What would it take for China to gain the upper hand in a potential confrontation over Taiwan? Interrupting American telecommunications would be a good start. So the recent news that China successfully infiltrated critical telecommunications systems in Guam – home to an American airbase that would be central to any potential confrontation over Taiwan – raises urgent questions about America’s cybersecurity and that of its key allies.
Cyber competition and preparation for cyber warfare are at the forefront of the contest between the United States and its democratic partners, on the one hand, and authoritarian adversaries such as China and Russia on the other. And just as autocracies support each other in their malign activities in the digital space, America must lead a coordinated campaign to shore up cybersecurity within the democratic world.
Coupled with direct attacks on American assets, China and Russia use cyber-attacks to undermine the internal politics and institutions of U.S. allies and democratic partners. Pro-Kremlin hackers recently used distributed denial-of-service (DDoS) attacks to crash France’s National Assembly website and Polish e-government websites. Pro-Beijing actors have increasingly integrated cyberattacks and disinformation campaigns. Last year, after U.S. Speaker of the House Nancy Pelosi’s visit to Taiwan, cyber attackers disabled the website of the Taiwanese president’s office and its Ministry of National Defense, and propagandists spread disinformation about the Taiwanese government’s actions aimed at undermining confidence in the government’s handling of the coronavirus pandemic. RedAlpha, a hacking group linked to China, has consistently targeted civil society groups that the Chinese Communist Party calls the “five poisons”: Tibetans, Uyghurs, Taiwanese, democracy activists, and the Falun Gong.
These activities have already proven to be incredibly disruptive and destructive. A more aggressive campaign could be used to devastating effect in the event of an international crisis, such as a Chinese invasion of Taiwan, or as a means of interrupting core governmental functions, such as attacks on the machinery of elections. Absent a strategy and associated resourcing to prevent, mitigate, and counter cyber-attacks, China and Russia will continue using existing and evolving tools – from DDoS to generative AI – to support autocrats and weaken our democratic allies.
Important Steps
The United States has taken important steps to address this threat generally – and with respect to democracy assistance in particular. The State Department established a Bureau of Cyberspace and Digital Policy, including a unit on International Cyberspace Security (ICS), with the goal of using foreign assistance funding to build cybersecurity capacity globally. The U.S. Agency for International Development (USAID) created its “Cyber Cavalry,” a mechanism that leverages America’s private sector to deliver cybersecurity technical support to the agency’s democracy-building partners and beneficiaries abroad – particularly those threatened by malign actors and influences.
While such initiatives represent a step in the right direction, they are far from sufficient. For example, even though 98 percent of the USAID budget is earmarked, or directed for a specific purpose, none of these pre-allocated funds are dedicated to cybersecurity. This means the United States has little, if any, resourcing available to support a strong defensive posture for partners to prevent attacks in the first place. And while the United States has implemented and allocated some resources for cybersecurity assistance to allied governments (through USAID as well as the Department of Defense) and, to a lesser extent, to vulnerable NGOs, the assistance level needs to be substantially higher and matched equally with a more intentional and more coordinated approach to cyber defense.
Simply put, the U.S. approach to protecting its partners against cyber threats has not kept pace with the scale and scope of cybersecurity challenges. The lack of sustained funding has made it difficult for the United States to develop a forward-looking, coordinated strategy and operational plans with local partners to not only respond to attacks but, more importantly, to firm up defensive posture for future deterrence. To change this, Congress and the relevant agencies and departments within the U.S. government should consider four specific measures.
Sustained and Predictable Funding
To begin with, policymakers must find a way to allocate sustained and predictable funding to bolster the cybersecurity capabilities of key democratic allies, with an emphasis on those in the Global South that lack the required resources or capacity. This could involve Congress establishing a fund that would support partner governments and civil society organizations with their cyber defenses or augmenting existing democracy and governance resources.
Second, the United States can help partner nations strengthen their domestic laws and regulations to improve cybersecurity. Such interventions could support executive branch institutions, judicial institutions, and legislatures, as well as bolster awareness and training within political parties and civil society. (Full disclosure: our organization receives U.S. government funding to implement democracy and governance projects.) Subsequent support could be provided to ensure implementation across national and subnational governments. The U.S. House Democracy Partnership, a congressional diplomacy initiative, could leverage its global platform to spotlight and share comparative examples of quality cybersecurity frameworks with allied governments for consideration and adoption.
Third, the United States should require that the information systems of all partners and implementers meet or exceed minimum standards and requirements for best practices. That might mean, for example, accelerating movement to secure cloud services, and ensuring investment in technology and personnel to match these goals. This could involve an Executive Order applying to foreign aid comparable to that on improving the cybersecurity of the United States. To address resource and capacity constraints, partners should adopt a risk-based approach which prioritizes the most critical assets and systems.
Finally, to understand the threat landscape better, the United States can encourage partner governments and organizations to increase the sharing of cyber incident and threat information. This could include a more coordinated and centralized cataloging of incidents, tactics, and countermeasures. The U.S. should also engage directly with civil society organizations and activists — who often are in the crosshairs of China, Russia, or the autocrats they enable — to inform U.S. interagency cybersecurity working groups and promote information and resource sharing. These groups can share insights with the United States on the latest tactics the CCP or Kremlin are using to infiltrate their organizational technology infrastructure, which the United States can then use to inform tool and resource development.
The cyber domain is pivotal in the contest between democracies and autocracies. It is past time for the United States, as leader of the free world, to spearhead a robust effort to inoculate the democratic world against the predations of its adversaries.