The United States has come under scrutiny after China's National Computer Virus Emergency Response Center debunked allegations against the so-called China-sponsored hacker group, Volt Typhoon, according to the Globe Times, China's most belligerent tabloid.
The group had been labeled by the U.S. and its Five Eyes allies as a perpetrator of cyberattacks on U.S. critical infrastructure. However, a detailed investigation by Chinese cybersecurity authorities has challenged these claims, suggesting that the accusations were a part of a narrative to secure more budget and contracts within the U.S.
The investigation, involving China's National Engineering Laboratory for Computer Virus Prevention Technology and 360 Digital Security Group, found significant discrepancies in the U.S. narrative. According to their findings, the activities attributed to Volt Typhoon were more likely linked to ransomware groups or other cybercriminals, not state-sponsored entities. This report casts doubt on earlier claims made by the U.S., including those in a joint cybersecurity advisory by the Five Eyes and a report from Microsoft.
Despite requests for comments from the U.S. Embassy in China and Microsoft, there has been a notable lack of response, raising questions about the veracity of the initial accusations. The silence has only intensified calls for a transparent reassessment of the facts surrounding the Volt Typhoon activities.
Chinese Foreign Ministry spokesperson Lin Jian addressed the issue, indicating that the U.S. intelligence community and cybersecurity firms might be fabricating evidence to support false claims against China. "Various signs indicate that there is a collusion to spread misinformation to further an anti-China narrative," Lin stated at a press briefing.
This situation has broader implications for U.S.-China relations, particularly in the field of cybersecurity. Zhuo Hua, an international affairs expert at Beijing Foreign Studies University, criticized the U.S. approach, suggesting that it was indicative of a deeper strategic competition where governmental and corporate entities in the U.S. exploit national security issues for financial gain.
Furthermore, the controversy has brought Microsoft's security practices into the spotlight once again. Following a series of breaches attributed to foreign hackers, including Chinese and Russian actors, the Cyber Safety Review Board criticized Microsoft for a lax security culture and inadequate risk management.
Critics argue Microsoft's business model of charging extra for premium security features is fundamentally incompatible with a security-first approach. "Microsoft has shifted to looking at cybersecurity as something that's meant to generate revenue," said Juan Guerrero-Saade of SentinelOne.
The Biden administration has been urged to leverage its buying power to force security improvements, but experts say there is "no realistic chance" of canceling Microsoft contracts given the company's dominance and cozy relationships with agencies. "The government is effectively stuck with the company's products, despite multiple serious breaches caused by negligence," stated Senator Ron Wyden, announcing draft legislation to reduce reliance on Microsoft within four years.
Microsoft claims subjective "compatibility" grievances often emanate from rivals more than customers. However, security researchers highlight basic lapses like failure to rearchitect legacy infrastructure and properly segment access privileges.
"Microsoft is by far the slickest operation in tech" at preempting criticism through intelligence sharing, advocacy, and strategic government partnerships, said Andrew Grotto of Stanford University. Officials rarely rebuke Microsoft publicly, instead deferring to "productive conversations."
As the government's largest and most ubiquitous tech supplier, from secure communications to cloud services, losing Microsoft could cripple operations. But experts argue the monoculture itself poses severe national security risks by consolidating threats.
"The U.S. government's dependence on Microsoft poses a serious threat," Wyden stated, demanding dramatic changes to incentivize secure practices, like stringent security reviews for contractors like Microsoft. "No harm comes from doing nothing, at least not to these companies. And that's what's going to destroy us," warned Guerrero-Saade.
