In response to the United States and its allies formally attributing the Microsoft Exchange hack to a group of hackers affiliated with China’s Ministry of State Security, R Street Institute Director of Cybersecurity & Emerging Threats Tatyana Bolton released the following statement:
“The Biden administration is right to take the growing threat of cyber-attacks seriously and call out malicious actors in cyberspace. However, attributing malicious behavior to Chinese nation state actors is not sufficient. As with Russia, the administration needs to enforce international norms to create a safe, secure, and resilient cyberspace.”
The R Street Cybersecurity and Emerging Threats team recommends the following actions:
In the short term:
- Consider pursuing additional punitive actions against the People’s Republic of China, such as sanctions, investment restrictions, or even limited offensive cyber operations to signal lines of demarcation in the U.S.’s willingness to tolerate state-sponsored malicious cyber behavior.
- Coordinate with allies on additional statements, cyber training exercises, building resilient and robust partner capacity, and especially establishing strong international cyber norms.
In the long term:
- Create a Bureau of Cyber Statistics to accurately understand the collective cybersecurity posture of the United States.
- Congress should pass data breach notification legislation to quickly alert CISA about future hacks in a standardized manner, allowing for better response coordination.
- Congress should also pass a national data privacy and security law to help combat espionage from outsiders.
- Invest in a diverse workforce equipped to protect against diverse threat actors.
- Incentivize and reward the private sector for bolstering their security infrastructure and securing their supply chains. Penalize them for poor security practices like bad patch management and lack of training, particularly for Systemically Important Critical Infrastructure (SICI) entities.
Formal attribution of a cyberattack to a nation-state is a rarity in the world of cyber threats, as it can be difficult to determine which group of malicious actors is behind a particular hack and whether these actors are encouraged or merely tolerated by a foreign government. Therefore, the Biden administration’s decision to release a statement demonstrates the White House’s recognition that the cyber-attacks from China pose serious threats to U.S. national security. Attribution, particularly through multinational channels, is an important first step to furthering the conversation on international cyber norms, but Biden should not limit U.S. actions to rhetoric. Russian President Vladimir Putin appears to have already ignored Biden’s rhetoric from their first meeting, where the President verbally called out Russia for its role in the SolarWinds hack, so it is clear that attribution alone will likely fall flat when it comes to deterring future intrusions.
We must protect our reputation in cyberspace by protecting the credibility of our rhetoric. If the White House wants this attribution to be effective, it must be followed by concrete actions that not only communicate the U.S.’s unwillingness to tolerate cyber intrusions from other nation-states, but also bolster our own cybersecurity posture. As Senior Fellow Paul Rosenzweig argues, “Attribution without action is ineffective. The Chinese cannot be shamed into good behavior. Having named the Chinese explicitly, the West must now take responsive, proportional action.”
- “Microsoft Exchange hack”: https://apnews.com/article/technology-politics-national-security-hacking-email-4813d462835dcf54cd1397adb94d468b
- “Bureau of Cyber Statistics”: https://www.rstreet.org/2021/06/07/bureau-of-cyber-statistics/
- “data breach notification legislation”: https://www.rstreet.org/2021/04/06/national-data-breach-notification/
- “national data privacy and security law”: https://www.rstreet.org/2021/04/06/national-data-privacy-and-data-security-legislation/
- “Systemically Important Critical Infrastructure (SICI) entities”: https://www.cyberscoop.com/sici-cyber-ransomware-congress-critical-infrastructure/
- “ignored”: https://www.nytimes.com/2021/07/06/technology/rnc-hacked-cyberattack-russia.html?action=click&module=Top%20Stories&pgtype=Homepage