AI is helping US spies catch stealthy Chinese hacking ops, NSA official says

Machine learning tools are helping U.S. security agencies catch operations that rely on so-called "living off the land" techniques.
High-voltage power transmission lines are seen at sunset. (Anton Petrus/Getty Images)

NEW YORK CITY — Artificial intelligence and machine learning technologies are helping the National Security Agency and other U.S. government agencies detect malicious Chinese cyber activity, a top U.S. intelligence official said in remarks on Tuesday that indicate how U.S. security agencies are using the technology to improve computer defenses.

Speaking Tuesday at the International Conference on Cyber Security at Fordham University, Rob Joyce, the director of the NSA Cybersecurity Directorate, said that AI is helping his agency detect Chinese operations targeting U.S. critical infrastructure that might evade traditional defensive measures.

U.S. intelligence officials have warned in recent months that Chinese hacking groups are increasingly targeting power generation systems, ports and other critical infrastructure entities by using methods that analysts refer to as “living off the land” — the use of tools, software and privileges already present on networks to achieve various objectives. Because no malware is deployed that would trip signature-based detection tools, the activity is much harder to spot.

Recent Chinese operations do not rely on traditional or known malware that might be easily flagged by signatures, Joyce explained. Instead, the hackers take advantage of architectural or implementation flaws, misconfigurations, or default passwords to get into networks, then create accounts or users that appear legitimate and use them to move around the network or perform activities that typical users do not normally perform.


AI tools are helping the NSA catch these operations. “Machine learning, AI and big data help us surface those activities,” Joyce said, because the models are better at detecting anomalous behavior of supposedly legitimate users.
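The two paragraphs above describe the detection problem in the abstract: an account that looks legitimate, created through a misconfiguration or default password, used off-hours from hosts it has never touched, running only built-in administration tools. The block below is an added illustration, not code from the NSA or from the article, of the per-user baselining that such anomaly detection rests on: build a profile of each user's normal hosts, processes and active hours from a quiet window, then score later events by how far they depart from that profile. It is a hand-written rule scorer rather than a trained model, and the log format, user and host names, the list of "living off the land" tools, the working-hours window and the alert threshold are all assumptions constructed for the example.

```python
"""Per-user behavioral baseline and anomaly scoring over constructed logs.

Added example, not NSA tooling. Shows why "living off the land" activity
can still be surfaced: no malware is involved, but the *behavior* of the
account (new host, off-hours, first use of admin tools) departs from
everything seen before. All data below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample logs: ISO timestamp,user,source host,action,detail
BASELINE_LOGS = """\
2024-01-02T09:05:00,alice,ws-alice,logon,interactive
2024-01-02T09:30:00,alice,ws-alice,process,outlook.exe
2024-01-02T10:00:00,bob,ws-bob,logon,interactive
2024-01-02T10:15:00,bob,ws-bob,process,excel.exe
2024-01-03T09:10:00,alice,ws-alice,logon,interactive
2024-01-03T14:00:00,alice,ws-alice,process,winword.exe
2024-01-03T10:05:00,bob,ws-bob,logon,interactive
2024-01-03T11:00:00,bob,ws-bob,process,excel.exe
"""

# Constructed detection window: a freshly created service account moves
# between hosts at 02:00 using only built-in Windows tools.
DETECTION_LOGS = """\
2024-01-08T09:00:00,alice,ws-alice,logon,interactive
2024-01-08T09:20:00,alice,ws-alice,process,outlook.exe
2024-01-08T02:10:00,svc_backup,dc01,account_created,by=bob
2024-01-08T02:12:00,svc_backup,dc01,logon,network
2024-01-08T02:13:00,svc_backup,dc01,process,net.exe
2024-01-08T02:14:00,svc_backup,fileserver01,logon,network
2024-01-08T02:15:00,svc_backup,fileserver01,process,wmic.exe
2024-01-08T10:00:00,bob,ws-bob,logon,interactive
"""

# Assumed list of built-in tools commonly abused in living-off-the-land tradecraft.
LOTL_TOOLS = {"net.exe", "wmic.exe", "psexec.exe", "schtasks.exe",
              "powershell.exe", "ntdsutil.exe"}
WORK_HOURS = range(7, 20)   # assumed normal activity window, 07:00-19:59
ALERT_THRESHOLD = 3         # assumed: total points needed to raise an alert
EMPTY_PROFILE = {"hosts": frozenset(), "procs": frozenset(), "hours": frozenset()}


def parse(text):
    """Parse the comma-separated sample format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host, action, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "action": action, "detail": detail})
    return events


def build_baseline(events):
    """Per-user profile of hosts used, processes run and hours active."""
    profile = defaultdict(lambda: {"hosts": set(), "procs": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["hosts"].add(e["host"])
        p["hours"].add(e["ts"].hour)
        if e["action"] == "process":
            p["procs"].add(e["detail"])
    return dict(profile)


def score_events(baseline, events, threshold=ALERT_THRESHOLD):
    """Score each user's events against their baseline.

    Returns {user: (score, [reasons])} for users at or above `threshold`.
    Each distinct reason is counted once, so repeating one novel thing many
    times does not inflate the score; a user with no baseline at all (a new
    account) finds every host, hour and tool novel, which is the point.
    """
    findings = defaultdict(dict)  # user -> {reason: points}
    for e in events:
        user, hour = e["user"], e["ts"].hour
        p = baseline.get(user, EMPTY_PROFILE)
        r = findings[user]
        if e["action"] == "account_created":
            r["account created during window (%s)" % e["detail"]] = 2
        if e["host"] not in p["hosts"]:
            r["new host: " + e["host"]] = 1
        if hour not in WORK_HOURS and hour not in p["hours"]:
            r["off-hours activity (%02d:00)" % hour] = 1
        if (e["action"] == "process" and e["detail"] in LOTL_TOOLS
                and e["detail"] not in p["procs"]):
            r["first use of LOTL tool: " + e["detail"]] = 2
    flagged = {}
    for user, r in findings.items():
        score = sum(r.values())
        if score >= threshold:
            flagged[user] = (score, sorted(r))
    return flagged


def run():
    """Baseline on the quiet window, then score the detection window."""
    baseline = build_baseline(parse(BASELINE_LOGS))
    return score_events(baseline, parse(DETECTION_LOGS))


if __name__ == "__main__":
    for user, (score, reasons) in run().items():
        print("%s score=%d" % (user, score))
        for reason in reasons:
            print("  -", reason)
```

On the sample data only `svc_backup` is flagged; `alice` and `bob` score zero because nothing they do departs from their profiles. None of the individual signals (an off-hours logon, a first use of `net.exe`, a new host) is malicious on its own, which is why the scorer accumulates them per user instead of alerting on any one; a trained model does the same weighting with learned rather than hand-picked points, over far more features.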

Recent advances in AI and machine learning have raised concerns among researchers and security officials that they might provide an advantage to offensive cyber operations, but Joyce said Tuesday that he’s encouraged by the defensive dividends offered by the technology.

“You’re going to see that on both sides, people that use AI/ML will do better,” Joyce said.

Joyce, his colleagues at the NSA and other agencies have been warning for months that China is aggressively targeting U.S. critical infrastructure in troubling ways. The U.S. government and Microsoft revealed in May 2023 that Chinese-linked operations were targeting critical infrastructure entities in the U.S. and Guam as part of a campaign tracked as Volt Typhoon.

“They’re not there for intelligence. They’re not there for financial motivation. They’re in places like electric, transportation, and ports, trying to hack in so they can cause societal disruption and panic at a time and place of their choosing,” Joyce said Tuesday.


In November, Morgan Adamski, the director of the NSA’s Cybersecurity Collaboration Center, told a crowd of industry analysts and researchers at the CYBERWARCON conference that China was penetrating critical infrastructure and waiting “for the best time to exploit these networks.” In a call to action, Adamski urged the researchers to look for anomalous behavior beyond known malware in their networks and emphasized how serious the situation is.

“The threat is extremely sophisticated and pervasive,” she said, as reported by Wired at the time. “It is not easy to find. It is pre-positioning with intent to quietly burrow into critical networks for the long haul. The fact that these actors are in critical infrastructure is unacceptable, and it is something that we are taking very seriously — something that we are concerned about.”
