Cyber Typhoon: Safeguarding Data Amidst US-China Geo-Political Tensions

A National Security Wake-Up Call

On February 7, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an urgent advisory:
“PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure.”

This threat, identified as Volt Typhoon, has already infiltrated multiple critical sectors including Communications, Energy, Transportation Systems, and Water infrastructure across both continental and territorial United States. This isn’t theoretical — our government is clearly signaling that a domestic cyberattack is both possible and imminent.

For U.S. businesses with operations, vendors, or data dependencies in China, this warning is more than a government notice. It’s a call to act.

The Expanding Risk Landscape

Recent headlines show that the geopolitical tension between the U.S. and China is escalating. If you’re still doing business with or in China, you need to assess the risk implications more seriously.

  • “A China-U.S. Decoupling? You Ain’t Seen Nothing Yet” – Wall Street Journal
  • “U.S. to Invest Billions to Replace China-Made Cranes at Nation’s Ports”
  • “FBI: China Cyberattacks on U.S. Infrastructure at Unprecedented Scale”
  • “China’s Hacker Network: What to Know” – New York Times

Together, these developments signal a rising tide of digital and political hostility — one with real consequences for American business.

What the FBI Wants Businesses to Understand

The FBI warns U.S. companies about increasing efforts by Chinese state-backed actors to acquire intellectual property, proprietary technology, and sensitive business data.

In their paper, “Intellectual Property Protection – Safeguard Your Company’s Trade Secrets,” they highlight:

“If your company has a technological edge, expect your technology and those with access to it to be targeted.”

This is further supported by another key FBI document, “PRC Laws Impacting U.S. Business Operations with PRC Enterprises,” published in 2022. It explains how Chinese law enables data control and government access in ways that should concern any foreign business operating in China.

Key Chinese Laws Impacting U.S. Business Operations

  • Personal Information Protection Law (PIPL) – Requires personal data collected in China to be stored locally and reviewed before transfer.
  • Article 35 – Grants national security officials power to obtain data in the name of security or investigation.
  • Article 38 – Requires foreign businesses to adopt PRC-approved contracts for handling Chinese citizens’ personal data.

These laws effectively eliminate the privacy and confidentiality protections U.S. companies are accustomed to. If you’re housing or accessing any personal data in China, you may already be out of compliance — or at risk.

China’s Long Game: The 100-Year Plan

China’s government operates on a 100-year plan (1949–2049), divided into five-year strategic sprints. Their aim is clear: global technological and economic dominance.

U.S. business leaders should align their risk management strategy to this reality, not just quarterly earnings reports. Cybersecurity is now geopolitical strategy.

10 Critical Questions to Assess Your China-Related Cyber Risk

As the former CSO of a global, publicly traded bank with a joint venture in China, I would ask these ten questions immediately if I were running a company exposed to this risk:

  1. What types of data do I have?
    Take inventory of personal, financial, and proprietary data to guide protection strategies.
  2. Am I compliant with China’s data laws?
    Understand how the Cybersecurity Law and PIPL apply to your business operations.
  3. Where is my data stored?
    Data stored in China is fully governed by Chinese law — review your storage strategies now.
  4. Who has access to my data?
    Apply least-privilege access and review permissions regularly.
  5. How do I protect data in transit?
    Encrypt sensitive data before transferring it, especially across borders.
  6. What’s my backup and recovery plan?
    Align recovery timelines to your Business Impact Assessment. Test regularly.
  7. Am I monitoring for threats effectively?
    Invest in real-time monitoring or a security operations center (SOC).
  8. How do I manage third-party risks?
    Evaluate all vendors for compliance and cybersecurity maturity.
  9. What is my incident response plan?
    Include rapid response workflows and meet China’s strict notification requirements.
  10. Do my employees understand cybersecurity?
    Ongoing training is critical. Reference materials like the NACD’s tech risk reports.

Planning Is No Longer Optional

CISA’s Volt Typhoon warning should be a strategic trigger for business leaders. Failing to plan for these risks is planning to fail. Navigating these risks is like sailing through a typhoon — without visibility and preparation, you will be caught off guard.

You are responsible for protecting your business, your customers, and your future.

About Nicholas Shevelyov

Nick Shevelyov is a cybersecurity, risk, and data privacy expert with deep experience across industries and executive levels. He served as Chief Security Officer for a publicly traded global bank and continues to advise boards and executives on how to manage emerging cyber threats.

He holds a B.A. in Economics, an Executive MBA, and CISSP, CIPP, and CISM certifications.
