Summary of "Bonus: Live Panel with Top China & Cyber Experts at The New York Stock Exchange" Podcast: To Catch a Thief: China’s Rise to Cyber Supremacy
Host: Nicole Perlroth
Release Date: March 27, 2025

Introduction

In this bonus episode of To Catch a Thief: China’s Rise to Cyber Supremacy, host Nicole Perlroth moderates a live panel at the New York Stock Exchange, bringing together top experts in cybersecurity and China-focused intelligence. The panel includes:

• David Barbosa: Co-founder of Wire China and former Shanghai Bureau Chief for The New York Times.
• Rob Joyce: Former Head of Cybersecurity at the NSA.
• Jen Easterly: Former Director of CISA (Cybersecurity and Infrastructure Security Agency).
• Jim Lewis: Senior Vice President at the Center for Strategic and International Studies.
• Bipul Sinha: CEO and Co-founder of Rubrik.

The discussion delves into the escalating threats posed by Chinese cyber-espionage, its impact on American infrastructure, the challenges in defending against such attacks, and potential strategies moving forward.

Evolution of Chinese Cyber Threats

Nicole Perlroth sets the stage by highlighting the transformation of Chinese cyber operations from “the most polite, mediocre hackers in cyberspace” to “apex predators” targeting America’s critical infrastructure.

Rob Joyce (09:42) explains:

"If you look at the operational way that China comes at us, it is scope and scale and now sophistication... [they] have grown in scope and scale, sophistication on a level nobody else has seen."

The panel underscores how Chinese cyber capabilities have become more robust, with operations expanding across military, government, and commercial sectors, enabling pervasive infiltration into U.S. critical systems.

Challenges in Reporting and Public Awareness

David Barbosa (07:21) addresses the delicate balance between reporting on Chinese cyber threats and avoiding xenophobia:

"We should say some really tough things about China. But we shouldn't think everyone who's Chinese is a spy, is a hacker, is the threat."

Perlroth emphasizes the historical reluctance to attribute cyberattacks to China publicly. Fifteen years ago, even reputable firms like McAfee avoided naming China directly in major cyber-espionage cases.

Impact on US Critical Infrastructure

Jen Easterly (11:36) elaborates on the advanced targeting of U.S. critical infrastructure by Chinese actors:

"They could be prepared to launch disruptive or destructive attacks in the event of a major conflict in Taiwan... effects on communications being severed, transportation networks, power grids, water systems."

She cites the Colonial Pipeline ransomware attack as a glimpse into potential large-scale disruptions, comparing it to what coordinated Chinese attacks could achieve across multiple sectors simultaneously.

Jim Lewis (16:49) discusses negotiations with China to establish red lines around critical targets like water facilities:

"Under international law, there are no targets that are off limits."

China dismissed proposals to limit cyber targets, emphasizing a consequentialist approach:

"If it's a little consequence, like Podunk, Massachusetts... we don't care."

Negotiations and Red Lines with China

Jim Lewis (16:49) highlights the futility of negotiating cyber boundaries with China:

"Are you willing to engage in... the answer was no, we're not interested."

China’s stance reflects a strategic mindset focused on long-term leverage rather than immediate concessions, viewing the ability to compromise U.S. infrastructure as a bargaining chip in broader geopolitical negotiations.

Deterrence and Mutually Assured Digital Destruction

Rob Joyce (20:02) critiques the concept of mutually assured cyber destruction, emphasizing that deterrence has not effectively curbed Chinese cyber activities:

"Cyber doesn't stop. You don't get a bigger cyber bat and hit somebody hard and they just go away."

He differentiates U.S. cyber operations by adhering to the rule of law, which complicates retaliatory actions against Chinese targets that often lack clear proportionality and legal grounding.

Jim Lewis (23:03) adds:

"They know you can't punch back in certain ways... this is their advantage to use the US system, the openness of the us, the universities, just an open freedom rule of law society and say, let's take advantage of that."

Intellectual Property Theft by China

The panel discusses numerous instances of Chinese IP theft, spotlighting how China leverages partnerships and joint ventures to siphon proprietary technologies.

Jim Lewis (43:56) shares iconic IP theft anecdotes:

"One Chinese guy's job was to steal genetically modified seeds in the Midwest... another about white house paint recipes being stolen by senior Chinese officials."

These stories illustrate the breadth of Chinese espionage, encompassing sectors from agriculture to consumer goods, driven by national security and economic imperatives.

Mechanisms of Chinese Cyberattacks

Rob Joyce (45:31) explains the sophisticated methods employed by Chinese hackers to infiltrate U.S. infrastructure:

"They collect routers and hack them at scale, putting malware on devices like TP Link routers to use as bounces for their operations."

The dominance of Chinese-manufactured hardware, particularly TP Link’s 60% market share in U.S. home routers, provides an exploitable vector for cyberattacks, enabling persistent and widespread access to critical networks.

Jen Easterly (50:51) extends the discussion to the inherent vulnerabilities in global technology:

"The technology and the devices and the software that we rely upon for critical infrastructure is frankly inherently insecure."

She emphasizes the need for vendors to prioritize security in their products to mitigate exploitation by state actors like China.

Resilience and Cyber Defense Strategies

Bipul Sinha (25:21) advocates for a resilience-based approach, assuming breaches are inevitable and focusing on recovery:

"You need to really assume that the breaches are inevitable or might have already happened."

He introduces the concept of a "minimal viable organization," ensuring that essential services remain operational even during a cyberattack, thereby enhancing overall resilience.

Jen Easterly (28:58) highlights CISA’s efforts to distill complex cybersecurity frameworks into actionable steps for vulnerable sectors:

"We did a distillation... to less than 40 things that a hospital or a water facility or a K through 12 school could do."

This pragmatic approach aims to empower critical but under-resourced entities to strengthen their defenses effectively.

The Role of AI in Cybersecurity

As discussions shift toward futuristic solutions, AI emerges as a beacon of hope in combating cyber threats.

Jen Easterly (55:12) expresses optimism about AI’s potential:

"If you could use powerful AI to refactor insecure legacy code at scale to remove whole classes of vulnerabilities, that can advance a much more safe technology ecosystem."

Rob Joyce (57:14) discusses AI’s role in detecting sophisticated attacks:

"AI lets you look at scope, scale, and detail about these trends and flag the things that are unusual anomalies."

Bipul Sinha (59:56) underscores the necessity of machine intelligence to manage the complexities and volumes of modern cyber threats:

"We need to have AI write better code, but at the same time really use AI to assume that all else has already been bad and how do we protect."

These insights highlight AI as a transformative tool capable of enhancing both proactive defenses and reactive measures in cybersecurity.

The Future of US-China Cyber Relations

The panel forecasts an increasingly aggressive stance from China, driven by national pride and geopolitical ambitions.

David Barbosa (34:07) anticipates China’s continued leverage through cyber operations:

"China is more powerful now. They're probably going to show that they don't have to bend or bow as much or even negotiate in the same way."

Jim Lewis (66:48) provides a somber perspective on China’s internal challenges:

"Xi Jinping wakes up in the middle of the night screaming... the number one threat to China is their own population."

Despite internal pressures, China remains steadfast in its cyber strategies, viewing technological dominance as integral to national security and economic power.

Conclusion

Nicole Perlroth wraps up the panel by emphasizing the multifaceted nature of Chinese cyber threats and the urgent need for comprehensive strategies to counteract them. The discussion underscores the importance of resilience, secure technological infrastructure, and the innovative application of AI in safeguarding critical systems. The panelists collectively advocate for a proactive and holistic approach, blending defensive fortifications with advanced detection mechanisms to mitigate the pervasive risks posed by China’s cyber-espionage tactics.

Notable Quotes

• Nicole Perlroth (00:05):
  "American companies, whole towns, have been eviscerated by Chinese cyberattacks. But their stories remain untold..."

• David Barbosa (07:21):
  "We should say some really tough things about China. But we shouldn't think everyone who's Chinese is a spy, is a hacker, is the threat."

• Rob Joyce (09:42):
  "They have grown in scope and scale, sophistication on a level nobody else has seen, and is, quite frankly, becoming a huge problem for us."

• Jen Easterly (11:36):
  "...we believe what we were able to find when we were at CISA was really just the tip of the iceberg."

• Jim Lewis (16:49):
  "Under international law, there are no targets that are off limits."

• Rob Joyce (20:02):
  "Cyber doesn't stop. You don't get a bigger cyber bat and hit somebody hard and they just go away."

• Jim Lewis (43:56):
  "One Chinese guy’s job was to steal genetically modified seeds... another about white house paint recipes being stolen by senior Chinese officials."

• Jen Easterly (55:12):
  "If you could use powerful AI to refactor insecure legacy code at scale to remove whole classes of vulnerabilities..."

• Bipul Sinha (25:21):
  "You need to really assume that the breaches are inevitable or might have already happened."

• Jim Lewis (66:48):
  "Xi Jinping wakes up in the middle of the night screaming... the number one threat to China is their own population."

This summary encapsulates the depth and breadth of the panel's discussions, providing listeners with a comprehensive understanding of China's cyber-espionage strategies, their implications for the United States, and the evolving landscape of cybersecurity defenses.