The transformation of China’s digital attack capabilities is the most important change in the cyber threat to the West in more than a decade, writes Ciaran Martin.
In a world of extraordinary geopolitical volatility, the threat to Western nations and interests from cyber attacks has, contrary to expectations, remained remarkably stable. Asked to name the leading anti-Western nation state actors in 2015, any expert would have listed Russia, China, Iran and North Korea. Asked to do so in 2025, experts would give the same list. Moreover, in the 2020s, the sort of serious disruption to critical infrastructure – to energy facilities, healthcare and other sectors – long feared by governments has, insofar as it has materialised at all, been caused by Russia-based cyber-criminals. The biggest nation-state threat actors have, by and large, kept much of their cyber powder dry. Even in its invasion of Ukraine, Russia’s cyber forces underperformed as badly as its conventional ones in the illegal assault on Kyiv, and there was no serious attempt to use cyber disruption to deter Western countries from backing President Zelenskyy’s fight for national survival.
As ever, this relatively stable picture – one of significant threat but little actual change in that threat – has been accompanied by a steady drumbeat of commercial hype about how the cyber threat to anyone and everyone is getting worse all the time. That this is objectively untrue has not arrested the spread of the narrative. But such unrealised and unspecific scaremongering means we risk failing to notice when important shifts in the threat picture actually emerge. And there has been one profoundly important shift in the threat picture recently: over the past two years we have learned of a transformation of China’s cyber capabilities into a far more formidable strategic threat.
This is, by far, the most significant shift in the cyber threat landscape in well over a decade. As a cyber actor, China has changed in three ways. First, the objectives of its cyber capabilities have shifted from economic to political ones. Second, its operations have changed from being opportunistic to strategic. Third, and most importantly, it has moved beyond being simply a passive actor to being an active one. In other words, it does not just spy and steal anymore; it has also laid the ground for hugely disruptive cyber operations against Western critical infrastructure, which hitherto it had shown no signs of doing.
The Cyber Typhoons
Two major cyber operations by China were uncovered in 2023 and 2024. They were, unhelpfully, given very similar codenames: ‘Salt Typhoon’ and ‘Volt Typhoon’. But although only two letters distinguish them, they are profoundly different.
Salt Typhoon is an operation sponsored by a state intelligence service. It has comprehensively penetrated the United States’ telecommunications system, leading to panicked guidance from the US Government to the nation’s elite to use end-to-end encrypted messaging services, or else assume their data and message content are transiting to Beijing. Think of it, in effect, as China doing a ‘Snowden’ to America: gaining vast access to the nation’s communications via a strategic spying operation of breathtaking audacity.
Volt Typhoon, by contrast, is a military operation for strategic political and potentially military purposes. Run by the cyber unit of the People’s Liberation Army, it involves putting preparatory implants – ‘digital booby traps’, as some have called them – into all manner of American critical infrastructure. In its official assessment of the operation, the Biden administration listed manufacturing, utilities, transportation, construction, maritime, IT, education and government (though, interestingly, not healthcare) as the sectors affected. The implants are, in the view of US officials, not there to spy, and great care was taken to avoid detection. The US view, endorsed by all the other Five Eyes countries, is that these implants are strategic assets to be detonated in the event of a major confrontation between China and the West, most probably over Taiwan.
If Salt is a strategic spying scare story, Volt is a direct military threat to the western way of life. The consequences can be imagined thus: think of one of the major ransomware attacks the west has suffered, such as the Colonial Pipeline outage; or the 2019 attack on a private company which left English policing short of half its criminal forensics capabilities; or the small English local authority scrambling to restore its services for vulnerable children after an attack in the same year. Now think of dozens or even hundreds of them at the same time – “everything, everywhere, all at once” in the words of Jen Easterly, recently departed head of the US Cybersecurity and Infrastructure Security Agency. Then think of this as ransomware without ransoms – the affected victims cannot pay their way out of trouble because the objective is political, not financial. The economic, social, and even public safety impact of such an operation would be huge.
This is a completely new and extremely troubling scenario. China, for all its many violations of international cyber norms over the years, has no history of disruptive cyber attacks that stop networks from working. It has spied and stolen. And it’s now much better, and more strategically focussed, at that too. That is why both Salt and Volt have Washington and other western capitals rattled.
How did this happen, and what are the implications for Western governments and for those charged with cyber defence?
China’s Cyber Attack Capabilities – A Third Phase?
To tell the story of how, in the words of the Wall Street Journal in January, “Chinese hackers graduated from clumsy corporate thieves to military weapons” it is necessary to look to the history of China’s cyber operations. These can broadly, and a bit crudely, be fitted into three different phases.
The first phase ran from the dawn of the digital age until about 2013. The Communist Party regime was initially terrified of Internet-based communications, and focused on developing ‘protections’ for itself such as the Great Firewall. But it also, at this time of rapid economic expansion in China, spotted an opportunity. Insecure Western corporate systems were easy pickings for major corporate theft (as indeed were lower-classification government systems for more traditional espionage). Industrial-scale hacking of research, designs and so on began. While all of this was sponsored by the state, only some of it was done by full state employees; groups of opportunistic hackers sprang up with loose relationships with the regime. Their hacking was noisy, clumsy and easy to spot – but only after it happened. And the noise did not matter: even before the seminal Mandiant report of 2013, the first major public attribution of this activity, many in the cyber security community spoke openly about China’s corporate theft. There were no consequences for such actions, and many rewards, as a grateful state and corporate sector happily paid for the valuable stolen information. Thus, China’s cyber capabilities were born out of economic objectives, unlike Russia’s, which have always been political.
This began to change with the second phase of Chinese cyber activity, from about 2013 to about 2020, which saw a centralisation and consolidation of China’s capabilities. Three individuals helped shape this, whether intentionally or not. The first, inevitably, was Xi Jinping. The messy, distributed and often chaotic web of actors licensed in some way by the Chinese state ran against his centralising instincts. So his institutional reforms to Chinese administration more generally extended to cyber, with the streamlining of both intelligence and military cyber command structures, and the establishment of a policy agency, the Cyberspace Administration of China, to work out more strategic objectives about what Beijing wanted from cyberspace.
The second key player here was President Obama and his team. His interventions were prompted by the genuine fury in America’s business community about the theft of corporate intellectual property. (Washington was also rattled by the hack of the Office of Personnel Management’s security clearance database, in which the sensitive security records of more than 20 million federal government officials went missing, reflecting China’s simultaneous focus on government espionage.) Consequently, the Obama administration started publicising details of Chinese commercial espionage and threatening Xi’s government with sanctions. This forced an agreement in 2015 which, however imperfect, led to several years of relative quiet on the commercial espionage front, with some notable exceptions. By definition, the agreement required further centralised control over the nation’s hackers, adding further impetus to Xi’s centralisation of capabilities.
The third, and arguably most important, cause of the shift was, however unintentionally, Edward Snowden. It is generally under-appreciated in the West just how important Snowden is in the history of China’s approach to technology. Beijing was stunned at the extent of the US operation revealed by the former National Security Agency contractor, effectively triggering a Sputnik moment in its technology strategy. According to the US Ambassador to China at the time, the distinguished former Senator Max Baucus, “the Snowden leaks dramatically changed Chinese policy towards the internet, its own people, the United States, and the world, with respect to the internet and cyber security”. Many Sinologists believe Snowden helped to precipitate the Made in China 2025 strategy, published two years after his leaks and setting out an extraordinary level of ambition for Chinese tech. Set against the post-Snowden competition for geopolitical supremacy in technology, commercial hacking – the initial foundation of China’s cyber operations – was now, for Xi’s regime, a sideshow.
Thus, the third phase of China’s cyber operations, running from about 2020 to the present, is a logical extension of the consolidation and refocussing of cyber operations in the second half of the last decade. It comes against the backdrop of the epochal geopolitical contest between the US and China for dominance in the technologies of the future. But unlike the public ‘tech war’ of mutual sanctions and industrial expansion in both the US and China, the cyber aspect of the contest was designed to remain a covert part of China’s strategy. Both Salt and Volt Typhoon were in play for years before being detected. And they are strategic compromises of the West on a scale hitherto unseen by any other cyber power.
These twin Typhoon threats – one massive-scale strategic espionage, the other military disruption of key services – come alongside other threats, such as the large-scale theft of strategic data and increasing, though at this stage mostly poor-quality, attempts by China to undertake influence and disinformation operations via digital means. Together they attest to the most significant change in the cyber threat picture in recent years: China’s cyber capabilities are now more strategically and politically focussed, and in general it is much better at this than it used to be.
What is to be done?
Where does this leave western policy makers and cyber defenders? As always, the debate risks generating more heat than light, with outraged but incoherent calls for ‘imposing costs’, ‘striking back’ and so on. The reality is more nuanced – there are fundamental issues for both the domestic defence of western economies and the organisations within them, particularly in the private sector, but also for statecraft.
In all, there are five issues to consider when framing a Western response.
The first is about further development of our own cyber detection capabilities. The official US Government guidance to victim organisations for both Salt and Volt Typhoon is commendably honest and therefore makes for difficult reading: it openly says how hard it is to detect these intrusions. One technique in particular, called ‘living off the land’ in the trade, is hard to find because the intruder uses the tools already present on the network and takes great care to look like a normal administrator or user, leaving no malware to find. This presents a significant challenge for the cyber security industry to develop effective mitigations, but it is essential.
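To make the detection problem concrete, here is an added illustration (not code from the commentary, from RUSI or from any government guidance) of why ‘living off the land’ defeats signature-based defences and what a defender has to do instead. Every binary it looks at is a legitimate, signed Windows administration tool; the signal comes from the argument pattern combined with whether the account has ever used that tool before. The log format, the baseline, the account names, the rule set and the log lines are all constructed assumptions for the example, and the rules are deliberately small; a production detection would also draw on network, authentication and timing context.

```python
"""Toy 'living off the land' detector over process-creation log lines.

Added example; not code from the original commentary, RUSI or any agency.
The log format, the baseline, the rules and the account names are
assumptions constructed for illustration. Every tool named here (ntdsutil,
netsh, wmic, reg) is a legitimate Windows administration binary, which is
exactly why matching on the binary alone fails against this technique:
the signal has to come from the argument pattern and from who is using it.
"""
import re
from dataclasses import dataclass

# Argument patterns that are rarely benign even though the binary is.
# (rule name, regex on image path, regex on command line)
RULES = [
    ("ntds_dump_via_ntdsutil", r"\\ntdsutil\.exe$", r"\bifm\b.*\bcreate full\b"),
    ("portproxy_tunnel_via_netsh", r"\\netsh\.exe$", r"\binterface\s+portproxy\s+add\b"),
    ("remote_exec_via_wmic", r"\\wmic\.exe$", r"\bprocess\s+call\s+create\b"),
    ("credential_hive_export_via_reg", r"\\reg\.exe$", r"\bsave\b.*\\(sam|system|security)\b"),
]

# Built-in tools whose first use by an account is worth a look on its own.
ADMIN_TOOLS = {"ntdsutil.exe", "netsh.exe", "wmic.exe", "reg.exe"}


@dataclass
class Event:
    ts: str
    host: str
    user: str
    image: str      # full path, lower-cased
    cmdline: str


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    severity: str   # "low" | "medium" | "high"
    reasons: list


def parse_line(line: str) -> Event:
    """Constructed format: ts|host|user|image|cmdline (cmdline may contain '|')."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return Event(ts, host, user, image.lower(), cmdline)


def evaluate(event: Event, baseline: dict) -> list:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    for name, image_re, cmd_re in RULES:
        if re.search(image_re, event.image) and re.search(cmd_re, event.cmdline, re.I):
            reasons.append(name)
    exe = event.image.rsplit("\\", 1)[-1]
    seen = baseline.get(event.user.lower(), set())
    if exe in ADMIN_TOOLS and exe not in seen:
        reasons.append(f"first_use_of_{exe}_by_account")
    return reasons


def severity(reasons: list) -> str:
    """A suspicious pattern from an account that never ran the tool is the strong signal."""
    pattern = any(not r.startswith("first_use_of_") for r in reasons)
    novel = any(r.startswith("first_use_of_") for r in reasons)
    if pattern and novel:
        return "high"
    return "medium" if pattern else "low"


def detect(lines, baseline) -> list:
    alerts = []
    for line in lines:
        ev = parse_line(line)
        reasons = evaluate(ev, baseline)
        if reasons:
            alerts.append(Alert(ev.ts, ev.host, ev.user, severity(reasons), reasons))
    return alerts


# Constructed baseline: which admin binaries each account ran in a prior window.
SAMPLE_BASELINE = {
    "corp\\svc_backup": {"ntdsutil.exe", "reg.exe"},
    "corp\\netadmin": {"netsh.exe"},
}

# Constructed log lines (not real telemetry).
SAMPLE_LOG = [
    '2024-01-12T02:13:04Z|DC01|CORP\\svc_backup|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil "ac i ntds" ifm "create full C:\\backup\\ifm" q q',
    '2024-01-12T02:15:51Z|DC01|CORP\\jsmith|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\x" q q',
    "2024-01-12T03:02:17Z|FILE02|CORP\\netadmin|C:\\Windows\\System32\\netsh.exe|netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389",
    "2024-01-12T03:40:00Z|WS117|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe|cmd /c dir",
    "2024-01-12T04:01:33Z|WS117|CORP\\jsmith|C:\\Windows\\System32\\reg.exe|reg save hklm\\sam C:\\Users\\Public\\sam.hiv",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, SAMPLE_BASELINE):
        print(a.ts, a.host, a.user, a.severity, ", ".join(a.reasons))
```

Run on the constructed lines, the backup service account’s nightly directory export and the network administrator’s port-forwarding rule each fire a rule but rate only ‘medium’, because the baseline shows those accounts habitually run those tools; the same ntdsutil command from an ordinary user, and that user’s export of the SAM hive, rate ‘high’. That is the practical point behind the guidance the author describes: when there is no malware to detect, the defender needs a baseline of normal administrative behaviour per account and host, and the telemetry (command lines, not just process names) to compare against it.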
The second is about resilience. This is becoming a cliché, and plenty of more hawkish cyber defenders and geopolitical analysts push back on the notion that you can defend your way out of the problem. But when it comes to resilience, there seems to be little choice but to learn how to cope with the loss of a major network. The British Library in the UK is an instructive example: one ransomware attack by criminals crippled the basic functionality of a key UK institution for months. The essence of the Volt Typhoon threat is dozens or hundreds of such attacks at the same time. So, just as the Covid-19 pandemic prompted soul-searching about just-in-time supply chains, our cyber security vulnerabilities require the same self-examination about fragile services dependent on hackable IT.
The third is about the quality, age and sourcing of our infrastructure. What is now known publicly about the Salt Typhoon spying intrusion in particular is that central to the operation was the exploitation of out-of-date kit. This is a long-standing and well-known problem, especially in the telecommunications sector. Yet most of the policy debate about telecoms security has been, for nearly a decade now, dominated virtually to the exclusion of all other subjects by banning Chinese companies, particularly in the United States. Indeed, Congress’s ‘response’ to Salt Typhoon was finally to confirm a languishing $3 billion programme to replace the remaining Chinese kit in US telecoms infrastructure.
The problem is that the hack had nothing to do with Chinese kit. Every part of the Chinese campaign exploited vulnerable Western-manufactured infrastructure. The general security of often decrepit telecommunications infrastructure, as distinct from who built it, is too often forgotten, particularly in the United States.
This leads to a more general fourth point about policy and regulation. The vast majority of the national security risk presented by Chinese cyber aggression is held in the private sector, in the US and elsewhere in the West. Absent specific rules, governments are relying on companies voluntarily to foot the bill for expensive backup plans for the resilience challenge, or even more costly equipment upgrades for the infrastructure one. Many will do their best, partly out of commercial incentives, and partly because of a sense of public duty and a desire not to be the cause of a national security crisis. But this will often not be enough. In 2021, the UK Parliament passed the Telecommunications (Security) Act, which explicitly requires Britain’s telcos to upgrade their infrastructure security. Importantly, this legislation was enacted at the request of the industry, which explicitly told the government that requests from the state to spend on security were no longer a viable model for a highly competitive industry. The UK Government is, following a similar measure in the EU, also preparing to place into law more general cyber resilience obligations on critical infrastructure providers. There is no sign of the US going down this route, given the deregulatory zeitgeist in Washington at the dawn of the second Trump administration. But both Volt, and especially Salt Typhoon, show how exposed the US is, and how difficult it will be to move the dial without some form of compulsion.
Finally, what is prevalent in Washington is a narrative that the challenge can be met with a more robust response, including by direct action by the US itself against China. There is something in this, as the Obama administration’s success in quieting commercial espionage in 2015 showed. But the reason deterrence in cyberspace has not worked so far is not because we are not ‘striking back’ hard enough. It is because it is very, very difficult. And in particular, like-for-like activity makes little sense.
The US on its own is, by some distance, the most capable cyber power on the planet, and, combined with its allies, further ahead still. Talk of ‘retaliation’ for the Salt Typhoon espionage campaign makes absolutely no sense: the US gains considerable strategic advantage from its intelligence services and to call into question the legality of digital espionage against other states would work against its interests. Moreover, one assumes that the US is conducting extensive espionage operations against China, so ‘retaliation’ for Salt Typhoon is oxymoronic.
For Volt Typhoon, China has not activated any of its digital booby traps yet, and according to the US Government, there is no sign that it intends to. So, there is no activity to ‘punish’ or ‘retaliate’ for yet. That is where deterrence comes in: the US should, as it has been, make it clear to China that the disruption of critical services in the US or allied territory would be absolutely unacceptable and would come with severe consequences. It is also important that Western offensive cyber capabilities are primed to engage properly should the need arise. But what matters is that policymakers of whatever persuasion are not seduced by a false narrative that there is an easy solution based on cyber power, deterrence and threats of retaliation that we have simply been too timid to use.
A paradigm shift
All of these measures – improvements in detection, resilience and the quality of infrastructure; reforms to policy; and a realistic approach to deterrence – are needed if this new threat from China is to be met. But the challenges of domestic protection of critical private sector assets seem the most pressing, not least because, in the medium to long term, other actors with less cautious political calculations than China could exploit the same vulnerabilities.
In this sense, cyber security – reducing the vulnerabilities that have been so gapingly exposed – is hard power. And the starting point to getting there is realising that amidst all the noise and hype about cyber threats one thing has genuinely changed: the threat from China is significantly more serious than at any point in the digital age.
© RUSI, 2025.
The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.
WRITTEN BY
Professor Ciaran Martin CB
Distinguished Fellow; Former Chief Executive Officer, National Cyber Security Centre