How China’s Cyber Penetration Was Foretold (and Why It’s Now Inside Every Town, Home, and Grid)

Last night 60 Minutes had an episode about China hacking our cyber infrastructure, which may have been shocking to many viewers. However, it's not shocking to some of us, or to our government. Or others...
Prelude: A Warning from the 1990s
In the late 1990s and early 2000s, I was part of a Seattle-based cybersecurity group called Agora, founded by Kirk Bailey, then Head of IT Security. I worked in IT under Kirk — a remarkable leader and a truly great guy (and smart) — and, along with a colleague from my team, supported and attended every meeting I could.
I learned my first semblance of ComSec (Communications Security) in the USAF, while holding a Secret clearance for nuclear weapons at a SAC (Strategic Air Command) B-52 bomber base, "nuclear weapons systems". We had mandatory quarterly, day-long briefings on a variety of Cold War issues and communications security. I lived off base and was quite aware the base was monitoring my phone calls from home.
There were no cell phones in the late 1970s. When I was on-call for a week at a time to go to nuclear war, I had to do it the old-fashioned way — like doctors did in old movies — always reachable, no matter where I was. If my wife and I went to a movie, I’d call the base when I arrived and give them the theater’s phone number, letting the theater manager know so they could pull me out of the film to call the base, if I was needed.
Eventually, we got “Bell Boys” — pagers — and life got a little easier.
So, for me, the Agora felt like a natural extension of that same mindset: staying hyper-aware of foreign actors, hostile nations, and anyone looking for an edge against us. The tools had changed, but the vigilance was the same.
Agora brought together security professionals, government liaisons, and academic technologists in one of the first truly cross-sector security forums in the region. The group continued until 2019. We repeatedly heard from guest speakers — federal cyber agents, corporate security chiefs, and intelligence analysts — warning us about emerging Chinese hacker groups and their growing sophistication.
“Wired once called Agora ‘the security world’s worst kept secret’ — no website, no formal offices, yet drawing speakers and attendees from every corner of federal, corporate, academic and law enforcement spheres. It was a rare place where otherwise siloed communities came together. That Agora existed — and ran for decades — is proof that early warning voices did exist. What’s tragic is how few heeded them.” (Wired)
These weren’t just student pranksters or script kiddies; they were tied to China’s military and intelligence establishments, operating from government facilities, university testbeds, or state-sponsored labs.
We had attendees and members from many major and smaller corporations, as well as people from the government, FBI, local police, NSA, Secret Service, Canadian Mounted Police and others from as far away as Australian law enforcement. One day VP Gore was in town, and before he landed in the afternoon we had about five Secret Service agents attend: a woman and four male agents. In the middle of the event day they all got up to leave, disrupting a talk being given and apologizing for the interruption, but their primary was to arrive soon at the airport. It was an extra special pleasure hosting them and knowing they were interested. Some of the talks, many of them, were fascinating... and often disturbing.
We were all filtering in one day (I was late getting there), and Kirk had set up a screen and a projector, and a list of text was propagating and scrolling on the screen. They appeared to be texts for people's pagers. When Kirk started speaking, he pointed out what the scrolling texts were, saying that all of us probably had pagers, and everyone nodded.
People were just starting to text on their phones; that was still new. He said, "You all also probably know there is no security on the text function, and they travel through the air open to anyone. For a few dollars at Radio Shack you can buy a device that lets you capture all texts passing through your location and read them. Just as we have done here."
We saw texts from the many people in downtown Seattle texting at that time of day. Some were banal, ordinary. Some were obviously work related, but one in particular was between a man and a woman who, it seemed clear, were making plans and having an affair. That was also quite clear, and it drew chuckles as well as a few groans of realization. Some of the texts were a little uncomfortable in our mixed group of a few hundred professionals of both genders. Eventually Kirk turned the text-capture projector off, as it was distracting. And he had made his point.
In years of those quarterly meetings, we urged corporate attendees to do something we knew they would laugh at, and they did: allocate 10% of your IT budgets to cybersecurity. Most of them were spending less than 1%. Or much less. Municipal systems, utilities, and small counties were almost entirely unprotected. We were sounding alarms that most decision-makers were not ready to hear. But the warnings were real.
For fun back then you could get online and walk around inside a corporation's intranet. Not just anyone, but if you knew even a little of what to do, you could be in. As for expert, educated hackers?
Today, the infiltration of Chinese cyber actors into nearly every layer of U.S. infrastructure—from large utilities down to home routers—shows how prescient that group was. The problem is not just foreign hacking in the abstract. It’s that our foundational systems—power, water, transport, telecommunications, and even personal digital space—are now part of the battlefield.
Part I: Early Days — China Enters the Internet & Begins Probing
China’s First Access
China's first experimental link to the Internet (or international TCP/IP) dates to 1989, but sustained global connectivity came on April 20, 1994, when a 64 kbit/s line connected a Beijing node to Sprint in the U.S. Soon thereafter, 256 kbit/s and higher circuits followed, making China a full peer on the global Internet. Over the next few years, China’s academic, government, and telecommunication networks built out greater bandwidth and peering.
Once connectivity existed, the opportunity for reconnaissance and intrusion—even if nascent—emerged instantly.
The “Patriotic Hacker” Facade
Around 1996–1998, Chinese hacker groups began publicly calling themselves “patriotic” collectives: China Eagle Union, Honker Union, Green Army Corps, etc. At first glance, these appeared to be forums of nationalistic students and online activists. But evidence suggests they were much more:
- Many of their infrastructure elements (servers, colocation, routing) were traced back to PLA-managed networks, defense labs, or university nodes with military affiliation.
- Their attack campaigns coincided with diplomatic or military events (e.g. the 1999 NATO bombing of the Chinese embassy in Belgrade), during which hacking attacks and defacements surged.
- They shared toolkits, coordinated timing, and probed the same target domains as later state-linked campaigns—indicating directed planning rather than random hacking.
Thus, China Eagle and its peers seem to have functioned as a public-facing mask for state-directed reconnaissance—an early method of plausible deniability.
1997–2001: Intrusion Before the Term “APT”
- In 2001, the Honker Union (among others) publicly announced a “week of attacks” on U.S. websites, timed around May Day and linked to patriotic motivation. (EBSCO)
- But beneath that public show were more clandestine operations: traces of scanning, credential probes, and exfiltration attempts.
- Soon afterward, China formalized strategy around “informatization” and networked warfare in its defense white papers. (EBSCO)
By the early 2000s, even before the nomenclature of “advanced persistent threat (APT)” was common, Chinese actors were probing U.S. defense contractors, research institutions, and government systems.
Part II: The Rise of State-Linked Operations (2003–2015)
Titan Rain and Early APT Campaigns
One of the more documented early campaigns is Titan Rain (circa 2003–2006). The attacks originated in Guangdong province and penetrated U.S. defense contractor networks (Lockheed Martin, NASA, Sandia, Redstone Arsenal) for sustained periods. (Wikipedia)
These campaigns marked a shift: they were not random probes, but coordinated, sustained espionage campaigns.
Operation Aurora & Intellectual Property Theft
In 2009, Operation Aurora attacked Google and dozens of other tech companies to steal intellectual property and access source code repositories. Google publicly disclosed it in January 2010. (Wikipedia)
Aurora reinforced that China’s cyber strategy had matured: now targeting high-value tech firms to gain trade advantages, R&D secrets, and latent access.
The OPM Breach and Mass Data Compromise
In 2015, a massive breach of the U.S. Office of Personnel Management exposed data on millions of federal employees and security clearance holders. China-affiliated hackers were strongly suspected in the attack, which represented one of the most consequential data exfiltrations in U.S. history. (Wikipedia)
This was not just espionage — it was data for leverage, potential blackmail, and deep knowledge of insider networks.
Institutionalizing Cyber Espionage
By the 2010s, multiple Chinese APT groups (APT1, APT10, etc.) operated under known state influence. China’s doctrine increasingly framed cyber operations not just as intelligence gathering, but as information warfare—breaking or influencing adversary systems in wartime or crisis. (Bradley)
Yet, through all this, corporate America, state governments, and local utilities largely failed to scale defensive posture. Budgeting remained weak, segmentation rudimentary, oversight fragmented.
Part III: Deep Penetration Into Infrastructure — The Modern Phase
Volt Typhoon: Pre-Positioning Inside Utilities & Grids
The most alarming recent campaign is Volt Typhoon (also called Vanguard Panda, UNC3236, Dev-0391, Bronze Silhouette). U.S. agencies (CISA, NSA, FBI) and private sector analysts confirm that Chinese state-linked actors have compromised the IT environments of multiple critical infrastructure organizations—communications, energy, transportation, water, and wastewater. (CISA)
Volt Typhoon’s behavior is notable:
- It is not strictly espionage. The pattern points to pre-positioning: the attackers are placing footholds so they can later “jump” into Operational Technology (OT) systems that manage physical assets. (CISA)
- In Massachusetts, a utility’s systems were compromised for months before Thanksgiving 2023. (The Record from Recorded Future)
- The campaign employed “living off the land” techniques (i.e. using existing OS tools and legitimate credentials) to evade detection. (Microsoft, CISA)
- The FBI disrupted a related botnet (KV Botnet) of infected SOHO routers that helped mask Volt Typhoon operations. (Department of Justice)
- U.S. agencies issued a joint advisory: Volt Typhoon is pre-positioning to disrupt U.S. critical infrastructure at chosen moments of conflict. (CISA)
In short: the infrastructure is compromised in peacetime, ready for worst-case escalation.
Salt Typhoon, Telecom Intrusion & Surveillance
Another campaign, Salt Typhoon, is implicated in recent telecommunications penetrations affecting metadata, wiring, and surveillance-level systems. (DFPI, CISA, Wikipedia)
In 2024, major U.S. telecoms (AT&T, Verizon, Lumen, T-Mobile) were reportedly compromised, enabling access to call metadata (dates, phone numbers, routing) and even wiretap infrastructure. (Wikipedia, CISA)
These attacks directly affect citizens—your phone calls, messaging metadata, service provider switches—making even individuals nodes in the espionage architecture.
Home Routers & Citizen Exposure
Volt Typhoon and related actors have leveraged consumer routers and SOHO (Small Office / Home Office) devices as part of their malware infrastructure (botnets). (CISA, Department of Justice)
This means that ordinary citizens’ home devices are being used to cloak state-level cyber operations, and potentially serve as staging or pivot points into other network layers. The boundary between “national defense” and “your home network” has blurred.
Part IV: Why This Is a Crisis — Not Just Espionage
1. Persistent Embedded Threats
This is not a one-time break-in. These actors are living inside our infrastructure, waiting for a geopolitical trigger. That means:
- The damage can be surgical, targeted, or cascading.
- Attribution will be murky; China can deny or obfuscate.
- The ability to respond or isolate may come too late when attack time comes.
2. Infrastructure Interdependence & Fragility
Conventional adversary intrusion focuses on one sector (military, government). China is embedded in telecom, utilities, transportation, and more. Disrupt one node (say, power), and cascading failures can affect hospitals, communications, water, and emergency systems.
3. Citizen-Level Risk & Surveillance
With telecom breaches and metadata access, the Chinese actors are penetrating communications, not just computers. That means:
- Exposure of private data—phone logs, call chains, connections.
- Potential interception or tampering of signals or switches.
- Use of citizen devices (routers, IoT, isolated networks) as proxies to hide advanced operations.
4. Governance, Response & Strategy Gap
The U.S. has struggled to build a coherent national defense to this scale because:
- Public sector and local governments (which run power, water, transit) lack budget, expertise, and incentives.
- The private sector is fragmented; vendors and contractors are often weak links.
- National agencies can issue alerts (CISA, FBI), but enforcement is decentralized.
- The threat is asymmetric: China can degrade us non-violently; we must respond in kind across multiple domains (cyber, diplomatic, economic).
5. The “It Didn’t Have to Be This Way” Truth
The point made earlier in this post holds: this is a national security threat that did not have to be. We had warnings, we had reconnaissance data, we had early indicators. But we underfunded, we underestimated, and we delayed. If corporations, utilities, and governments had invested decades ago in segmentation, monitoring, zero-trust, cross-domain coordination, local resilience, and threat-intel sharing, we might have forced China to fight uphill rather than starting from inside.
Part V: What Must Be Done (And What You Can Do Now)
Strategic Priorities
- Zero Trust & Microsegmentation: No network zone should implicitly trust devices. Enforce least-privilege access, segment OT from IT, and segregate governance networks from SCADA.
- Active Monitoring & Detection: Use anomaly detection, EDR/XDR, log aggregation, and threat hunting to spot stealthy adversaries even when they use “normal” credentials.
- Incident Readiness & Rapid Response: Build local capacity for digital forensics, restore operations in degraded mode, and isolate breach zones.
- National Coordination & Enforcement: Expand legal mandates and incentives for utilities, municipalities, and telecoms to adopt mandatory safeguards. Increase liability for failure to defend.
- Public Awareness & Home Hardening: Educate citizens on router security (patch firmware, change defaults), isolate IoT devices, use home network segmentation, and deploy better device management.
- Attribution & Diplomatic Action: Maintain public attribution pressure. Sanction culpable actors and seek international norms against embedding malware in civilian infrastructure.
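The "Active Monitoring & Detection" priority above, and the "living off the land" behaviour described under Volt Typhoon in Part III, come down to one detection problem: the attacker runs tools that ship with the operating system under a valid account, so there is no malware signature to match. The script below is an added example written for this post (it is not code from the post, from Agora, or from CISA). It runs over a constructed, tab-separated export of Windows process-creation events (Security event 4688); the column layout, host names and account names are assumptions. It flags built-in Windows tools being used in the ways CISA's public Volt Typhoon advisories describe (port forwarding with netsh, dumping the directory database with ntdsutil, remote execution through wmic) and, separately, shell activity under a legitimate account outside working hours, then groups the signals by host so an analyst sees which machines stack several of them.

```python
"""Hunt for living-off-the-land (LOTL) activity in process-creation events.

Added example, not code from the post or from CISA. The input is a constructed,
tab-separated export of Windows Security event 4688 (process creation); the
column layout, host names and account names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events: timestamp, host, user, parent process, command line.
SAMPLE_4688 = """\
2023-11-02T03:12:44Z\tops-ws01\tCORP\\jdoe\texplorer.exe\tC:\\Windows\\System32\\cmd.exe /c dir
2023-11-02T03:14:07Z\tops-ws01\tCORP\\jdoe\tcmd.exe\tnetsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.5.20 connectport=3389
2023-11-02T03:15:30Z\tdc01\tCORP\\svc-backup\tcmd.exe\tntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ifm" q q
2023-11-02T03:16:02Z\tdc01\tCORP\\svc-backup\tcmd.exe\twmic.exe process call create "cmd /c whoami"
2023-11-02T09:00:00Z\tdc01\tCORP\\svc-backup\tsvchost.exe\tC:\\Program Files\\Backup\\agent.exe --schedule
2023-11-02T09:05:11Z\tops-ws02\tCORP\\asmith\texplorer.exe\tC:\\Windows\\System32\\notepad.exe notes.txt
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    cmdline: str


# LOTL rules match command lines, not file hashes: every binary here ships with
# Windows, so the signal is the usage (port-forwarding with netsh, dumping the
# AD database with ntdsutil, remote execution via wmic), not the file itself.
LOTL_RULES = [
    ("netsh_portproxy", re.compile(r"\bnetsh\b.*\bportproxy\b", re.I)),
    ("ntdsutil_ifm_dump", re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    ("wmic_remote_exec", re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
]

# Assumption: 00:00-05:59 UTC is outside this organisation's working hours.
OFF_HOURS = range(0, 6)


def parse_event(line):
    """Split one constructed 4688 line into its fields; return None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, host, user, parent, cmdline = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmdline": cmdline}


def hunt(log_text):
    """Return every LOTL or off-hours finding in the log, in input order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for name, rx in LOTL_RULES:
            if rx.search(ev["cmdline"]):
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], name, ev["cmdline"]))
        # A valid account spawning shell children at 3 a.m. is exactly the
        # "legitimate credentials, abnormal behaviour" pattern worth surfacing.
        hour = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        if hour in OFF_HOURS and ev["parent"].lower() == "cmd.exe":
            findings.append(Finding(ev["ts"], ev["host"], ev["user"],
                                    "off_hours_cmd_child", ev["cmdline"]))
    return findings


def triage(findings):
    """Group findings by host so analysts see which machines stack multiple signals."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    for host, rules in sorted(triage(hunt(SAMPLE_4688)).items()):
        print(f"{host}: {', '.join(rules)}")
```

On the constructed sample, dc01 accumulates three distinct signals (ntdsutil, wmic and off-hours shell activity under a service account) while ops-ws02 produces none, which is the kind of stacking a real hunt prioritises; in production the same rules would sit on aggregated logs from an EDR or SIEM rather than a text export, and the working-hours window would come from the organisation's own baseline.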
What You Can Do as a Citizen or Local Stakeholder
- Audit your home network: replace old routers, apply firmware updates, disable remote management, segment IoT traffic.
- Engage your local government or utility: advocate for cybersecurity assessments and investments.
- Use encrypted communications, VPNs, or privacy-enhancing practices when possible.
- Watch for alerts (CISA, state agencies) about threats targeted at your region or industry.
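The home-network audit in the first item above can be turned into a repeatable check rather than a one-off. The script below is an added example written for this post, not code from the post or from any router vendor. It takes a constructed settings export from a hypothetical consumer router (the model name and every key name are assumptions; real vendors each use their own layout), reports which checklist items fail, and produces a hardened copy of the configuration. It deliberately leaves firmware age alone: no settings change fixes an unpatched device, so that finding survives hardening and tells the reader to update or replace the router.

```python
"""Audit a home/SOHO router's settings against a hardening checklist.

Added example, not from the post or any vendor. The settings dictionary is a
constructed export from a hypothetical consumer router; the key names are
assumptions, so adapt them to your own device's export or web UI.
"""
import copy
from dataclasses import dataclass
from datetime import date

WEAK_ROUTER = {                      # constructed "as shipped" settings
    "model": "HomeGW-2000",          # hypothetical model name
    "firmware_date": "2019-06-01",
    "admin_user": "admin",
    "admin_password": "admin",
    "remote_management": {"enabled": True, "port": 8080},
    "upnp": True,
    "wifi": {"security": "WPA2-PSK"},
    "guest_network": {"enabled": False, "isolated": False},
}

# Factory credentials of the kind printed on a label or in a manual (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "1234")}
MAX_FIRMWARE_AGE_DAYS = 365
ACCEPTABLE_WIFI = {"WPA2-PSK", "WPA3-SAE", "WPA2/WPA3"}


@dataclass(frozen=True)
class Finding:
    check: str
    severity: str
    fix: str


def audit(cfg, today=date(2024, 1, 15)):
    """Return the checklist items the configuration fails (empty list = clean).

    `today` is fixed to a constructed reference date so results are reproducible.
    """
    findings = []
    if cfg["remote_management"]["enabled"]:
        findings.append(Finding("remote_management_enabled", "high",
                                "Disable WAN-side admin access; manage from the LAN only."))
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_CREDENTIALS:
        findings.append(Finding("default_credentials", "high",
                                "Set a unique admin passphrase."))
    age = (today - date.fromisoformat(cfg["firmware_date"])).days
    if age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(Finding("firmware_outdated", "high",
                                f"Firmware is {age} days old; update it or replace the device."))
    if cfg["upnp"]:
        findings.append(Finding("upnp_enabled", "medium",
                                "Disable UPnP so LAN devices cannot open WAN ports on their own."))
    if cfg["wifi"]["security"] not in ACCEPTABLE_WIFI:
        findings.append(Finding("weak_wifi_security", "high", "Use WPA2-PSK or WPA3."))
    guest = cfg["guest_network"]
    if not (guest["enabled"] and guest["isolated"]):
        # Most consumer routers only offer an isolated guest SSID; putting IoT
        # devices on it is the practical form of home network segmentation.
        findings.append(Finding("iot_not_segmented", "medium",
                                "Enable an isolated guest SSID and move IoT devices onto it."))
    return findings


def harden(cfg, new_admin_password):
    """Return a copy with every configuration weakness fixed.

    Firmware age is deliberately left alone: no settings change patches an
    outdated device, which is why audit() still flags it afterwards.
    """
    fixed = copy.deepcopy(cfg)
    fixed["remote_management"]["enabled"] = False
    fixed["admin_password"] = new_admin_password
    fixed["upnp"] = False
    if fixed["wifi"]["security"] not in ACCEPTABLE_WIFI:
        fixed["wifi"]["security"] = "WPA2-PSK"
    fixed["guest_network"] = {"enabled": True, "isolated": True}
    return fixed


if __name__ == "__main__":
    for label, cfg in (("as shipped", WEAK_ROUTER),
                       ("hardened", harden(WEAK_ROUTER, "constructed-long-passphrase"))):
        print(f"{label}: {cfg['model']}")
        for f in audit(cfg):
            print(f"  [{f.severity}] {f.check}: {f.fix}")
```

The checklist mirrors the items in the list above one for one (remote management, defaults, firmware, segmentation), with UPnP added because it quietly reopens the same exposure that disabling remote management closes. Running it against an export taken after each change is a cheap way to confirm the router actually ended up in the state the web UI claimed.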
Epilogue: We Knew, They Knew — Now the Battlefield Is Inside Our Homes
The story isn’t one of surprise. The threat was visible in 1996, louder in 2000, undeniable by 2010. It’s just that we—the corporate sector, state and municipal governments, utilities, even citizens—failed to act early enough.
Now, what was once espionage is war preparation.
What was once probing is persistence.
What was once external is internal.
China’s cyber presence in U.S. systems is no longer abstract—it’s baked into the pipes, lines, switches, routers, grids, and even your home’s device stack. And if we don’t treat it as the existential threat it is—across all layers, all communities, and all homes—we’ll find ourselves too deep to push back effectively.
I’m sad to learn that the Agora ended back in 2019, as the Wired article above details. I don’t know how I missed it. When Kirk left our company for a new position, he kept the quarterly meetings going at other locations. I attended as long as I could, but eventually it became hard to make the trip — taking a day off work each time, and later, after I retired from IT in 2016, the travel to Seattle from where I live now got to be too much.
Still, those meetings — the people, the insight, the foresight — have stayed with me ever since.
What we built at Agora wasn’t just a community; it was awareness. And looking at the world today — the cyber intrusions, the infrastructure threats, the warnings we once discussed quarterly and shared between meetings (on ad hoc teams built from those meetings, around the country, and around the world at attendees' home organizations) are now filling the evening news — it’s clear that awareness is something we can’t afford to lose again.
We still have much to do. At least we are somewhat better positioned, because of one organization, and because of one dynamic individual, Kirk Bailey.
Cheers! Sláinte! Na zdravie!
Compiled with aid of ChatGPT
