FBI Director Christopher Wray warned Thursday that the threat posed by Chinese hacking operations to U.S. critical infrastructure has become more urgent, as intelligence agencies have said that groups like Volt Typhoon are preparing for the possibility of widespread disruptive actions as early as 2027.
Wray said during a speech at Vanderbilt University that China has targeted dozens of oil pipeline entities since 2011, in some cases ignoring business and financial information entirely while stealing data on control and monitoring systems.
More recently, Volt Typhoon has conducted broad targeting of American companies in the water, energy and telecommunications sectors, among others, which U.S. officials have described as “pre-positioning” for future attacks that could disrupt or halt systems responsible for critical services upon which Americans rely. Dragos, a private threat intelligence company that focuses on critical infrastructure, said in February that the group has also been observed targeting entities that provide satellite and emergency management services.
The ultimate purpose of this activity is to give Beijing “the ability to physically wreak havoc on our critical infrastructure at a time of its choosing,” Wray said.
The comments mark something of a shift in how the bureau and other national security officials have described the threat posed by Chinese hackers in the past.
U.S. officials have long sounded the alarm on the broader threat posed by China’s hacking operations, in particular the pervasive targeting of American companies in order to steal sensitive technologies and intellectual property that can be passed along to Chinese industry. This kind of economic espionage has persisted for decades, even after U.S. President Barack Obama and Chinese President Xi Jinping announced a deal in 2015 promising to curb such activity.
Law enforcement and intelligence agencies have also warned that Chinese hackers — which Wray said are so numerous that they outnumber the bureau’s total cyber personnel 50 to 1 — threaten American critical infrastructure and government agencies, but have historically described Beijing’s operations as more of a slow-burn, longer-term concern compared to other countries, like Russia.
“I kind of look at Russia as the hurricane. It comes in fast and hard” while China “is climate change: long, slow, pervasive,” Rob Joyce, NSA’s former cybersecurity director, told reporters in 2019 at the RSA Conference in San Francisco.
Wray said Thursday that the FBI and other federal agencies were preparing 2024 budgets with an eye towards the kind of resources they’ll need to defend against a potential broad attack on critical infrastructure.
He noted that the Office of the Director of National Intelligence assessed last year that Beijing is trying to build the capability to deter U.S. intervention in a crisis between China and Taiwan by 2027. That timeframe “is not exactly long-term” and some of the planning for that possibility is being carried out now.
“A few years ago, we might have said China represents the most significant long-term threat. That’s no longer the best way to describe the danger,” Wray said.
An annual threat assessment from ODNI last year assessed that China was “working to meet its goal of fielding a military by 2027 designed to deter U.S. intervention in a future cross-Strait crisis.” The 2024 version of that report noted that activity from Volt Typhoon was likely “intended to pre-position cyber attacks against infrastructure in Guam and to enable disrupting communications between the United States and Asia.”
Wray’s comments built on a series of increasingly pitched warnings U.S. officials have made since the start of the year around Chinese targeting of U.S. critical infrastructure. However, despite the alarms, digital defenders in critical infrastructure have expressed frustration at the lack of detail these warnings contain, as well as an explanation for how China’s actions over the past year differ from the kind of activity that the bureau acknowledged has been ongoing since at least 2011.