The White House has identified a ninth U.S. telecom network that Chinese state hackers have compromised in a sweeping intrusion, a senior official said on Dec. 27, as authorities take steps to prevent similar cases of cyberespionage and hold the cyberattackers liable for their actions.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, revealed the new information in a press briefing as officials continue to assess the scope of the cybersecurity breach from China’s state-backed Salt Typhoon hacking group, which has carried out a wide-ranging espionage campaign since 2022.
“Our understanding is that a large number of individuals were geolocated in the Washington DC, Virginia area,” she said.
Only a fraction of them had their communications affected, Neuberger said, as the hackers are more interested in eavesdropping on U.S. government officials.
“The scale we’re talking about is far larger on the geolocation, probably less than 100 on the actual individuals,” she said.
As officials scramble to understand the impact of the Chinese cyber intrusion, they also began a multi-agency effort to fortify U.S. infrastructure against such operations.
Shortly after the briefing, the Justice Department issued a final rule naming China, Cuba, Iran, North Korea, Russia, and Venezuela as countries of concern over their ambitions to exploit sensitive U.S. personal and government-related data by bulk. Under the rule, certain individuals and groups whom authorities deemed as threat actors are barred from transactions involving six types of U.S. data, including certain personal identifiers such as social security numbers or government identification numbers, precise geolocation data, biometric identifiers, human genetic or molecular data, personal health data, and personal financial data.
The regulation applies to entities over which China has an ownership of 50 percent or more, those that principally conduct business in China or are organized under Chinese law, their contractors and employees, and foreign individuals who primarily reside in China.
Violators could face a civil fine of up to $368,136 or twice the amount of the transaction involved, whichever is greater. Criminal penalties include up to $1,000,000 in fines and up to 20 years in prison.
The Department of Health and Human Services on Dec. 27 also proposed a rule to protect the U.S. health care system from cyberattacks.
The proposed measure would modify the Health Insurance Portability and Accountability Act of 1996, making the first change to the act’s security rule in 11 years, according to a statement. It would mandate stepped-up protection for personal health information by health plans and health care clearinghouses, as well as most health care providers and their business associates.
The department’s Office for Civil Rights said the number of individuals impacted by large health care breaches soared more than tenfold between 2018 and 2023, and is likely to grow.
The hacking group has targeted now-Vice President-elect JD Vance and now-president-elect Donald Trump, as well as Vice President Kamala Harris.
To deter Chinese hacking attempts, Neuberger said, the first step is to build a “defensible infrastructure.”
“We wouldn’t leave our homes, our offices unlocked, and yet our critical infrastructure, the private companies owning and operating our critical infrastructure often do not have the basic cybersecurity practices in place,” she said in the press call.
Authorities are also scrutinizing government contracts to enforce stricter cybersecurity practices, Neuberger said. In doing so, she said, the United States is following in the footsteps of Australia and the UK.
“The nation’s secrets, the nation’s economy, lies on our telecommunications sector,” she said.
“When I talked with our UK colleagues and I asked, ‘Do you believe your regulations would have prevented the Salt Typhoon attack?’ their comment to me was, we would have found it faster, we would have contained it faster.”
Neuberger said it was a “powerful message.”
“Those networks are not as defensible as they need to be to defend against a well resourced, capable offensive cyber actor like China,” Neuberger said.
In assessing the Salt Typhoon breach, she said, authorities have found one administrator account that had access to more than 100,000 routers.
“So when the Chinese compromised that account, they gained that kind of broad access across the network,” she said.
Neuberger said officials are looking to segment the telecom networks so that in the event of a cyber attack, the potential damage could be contained.
The Federal Communications Commission on Dec. 5 proposed cybersecurity rules requiring communications service providers to certify annually that they have a plan to protect against cyberattacks.
The rule is waiting for a vote by Jan. 15, Neuberger said, noting that they are eager to see bipartisan support across the commission to see it through.
The Chinese were “very careful about their techniques. They erased logs,” she said. And as “we will never know regarding the scope and scale of this,” she said, the United States is “looking forward.”
Neuberger said more actions will be coming out in the next few months.
“Let’s lock down this infrastructure. And frankly, let’s hold the Chinese accountable for this,” she said.