The recent Solarwinds, Kaseya and Colonial Pipeline cyberattacks have plainly demonstrated the digital threat posed by Russian criminals and intelligence agencies. But for many businesses, China is just as dangerous of an adversary, as evidenced by the Biden administration’s July 19 announcement blaming Chinese-sponsored actors for exploiting vulnerabilities in Microsoft Exchange, resulting in the compromise of approximately 30,000 U.S. organizations earlier this year.
And yet, the U.S. has so far publicly resorted only to naming and shaming the Chinese actors, while taking a more forceful approach against Russia, threatening sanctions and even contemplating hacking back. According to experts speaking at a Wilson Center think tank panel session on Wednesday, this inconsistent approach may be sending mixed messages to malicious actors in terms of how far the government will go to defend the business users they are targeting.
Publicly blaming China for the Microsoft Exchange Proxylogon hacking campaign (with ample backing from key global allies), the White House this week asserted in a press release that the nation has been contracting with cybercriminals who operate within its borders and engage in financially motivated ransomware, cryptojacking and cybertheft campaigns.
“In some cases, we are aware that PRC [People’s Republic of China] government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars. The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” the release states.
On the same day, the Department of Justice disclosed an unsealed indictment against four Chinese nationals who allegedly were behind a campaign to hack dozens of companies, universities and government organizations between 2011 and 2018 for the benefit of an APT group known as APT 40, Leviathan or Temp.Periscope. The U.S. claims three of the charged men served in China’s Ministry of State Security, while the fourth is a hacker who worked for MSS front company Hainan Xiandun.
Still, some observers said the actions don’t go far enough and appear less aggressive than public and private actions taken against Russia.
“Naming and shaming doesn't stop the behavior,” said Congressman Jim Hines, D-Conn. In the past, “I remember opening the New York Times to read about the very specific indictment of individual PLA [China People’s Liberation Army] units with exquisitely detailed explanations of how the Chinese were doing what they were doing — and did that stop it? No, it didn't.”
“The message is very muddled,” asserted Dmitri Alperovich, cofounder and executive chairman at Silverado Policy Accelerator, and co-founder and former CTO of Crowdstrike. Speaking at the panel session, Alperovich contended that the Chinese Microsoft Exchange hacks were actually far more serious than the Russian SolarWinds hack because of how distributed the threat was.
SolarWinds was “very targeted very constrained. [Russia] shut down their access voluntarily to any victim that they did not care about, and they went after primary espionage targets – U.S. government agencies that they wanted to steal secrets from. The same type of thing that we would love to do to them,” Alperovich explained. “And we responded very strongly, we attributed that attack very quickly, and instituted sanctions on the parties that were involved.”
Now compare that to the scope of the Exchange attack, which was “indiscriminate, disruptive, untargeted. Everything that there is the opposite of the SolarWinds action,” Alperovich continued. “And yet it took us many, many months for public attribution to come out, even though private sector actors attributed it right away. And secondly, there was no follow-through. We had a statement that was done with allies. That was great to call out China, but there were no economic sanctions. There were no penalties imposed on China for something that was worse than SolarWinds.”
Consequently, adversaries may be confused about the line in the sand that the U.S. is drawing when it comes to cyber norms, and to what degree the country will enforce that line.
Alperovich also pointed out that while the U.S. has historically sanctioned China for different political reasons, “we have never sanctioned China for anything that they have done in cyber.” However, “Surely there's something that they've done over the years [in cyber] that deserves sanctions, including… the massive theft of intellectual property that they've been conducting for the better part of two decades. And yet we've never taken that step.”
As a counterpoint, fellow speaker Meg King, director of the Wilson Center’s Science and Technology Innovation Program, contended that U.S. response does not have to be one-size-fits-all.
“Every country looks at cyberspace in a different way,” she said. “And so just applying the same tool against each adversary isn't going to work.”
King also argued that there’s probably more to the U.S. response than currently meets the eye, noting that Deputy Secretary of State Wendy Sherman will be traveling in China July 25-26.
“There is a clear plan in place. We just don't know what it is, but I don't think they're going to stop at just calling out China for their activities. This was the first play of a very long game,” she said.
Matthew Rojansky, director of the Kennan Institute, believes there may be another underlying factor behind why Russia and China are at present being treated differently. He believes history has shown that sanctions and diplomacy are at least somewhat effective in deterring Russia from especially serious offensive onslaughts against the U.S., while China remains more of an unknown.
“We don't have quite the same history with China to know, vis-à-vis this regime … what really is realistic and what's possible in terms of deterrence,” said Rojansky.
Moderator Ellen Nakashima, national security reporter at the Washington Post, reminded the panel, however, that China did agree to a pact with the U.S. to curb economic cyberespionage against corporate targets after the Obama administration indicated it would impose economic sanctions on China. However, it is questionable to what degree China has held to that agreement in the ensuing years.
Congressman Hines suggested that future action may call for an official international establishment of cyber norms, “more serious bilateral conversations” with China, and proportional cyber actions in response to hacking campaigns.
For that matter, Hines said the U.S. could still stand to push back even harder against Russia, as well. “I can say with some confidence that we have not in any way established a deterrence — a sense that these that these adventures [on the part of Russia] will be met with very costly responses,” he said. “I don't think sanctions are enough. I think that every time either a non-state actor that communicates with the Kremlin or the Kremlin is thinking about this, they need to think that the cost will be high.”
And that could mean that the U.S. needs to flex its own cyber muscles at times, said Hines, noting that “we are better at cyber operations than anybody else on the planet, but the problem is if we don't use them we will not establish a deterrent.”
Alperovich agreed that the U.S. could potentially motivate Russian President Vladimir Putin to crack down on cybercriminals within his borders by imposing the “credible threat of severe sanctions that would have enormous impact on his economy in a way that the existing sanctions that we've put in place since 2014 really have not.”
Hines suggested impacting the finances of Russian oligarchs, though Rojansky was more skeptical of this strategy, believing that it’s Putin who controls the oligarchy and not the other way around. However, from an economic sanctions perspective, Alperovich noted that so far the U.S. has “avoided oil and gas, we avoided sovereign debt, [and] sales that actually are conducted with American and European institutions.” And “that’s what would hurt him the most.”
The bottom line is that “we're going to be having a very big problem until we actually effectively establish a sense of deterrence,” said Hines. “I don't want to be interpreted as saying that we should be anything other than proportional and careful when we're doing this, but… we must extract a cost.”