In July, amid what felt like a relentless surge of cyber attacks, President Biden was under great pressure to do something. There were all those attacks attributed to Russia. Then more attacks said to be from China. The United States had become an international cyber punching bag. It was time for the president to take action. And he did.
The big move was in response to China’s alleged global attacks through a vulnerability in Microsoft’s Exchange email systems. Microsoft had attributed the attacks to China back in March, and on July 19 Secretary of State Antony Blinken declared that China’s Ministry of State Security “has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.” And for the first time the U.S. was joined in condemning China not only by the European Union but by all NATO members (though only the United Kingdom also used language tying criminal hackers to the Chinese government).
And it was not just a matter of speeches. The U.S. unsealed an indictment filed in May charging that four Chinese nationals worked with their government to steal confidential information from entities in a dozen countries. The defendants were accused of engaging in a sweeping campaign between 2011 and 2018 that targeted a wide range of industries, including aviation, defense, education, government, health care, biopharmaceutical, and maritime.
The indictment built on and extended U.S. efforts to establish red lines and encourage cooperation among nations to support them. It was a particularly welcome development because the U.S. response to the spate of attacks that emanated from Russia included lots of threats but no indictment. That seemed to blur any sense of where the lines lie. And yet the U.S. imposed sanctions on Russia, but none on China.
This might be a good time to ask: What are the rules?
The Attacks from Russia
The recent onslaught said to be from Russia began with the huge and devastating SolarWinds hack, which was revealed last December. What followed was a succession of cyber attacks attributed to Russian gangs, like the ransomware attack on Colonial Pipeline conducted by DarkSide, and several more that were the handiwork of REvil (short for Ransomware Evil). In the wake of these, pressure mounted on Biden to respond. But his public rejoinders amounted to warnings and threats directed at President Putin.
Harvard law professor Jack Goldsmith summed it up well in “Empty Threats and Warnings on Cyber.” As he pointed out, Biden has not been alone in warning the Russian Bear to back off. The Trump and Obama administrations also issued periodic threats, Goldsmith noted. But it has not been all talk. Sometimes the United States has engineered retaliatory strikes that we hear about only after the fact. But then Russia hits again. The administration fumes, fumbles for an answer, and finally threatens. Any teacher can tell you that threats without follow-through are quickly recognized for what they are: pleas for cooperation. And signs of weakness.
So, why doesn’t the U.S. just hit back? Few doubt the government has the capability. Goldsmith suggested one reason is that international law limits options when the provocation isn’t a conventional armed attack. The larger issue, he said, is the fear of setting off an escalating conflict. And the United States, the most digitized country on earth—and hence the most vulnerable—has the most to lose. I should add that we can’t be sure what the government may be doing behind the scenes. DarkSide and REvil recently appeared to shut down their operations—at least for the time being. There’s no way to know if these actions were voluntary or forced by a government. And if so, which one.
Even before the China indictment was announced, a salient issue was lost in the uproar. Where exactly are the red lines for nation states? They used to be fairly clear. Now they’re hard to decipher.
Red Lines for Nation States
The first time the United States government converted a threat into an action that established a cyber red line was in 2014, when the Department of Justice indicted five members of China’s People’s Liberation Army. (Some observers saw the indictment of people who would almost certainly never stand trial as mere bluster, but I argue it was, and is, much more.) In that instance, the Obama administration articulated a clear rationale. The indictment accused the PLA members of stealing confidential information, including intellectual property, from U.S. companies for the benefit of Chinese businesses that were supposedly partners of, or were litigating against, U.S. counterparts.
In the press release that accompanied the indictment, then-Attorney General Eric Holder explained that the Chinese government had crossed a line between political espionage, which all countries engage in, and economic espionage. As Holder put it: “Success in the global marketplace should be based solely on a company’s ability to innovate and compete, not on a sponsor government’s ability to spy and steal business secrets. This administration will not tolerate actions by any nation that seeks to illegally sabotage American companies and undermine the integrity of fair competition in the operation of the free market.”
Yet, the government’s criticism of Russia in the wake of the SolarWinds episode seemed to walk back that understanding. Most experts agree, based on what is known so far, that Russian government employees were behind the intrusion, and that it was not for economic gain. Nonetheless, the Biden administration imposed sanctions on Russia for its actions. Writing in Lawfare, Erica Borghard questioned why. She praised the administration for not calling SolarWinds a “cyberattack,” going on to say: “The distinction between cyber espionage and cyberattack is important because espionage—including spying that takes place in and through cyberspace—is a routine aspect of statecraft.” And, of course, the United States engages in as much of it as any nation.
Instead of theft, the Biden administration focused on another aspect. It called the intrusion “disruptive,” Borghard noted. She wondered whether this was supposed to be a new line. In the “Fact Sheet” that accompanied the sanctions imposed on Russia after the discovery of the SolarWinds hack, the administration added this about it: “The scope of this compromise is a national security and public safety concern. Moreover, it places an undue burden on the mostly private sector victims who must bear the unusually high cost of mitigating this incident.” So there’s an economic cost, but it’s not the result of theft. Is this supposed to be a new line?
Drawing a New Line
Beyond these questions, the public conversation has leapfrogged an important issue. In the past, nation-state attacks were those perpetrated by individuals who were employed by the nation in question. But some of the recent attacks attributed to Russia did not identify any of the military groups, like the GRU, that have been named in the past. Aside from SolarWinds, attributions for the other attacks have only meant that the perpetrators were believed to be operating out of Russia. For example, REvil claimed responsibility for an attack that affected between 800 and 1500 companies. Like the SolarWinds assault, it took advantage of a supply chain vulnerability: in this case, that of Kaseya, which sells software to help businesses manage their computer networks.
The United States seems to have no doubt that Vladimir Putin has the ability to control REvil. In blaming Russia’s president for attacks like this, Biden is also asserting that Putin has a responsibility to do so. On July 9, the Washington Post reported that Biden called Putin to deliver this message. “I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden said.
This is a new angle worth acknowledging. And it’s not just Biden who is redrawing the line. The G7 has thrown its weight behind this policy. In its communique in June following the G7 summit in Cornwall, England, paragraph 34 includes this exhortation: “We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions.” It’s clear that the G7 is not speaking of networks hired by or operating under the control of states. These are independent criminal groups reporting to no one and operating out of self-interest. And the G7 seemed to make a point of saying that this is a line that applies to “all states,” not just Russia. Or not just states that lack extradition treaties with G7 members.
We don’t know what Putin had to say to Biden over the telephone, or in their private meeting in Geneva in June, after Biden attended the G7 meeting. But this is what Putin said on the eve of the G7 summit in a televised interview with NBC News: “We have been accused of all kinds of things: election interference, cyber attacks and so on and so forth. And not once, not one time did they bother to produce any kind of evidence or proof. Just unfounded accusations.” This statement may be the single best justification for the time and effort that was required to present evidence to grand juries that returned all the indictments that named Russian nationals for allegedly engaging in the very acts that Putin cited.
So Where Are the Lines?
A final blurring of lines that was first detected a few years ago in Russia seems to have emerged full bore in China. We have generally thought of nation-state employees and gangs of cyber criminals as two distinct groups. One exception was Russia’s Evgeniy Bogachev. Indicted by the Justice Department back in 2014, a week after the first indictment was unsealed against China’s PLA, Bogachev operated the vast GameOver Zeus botnet. He and his gang used it to plant malware on the computers of businesses, steal their banking credentials, and then wire themselves money. They also surprised victims with ransomware attacks long before these were common. Bogachev never seems to leave Russia, and he’s never been apprehended. Like virtually all cyber criminals in Russia, he makes sure not to victimize Russians. And he may have bought himself an extra layer of protection by moonlighting for the state. As U.S. investigators labored for years to try to track him down, they discovered that he was conducting espionage on the side for his government. Another Russian cyber thief named Alexsey Belan did the same thing. Belan made his name hacking Yahoo, which resulted in huge data breaches and a 2017 indictment.
Those dual roles took a long time to detect because they were carefully concealed. That was apparently not the case with China. The unsealed indictment details a wide array of activities and an equally diverse cast of hackers. Not the kind of operation that’s easy to hide. One vestige of the old red lines in the indictment is the careful inclusion of the term that was groundbreaking when it was introduced in that first indictment in 2014. Count 2 is a conspiracy to commit “economic espionage.”
It’s hard to know where the lines are now. If a series of ransomware attacks suddenly originate from a new country, are the leaders there now on notice that their country could be sanctioned if they don’t take swift action—even if the country’s government was not involved? The statement made by the large coalition of countries that condemned China suggests it could. But none of the countries that condemned China has yet imposed penalties. Is the sanction red line only for Russia?
The U.S. has not acted to impose sanctions on China probably because the two economies are interdependent, and having been through years of tariff wars during the last administration, the current one has no desire to rekindle the conflict. And one thing we know about China’s leadership: They do not issue warnings and hollow threats. If sanctioned, they will almost certainly retaliate.