In response to the United States and its allies formally attributing the Microsoft Exchange hack to a group of hackers affiliated with China’s Ministry of State Security, R Street Institute Director of Cybersecurity & Emerging Threats Tatyana Bolton released the following statement:

“The Biden administration is right to take the growing threat of cyber-attacks seriously and call out malicious actors in cyberspace. However, attributing malicious behavior to Chinese nation state actors is not sufficient. As with Russia, the administration needs to enforce international norms to create a safe, secure, and resilient cyberspace.”

The R Street Cybersecurity and Emerging Threats team recommends the following actions:

In the short-term:

  • Consider pursuing additional punitive actions against the People’s Republic of China, such as sanctions, investment restrictions, or even limited offensive cyber operations to signal lines of demarcation in the U.S.’s willingness to tolerate state-sponsored malicious cyber behavior.
  • Coordinate with allies on additional statements, cyber training exercises, building resilient and robust partner capacity, and especially establishing strong international cyber norms.

In the long-term:

Formal attribution of a cyberattack to a nation-state is a rarity in the world of cyber threats, as it can be difficult to determine which group of malicious actors is behind a particular hack and whether these actors are encouraged or merely tolerated by a foreign government. Therefore, the Biden administration’s decision to release a statement demonstrates the White House’s recognition that the cyber-attacks from China pose serious threats to U.S. national security. Attribution, particularly through multinational channels, is an important first step to furthering the conversation on international cyber norms, but Biden should not limit U.S. actions to rhetoric. Russian President Vladimir Putin appears to have already ignored Biden’s rhetoric from their first meeting, where the President verbally called out Russia for its role in the SolarWinds hack, so it is clear that attribution alone will likely fall flat when it comes to deterring future intrusions.

We must protect our reputation in cyberspace by protecting the credibility of our rhetoric. If the White House wants this attribution to be effective, it must be followed by concrete actions that not only communicate the U.S.’s unwillingness to tolerate cyber intrusions from other nation-states, but also bolster our own cybersecurity posture. As Senior Fellow Paul Rosenzweig argues, “Attribution without action is ineffective. The Chinese cannot be shamed into good behavior. Having named the Chinese explicitly, the West must now take responsive, proportional action.”