NSA warns of Chinese hacking in hopes of stirring U.S. defenders to action

Foreign Affairs

The NSA may be hoping that its reputation as the nation’s premier signals intelligence agency convinces more organizations to follow the government’s guidance.

On Tuesday, the National Security Agency (NSA) issued an advisory detailing 25 vulnerabilities that Chinese state-sponsored hackers have exploited in cyber campaigns against sensitive U.S. government networks.

The advisory specifically called on those protecting the Department of Defense, Defense Industrial Base, and National Security Systems information networks to patch their systems. Those patches are already available because all 25 vulnerabilities cited by the NSA were public prior to Tuesday, indicating that the hackers were taking advantage of their victims’ poor network defense.

In a press statement, Anne Neuberger, head of the NSA’s Cybersecurity Directorate, explained that the agency was calling out China both to convince network defenders of the severity of the threat and to guide their risk mitigation strategy.

“We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems,” Neuberger said.

The advisory follows similar guidance published last month by the Cybersecurity and Infrastructure Security Agency (CISA), a unit of the Department of Homeland Security.

Both advisories identified ongoing operations by state-sponsored Chinese hackers and described efforts to use public hacking tools to gain access to U.S. information systems.

Despite those similarities, it remains unclear whether the advisories refer to the same group of hackers. Whereas the CISA advisory specifically called out China’s Ministry of State Security, the NSA advisory cited “state-sponsored hackers,” a broader designation that could include independent contractors working with tacit state support.

Nonetheless, the three highest-priority vulnerabilities cited in Tuesday’s advisory were also flagged in September — suggesting that some entities had not heeded CISA’s earlier warnings regarding patching.

Patching is one of the most effective steps network defenders can take to protect against breaches. However, vulnerabilities are common, updates can be costly to implement, and risk varies based on a range of contextual factors, such as which hackers, if any, are exploiting a known flaw.

Tying a vulnerability to a targeted industry and an active hacking group — and one with the resources of a nation-state, no less — helps network defenders identify critical patches.

That appears to be the goal of both advisories. In repeating information already provided by CISA, the NSA may be hoping that its reputation as the nation’s premier signals intelligence agency convinces more organizations to follow the government’s guidance.

The advisory comes amid a broader campaign by the United States government to be more vocal about state-sponsored cyberthreats, a shift driven in large part by a desire to deter cyberattacks against the upcoming U.S. presidential election.

Those efforts have generally been led by CISA, the Justice Department, or the FBI. Yet the NSA, which once had a reputation for extreme secrecy, has recently played a more public-facing role as well.

At the forefront of the agency’s outreach is its Cybersecurity Directorate, which was stood up in 2019. The Directorate has strived to share more cyber threat information with the public, and it was responsible for Tuesday’s advisory.