Hoover Institution (Stanford, CA) — The federal government must warn the American public about the cyber threat posed by China, and the assembled experts of the Hoover Institution can help share the message, Senior Fellow H.R. McMaster told a panel of lawmakers on May 28.
Alongside three cybersecurity experts, McMaster testified before three members of the US House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection on Wednesday at a special field hearing at the Hoover Institution’s offices on the Stanford University campus.
The hearing, entitled “Innovation Nation: Leveraging Technology to Secure Cyberspace and Streamline Compliance,” was planned for leading cyber and national security experts to brief lawmakers on how the private and the public sectors can collaborate to improve US cybersecurity.
In it, McMaster warned representatives Mark Green, Andrew Garbarino, and Eric Swalwell that the American public does not yet comprehend why Chinese-aligned hacking groups are intruding into American 5G networks or the phone accounts of presidential candidates.
“We haven’t really taken this to the American people to explain the gravity of it and say why China is in our systems,” McMaster said. “They are preparing for war—the Chinese Communist Party is preparing for war—in a number of ways.”
In 2024, a hacking group dubbed “Salt Typhoon,” believed to be connected to China’s Ministry of State Security, infiltrated the networks of several leading wireless service providers and reportedly accessed the metadata of phones used by Donald Trump, JD Vance, and the staff of Kamala Harris during the presidential election campaign.
“They literally have a kill switch on the system right now,” Rep. Green said of the intrusion.
McMaster told Green that Hoover has a number of programs that address cybersecurity, including the Technology Policy Accelerator, which explores the geopolitical implications of emerging technology, as well as Tech Track 2, which is designed to foster deeper cooperation between US government leaders, tech executives, and distinguished academics on urgent national security challenges.
Hoover also coleads the Stanford Emerging Technology Review, an all-of-Stanford effort to help America’s public and private sectors better understand the policy implications of transformational technologies.
McMaster said all of these Hoover programs can help legislators work through challenges such as generating nimble and effective cybersecurity policy.
The witnesses, along with Green, also spoke about the fact that that there is a tendency in cybercrime, unlike most other crimes, for the public and media to blame or shame the victim organization when they report a breach, instead of the perpetrators, who are often initially unknown.
Even if the breach was made possible by a flaw in software the victim purchased from an outside vendor, the outside vendor is rarely blamed or even mentioned in reporting about the cyber intrusion.
“We tend to punish the victims. If there’s a bank robbery, we don’t publish that on the news and blame the bank,” Wendi Whitmore, chief security intelligence officer at Palo Alto Networks told the panel.
“But when the media gets hold of cybercrime or intrusions, we often punish the victims.”
Green asked the experts if more should be done to hold software and cybersecurity firms accountable when vulnerabilities are exposed that put their clients at risk.
Whitmore also reminded the legislators of the enormous scale of the cyber threat confronting her firm’s clients. Just within the client portfolio of Palo Alto Networks, she said, her technology encounters 31 billion unique cyberattacks every day. Further, as many as 9 million of those attacks contain new characteristics never seen before that day.
All the witnesses told lawmakers they were supportive of the committee’s effort to reauthorize the 2015 Cybersecurity Information Sharing Act, which enables the Cybersecurity and Infrastructure Security Agency to share information with lower-tier governments and private firms about how to better protect US communications infrastructure from foreign intrusion. Its provisions expire in September 2025.
In conjunction with the hearing, representatives also met with a number of other cybersecurity industry leaders and Stanford cyber policy experts about the future of US cybersecurity legislation.
