The C-Suite and the Beltway: The Private Sector’s Role in Cyberspace 

The rivalry between the United States and the People’s Republic of China (PRC) is often characterized as a challenge requiring “a whole-of-society response.”[1] Unlike traditional geopolitical and security issues that are considered the exclusive purview of the military and the federal government, competition between the United States and the PRC frequently spills over into news studios, corporate boardrooms, and college campuses.

The cyber dimension of this conflict is a case in point. Much of the infrastructure—everything from cell towers to cables to personal devices—that both the public and the government use to communicate is commercially owned and operated. This infrastructure is both a tool and a target for adversaries, making the private sector a key player in technological competition whether it wants to be or not.

The influential role of the private sector in cyber competition adds a layer of complexity to geopolitical competition between two powers, creating a “two-level game” where each government must simultaneously interact with its opponent as well as its own private sector.[2] The private sector’s interests will not always align with its government’s interests, and the government will not always have full authority to dictate how the private sector behaves. These bounds of possibility are driven by each side’s political, legal, and cultural contexts, which combine to create a “cyber regime” under which each nation’s respective technology sectors operate. These different contexts pose differing challenges and opportunities for both American and Chinese leaders and make the role of the commercial actors more nuanced than a simple dichotomy of pro-government or anti-government.

Rather than assuming their corporate counterparts will patriotically accept the primacy of national security concerns, American military commanders and policymakers must appreciate the technology sector’s legal and political challenges to craft effective and sustainable partnerships to secure critical infrastructure from foreign cyber threats. While the government and private sector will almost certainly diverge in perspectives on cybersecurity in some cases, the private sector still provides clear advantages for national security: warning, innovation, resilience, and emergency response. The power of these assets greatly outweighs any perceived benefit from adopting a more coercive model of government-business relations in cyberspace as exemplified by the PRC.

How Cyber Regimes Shape the C-Suite’s Perspective

While corporations are generally subject to the laws of the countries they operate in, their actions and interests are central to the character of a country’s cyber regime—the policies, values, and norms that shape how freely or restrictively information flows through cyberspace.

Cyberspace is an inherently artificial domain. Unlike ground, maritime, and air domains which are all profoundly impacted by the elements and the laws of physics, the cyber domain is almost exclusively shaped by human decisions. Vulnerabilities in software, configuration of networks, and the design of communications infrastructure are all the result of deliberate decisions made by an individual or group. Therefore, the cyber landscape in the United States and China looks markedly different, as both societies perceive and leverage technology differently.

Military-Civil Fusion and the Chinese Cyber Regime

Like many other facets of life in China under the rule of the Chinese Communist Party (CCP), the Chinese cyber regime is predominantly shaped by the primacy of the CCP and its total control of the Chinese economy and society. The CCP views information control as a critical tenet of regime security, driving the party-state’s fixation on controlling the digital means for information to move into and throughout China.[3] According to one independent study, the Chinese government imposes over 60,000 rules on the information that search engines are permitted to disseminate.[4] While rigidly directed and overseen by the party-state, internet-service providers (ISPs) are responsible for the implementation of censorship. As a result, internet controls are baked into both the hardware and software available for use by Chinese citizens.[5]

A core principle that governs relations between Chinese businesses and the party-state is the concept of Military-Civil Fusion (MCF), a strategy that aims to leverage Chinese science and technology for military purposes.[6] This approach deliberately blurs the distinction between the civilian and military spheres of Chinese society to pool the resources available to satisfy national objectives. A manifestation of MCF in the cyber domain is the Chinese government’s policy on cybersecurity vulnerability disclosure, which requires companies operating in China to share vulnerabilities directly with the government while simultaneously prohibiting public disclosure.[7] Such a practice of hiding known vulnerabilities would be considered gross negligence in the American system, where companies often have ethical and legal obligations to disclose and remediate vulnerabilities in their products in order to protect their customers. This arrangement allows the Chinese government—and by extension, the People’s Liberation Army (PLA)—to hoard vulnerabilities and possibly weaponize them against other countries.

MCF also enables industry to benefit from the actions of the party-state, such as through the PRC’s persistent campaign of cyber-enabled intellectual property theft. In open-source data, the PRC has been the most common perpetrator of cyber espionage.[8] The theft of intellectual property relieves the Chinese science and technology sector from the need to invest time, money, and personnel in research and development that may or may not result in a viable end-product. Moreover, the Office of the U.S. Trade Representative has published evidence that Chinese state-owned enterprises are able to leverage information collected by Chinese intelligence services to gain a competitive advantage over American competitors.[9] While there are fewer restraints on the government’s ability to coerce organizations and individuals in the Chinese system than in the American system, the arrangement is largely symbiotic and yields tangible advantages to both the CCP and the Chinese commercial sector.[10]

The American Dream and Cyber Regime

Meanwhile, in the United States, the private sector is viewed as both a hero and villain within American society. Historians have credited the defense industry with playing a decisive role in World War II, and the technology start-ups in Silicon Valley are commonly regarded as exemplars of the American innovative spirit.[11] Other corners of American society are skeptical of “big business” and especially of a “military-industrial complex” that might become so powerful as to skew the federal government toward perennial war, as President Dwight Eisenhower famously warned in his farewell address.[12] More recently, the American public has grown increasingly wary of “big tech” and the possibility that social media may have the ability and desire to censor everyday citizens who use their platforms and rely on them for access to information.[13]

This tension between enthusiasm and skepticism for the defense and technology sectors is in part driven by the long-standing embrace of constitutional principles. The Fourth and Fifth Amendments together provide the legal and political basis for the rights to private property, which in turn creates the foundation for a robust capitalist economy.[14] As Alexis de Tocqueville, a French diplomat and political scientist in the 1800s, observed early on in American history, all citizens regardless of their wealth are “led to engage in commerce, not only for the sake of the profit it holds out to them, but for the love of the constant excitement occasioned by that pursuit.”[15] The digital sector is perhaps one of the clearest examples of this sentiment; successful technology firms not only pride themselves on being profitable but on their ability to provide convenience and enjoyment to their customers.[16]

However, these same principles of individual autonomy and initiative that have bolstered the American technology sector also fuel general skepticism toward it. The omnipresence of digital connectivity—including everything from healthcare to banking to personal communications—has heightened the public’s awareness of the risks of data breaches.[17] These data breaches present a direct affront to personal privacy and rise to a matter of grave national security concern when they affect large amalgamations of data that the government depends on to function. Fears that “big tech” is either spying on American citizens or at least failing to properly secure their customers’ data drive political pressure for policymakers to more tightly regulate American technology firms.[18]

Given these concerns, business leaders must contend with cybersecurity concerns from three key audiences: shareholders, regulators, and customers. Foremost in their minds will often be their fiduciary responsibility to act in the best interest of their shareholders. Public exposure of cyber incidents often causes stock prices to decline.[19] In fact, cybersecurity incidents and stock performance are now directly linked by policy, due to a Securities and Exchange Commission (SEC) rule implemented in 2023 that mandates publicly-traded corporations disclose material cybersecurity incidents.[20] Corporations also face a perception that their pursuit of profit causes them to cut corners in the design of their products and “pass the buck” on security.[21]

Finally, in order to avoid the ire of both investors and regulators, business leaders are especially attuned to the perceived security of their digital products and services. While advances in data analytics have created new business opportunities for companies with large customer bases, the collection and use of customer data also involves a reputational risk if customers begin to view a company as a poor steward of this data.[22] Taken together, pressure from shareholders, regulators, and customers to emphasize cybersecurity among corporate priorities creates a heightened source of risk for business leaders. Apart from technology and cybersecurity firms, which are organized around providing cybersecurity tools and services, firms experience cybersecurity as a risk that detracts from their regular operations.

American constitutional principles and capitalist economic norms emanate throughout the cyber terrain in the United States. The extreme digitization of American society and industry has simultaneously created both great prosperity and great vulnerability. While the pursuit of profit and innovation certainly pervades corporate America, this inclination is tempered by how basic individual freedoms can be jeopardized both in and through the cyber domain.

The “WIRE” Framework for Public-Private Cybersecurity Partnership

American strategists and policymakers are at risk of learning the wrong lessons from the recent track record of cyber operations in Ukraine. In the weeks leading up to Russia’s invasion of Ukraine, Russia’s history of malicious cyber activity against Ukraine led pundits to predict that “a cyber attack that’ll go after the grid of the Ukrainians” would be the first phase of Russia’s aggression.[23] After months and years of warfare in Ukraine have passed without the cyber catastrophe experts expected, some experts now downplay the role of cyber capabilities in warfare and strategy.[24]

Such a dismissal of what is possible in the cyber domain is premature and also overlooks the pivotal role that private entities played in the cyber defense of Ukrainian governmental functions and critical infrastructure. In the weeks leading up to Russia’s invasion, Microsoft assisted the Ukrainian government in moving its critical data and processes to Microsoft’s cloud-based infrastructure, which meant that Ukraine’s critical governmental functions would not be solely reliant on physical equipment that resides in Ukraine.[25] In the event of destruction of telecommunications and information technology infrastructure, the Ukrainian government would continue to function. Other American technology and cybersecurity firms continue to assist the Ukrainian government in becoming more resilient and more secure.

Russia’s failure to achieve significant military ends via cyber means should not be interpreted as proof that the efficacy of cyber operations is overhyped. Rather, the Ukrainian example is a starting point to understand how a country’s cyber power is impacted by its private sector entities. Military commanders and policymakers must not fail to imagine how offensive and defensive cyber activities can play a more significant role in future contingencies than they have in recent conflicts, especially when collaboration with the private sector is possible.

The private sector can contribute to the cyber protection of critical infrastructure and other core societal functions by fulfilling a number of critical functions that benefit both the public and private sector’s cybersecurity. The private sector can enhance national security in cyberspace by serving as an additional source of warning, innovation, resilience, and emergency response (WIRE). In some cases, these contributions will be functions that the government may not have the authority or resources to perform. In other cases, the private sector may duplicate some of the government’s efforts, but this redundancy will often still be a positive contribution by preventing singular points of failure in complex systems, especially in the context of defending the 16 infrastructure sectors designated as “critical” under National Security Memorandum 22 (NSM-22).[26] NSM-22 greatly expands upon an already complex Presidential Policy Directive 21 (PPD-21), which was released in 2013 and delineates even more tasks and responsibilities that the federal government must cover.[27] This expansion underscores how the challenge of securing critical infrastructure from cyber threats only continues to grow in terms of scope and complexity. Thus, fully leveraging the capacity and capability that the private sector offers in each of these four “WIRE” functions will be critical for the federal government to meet this challenge.

Warning

During his tenure, former Secretary of Defense Leon Panetta warned of a “cyber-Pearl Harbor that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”[28] The stealthy, invisible nature of cyber operations enables the sort of catastrophic surprise attack that has shaped the history of the American national security apparatus. Because such a large quantity of American telecommunications infrastructure is privately owned, such a surprise cyber operation would almost certainly traverse private infrastructure.[29] As a result, understanding the full scope and scale of how malicious cyber actors behave would be impossible without access to private sector data.

This reality is especially true in identifying malicious cyber activity emanating from the PRC. In May 2023, Microsoft publicly announced that it had discovered a persistent campaign by a state-sponsored Chinese actor to develop a capability to disrupt critical infrastructure in the United States and Asia.[30] This announcement included descriptions of technical indicators of the activity, which enable other cybersecurity analysts to search for the same tactics on their respective networks.[31] Moreover, because the Microsoft Windows operating system is prevalent across many sectors, Microsoft’s discovery and subsequent mitigation efforts have a positive cascading effect of securing many entities at once. Microsoft’s publication—in conjunction with government efforts—was key to preventing the cyber-enabled disaster that Secretary Panetta feared. Thankfully, there are already a number of nascent mechanisms that facilitate warning from the private sector to intelligence and other government agencies. The National Security Agency’s Cybersecurity Collaboration Center and the Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative both exist as forums where the cybersecurity teams of major companies can directly engage cyber intelligence analysts.[32]

The extent of digital connectivity across American and Chinese society gives strategic relevance to cyber weapons. Each society contains potentially billions of devices that could be impacted by a well-designed and well-resourced cyber campaign.[33] From a strategic standpoint, the scale of this societal vulnerability necessitates prioritizing which critical networks to expend finite resources defending—and conversely, aligning resources to the development of the offensive capabilities that are most likely to have the desired impacts in both competition and conflict. This prioritization is further complicated by the fact that many of these critical networks are privately owned and operated. Even if the U.S. government had full legal authority to monitor all vital infrastructure and communications networks within its jurisdiction, intelligence analysts would still be overwhelmed with data and likely unable to differentiate between true threats and benign network traffic. Thus, the private sector has a key role in monitoring networks that defense and intelligence agencies may not be able to devote resources toward defending but that may still be targeted by adversaries to steal American citizens’ personal data or disrupt their daily lives.

Innovation

The private sector plays a central and well-documented role in technological competition with the PRC. In cyberspace, the private sector is a target for malign cyber activity, especially attempted espionage that seeks to steal intellectual property from American technology firms.[34] Cyber intrusions are perhaps the most dangerous and difficult to track, as other methods of acquiring foreign intellectual property, such as coerced technology transfer and outbound investment, are more overt.[35] The loss of bespoke intellectual property to a foreign government can be especially grave for national security, but such threats can be interpreted differently by industry stakeholders. For example, while the intelligence community’s overriding concern is most often nation-state-sponsored cyber activity, corporate leaders are more likely to be concerned about threats that pose more direct risk to profit and business operations, such as when the WannaCry ransomware attack temporarily shut down microchip production at Taiwan Semiconductor Manufacturing Company Limited (TSMC), the world’s largest contract chipmaker.[36]

Safeguarding innovation from foreign cyber threats will only become more critical as technological advancements manifest themselves in the form of software more than hardware. An adversary that steals the design of a weapon system, for example, may save on research and development costs, but that adversary would still need to expend resources to actually produce that system if desired. Replicating stolen software or code is much more straightforward. Even more insidious, an attacker who is able to infiltrate systems used to develop software could corrupt the integrity of the software and intentionally introduce flaws into that software without the knowledge of the developer. This tactic, referred to as a software supply chain attack, will be a heightened risk for autonomous platforms as they, by their nature, will not have a human operator who can revert to manual control of the platform.[37] This threat creates a vested interest for the government and the military in the cybersecurity of not only weapons systems but also the corporate networks of the producers of those systems.

While the private sector is a large target for Chinese cyber-enabled espionage, its dynamic qualities can still be leveraged to counter cyber campaigns. For instance, emerging artificial intelligence (AI) capabilities may shift cyber competition to the advantage of the defender. Traditionally, stealthy cyber operators often attempt to obfuscate their actions with legitimate traffic, creating a “needle-in-the-haystack” challenge for defenders. Even simple machine learning techniques can aggregate and sort large amounts of network data to help analysts identify anomalies, as some technology firms such as Google are seeking to implement.[38] Such an improvement will be significant but not permanent, as attackers will again shift tactics and potentially target these AI capabilities themselves. To keep up with this adaptation, the government and private sector will need to closely coordinate to both protect this innovation from theft as well as facilitate further innovation. Because of the dynamism inherent to high-performing technology firms, they will be instrumental to helping the government and intelligence community expeditiously counter attempts to undermine American innovation and technological prowess.

Resilience

Even with optimal warning, the quantity of key targets that are vulnerable to cyber attacks means that successful intrusions will occur. The ability to detect and respond to intrusions is as critical as the ability to prevent intrusions. Capturing data and indicators of successful compromises allows cyber defenders to adapt their networks to respond to how attackers abuse legitimate functions and circumvent preventative measures. To ensure that critical infrastructure functions without disruption, both government and the private sector must be constantly postured to quickly identify and fix compromises.

NSM-22 defines 16 sectors as vital to “the Nation’s safety, prosperity, and well-being.”[39] In a conflict, an adversary may target critical infrastructure to slow down and possibly halt military operations and thereby gain a military advantage; potential targets include electrical power facilities, pipelines, railroads, and logistics and communications networks.[40] Monitoring and protecting these 16 sectors is an enormous task, and in a conflict many if not all may be targeted by destructive cyber operations to potentially slow down or halt military operations or impose costs on American society. Cybersecurity firms should thus be a key element in helping protect the expansive attack surface of American critical infrastructure.

Finally, resilience must also encompass how the government and its private sector partners communicate the impacts of a cyber-enabled disruption. Cyber operations against critical infrastructure pose a psychological threat to everyday citizens as much as a threat to the actual delivery of vital services. This psychological threat was highlighted by the panic buying of gasoline triggered by news reports of a ransomware attack against the Colonial Pipeline company.[41] The actions of consumers likely contributed more to the subsequent fuel shortages than the actual disruptions Colonial Pipeline experienced.[42] Therefore, while the attack only directly targeted a single energy company, its impact effectively reached millions of American citizens. When a disruptive compromise occurs, the government and private sector firms involved must carefully coordinate how they communicate with the public. Discrepancies between how government agencies and cybersecurity companies depict a cyber event might trigger the public to speculate that one or the other is downplaying the severity, further exacerbating the psychological risk involved in protecting critical infrastructure from cyber threats.

Emergency Response

As the cyber dimension of the Russia-Ukraine crisis demonstrates, the private sector possesses significant capabilities that can be leveraged in an emergency. The opening stages of a cyber event are often marred by confusion, as both the cybersecurity industry and the intelligence community scramble to identify how an intrusion occurred, who is behind it, and how to mitigate the impact. Industry is a key partner in finding answers to these questions as well as forging a path forward to recover.

A central component of emergency response is reconstituting disrupted capabilities. In the Ukrainian example, the ability to rapidly acquire and field Starlink terminals mitigated the grave kinetic and cyber impacts to satellite communications and telecommunications infrastructure.[43] Companies that are able to deploy solutions to emergency issues help mitigate some of the bureaucratic burden that the interagency process must navigate in the midst of a crisis. Even if a commercial capability is an emergency alternative, this redundancy can still enhance overall cybersecurity by altering an attacker’s prospective gain. If a reliable alternative exists to nullify the potential impact of a cyber-enabled denial of a given system, that attacker may be hesitant to waste limited time and resources on such a target.

No two emergencies are the same, so it may not be possible or desirable for governmental emergency response plans to always rely on the private sector to perform vital options on behalf of the government. In the context of competition or conflict with the PRC, the involvement of U.S. technology firms in the Chinese economy may be a complicating factor in these companies’ potential assistance to the United States or its allies. One study notes that, out of the 18 American firms that assisted Ukraine in its resistance of Russia’s 2022 invasion, four have “extensive economic linkages with China,” while none of the 18 had similarly extensive links to the Russian economy at the onset of the crisis.[44] The nature of private sector assistance in response to a cyber emergency will be contingent on the details of that event, and while certainly impactful, the degree of assistance the private sector will offer in a future crisis most likely cannot be predicted.

Hard-Wired for Collaboration?

All four of these avenues for public-private collaboration on cybersecurity leverage the private sector’s advantage in speed and scale relative to the government. There is no singular “cybersecurity agency” within the federal government, so extensive interagency coordination is the norm. Moreover, even when aggregated, the scope of the government’s ability to understand the cyber terrain—especially domestically—is limited by both legal authorities and resource constraints. Private sector technology and cybersecurity firms provide potential answers to both of these challenges. While certainly disadvantaged in some ways, the government still retains a critical role in the baseline cybersecurity of the nation, especially in its ability to advocate for its own national security interests. The digital reality of modern American society requires that the public and private sectors combine their relative strengths to ensure the protection of critical infrastructure and economic prosperity. 

Policymakers must understand the challenges and perspectives of private sector entities to best leverage their cybersecurity capabilities. These advantages predominantly exist because of—and not in spite of—unique attributes of the American political and economic systems that provide technology firms with significant leeway to operate and innovate. Adopting a more coercive posture to attempt to mirror the PRC’s cyber regime is neither feasible nor desirable for the constitutional democracy and market economy that exist in the United States. Rather, opportunities for voluntary collaboration between the American federal government and private sector provide powerful options to thwart Chinese cyber threats without compromising freedom and prosperity that American citizens enjoy in cyberspace. 

The views expressed in this article are those of this author alone and do not necessarily represent the views of the U.S. Navy, the Department of Defense, or the U.S. Federal Government.

Image: Ha, Van. Jeff Bezos visits LAAFB SMC, December 31, 2011, from the U.S. Space Force. Retrieved from: https://commons.wikimedia.org/wiki/File:Jeff_Bezos_visits_LAAFB_SMC_(3908620).jpeg, used under Wikimedia Commons.

[1] Christopher Wray, “The Threat Posed by the Chinese Government and the Chinese Communist Party to the Economic and National Security of the United States,” remarks delivered at the Hudson Institute, July 7, 2020, https://www.fbi.gov/news/speeches/the-threat-posed-by-the-chinese-government-and-the-chinese-communist-party-to-the-economic-and-national-security-of-the-united-states. 

[2] Robert D. Putnam, “Diplomacy and Domestic Politics: The Logic of Two-Level Games,” International Organization 42, no. 3 (Summer, 1988), https://www.jstor.org/stable/2706785. 

[3] Yik Chan Chin, “Internet Governance in China: The Network Governance Approach,” China into the New Era, January 17, 2019, https://ssrn.com/abstract=3310921.

[4] Jeffrey Knockel, Ken Kato, and Emile Dirks, “Missing Links: A comparison of search censorship in China,” Citizen Lab, April 23, 2023, https://citizenlab.ca/2023/04/a-comparison-of-search-censorship-in-china/. 

[5] “Race to the Bottom: Corporate Complicity in Chinese Internet Censorship,” Human Rights Watch, August 10, 2006, https://www.hrw.org/report/2006/08/10/race-bottom/corporate-complicity-chinese-internet-censorship#8843. 

[6] “The Chinese Communist Party’s Military-Civil Fusion Policy,” U.S. Department of State, last modified January 20, 2021, https://2017-2021.state.gov/military-civil-fusion/. 

[7] Catalin Cimpanu, “Chinese government lays out new vulnerability disclosure rules,” The Record, July 13, 2021, https://therecord.media/chinese-government-lays-out-new-vulnerability-disclosure-rules.

[8] “Cyber Operations Tracker,” Council on Foreign Relations, accessed June 17, 2024, https://www.cfr.org/cyber-operations/. 

[9] Office of the U.S. Trade Representative, Findings of the Investigation into China’s Acts, Policies, and Practices Related to Technology Transfer, Intellectual Property, And Innovation Under Section 301 Of The Trade Act Of 1974 (Washington, DC, 2018), 164-167, https://ustr.gov/sites/default/files/Section%20301%20FINAL.PDF.

[10] “Freedom on the Net 2023: China,” Freedom House, accessed June 17, 2024, https://freedomhouse.org/country/china/freedom-net/2023.  

[11] Arthur Herman, Freedom’s Forge, (New York: Random House Trade Paperbacks, 2013). 

[12] Dwight Eisenhower, “Farewell Address,” January 17, 1961, https://www.archives.gov/milestone-documents/president-dwight-d-eisenhowers-farewell-address. 

[13] Sean Kates, Jonathan Ladd, and Joshua A. Tucker, “How Americans’ confidence in technology firms has dropped,” Brookings Institution, June 14, 2023, https://www.brookings.edu/articles/how-americans-confidence-in-technology-firms-has-dropped-evidence-from-the-second-wave-of-the-american-institutional-confidence-poll/. 

[14] U.S. Constitution, amend. 4; U.S. Constitution, amend. 5.

[15] Alexis de Tocqueville, Democracy in America (1835), chapter 14. 

[16] Andrew McAfee, “4 Ways Silicon Valley Changed How Companies Are Run,” Harvard Business Review, November 14, 2023, https://hbr.org/2023/11/4-ways-silicon-valley-changed-how-companies-are-run.  

[17] Andrew Burt, “Privacy and Cybersecurity Are Converging. Here’s Why That Matters for People and for Companies,” Harvard Business Review, January 3, 2019, https://hbr.org/2019/01/privacy-and-cybersecurity-are-converging-heres-why-that-matters-for-people-and-for-companies. 

[18] Brian Schaffner, “Public Demand for Regulating Big Tech,” The Tech Oversight Project, June 6, 2022, https://techoversight.org/wp-content/uploads/2022/06/Schaffner-Big-Tech-Polling.pdf. 

[19] Keman Huang, et al., “The Devastating Business Impacts of a Cyber Breach,” Harvard Business Review, May 4, 2023, https://hbr.org/2023/05/the-devastating-business-impacts-of-a-cyber-breach. 

[20] Securities and Exchange Commission, “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” July 23, 2023, https://www.sec.gov/news/press-release/2023-139. 

[21] Jen Easterly and Eric Goldstein, “Stop Passing the Buck on Cybersecurity,” Foreign Affairs, February 1, 2023, https://www.foreignaffairs.com/united-states/stop-passing-buck-cybersecurity. 

[22] Venky Anant, et al., “The consumer-data opportunity and the privacy imperative,” McKinsey and Company, April 27, 2020, https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/the-consumer-data-opportunity-and-the-privacy-imperative. 

[23] James Stavridis, The News with Shepherd Smith, CNBC, February 11, 2022, https://www.cnbc.com/video/2022/02/11/if-russia-invades-ukraine-well-provide-high-level-intelligence-and-cyber-protection-adm-stavridis.html. 

[24] Benjamin Jensen, et al., “Cyber Operations during the Russo-Ukrainian War: From Strange Patterns to Alternative Futures,” Center for Strategic and International Studies, July 13, 2023, https://www.csis.org/analysis/cyber-operations-during-russo-ukrainian-war. 

[25] Microsoft, “Defending Ukraine: Early Lessons from the Cyber War,” June 22, 2022, https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE50KOK. 

[26] “National Security Memorandum on Critical Infrastructure Security and Resilience,” The White House, April 30, 2024, https://www.whitehouse.gov/briefing-room/presidential-actions/2024/04/30/national-security-memorandum-on-critical-infrastructure-security-and-resilience/. 

[27] “Presidential Policy Directive – Critical Infrastructure Security and Resilience,” The White House, February 12, 2013, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.  

[28] Elisabeth Bumiller and Thom Shanker, “Panetta Warns of Dire Threat of Cyberattack on US,” New York Times, October 11, 2012, https://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html. 

[29] “Communications Sector,” Cybersecurity and Infrastructure Security Agency, accessed June 17, 2024, https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/communications-sector. 

[30] Microsoft Threat Intelligence, “Volt Typhoon targets US critical infrastructure with living-off-the-land techniques,” Microsoft Corporation, May 24, 2023, https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/. 

[31] Microsoft Threat Intelligence Center, “Volt Typhoon targets US critical infrastructure.” 

[32] “NSA Cybersecurity Collaboration Center,” NSA/CSS, accessed June 10, 2024, https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/; “Joint Cyber Defense Collaborative,” Cybersecurity & Infrastructure Security Agency, accessed June 10, 2024, https://www.cisa.gov/topics/partnerships-and-collaboration/joint-cyber-defense-collaborative.

[33] Lionel Sujay Vailshery, “Number of Internet of Things (IoT) connected devices worldwide from 2019 to 2030, by vertical,” Statista, May 22, 2024, https://www.statista.com/statistics/1194682/iot-connected-devices-vertically/. 

[34] “China: The Risk to Corporate America,” Federal Bureau of Investigation (2019), https://www.fbi.gov/file-repository/china-risk-to-corporate-america-2019.pdf/view. 

[35] Office of the U.S. Trade Representative, Findings of the Investigation, 153.

[36] Yimou Lee, “Apple chip supplier TSMC resumes production after WannaCry attack,” Reuters, August 6, 2018, https://www.reuters.com/article/idUSKBN1KR0B8/. 

[37] Bart Lenaerts-Bergmans, “What is a supply chain attack?” CrowdStrike, September 27, 2023, https://www.crowdstrike.com/cybersecurity-101/cyberattacks/supply-chain-attacks/. 

[38] Phil Venables and Royal Hansen, “How AI can strengthen digital security,” Google, February 16, 2024, https://blog.google/technology/safety-security/google-ai-cyber-defense-initiative/. 

[39] “National Security Memorandum on Critical Infrastructure Security and Resilience.”

[40] James Lewis, “Cyberattack on Civilian Critical Infrastructures in a Taiwan Scenario,” Center for Strategic and International Studies, August 2023, https://csis-website-prod.s3.amazonaws.com/s3fs-public/2023-08/230811_Lewis_Cyberattack_Taiwan.pdf?VersionId=l.gf7ysPjoW3.OcHvcRuNcpq3gN.Vj8b, 2. 

[41] Kimberly Wood, “Cybersecurity Policy Responses to the Colonial Pipeline Ransomware Attack,” Georgetown Environmental Law Review, March 7, 2023, https://www.law.georgetown.edu/environmental-law-review/blog/cybersecurity-policy-responses-to-the-colonial-pipeline-ransomware-attack/. 

[42] Wood, “Cybersecurity Policy Responses.”

[43] Adam Satariano, et al., “Elon Musk’s Unmatched Power in the Stars,” New York Times, July 28, 2023, https://www.nytimes.com/interactive/2023/07/28/business/starlink.html. 

[44] Sam Bresnick, Ngor Luong, and Kathleen Curlee, “Which Ties Will Bind?” Center for Security and Emerging Technology, February 2024, https://doi.org/10.51593/20230037. 
