Leading in the Cyber Competition with China
Cyber and emerging technology play a critical role in the strategic contest between the United States and the People’s Republic of China. The US needs to secure its advantages on computer networks, semiconductors, critical infrastructure, and artificial intelligence to avoid having its competition with the PRC devolve into crisis or conflict.
National Security Council Director for Cyber Policy Israel Soong joins Hudson’s Miles Yu for a conversation on why technology is crucial to Beijing’s plans and how the US can maintain the lead in its cyber and technology competition with China.
Event Transcript
This transcription is automatically generated and edited lightly for accuracy. Please excuse any errors.
Miles Yu:
Good afternoon everyone. Good afternoon. Thank you very much for coming and my name’s Miles Yu. I’m the director of China Center here at the Hudson Institute and today we have a distinguished guest not far from us, several blocks away from the White House.
The topic is about cyber, cyber policy. So we’re very excited to have this event and because that’s a talk of the town, everybody talk about cyber. When we talk about national security, when we talk about privacy, we talk about the even food safety has a lot to do with cyber. So cyber is the front and center in our national awareness.
Our speaker today is Israel Soong. He’s the director of cyber policy for East Asia and the Pacific for the National Security Council in the White House. In his current capacity, Israel coordinates inter-agency efforts to counter nation-state cyber threats to the United States critical infrastructure, and bolstered the cyber security of allied and partner nations.
Before entering government service, Israel was a senior vice president for strategy at a software company in the United States. And regional vice president for an IT security company based in Asia and the Middle East. He graduated from Cornell with a BS in policy analysis in 1996 and obtained a JD from Harvard Law School and an MPA from the Kennedy School of Government at Harvard in 2001.
He enjoys kayaking, biking, and hiking Civil War battlefields. So the battle obviously continues, is not a civil war, is international war of global significance. So without further ado, I give you Mr. Israel Soong. Thank you.
Israel Soong:
Thank you so much, Miles. Thank you so much. Good afternoon everyone. How’s everyone doing? It’s hot outside. Thank you for making the trek. I hope we didn’t lose anybody coming to this venue. It’s really hot outside, so stay hydrated.
Anyway, it’s good to see you all. Like Miles said, my name is Israel Soong. I’m a director of East Asia Cyber Policy at the White House National Security Council. At the NSC, I’m responsible for policies to counter the cyber threat posed by the PRC, China, and for policies that strengthen the national security networks and critical infrastructure of allied and partner countries in the Pacific.
Working daily with my counterparts at the NSC and the Asia and technology and national security director, it’s together we execute the administration strategy to invest, align, and compete with the PRC. Investing at home, aligning with allies, and challenging the PRC when necessary.
I want to express my deep thanks to Hudson Institute inviting me to address you on what I think is one of the most important topics in national security today. And I’m really grateful to have the opportunity to address such a distinguished group. And a special thank you to Miles and the Hudson Institute. Thank you for leading policy conversations in this area already. Thank you.
Today I want to talk about leading in the cyber competition with the PRC. But in addition to cyber, I also want to talk about the whole gamut of foundational technologies on which cyberspace is built, including software, networks, and chips, among others. And I’m going to talk about this through the lens of the US-China strategic competition.
I’m going to make three points this afternoon. The first point is the PRC is the only state with both the intent to reshape the international order and the economic diplomatic, military, and technology power to do it. Beijing sees cyber and emerging technology as critical to its strategy to reshape the United States-led international order to be more favorable to the priorities of the Chinese Communist Party, the CCP.
Number two, the novel and unique nature of internet-connected goods require that the United States must stay ahead in this cyber and technology competition. To ensure that we lead on the sources of technological and economic growth while also ensuring that sensitive technologies our companies are developing do not become a source of vulnerability.
Third point, staying ahead of the PRC requires us to do certain things. A) to adopt carefully tailored policies to protect US technology for being used to undermine our national security. B) massively invest in cybersecurity, cyber talent, and capabilities so that we lead in critical technologies. And C) forge mutually reinforcing partnerships with nations committed to an affirmative vision of cyberspace.
Now, Hudson Institute’s scholars and thinkers have already done an excellent job highlighting Beijing’s strategic intent to challenge the democratic rules-based US-led global order and reshape it. There are other scholars who have made this point eloquently, although by quoting them, I’m not endorsing them characterizations word for word. I’m just saying these are very eloquent summations what has been done before.
So for example, Elizabeth Economy from the Hoover Institution has written, “By now Chinese President Xi Jinping’s ambition to remake the world is undeniable. He wants to dissolve Washington’s network of alliances and purge what he dismisses as western values from international bodies. In his multipolar order, global institutions and norms will be underpinned by Chinese notions of common security and economic development, Chinese values of state-determined political rights, and Chinese technology.”
Rush Doshi from Brookings has written, “At the global level, Chinese order would involve seizing the opportunities of the great changes unseen in a century and displacing the United States as the world’s leading state. This would require successfully managing the principle risk flowing from the great changes, Washington’s unwillingness to gracefully accept decline by weakening the forms of control supporting American global order while strengthening those forms of control supporting a Chinese alternative.”
Now I’m citing this scholarship because I don’t intend to cover this ground again today. My objective today is to bring to this conversation an understanding of how crucial cyber and technology is to Beijing’s plans. Our bilateral relationship with the PRC has gone through ebbs and flows. And one of our primary objectives has been to manage the tensions that come with this competitive relationship with the PRC in which we have many differences.
But here’s the point. Deep under the surface, cyber and technology competition with the PRC is intense and on a massive scale. And like a deep ocean current, it is this competition that could ultimately decide what happens on the surface. Let me talk about the first point about PRC being the only state with the intent to reshape the international order.
When I say that Beijing sees cyber and emerging technology as crucial to its strategy to reshape the US-led international order to be more favorable to the priorities of the CCP, what I mean is that the PRC has mounted a large scale effort to actively and intentionally dominate these areas in a strategic way.
Many of you are aware of the PRC’s massive espionage effort against the US using cyber. In a campaign that has lasted over a decade, the PRC has been able to steal technology secrets from many sensitive weapons programs. You’re also probably aware that the PRC has for many years pre-positioned on US critical infrastructure for a potentially disruptive cyberattack. Setting up back doors to enable it to cripple vital assets and systems in the event of crisis or conflict.
And by critical infrastructure, I mean transportation hubs, power generation, electrical grids, communications, water supplies, and the like. What is public but is less well known is that the PRC has been doing the same pre-positioning to many other countries around the globe, including some who are allies and partners.
This global pre-position activity is truly massive in size and breathtaking human scope. For the PRC to have a potential to disrupt the critical infrastructure in all these countries has required their state-sponsored hackers to persistently and aggressively maintain this cyber access for years on end.
Let’s talk about semiconductors, arguably the foundational technology of cyber. This administration has pursued a small-yard, high-fence policy to restrict the export of the most advanced chip technology to the PRC, appropriately scoped to protect National Security without unduly limiting trade and investment.
However, not only is the PRC now investing even more heavily in the indigenization of chip production, it is also actively and illicitly circumventing export controls. But it’s not just self-sufficiency that the PRC is seeking. The scale of resources that the PRC has poured into its industries is not just a catch-up, but it’s indicative of an intent to surpass.
Many Americans know about the strategic nature of semiconductor chips due to the work of Chris Miller, Dmitri Alperovitch, and others. But many Americans have less awareness of the risks of a PRC dominance of the global network of port infrastructure. The world’s market for ship to shore cranes is dominated by one PRC company ZPMC, and I don’t know if many of you’re tracking on this.
No matter where they’re located, these cranes may be controlled and serviced and programmed for remote locations and these features potentially leave them vulnerable to exploitation. Transcom’s mobilization plans for the US, heavily rely upon commercial ports, ports in which these cranes are positioned that have the potential to disrupt a US military mobilization.
Consider also China’s state-supported information port management platform called LOGINK. Because the software is so dominant in the global market for port logistics, it can help consolidate Beijing’s influence over the global maritime transport system. During crisis or conflict, this software has the potential to be leveraged to provide intelligence to the PRC or possibly even influence port operators who use it.
Threats are these are why President Biden recently issued an executive order to bolster the Department of Homeland Security’s authority to directly address maritime cyber threats. Including through cybersecurity standards to ensure ports are secure.
Or consider artificial intelligence a hot topic in Washington these days. PRC companies are under pressure to lead globally, but so far many of the PRC’s generative AI efforts continue to rely upon US-based, large language models. They’re called LLMs. Because the PRC’s versions are still lagging behind.
However, the PRC has declared by 2030 that it wants to lead the world in AI, a technology with many, many military applications. And whose development would allow the PRC to achieve technological influence in many regions to undermine US National Security objectives. And the PRC has pledged billions to Chinese researchers and firms supporting their own AI development.
In addition to carefully tailoring policies to restrict the export of the most advanced AI chips, the Biden Administration has also ruled out historic measures to promote investment in AI innovation, the Chips and Science Act, while issuing a major executive order to ensure that America leads the way in seizing the promise and managing the risks of artificial intelligence.
Or when it comes to quantum. When it comes to building crypto-analytically relevant quantum computers, the competition between the PRC and the US is even more pronounced. While the US has invested five billion into quantum research, the PRC has poured 15 billion. Although these numbers do not include private sector investments.
In 2023, there were some indications that scientists in the PRC had achieved milestones in constructing a quantum computer that could out-compute those currently under development in the US. If the PRC had a breakthrough in quantum crypto analysis before the US did, the consequences for our national security would be dire.
Every communication that has been collected by the PRC, and many communications are collected by the PRC, every communication is potentially de-cryptable by a crypto-analytically relevant quantum computer and therefore would be placed at risk. Here again, this administration has taken a range of proactive steps including a National Security Memorandum, identifying key steps needed to maintain our competitive advantage in quantum while mitigating the risks of quantum computers to our national security.
There are many other topics that I could discuss. Data, cyber, electric vehicles, aerial drones, telecommunications, undersea cables. The areas in which technology touch are so encompassing and they’re all relevant to our national security. Now in my personal opinion, if the PRC’s efforts in cyber and emerging technology were purely for its own economic development without regard to geopolitics, I think we would have fewer concerns. But such PRC policies don’t just have implications for China’s economic development or US companies economic competitiveness.
They directly implicate US national security and our capacity to defend allies and partners around the world. The PRC is purging Western technology from its networks in China, stealing intellectual property at a massive scale, developing its own indigenous versions of that technology, and subsidizing and investing heavily in its own technology companies. Some of whose products pose considerable cybersecurity risks.
Now let me move on to my second point about the unique nature of internet-connected goods. I want to answer the question of so what? Why isn’t just keeping pace with China in cyber technology good enough? Why does United States have to lead in this area? What are the consequences if we don’t?
The answer to these questions lies in the novel and unique nature of internet-connected goods. So for example, cyber and technology are internet-connected. Their functionality is dependent upon their connection to the internet. When you purchase one of these goods, you’re buying its functionality, but you could also be relinquishing some control over it.
Now, in most cases where an internet good is produced has few national security consequences. But in the case of the PRC, we have to think of a few more things We can’t ignore that the PRC enterprises that produce internet-connected goods, they have to operate in a different political context, including a lack of rule of law protections against PRC government interference.
Moreover, the PRC’s civil-military fusion strategy supports the modernization goals of the People’s Liberation Army by ensuring that it can acquire advanced technologies and expertise developed by PRC companies, universities, and research programs that appear to be civilian entities. Therefore, the unique and novel nature of internet-connected goods is such that someone’s private decision to purchase such a good produced in the PRC, could have potentially significant national security implications.
Now in my personal view, the PRC has long recognized on a strategic level this potential for internet-connected goods to advance their national security objectives. Now I’m not saying that we should have a policy to oppose trade and all internet-connected goods from the PRC. This is not about protectionism.
But I think we need to carefully assess and tailor measures that will continue to protect US national security when it comes to our most sensitive and advanced technologies. Because we have to ensure that these kinds of vulnerabilities don’t impact our national security over the long run.
Let me give you a concrete example. Let’s take connected vehicles. New vulnerabilities and threats could arise with connected vehicles if the PRC gained access to these electric vehicle systems or data, right? Connected electric vehicles collect large amounts of sensitive data on their drivers and passengers, regularly use their cameras and sensors to record detailed information possibly on our infrastructure, interact with critical infrastructure, and in some cases can be piloted or disabled remotely.
Connected autos that rely on technology and data from the People’s Republic of China could be exploited in ways that impact national security. Now the Department of Commerce is issuing an ANPRM, an Advanced Notice of Proposed Rulemaking to investigate the national security risk posed by connected vehicles from countries of concern, including from China. Commerce will gather information from the industry and the public on the nature of these risks and try to determine what potential steps that can be taken to mitigate them.
The administration goal is to manage competition with the PRC, finding mutual areas of competition, and preventing competition from veering into conflict. But because Beijing has a longstanding, ongoing effort to channel resources into emerging technology and breakthrough industries, we have to be very careful from a national security point of view. These areas in which cyber, semiconductors, quantum, and AI, they all have significant dual use applications.
My point is technology itself is an extension of geopolitical power. Where technology is made, how is it produced, and what countries have control over technology have absolutely national security consequences. Which means we can’t just pace the PRC, we have to stay ahead of the PRC in the cyber and emerging technology competition, particularly in those foundational and sensitive areas. Our approach is about protecting technology advantages and preventing our competitors from using technology against our national security interests.
Okay, my third and last point. My third and last point was, so what are we supposed to do in terms of tailoring policies, in terms of vesting in cybersecurity and talent, in terms of forging mutually reinforcing partnerships with allies around the globe? What do we do about this? Okay, how do we stay ahead of the PRC in the cyber and emerging competition? What does staying ahead look like?
Let me give you a few thoughts. First off, I don’t want to just tick off a laundry list of policy options. And what I’d rather do instead is set out some kind of strategic direction and let very capable subject matter experts, here at Hudson, at other think tanks, and in other industries, figure out what policies are feasible and effective under these broad brushstrokes.
First, let’s talk about cyber and emerging technology. There should be continual dialogue between industry and government on trends in critical and emerging technologies, the opportunities and risks they pose, and the appropriate application of tools to mitigate the risks. Safeguard our most sensitive technologies and extend our technology leadership.
So for example, the administration’s current policy of small-yard, high-fence has been applied to things like advanced computing and semiconductors, and these are critical to our national security. I don’t think anyone would dispute that. But there’s another technology space that is kind of at the frontier, which is cloud computing.
Developing countries across the globe are considering whether to move their government’s most essential assets and services to the cloud. Now the PRC has been aggressively pushing these countries to select cloud services from PRC companies and enterprises.
And the US should continue to highlight to these countries the national security risks to them from using PRC providers. But more than this, we should be investing early and often with US and allied nation cloud providers to develop a diversity of alternatives to the offerings from the PRC.
My second point is about massively investing. I said before we need to massively invest in cybersecurity, cyber talent, and the capabilities to produce advanced technology. The steady drumbeat of attacks we’ve seen over the last three years highlights the limitations of a purely voluntary approach to protecting our critical infrastructure.
It’s essential that we start requiring each of our critical infrastructure sectors to adhere to baseline cybersecurity measures. Things like making sure you have a cyber incident response plan, require multifactor authentication, requiring encryption, and require logging just to name a few basics. To codify this approach, this administration recently released the National Security Memorandum 22. It elevates the importance of minimum security and resilience requirements within and across critical infrastructure, and it places increased expectations on our risk management agencies to implement those requirements.
In addition to critical infrastructure, we need to continue to protect our defense industrial base. As we’re doing everything from investing and building more submarines, producing more critical munitions for our allies around the globe. We have to safeguard our military secrets so that the United States can make what is necessary to sustain deterrence in competitive regions.
It makes no sense for the American taxpayer to pay billions for advanced weapons programs that defend American interests, only to lose military secrets to the PRC for what are really pennies on the dollar because of lax cybersecurity. Now there’s good news on this front. The DOD is amending the Defense Federal Acquisition Regulations, DFARs, to require defense contractors to adhere to a consistent comprehensive framework certified by a third party to enhance cybersecurity for the defense industrial base.
But there’s more that needs to be done. This is a much-needed change in our approach. So when the Pentagon purchased advanced weapons systems for a possible future conflict with the PRC, that financial commitment should also reflect some kind of reasonable certainty that the technology underlying those weapons has not and will not be easily compromised by the PRC’s Cyber Espionage Campaign. Because the defense contractor has gone above and beyond to maintain the high standards of cybersecurity.
So I’ve talked about our critical infrastructure and our defense industrial base. Now I want to talk about talent, human talent. Investing in cybersecurity means investing in our pool of STEM talent. In 2023, more than 750,000 cybersecurity jobs in the United States went unfilled. In 2022, universities in the United States awarded 435,000 STEM degrees, STEM bachelor’s degrees.
Now that seems like a lot, doesn’t it? Until you realize that on average universities in the PRC award more than four million bachelor STEM degrees every year. Now I know the PRC has a greater population. Some rankings suggest that the quality of the STEM education in the US is higher than that of the PRC. And many talented scientists and engineers from China eventually relocate to the west through graduate study and employment. But my point is that the weight of engineering and scientific resources that the PRC can bring to this competition should not be discounted.
The United States need to increase its STEM talent to ensure that we can sustain our research enterprise, drive innovation, and support our national competitive edge in cyber and technology. In addition, we have to have corresponding investment in a national renewal of capabilities to produce advanced technology.
Over the past 18 months, this administration has prioritized semiconductor fabrication in America, investing $39 billion in Arizona and Ohio. This is a strong start. And as we execute the invest portion of invest, align, and compete, let’s continue to have conversations over what areas in cyber and emerging technology we need to be leading in.
In addition to those areas already identified, what future critical areas should we be investing in? And the areas that are not critical to US national security might we find synergies in cooperation elsewhere. For those future areas of cyber and emerging technology we think are critical, what does it take to invest in the human talent, to invest in process engineering, and infrastructure in order to make this happen?
In some cases, these may be mutually reinforcing. So for example, large scale investments in semiconductors may also need to accompany investments in quantum that underline our digital future.
I want to speak one point about AI as it relates to cyber. We’ve already discovered now that AI has demonstrated the ability to help produce exploit code, discover software vulnerabilities, create spear phishing attacks, and automate cyber intrusions. As AI research continues to advance, these dual-use cyber capabilities are likely to grow.
Today the PRC lags behind leading American companies in frontier LLM development. But we need to invest appropriately in cybersecurity to protect things like proprietary AI source code, the model weights, and the training data we’re using for these AI models. These technologies have to be safeguarded to prevent the PRC from co-opting US innovation for National Security purposes. But at the same time, we have to continue to allow our developers to lead in global markets and contribute to a thriving open source innovation community.
We need to protect our data. We need to protect the interconnected infrastructure of banking, communications, virtual platforms, and computer networks, especially those that support our electoral process.
Lastly, and this is my last point here, we need to extend this successful strategy of multilateral partnerships to the cyber and emerging technology domain. Over the last three years, the United States has accelerated a lot of these foreign partnerships based upon geopolitical alignment and cooperation to compete with China. So AUKUS, Quad, right? These are some of the examples.
We need to start asking ourselves more. What are the best ways to align with foreign partners on national security and economic concerns around things like semiconductor lithography and ship fabrication technology? I suggest that we do the same for cyber and emerging technology. How can the United States expand and enhance multilateral partnerships with like-minded nations to share cybersecurity information and build joint resilience together?
Is it possible for the United States to form groupings of nations to reduce the flow of the most sensitive national security technology to the PRC and other adversaries? We could extend it to quantum, artificial intelligence, even future 6G telecommunication standards.
Okay, I want to make two last points and then I’ll conclude. One is that in leading in the cyber and emerging technology competition, we have to avoid endangering our own efforts by decoupling from centers of innovation. History teaches that societies that isolate themselves from the greater world out of a fear of competition or influence, they eventually undermine their own forward progress.
And this is the kind of overreaching that we need to avoid most as the United States. That in the name of competing with the PRC, we end up starving our digital economy of foreign talent, competitive pressure, and innovation. Because all those things are important to innovation.
There is a great danger in defining yourself simply by what you’re against. Instead, when it comes to cyber and emerging technology, I want us to define us, ourselves by what United States stands for in this area. In a way that counters the PRC narrative that the West is only interested in its own wealth and not the prosperity and wellbeing and development of other countries, including the global south.
We need to have an affirmative vision of cyberspace, an affirmative vision of cyber and emerging technology. Our affirmative vision of cyberspace should be a future in which people around the world can reliably access critical services from their government, use technology to securely communicate, express their views online without fear of censorship or political retribution, and depend on a digital infrastructure that drives economic growth for all levels of society.
And this is how cyberspace and emerging technology can promote human flourishing. Human flourishing is the idea of the physical and mental wellbeing of individuals and the communities they live in. I argue that only the United States and its allies and partners, with our commitment to individual dignity and freedom, can deliver such a vision to the rest of the world. Thank you very much for listening and I really look forward to your questions.
Miles Yu:
Thank you, Israel.
Israel Soong:
Thank you so much, Miles. All right.
Miles Yu:
Great. So now we’re going to have a few minutes, just have some conversation based on what he talked about in his wonderful speech. And then after that we have a question and answer from the audience.
Israel Soong:
Okay.
Miles Yu:
Israel, thank you for that wonderful speech. You mentioned cloud service as a very essential in cyber. Now cloud of course involves servers. Recently the nation had a very robust conversation, a dialogue about TikTok. TikTok escaped our scrutiny, largely by agreeing to move the servers outside of China, but now they moved to mostly Singapore.
The question still remains who has access to the full servers outside of China? Obviously Chinese government has total access to that. Conversely, the issue of cloud services also very important. Apple, that makes this wonderful device here, it has a huge customer base in China. Apple’s servers of all China-based customers are in Guangzhou, China.
Israel Soong:
That’s right.
Miles Yu:
So Chinese government has total access to that. Now you cannot really separate the Apple sold in China totally from Apple used here in the West. So there’s a lot of interconnection over there. But how do you secure this kind of, it’s not just a business transaction, it something to do with the national security policy. How would you address that since you’re a director of cyber policy for East Asia?
Israel Soong:
Miles, thank you for this question. This is a great question and great examples, both Apple and TikTok. If things are being stored in servers that are located overseas from the United States, how do we protect our citizens’ data? How do we protect our information? Particularly from a country in which there’s civil-military fusion?
The companies in China that may be running these servers, they don’t have a rule of law. They don’t have any kind of rule of law system that allows them not to accept a demand from the Chinese Government to access this information. So let me confine my comments to very specific instances of national security because I definitely don’t want these comments to be construed that we need to cut off all digital trade.
But I think that the ambit of areas of concern about our servers and our information being located for goods in China, I think we need to start expanding that ambit of concern. Because it’s just not national security technologies that are at risk. The ordinary data of American citizens, and especially American citizens and Americans here in this country, who are expressing freely how they feel about certain geopolitical issues, that kind of freedom is also at stake.
So what I’m saying is that technology is really changing the landscape of what it means to have your data protected and it’s certainly something that we need to pay more and more attention to. I can make the same arguments about so many other kinds of technology since we’re no longer storing information on a premises’ server somewhere in the United States.
In fact, at some points we may not even know where the servers storing our information are in these huge data warehouses around the world. This is a new and novel issue that I think we’ll pay attention to. Even in this administration, we’re paying attention to it. Whatever comes next in the next administration, we should absolutely broaden that ambit of perspective and think what are the national security implications of cloud computing?
Now, I mentioned the developing countries making a decision whether to accept the PRC cloud infrastructure or maybe a cloud infrastructure based upon some US companies here. And a lot of companies are concerned about, well what about the sovereignty implications? If I have to choose between the PRC and the US, what do I choose?
One possible answer to that is who has the civil military fusion? And who has rule of law protections going on? Which society is more dedicated to things like the affirmative vision of cyberspace, free expression, the lack of online censorship, individual dignity, human rights? And so I think when presented with that choice, I think that could be a very compelling argument for these countries.
But of course the PRC, what is their advantage? It’s cost. It’s cost. And one of the things I want you to take away from this talk is be able to question this idea of, well, for American economy to work, it doesn’t matter where we outsource things, it doesn’t matter where our cloud computing servers are. These things doesn’t matter as long as we’re providing things to the cheapest cost to the American consumer.
And I just want to question that and say from national security perspectives, that may not always be true all the time. The lowest cost may have a national security implication that we need to be tracking. Thanks for that question, Miles.
Miles Yu:
Great. I have another question for you.
Israel Soong:
Go, shoot.
Miles Yu:
Now you mentioned about the sovereignty. Now if one nation’s sovereign domain is being invaded, then that normally is considered as a war. But when we talk about war, we talk about mostly kinetic confrontation. If you broaden the definition of sovereignty and the invasion of a sovereign domain can take place in many, many aspects.
Now, let me just in the cyber domain. Let’s say this. This is what China has done to this country. 2015 China state-sponsored hackers stole 21 million records from the Office of Personnel Management, that’s the entire Federal Government workforce. Also in 2015, 80 million records stolen by the Chinese of the second-largest insurer, Anthem Incorporated. 2017, 147 million people’s financial credit records were stolen from Equifax, one of the three largest credit rating system in the United States.
2018, 383 million customers records were stolen from Marriott International Hotel, the data center. And then 2021, Microsoft Exchange Server, hundreds of millions customers information was stolen by Chinese hackers. 2022, US Naval Undersea Warfare Center in Newport, Rhode Island. The data center was breached by the Chinese hacker. Unknown quantity of US submarine technology and capability that were stolen.
Now we have a general sense of indolence, helplessness when deal with China. There’s a massive scale of a cyberattack. If that’s not the war, what else this? So what’s the official response from the White House?
Israel Soong:
That’s a great question. It’s also a very challenging question. So in the cyber world, we make a distinction between cyber espionage and cyberattack. And we’ve actually made it very clear to other countries and adversaries, if there is a cyber event that happens in the United States that impacts critical infrastructure and harms America, that would be considered an attack on the United States.
But your question is asking about what about the theft of intellectual property, personal records, private information, does that constitute an attack? And that’s harder to say. But I don’t want to leave you with the impression that there is little that we can do against the PRC cyber actors stealing our information. There’s actually a lot we can do, which is why cybersecurity is such a priority for this administration. How do we get critical infrastructure providers to maintain minimum cybersecurity standards? How do we get defense industrial based to improve their cybersecurity?
These are all really good things. I’m afraid that when I talk about cybersecurity to non-cyber audiences, I’m afraid, and I don’t want to leave audiences with the impression that these attackers are so skilled that there is little we can do. We can actually do a lot. We can actually improve our cybersecurity a lot. We can actually warn our allies and partners about what the PRC is doing.
And we can do a lot of things to make it more costly for the PRC to actually do these kinds of activities. In some cases, however, Miles, I want to say there’s a lot of things that a Americans can do as kind of a whole society cybersecurity perspective. In the White House, in the NSC, in the cyber directed, we’ve seen pretty egregious examples of manufacturers of security hardware putting things on the market that have vulnerabilities that are easy to exploit by PRC hackers, not issuing patches for them quickly.
We have seen critical infrastructure providers using default passwords even after being warned they shouldn’t use default passwords on their systems. So I think there’s a lot more that we can do as a country to increase the cybersecurity awareness.
So for example, let me ask this audience, how many of you have MFA enabled in all of your accounts? I hope most of you do, right? I see a few hands, right? But when we talk about cybersecurity, let’s talk about something as a whole of Americans, society awareness. That all of these things, defense industrial base, the information from OPM, Equifax credit card information. There was a recent hack of AT&T of all its customers. Together as Americans and American private enterprise, we need to get around the idea that there are certain things that we should do for cybersecurity and that’s been a big push from this administration.
Miles Yu:
Yeah.
Israel Soong:
Go ahead. Go ahead.
Miles Yu:
Well, I think one reason why China has the almost insatiable appetite for stealing all kind of data is because all this collection of data on a massive scale serves one purpose. That is to create a very efficient AI system. Because AI is almost entirely dependent upon the completeness of your data collection. And now China has pretty much biometrics and all the information, financial, otherwise. Your social credit score for example. In your data systems so they can identify who you are and they can exercise control.
Now let’s move to another direction over there. You mentioned about obviously China has this global ambition for dominance. Mostly right now, not necessarily through outright ideological export, export of revolutionary rhetoric and arms of kinds in the ‘60s and ‘70s of last century. But through basically created a global dependency by the world on technology and on economy.
So technology is today’s topic. To what extent do you think that China’s focus on technology is for military purpose primarily? Or to what extent is for a much broader sense?
Israel Soong:
Miles, this is a great question. I’m so glad you asked it. So let me give my personal opinion on this. This is my personal opinion here based upon my work at the NSC. Yes, there’s always the possibility that in acquiring advanced technology that the PRC will be able to achieve military capabilities directly to contest the United States. Yes, that’s a huge concern.
And when we talk about issues like Taiwan or the South China Sea, that is incredibly a big concern. And this administration, and I’m sure whatever administration follows, will do tremendous amounts of work to make sure our military capabilities stay on top. But my biggest concern isn’t that eventuality. My biggest concern is a world in which China over decades because of its investments, because of what it’s doing, has been able to corner the most sensitive and advanced future technologies that future digital life will depend upon.
And, Miles, you mentioned creating a technological dependence. And part of the reason why I bring the examples in my speech of the cranes, why I bring examples of port management infrastructure, or other kinds of things, is that as China moves and takes greater portions of these areas of future economic and technological development, my concern is that if we don’t do something as the United States to contest that in those technology areas, not only will we fall behind, but we may be faced with the decision that is increasingly difficult to contest the PRC in the technology domain.
That’s why I say that we have to lead. China is great at taking advanced technology and producing it at scale. A lot of the things that we’ve done in the preceding decades in the United States is try to outsource all the technology. We design it, but we outsource it. The process engineering takes place in other countries.
And I guess one of my concerns is, but in outsourcing it to other countries, might we be giving up a little bit of national security concern here? So questions to ask yourselves in the national security establishment is how do we create an environment where we and our allies and partners are not technologically dependent upon China? Particularly for the things that have such wide variety of dual-use applications?
Miles Yu:
Very, very good. So you mentioned about affirmative vision of cyberspace, which is a very interesting concept. Obviously I’m in total agreement. Now the PRC obviously has a different vision of cyberspace. How do you convince the West versus the rest? So how do you convince the rest of the world to go along with our vision of cyberspace?
Israel Soong:
That’s a great question. I think that, as I said before in my talk, simply defining what you’re against can be dangerous as an argument, right? We need to define what we stand for as Americans. And I think taking the values before the internet revolution of individual dignity and freedom, and trying to articulate those when it comes to digital, a digital economy, a digital infrastructure, a digital future. That’s one of the greatest challenges that we have before us.
When we talk to other countries, particularly in the global south, we have to make the case that it’s not just about what is cheapest? It’s about what technology will enable your development, but will also allow your citizens and your people in your country to experience the same kind of digital freedom, the creativity, the freedom of expression online that we Americans enjoy?
I think this administration has done work in this field. The preceding administration has done work in this field. But I still think there’s more work to be done in articulating this digital future that we’re building through AI, through all these advanced technologies. How is that technology going to be in the service of the values that we embrace as Americans?
One of the things I hope you’re taking away from this talk is that technology is not a value neutral thing. Technology itself is imbued with so many different values. It’s just not engineering and science put together. The way we use it, the way it gets used in our societies, has an implication for the values that we espouse.
So in discussing this PRC/US competition as well as all the policies that come with securing our national security, we also need to continually message about the policies that protect the values that we know citizens from other countries also want. And articulate how using the PRC technology can infringe on those freedoms and put those freedoms in jeopardy.
Miles Yu:
To follow up on that very question, in the previous administration, we had an enormous problem working with friends and allies. Now we’re talking about the global north friends and allies. And particularly on the issue of 5G by Huawei. We’re the first country to say this is dangerous. 5G would not distinguish it what’s on the edge and what’s in the core. Once you’re in the system, everything goes.
But we had an enormous problem convincing our friends and allies, even some of the Five Eye countries, let alone most of the NATO allies thought we were just a little bit of alarmist. And so friends and allies sometimes can be also very cranky and difficult too on issues like this. Gradually they have turned around as a result of COVID, as a result of our persuasion. As a result of China’s own behavior and their own constant hacking attacks on not just America, but also many countries in Europe and Japan, Australia, this country.
So when we talk about important countries, you mentioned in your talk about the important countries we have to really create what you call the mutually enforcing partnerships with other countries. What countries do you have in mind? Can you provide examples of successful collaboration in cybersecurity and technology with the international partners?
Israel Soong:
Yeah, let me give three kinds of examples because this is a great question too. I think, Miles, totally echo your comments. The alliances that we’re building, the partnerships, the latticework of alliances to manage competition responsibly with the PRC and prevent competition from bringing into conflict, alliances are extremely important part of that.
So I can think of we have the traditional Five Eyes Alliance, which is actually an intelligence partnership. In this unclassified setting, there’s not too much I can say about this, but I will say that among the Five Eyes Alliance, there’s a great deal of cybersecurity and technology cooperation going on.
Recently, earlier this year in February, was the first time that agencies of the United States, Australia, Canada, and United Kingdom got together to issue a joint mutual cybersecurity advisory about Volt Typhoon, about PRC cyber actors. That’s only the start. We can do a lot more of those kinds of joint cybersecurity advisories and involve more countries.
So that’s one kind of alliance. Using existing alliances and making sure that they also address cyber and technology. There’s also new alliances that are actually based upon science and technology. I’m thinking of the AUKUS kind of alliances. Most people know about AUKUS Pillar 1, about the submarines. But a lot of people don’t know that AUKUS also has other parts of it that deal with collaborating and sharing with different countries about how to cooperate in the emerging technology space.
And then I think about the new alliances that are developing, particularly in the Indo-Pacific. I can’t give any specific, name any specific countries in this example. But you can think of a map of Taiwan, think about the surrounding countries, and allies and partners that we are dependent upon for US military mobilization to get and move forces into theater in the event of a cross-strait crisis.
Those countries are benefiting from the United States directly engaging, hardening national security networks, bolstering the security of critical infrastructure. It’s a work in progress, but it’s great work. And those are the kinds of new alliances, that third category, is the one that I’m most excited about.
There are a lot of other countries around the world. We just had the NATO Summit here in Washington. Very successful. We’ve had a lot of opportunities to build new alliances that incorporate or are based on cyber and emerging technology. AI is one of the things that I think has the most promise.
There are other countries, and I will name one country for example, like Japan, who has such an impressive scientific community. And we are talking with Japan about being partners in AI. And I think there are other countries who we can also partner with in AI. Those who share our affirmative vision, those who share our values about what should AI be used for? And how do we keep AI from being used against our national security interests?
Miles Yu:
Well, I just visit, because the summertime, so everybody travels. I’ve been traveling to Europe and to Asia the last couple months. And every country is very actively involved in its cyber issue and particularly to form partnership. Not because it’s important, not only because it’s important to them to everybody’s economy, but also there’s a very strong sense that everybody feels a common threat.
Common threat is a foundation for common defense. And a common threat primarily comes from China. If you listen to our national leader’s pronouncements about the cyber threat from China, it’s at a scale of unmatched in human history. You listen to a Director Rays talks. So it is just mind-boggling how much of China has been involved in this.
And it’s just like our national policy level. We’re still doing this kumbaya dance with China, as if China is just one another normal country who misbehaved occasionally. It’s very systemic. It has a very, very ambitious intention to upend the existing international order.
Now let me with the interest of time, so I have several questions, but I’m going to just stop here and listen here what you have to say from the audience. Okay. Please. Here. Please state your name and affiliation.
Alex Alper:
I’m Alex Alper with Reuters. And I just wanted to ask, you mentioned the importance of safeguarding AI. You mentioned the model weights, the code, the training data. As far as I understand it, we don’t even have the tools right now. Certainly Facebook has made its model public and they say that China’s AI models are mostly based off of Facebook stuff.
We saw the G42 deal where even some of the proprietary stuff, which could be controlled under export rules if they did one, going abroad to countries that have close ties to China. So I guess my question is A, is the administration really doing that if it’s allowing the G42 deal? And B, what tools, what do you need I guess to even really control that?
Israel Soong:
That’s a great question. There are other colleagues from other directors that are much more expert on AI than I am. I’m going to refer to them. But I think what your question is getting at is how do we address AI? How do we make sure that the AI technology that the US firms have spent so much time developing, how do we make sure that they’re not siphoned away by adversarial countries and used against their national security interests?
The Biden Administration is definitely trying to lead on that area by introducing a national security memorandum on AI. We’re going to address the threat to US technology firms from the IP theft from the PRC, as well as the broader cybersecurity threats from AI. And we’re also going to accelerate the US national security’s adoption of cutting-edge tools to benefit our national security objectives. Most importantly, we’re going to reinforce efforts to develop, attract, and retain AI talent.
That last point is something really, really important and it goes along with the points I made earlier in my talk. Which is, as a country, as Americans, what are the ways that we can put more power behind our STEM talent, to hire more cybersecurity specialists, to make cyber and STEM more interesting to young people across our country? To attract and retain cyber and AI talent?
I talk about the missing cybersecurity jobs that we have every year. Well now we’re also going to have a new category of jobs, AI jobs, that we’re also missing every year. So what I encourage discussion on and policies in the future towards is how do we develop and nurture all those talents? How do we make STEM even more attractive than it currently is to the next generation of young people? That’s a great question and thanks so much for asking.
Miles Yu:
You should run for public office because everything you started with, that’s a great question.
Israel Soong:
These are great questions.
Miles Yu:
Great. Over there.
Abhi Shri:
Hi, I’m Abhisri from ORF America. And I just wanted to ask in terms of allies and partners, if you’re looking towards say some Southeast Asian countries, a lot of them do have a common threat that we just identified China, in terms of a lot of attacks on their data centers.
However, they do have a very unique geopolitical constraints and are quite often hesitant for attribution. And I was just wondering how US may engage with these allies and partners and bodies like say ASEAN countries in order to reconcile cyber resiliency, cyber capacity building, along with their hesitancy for attribution? Thank you.
Israel Soong:
I will say on hesitancy for attribution, you’re right, historically many Southeast Asian countries are trying to walk a fine line between the United States and the PRC. But I think we’ve actually seen a couple of changes. So for example, Philippines recently attributed two hacks to PRC cyber actors. I think one happened in February and one happened actually very recently, I think in May actually.
But they both publicly announced, “Hey, we think and we assess that these are actually the actions of the PRC.” And that’s a really welcome change than what has happened before. Obviously the Philippines in a slightly different position than many ASEAN countries.
But I will say that absolutely in favor of engaging ASEAN, right? Engaging ASEAN on cyber capacity building, not just about the PRC threat but also things like cyber criminality. We have something called the Counter Ransomware Initiative, which gathers a coalition of countries together to combat cyber criminals.
We have a policy pillar, we have a Counter Ransomware Task Force. That kind of collective cybersecurity and cyber criminality is also very useful for shoring up cyber defenses in general. So there has been engagement with ASEAN. I agree with you, there should be more. The ASEAN are key partners in this space, particularly given their geographical location. So thanks for the question.
Miles Yu:
All right. Go ahead here. And then one more following it.
Speaker 5:
Thank you very much for your remarks. When listening to you and to other people, one feels that China’s extremely successful penetrating cyber security. Their attacks all the time, often successful or partially successful attacks.
My question to you, though it may be difficult to answer, I understand. How successful is the United States in penetrating Chinese cyber security defenses? Or other Russia? We know from Russia’s war in Ukraine that American intelligence was extremely good regarding the impending attack. So I reckon something similar is probably in a way successful also regarding China and cyber security. And as we have small audience perhaps you can be quite frank.
Israel Soong:
Well, thank you for your question. In this unclassified setting, of course I can’t be as frank as I’d like to be, but I will answer your question in one way, which is the PRC success in cyber. And so again, to reiterate a point I made earlier, I don’t want any of you to leave this talk with the idea that the PRC is unstoppable in cyber. It is actually not.
With the correct cyber security, we can make a huge difference for American companies and for our allies and partners abroad. By mere virtue of the fact that we’re able to talk about PRC cyber, and many others have done as well, Director Chris Ray, Jen Easterly, a lot of commentators have talked about what we know about PRC cyber actors. The mere fact that we are able to talk about this and identify it and call it out, is a sign that they’re not completely successful.
We know what they’re doing, we know what they have done. We’re tracking them very closely. Through the efforts, a lot of our partners through the inter-agency. I wouldn’t say this is a complete success story, but it is successful in the sense that their behavior is not being unnoticed.
What would be not good is if we were not able to talk at all because we had no inkling of it. But actually the contrary is true. We actually have very, very good understanding of what’s going on in some cases. So I’m sorry I can’t answer anymore in this setting. Thanks very much for your question.
Miles Yu:
But I want to add that to what Israel said. America is a country of innovation. America is a country of enormous energy and creativity. So we have capabilities. The issue that really we’re talking about is leadership and also specific policy. So a knock ground if the country really gets act together and we have been unstoppable.
And I think if you look at the Chinese leaders in cyber, they’re mostly trained in the United States. So they learn the skills and for a very purposeful, in a very purposeful direction and serve the country in the state. So if the US government had policy right, and then people are mobilized and I think we will. We have powerful companies in Silicon Valley, look at Google. Google commands enormous amount of data that human activities. But they have been very prudent.
And Chinese government is really good at weaponizing any technology in its position. And we are a country of democracy. We don’t do that all the time. Mostly there’s a clear line between government and private business. One more question please. Yeah?
Israel Soong:
Wait, before we ask that question, can I just add on to that one?
Miles Yu:
Oh absolutely, yeah.
Israel Soong:
I absolutely agree. This country has amazing resources, amazing talent, amazing innovation. And if we put our minds to it, we actually definitely can lead in the cyber emerging technology and we can do it.
What it takes though is a recognition. And that’s part of the reason why this administration and other administrations, other people in the cyber community are raising this message of, “Hey, we need to focus on what is the national security threat when it comes to cyber emerging technology? And how do we invest massively in the resources to overcome the challenge?” So thanks.
Miles Yu:
All right, great.
Israel Soong:
Okay, last question.
Miles Yu:
Great. So last question please.
Yuko Makai:
Thank you for doing this. My name is Yuko Mukai from Japanese newspaper Yomiuri Shimbun. And my question is about what you mentioned about Volt Typhoon and Five Eyes. And so you mentioned that Five Eyes start united and as a counterpart after Volt Typhoon, which I understand that was malware hidden in the Guam base and Guam infrastructures. And what is the analysis why it happened? What was their intention? And how it’s relevant with their plan to invade Taiwan?
Israel Soong:
That’s a good question. Let me answer it this way. Going back to one of the first points I made early in the talk about PRC pre-positioning. What is their intention behind pre-positioning on critical infrastructure, on US critical infrastructure, and on infrastructure in other parts outside the US?
It’s definitely a potential for disruptive cyber effect, a cyberattack, in a time of crisis and conflict. And so that’s their motivation behind doing it. There are several things that we can do. One of the most important things is making sure our critical infrastructure providers, and other places outside of the United States as well, our critical infrastructure providers adopt those cyber security measures that are most important to remediating the vulnerabilities in the network.
So I hope I answer your question by saying what is the intention of the PRC behind pre-positioning? What do they hope to gain from it? And what we can do about it as well? So I hope that answered your question or maybe I didn’t understand it. Please ask it again if I mis-answered.
Yuko Makai:
[Inaudible]
Israel Soong:
I hesitate to connect it to any particular scenario, but I will say that Taiwan is one of the potential crisis points in which preposition could be useful to them.
Miles Yu:
Let me just add the final thoughts to that. This is not just about the PRC obviously. We in the United States, also in the West to a larger extent too, we have incorporated cyber into our sort of war platform. Used to be C4, that’s a command control communication computer. Now it’s a cyber C5 now.
So this definitely in the domain. Cyber definitely is catchphrase of a decade if not the century. So, so much so there is a truck, the name with the cyber on it. So it has nothing to do with cyber. But the key point is that our life will forever be changed by the infusion of the element called cyber and to a large degree artificial intelligence.
Thank you very much, Israel, and for this wonderful conversation. I’m sure this conversation will continue. Please check out our website at the Hudson.org. And we have events like this all the time. Thank you very much and good afternoon.
Join Hudson Senior Fellow Bryan Clark for an event with Chief Digital and Artificial Intelligence Officer Dr. Radha Plumb.
Congressman Mark Green will join Hudson’s Dr. Jonathan Ward to discuss the importance of cybersecurity, critical infrastructure defense, maritime and border security, the fentanyl crisis, and more.
Join Hudson for a discussion on the trade and technology relationship between Washington and Taipei with US-Taiwan Business Council President Rupert Hammond-Chambers and Taiwan Semiconductor Manufacturing Company Senior Vice President Peter Cleveland.
Join Hudson for a discussion with renowned intellectual property experts including former United States Patent and Trademark Office Director Andrei Iancu, Dinsmore’s Brian O’Shaughnessy, and the Special Competitive Studies Project’s Rama Elluru. They will explore potential policy changes, challenges, and opportunities for the innovation and creative sectors in the new administration.