Chinese Hackers Have Burrowed Into Too Many Corporate Systems. Time to Fight Back.

Nov 13, 2025 10:30:00 -0500 | #Commentary

F5, a tech firm based in Seattle, was hacked this year by suspected Chinese actors. (David Ryder/Bloomberg)

About the author: Justin Sherman is the founder and CEO of Global Cyber Strategies, a research and advisory firm. He is the author of Navigating Technology and National Security.


The cybersecurity firm F5 announced on Oct. 15 that it had uncovered a long-term breach of its systems by foreign hackers who stole, among other things, source code and sensitive information about software vulnerabilities. While F5 hasn’t named the supposed perpetrator, Reuters did: China.

It is the latest in a long line of Chinese government-perpetrated breaches of U.S. systems, from the 2015 hack of the U.S. Office of Personnel Management to a hack this year of the Congressional Budget Office. A growing number of these incidents are supply-chain hacks. Rather than directly breaching one target at a time, the hackers tunnel into a company whose systems then link to many different end victims.

F5, for example, services 48 of the Fortune 50 and has roughly 23,000 customers in about 170 countries. The F5 hackers could have gained access to or siphoned information about all downstream clients. The firm’s share price has fallen more than 30% since it disclosed the incident.

It is long overdue for the U.S. to lock down its supply-chain cybersecurity to prevent widespread hacks of this kind. The U.S. should expel or restrict foreign components that pose undue national security risks, force U.S. companies to raise their cybersecurity baselines, and assume a more assertive posture toward China. While deterring all espionage isn’t possible, the U.S. and its allies and partners could put much more pressure on China to change how and where it carries out its cyber operations.

Beijing has an enormous cyber arsenal at its disposal. In 2023, then-FBI Director Christopher Wray said that Chinese hackers outnumbered all of the FBI’s cyber agents and intel analysts—even those not focused on China—by at least 50 to one. Its theft of U.S. intellectual property through hacking easily reaches into the hundreds of billions of dollars. More and more, these hacks exploit highly connected digital supply chains—globally distributed networks of people, organizations, hardware, and software that hook into, speak to, and work alongside one another.

This isn’t just a China issue. The F5 hack brings to mind the SolarWinds incident of 2020, in which Russian government hackers pushed malware updates onto thousands of U.S. companies and government agencies. That hack lasted for months before it was discovered. The F5 hackers were present within the firm’s systems for years.

The U.S. government has started to focus on the supply-chain dimension of these threats. In 2019, President Donald Trump created the Information and Communications Technology and Services Program to investigate, designate, and then restrict or even expel foreign-made components from the U.S. technology supply chain. It was used for the first time against the Russian cybersecurity firm Kaspersky last year.

While blocking China from selling tech components in the U.S. won’t stop cyber espionage completely—hackers can still break in from afar—the Commerce Department could block or restrict sales of components like microelectronics, routers, and cloud computing subcomponents that could give Chinese hackers a direct foothold in U.S. systems. That is common sense.

Congress also needs to get its house in order. For decades, cybersecurity professionals have told lawmakers about the need for minimum, comprehensive cybersecurity standards across all sectors, to little avail. Congress should consider implementing basic cybersecurity regulations that require firms to implement encryption, multifactor authentication, continuous monitoring, and an incident response plan. These regulations should apply broadly, especially to companies with key nexuses in the supply chain like the “hyperscalers” that dominate the cloud computing sector, water and energy infrastructure, and key cybersecurity services providers.

But as the saying goes, the adversary gets a vote, too. It seems quite clear that U.S. measures to date—such as indicting the Chinese operators who actually type out the code to enable hacks or the 2015 Obama-Xi agreement on cyber-enabled theft of IP—haven’t significantly changed China’s calculus.

To be clear, nobody is going to entirely deter a nation-state from conducting espionage. Countries have spied for thousands of years. Still, it is possible to shape how adversaries carry out their espionage.

Policymakers should therefore reassess the conventional wisdom that more disruptive or deterrence-oriented cyber operations against China would be escalatory. That position may in fact encourage the adversary to escalate its cyber operations—whereas responding firmly up front could cause the adversary to rethink more operations down the line. U.S. officials should also consider more punishing sanctions for Chinese officials higher up in the food chain who oversee foreign espionage operations that violate norms, such as IP theft or the co-optation of cybercriminals.

Shoring up defenses can certainly raise costs on Chinese hackers and make it more difficult to exfiltrate information on government agencies, businesses, civil society groups, and journalists. As yet another hack against a major U.S. company unfolds, it is about time policymakers consider a more assertive shift on China as part of their response.

Guest commentaries like this one are written by authors outside the Barron’s newsroom. They reflect the perspective and opinions of the authors. Submit feedback and commentary pitches to ideas@barrons.com.