civilian populations with the intention of disrupting daily life, sowing chaos, and causing pressure on American policymakers as a result.
If China ultimately believed the United States would fight for Taiwan directly, and Chinese leader Xi Jinping still decided to initiate a war, there is likely little that could be done to deter Volt Typhoon actors from trying to activate any available exploits against counterforce targets. The reason is straightforward. With direct fighting assumed, it is unclear what would prevent China from attempting to use all available tools to slow down the U.S. effort to defend Taiwan. The real solution, then, would be to focus on improving the resilience of the targets, actively removing malware, ensuring secondary and tertiary capabilities, and so on.
Deterring China from activating countervalue exploits is a bit more complex. One potential source of deterrence may simply be that China fears such disruptions would backfire. While it is possible, according to one analyst, “the [United States] might refrain from aiding Taiwan in times of crisis for fear of domestic disruption,” it is equally plausible that major attacks on U.S. critical infrastructure could backfire and galvanize the American public behind a robust response.
Another potential source of deterrence is “mutually assured disruption,” which National Security Advisor Waltz himself has alluded to. The logic here is that Washington could deter the activation of countervalue exploits associated with Volt Typhoon by threatening to impose equivalent costs on Beijing in cyberspace. Even if the United States sought to refrain from directly targeting civilian infrastructure, there are alternative options to include “holding something other than Chinese infrastructure at risk — something the Chinese value more highly (like, say, their control of information flows into China).” The real challenge here is that, to be effective, the United States would have to credibly signal such activity to China beforehand. While not impossible, this is a notorious challenge in cyberspace.
Implications
Many policymakers have been treating the cyber threats emanating from China, specifically Salt Typhoon and Volt Typhoon, as essentially the same. In turn, they are reaching for a similar set of policy tools to address them. As demonstrated, this is problematic. These threats represent different types of cyber operations in support of radically different strategic objectives.
Instead of lumping these threats together, policymakers would be more successful if they evaluated how they fit into distinct, longstanding concepts in international politics, whether it be espionage, warfighting, or deterrence and coercion. The fact that Salt Typhoon was carried out through cyber means does give rise to unique challenges and may suggest certain policy tools in response, but conceptually it is part of a broader umbrella of intelligence and counterintelligence. The same goes for Volt Typhoon. China’s cyber operational preparation of the environment is part of a broader strategic effort by Beijing to plan and build capabilities for a future military engagement with the United States. In turn, the United States should see Volt Typhoon through the lens of deterring conflict writ large with China, while preparing to be resilient and prevail if deterrence fails.
Erica D. Lonergan is an assistant professor in the School of International and Public Affairs at Columbia University. Previously, she served as a senior director on the Cyberspace Solarium Commission. She is the co-author, with Shawn W. Lonergan, of Escalation Dynamics in Cyberspace (Oxford University Press, 2023).
Michael Poznansky is an associate professor in the Strategic and Operational Research Department and a core faculty member in the Cyber and Innovation Policy Institute at the U.S. Naval War College. He is the author of In the Shadow of International Law: Secrecy and Regime Change in the Postwar World (Oxford University Press, 2020).
The views expressed here are the authors’ alone and do not reflect the policy or position of any U.S. government organization or entity with which they are or were previously affiliated.
Image: MSgt Jonathon Alderman via DVIDS.