When will the 'cyber typhoon' farce blow over?

Editor's note: Li Yan, a special commentator on current affairs for CGTN, is executive director of the Institute of Sci-Tech and Cyber Security Studies under the China Institute of Contemporary International Relations. The article reflects the author's opinions and not necessarily the views of CGTN.

For a while now, the U.S. government has been busy spinning a series of so-called "typhoon" operations – first "Volt Typhoon," now "Salt Typhoon." Unsurprisingly, they've pointed the finger squarely at China as the usual suspect.

However, China's cybersecurity agencies wasted no time in responding. They released detailed reports exposing the truth behind "Volt Typhoon," backed by hard evidence that it was the handiwork of an international ransomware group. These reports also revealed how U.S. intelligence agencies and cybersecurity firms colluded to stage this farce, driven by their hunger for funding and staffing. Faced with this hard evidence, the U.S., once loud and adamant, has since fallen conspicuously silent.

The "Salt Typhoon" operation, however, brings an own ironic twist. Regardless of who the attacker might be, the real eyebrow-raiser lies in the target: a wiretapping and surveillance system specifically set up by a U.S. telecom company for federal law enforcement agencies, as reported by The Washington Post. The revelation shows the astonishing breadth of this system's surveillance capabilities, calling to mind the infamous Prism program exposed in 2013.

This explains why the U.S. government rushed to shift attention to "foreign attackers" to deflect scrutiny from the system itself. Without such a diversion, it would struggle to justify its actions in the face of mounting domestic and international scrutiny. And so, the familiar trope of "Chinese hackers" was wheeled out again – loud and dramatic as always, but offering nothing new under the sun.

According to insiders, Chinese cyber diplomats have been resolute in refuting the baseless accusations over hacking campaigns like "Salt Typhoon" and "Volt Typhoon" in conversations with their U.S. counterparts. They've also expressed serious concerns over America's extensive cyber espionage and sabotage activities targeting China's critical information infrastructure.

For example, on December 18, 2024, the National Computer Network Emergency Response Technical Team Center of China reported two instances of U.S. intelligence agencies hacking into major Chinese tech firms. As expected, the U.S. has yet to offer any meaningful response.

An age-old debate

If we set aside the truth behind the "typhoon" operations for a moment and return to the fundamental issue of cyberattacks, we find that despite years of discussions, both in the international community and between China and the U.S., progress has been remarkably limited. Why is that?

The first issue stems from the nature of cyber technology itself. As is widely acknowledged, cyberspace is a highly complex domain. Its unique characteristics create an asymmetrical dynamic between offense and defense – where attackers hold the advantage and defenders find themselves in a perpetual state of struggling to guard against all attacks.

The second challenge lies in the difficulty of attribution. While there are certainly technical reasons behind this, the deeper issue is non-technical: the instrumentalization and even politicization of attribution. Attribution, in essence, refers to the process of retracing the steps of a cyberattack to determine its origins. It serves as the foundation for identifying the perpetrators and holding them accountable.

If attribution remained purely a technical endeavor, it might not be such a herculean task. The real problem, however, is that the debate over attribution has long gone beyond its original technical purpose. Western policymakers and academics have openly acknowledged that attribution is not just a matter of technical evidence but also a deliberate strategic decision. On the one hand, it involves figuring out "who really did it"; on the other, it's about deciding "who we want to say did it." The latter, of course, is driven by political considerations.

Simply put, governments can leverage the "public release of attribution results" as a tool to suppress, contain, or deter rivals, using it to achieve broader strategic goals and purposes. To be blunt, whether the narrative of "Chinese hackers" is laden with political and strategic motives is hardly up for debate – it's been glaringly obvious for quite some time.

The right way to address the issue

Predictably, the U.S. government is never going to admit that it has politicized and weaponized attribution. Instead, it'll double down on how "advanced" its technology is, insisting that its conclusions are above reproach. And when its methods are called into question, it tends to cloak itself in mystery, either claiming that "evidence chain protection" prevents it from sharing details or simply refusing to respond.

This turns the whole situation into a dead-end scenario where its stance boils down to, "It's true because I say so." But if, as they claim, their true intent is to raise global awareness and actually solve the problem, then the right way to go about it should be:

First, the U.S. needs to drop its one-sided "national security" narrative. It insists on pursuing maximum freedom for its own operations in cyberspace while justifying cyberattacks and infiltrations against other countries as "legitimate" and "necessary" for national security.

To top it off, it even theorizes and legitimizes these actions in lofty rhetoric, branding them as "persistent engagement" or "hunt forward." With such a playbook, is it any wonder that the world views the U.S. as the biggest attacker and beneficiary of hacking in cyberspace? This double standard makes it hard to take their supposed commitment to solving the problem seriously.

Second, the U.S. should finally listen to the international community's long-standing call for a neutral and authoritative third-party attribution mechanism. Let's face it: no one trusts a system where one party gets to act as both the accuser and the judge in a dispute. This is why global voices have been pushing for a fair, impartial body to tackle the thorny issue of attribution. Yet, the U.S. has consistently shrugged it off.

Sure, building such a mechanism wouldn't be easy, but it's the right way forward. Without it, solving cyberattacks – especially disputes between countries – will remain little more than wishful thinking.

Frankly speaking, given the U.S.'s track record of attitude and action, it's hard to hold much hope for change. That's why it's crucial to rally the international community for collective efforts. Right now, under the United Nations framework, the process of establishing norms for "responsible state behavior" in cyberspace is making steady headway.

Reaching a general consensus on principles is not demanding, as many countries have already issued position statements and policy documents. While the wording may differ, the core message is the same: to safeguard an open, secure, prosperous and stable cyberspace.

Here's an idea: Why not use America's cyber activities, especially its worldwide surveillance operations, as a textbook example of what not to do? Making these actions a focal point in discussions on responsible state behavior could help turn lofty principles into concrete and actionable international norms.

(If you want to contribute and have specific expertise, please contact us at opinions@cgtn.com. Follow @thouse_opinions on X, formerly Twitter, to discover the latest commentaries in the CGTN Opinion Section.)