Accuse, evict, repeat: Why punishing China and Russia for cyber attacks fails

The Chinese flag flies outside of the Chinese consulate in Houston on July 22, 2020. PHOTO: AFP

NEW YORK (NYTIMES) - As smoke poured from the Chinese Consulate in Houston on Wednesday (July 22), the product of an old-fashioned ritual in which evicted diplomats touch off a bonfire of classified documents after being ordered to leave the country, Trump administration officials boasted that they were hitting Beijing where it hurts - in one of the epicentres of its spying operations in the United States.

The technique the administration chose - accuse, condemn, evict - has been used before. And, so far, there is scant evidence that it has limited the cyber attacks and other bad behaviour from America's two greatest rivals for influence and power around the world, China and Russia.

Officers of the Chinese People's Liberation Army were indicted in 2014 for an extensive effort to bore inside American companies.

The result was an impressive "Wanted" poster by the FBI, but six years later, none of them have been apprehended to stand trial in the US on charges of looting some of America's biggest companies.

Two years ago, 12 Russian intelligence operatives were indicted by Mr Robert Mueller, the special counsel who investigated both Moscow and President Donald Trump.

They have also evaded trial. The President closed two Russian diplomatic facilities that the US said were dens of spies operating under diplomatic cover, and ordered more evictions.

Yet the hacking and the disinformation operations have proceeded unabated, and by some measures have accelerated.

"There is no doubt that China represents a tremendous espionage threat for the United States," said Mr Abraham M. Denmark, who runs the Asia programme at the Woodrow Wilson Centre for International Scholars and was a senior Defence Department official.

"The question here is not China's culpability - I expect it's solid - but rather if suddenly closing the consulate in Houston will address the problem."

It probably won't, most cyber experts inside and outside the government concede.

After years of trying to figure out how to deter cyber attacks - by naming and shaming, indicting and sometimes even counterattacking - the problem of halting attacks that remain short of war is proving far more complex than deterring nuclear holocaust.

"Our problem is that we have to be much more clear about what actions we won't tolerate and what the consequences will be," said Representative Jim Langevin, a Rhode Island Democrat, who served on the congressionally created Cyberspace Solarium Commission, which recommended a series of steps to increase deterrence this year.

When it comes to defending against cyber attacks, Mr Langevin said, the Obama administration was overly cautious and the Trump administration "is too often shooting from the hip".

In fact, both presidents have often used the same tools - mostly drawn from a 19th century diplomatic playbook that is being applied to a 21st century challenge. It shouldn't be a surprise that it isn't working.

It is a reminder of two things. First, in the cyber age, closing a diplomatic facility has the faint ring of the Cold War, but most of the attacks on American corporations, laboratories and the government are launched from servers outside US borders.

And second, without firing a bullet or dropping a bomb, an adversary can deliver a crippling setback to the US by infiltrating American computer networks, whether the target is the design for the F-35 warplane or a potential coronavirus vaccine.

To Mr Trump's credit, orders he issued two summers ago have resulted in more aggressive pushback, what the National Security Agency and the US Cyber Command call a strategy of "defend forward".

That means they go deep into an adversary's computer networks, sometimes to strike back, but more often to signal that an attack will not be cost-free.

"The central issue is that they need to know they will pay a price," Mr Langevin said.

It was the Obama administration that moved more aggressively to indict cyber actors, making public the information about who was behind the hacks that until then was available only to those who had the clearance to read classified intelligence briefings.

"It was a long-overdue step," said Mr John P. Carlin, who spearheaded the strategy as the chief of the Justice Department's national security division.

Mr Carlin, who later wrote about the experience in the book Dawn Of The Code War, said that "it is a good way to make the detail public in a credible way, with the high standard that you believe you can prove your case beyond a reasonable doubt".

If you do not do that, he said in an interview on Wednesday, "the message you are sending is that you are decriminalising this activity."

Just before Mr Carlin left office in 2016, President Barack Obama and Mr Xi Jinping, the Chinese leader, announced an agreement that should have ended cyber theft of corporate data.

It worked for a while, then fell apart. The Chinese military's hacking diminished, but the slack was picked up by operatives of the Chinese intelligence agencies.

On Tuesday, for example, the Justice Department accused a pair of Chinese hackers of targeting vaccine development on behalf of the country's intelligence service.

The lesson may be that while the indictments are necessary, they may not be sufficient.

So when General Paul M. Nakasone took over as the director of the NSA and the commander of US Cyber Command, he turned to more aggressive actions.

The NSA shut down the Internet Research Agency in St Petersburg for a few days around the 2018 mid-terms and sent warnings to Russian intelligence officers. It has worked to sabotage North Korean and Iranian missiles.

The best argument for the strategy is that, so far, no one has turned off the power grid in the US or conducted a similarly crippling strike.

But when it comes to stealing corporate or national security secrets, the cost-benefit analysis conducted in Moscow and Beijing usually comes back with the same conclusion: The benefits still outweigh the costs.

While Mr Trump has periodically threatened the Chinese with trade sanctions in response to their hacking, and thrown Chinese telecommunications firms like Huawei out of the country rather than let them dominate next-generation telecommunications networks, he has also periodically suggested these penalties could be bartered away in a good trade deal.

That does not exactly establish red lines.

"There is no evidence of significant pullback by the Chinese and the Russians," said Mr Gregory Rattray, who first dealt with these issues working for President George W. Bush's National Security Council and now runs a cyber security consulting firm, Next Peak.

"It's possible that we don't have a better option than to create less exposure, which means focusing on protecting the data you have and thinking more about defence," he said.
