The Biden administration formally accused the Chinese government this week of carrying out the hacks of the Microsoft Exchange email server software, the details of which came to light in early March. In a joint statement with the European Union, NATO and several other U.S. allies, the White House placed blame for the hacks squarely on the shoulders of the contractors of China’s civilian intelligence agency, the Ministry of State Security (MSS), and accused the Chinese government of supporting “irresponsible and destabilizing behavior in cyberspace.” In conjunction with the White House’s statement, the Justice Department on July 19 unsealed criminal charges against four hackers working with the MSS, albeit for unrelated cyber intrusions.
In the still-nascent history of the United States’ responses to major cyber incidents, attributing the Exchange hacks to the People’s Republic of China (PRC) is another step in the right direction. However, the White House should take the additional step of imposing material costs on the parties charged with these reckless actions, both to deter further malicious activity and to bolster the progress the administration has made in delineating clear strategic norms to guide the U.S.’s responses to cyber incidents.
The Biden administration should be commended for many elements of its actions. Although the U.S. has issued public attributions of malicious cyber activity with allies in the past, it has never rallied such a large coalition behind a public condemnation of China’s cyber activity. Building such a broad coalition is no easy task, given that many of the U.S.’s allies now have much more extensive trade relationships with China than they do with the U.S., and they are rightly hesitant to take any public action that might trigger retaliation from Beijing. The predictably angry and immediate responses to the administration’s action from the PRC’s spokespeople are a testament to the dangers that smaller nations face in confronting the increasingly arrogant and self-assured Chinese Communist Party.
That said, publicly “naming and shaming” threat actors in response to state-sponsored or state-tolerated cyber intrusions is one thing; imposing costs and consequences on those actors is very much another. Notwithstanding the real merits of the announcement, the failure to impose sanctions, a continuation of the U.S.’s ineffective past policy toward China, is a major strategic oversight that the Biden administration has an opportunity to correct—and it cannot do so soon enough.
Imposing economic sanctions on both the MSS contractors and the private and state-owned companies that have benefited financially over the years from the MSS’s malicious activities, including theft of intellectual property, would send a strong signal that the U.S. will not tolerate these reckless intrusions. It would also allow Biden to overcome the strategic shortcoming of the past administrations which, in the face of rapidly escalating cyber threats from Beijing, repeatedly declined to impose any meaningful costs on Chinese cyber threat actors. This persistent refusal to impose sanctions on China has stood in stark contrast to the United States’ past decisions to sanction its other major geopolitical adversaries—including Russia, Iran and North Korea—for their malign cyber activity, as well as to the approach taken by U.S. allies in the European Union, which has imposed sanctions on China for past cyber intrusions.
In fairness to the current administration, it is still too early to know what sort of consequences might lie in store for China. On Monday, an unnamed administration official told the Washington Post that the administration is “not ruling out further action to hold [China] accountable,” and only time will tell what this action might entail.
But in the meantime, the White House’s position raises an equally pressing question: What is the administration waiting for? In April, the White House took swift action against the Russian government for its involvement in the SolarWinds breach, attributing the intrusions to Russia’s Foreign Intelligence Service and imposing sanctions on Russian entities in a single action. As we argued at the time, the SolarWinds attack was less damaging and less reckless than the Exchange hacks—and therefore warranted less severe punishment. The fact that, at this point, the administration has imposed stronger penalties on the Russian government for the SolarWinds attack than it has on the PRC for the Microsoft Exchange hacks represents a major strategic inconsistency. To put it counterfactually, there should be little doubt that if Russia had carried out an attack that was as brazen and reckless as the Exchange hacks, the U.S. would almost certainly have responded both sooner and more harshly.
Yet the merits of the administration’s response to the SolarWinds attack are not in question here. As we argued before, the only way to create lasting and effective international norms in cyberspace is to enforce red lines when they are crossed. The more immediate point is that that past decision carries strategic consequences. Having drawn a red line in the case of the SolarWinds breach—a narrowly executed, nondestructive, conventional cyberespionage campaign—the United States ought to calibrate its responses to subsequent attacks relative to that line. By every conceivable technical standard, the Exchange hacks were the more damaging and more reckless of the two actions. For the sake of both strategic and normative consistency, the administration should be prepared to impose more serious consequences.