Chinese military officers watch during a parade to celebrate the 70th Anniversary of the founding of the People’s Republic of China in a 2019 photo. (Kevin Frayer/Getty Images)

WASHINGTON: Leading cyber policy and strategy experts say that while the US’s Monday formal attribution and response to China for a widespread cyberespionage campaign earlier this year may not be as strong as some would like, it must be viewed as just the first step in a longer campaign to pressure China on its cyberspace activities.

“It’s part of a larger diplomatic strategy,” James Lewis, senior fellow at the Center for Strategic and International Studies, told Breaking Defense in an interview. “And so, this is better seen as a first move. Some people are looking at too short a timescale. They say there weren’t consequences this time, but I think [the US government] is looking at all the parts of strategy that will put pressure on China.”

The next step in that diplomatic strategy could happen as soon as Sunday and Monday, when Deputy Secretary of State Wendy Sherman will meet with Chinese State Councilor and Foreign Minister Wang Yi and other officials in the city of Tianjin, the State Department announced yesterday.

“These discussions are part of ongoing U.S. efforts to hold candid exchanges with PRC officials to advance U.S. interests and values and to responsibly manage the relationship,” the State Department said. “The Deputy Secretary will discuss areas where we have serious concerns about PRC actions, as well as areas where our interests align.”

Since Monday, when the US and a host of allies and partners attributed the hacking of Microsoft Exchange servers and rebuked the global cyberespionage campaign, China has strongly denied the allegations through official spokespersons. The country is also responding in its media, including the Global Times, an English-language Chinese Communist Party mouthpiece aimed at communicating CCP stances to the West.

A Global Times op-ed published shortly after the attribution called the US and allies’ claims “a huge lie” and “slander.” The op-ed then warned, “If the US takes aggressive measures, carries out national-level cyber attacks on China, or imposes so-called sanctions on China, we will retaliate.”

Herb Lin, an expert on cyber policy and strategy at the Center for International Security and Cooperation and Stanford University’s Hoover Institution, told Breaking Defense the attribution “caught [China’s] attention.” China’s reaction has been, “rhetorically, pretty strong,” despite the fact no consequences were imposed.

Still, Lin observed of the attribution, “The fact that something is symbolic doesn’t mean it’s worthless, and the fact of the matter is that we’ve managed to do something that we haven’t been able to do before, which is we’ve been able to get a whole bunch of different countries, Western allies, to condemn this as a bad thing to do. And we’ve attributed it to China, and that’s a non-trivial thing. It would have been a stronger statement if they had been willing to go out further, but they obviously weren’t willing to.”

Why Were No Consequences Imposed on China for the Hacks?

The lack of hard action against China on Monday stands in contrast to the US response to Russia in April, when the US government formally attributed the SolarWinds cyberespionage campaign to the Russian Foreign Intelligence Service (SVR) and applied additional economic sanctions.

Deputy Secretary of State Wendy Sherman, seen here in a 2015 photo, will be meeting with Chinese officials next week.

Russia has for years been under US economic sanctions for its cyberspace activities, but Lewis notes that the Russians “don’t care.” China is different in this regard, as evidenced by its aggressive pushback against Western nations for banning Chinese-manufactured telecommunications equipment for fear of vulnerabilities that would allow spying.

There are likely multiple factors underlying the dissimilar responses because there’s an “entirely different calculus” at play with China compared to Russia, Lin noted.

China is the second largest economy in the world (behind the US) and the second largest US trade partner (after the European Union). The US is China’s largest trade partner. China’s economy continues to grow at a healthy clip, even if less rapidly than in years past, and the country is aggressively investing to modernize and expand its military.

China has also been directly competing with the US for influence in emerging economies like Southeast Asia and Africa through its Belt and Road Initiative, which entails investments in domestic economies, as well as strategic and trade alliances. Such differences create a different geopolitical, strategic, and economic dynamic in US-China relations versus the backdrop of US-Russia relations.

But the US-China trade relationship is a primary point of tension underlying how the US should respond to China’s “unsanctioned global cyber operations,” as Monday’s White House statement characterized Chinese behavior.

“The relationship with China does complicate things, in part because the business community is much more leery about taking steps against them,” Lewis observed, adding that there are already people in the tech community and in the IT business world saying the US shouldn’t do anything.

“It’s incredible,” Lewis said, but added, “The politics are a little more favorable, because if there’s one issue that the Hill is united on, it’s that they don’t like or trust China. So the political fight gets covered, but you’ve got businesses mumbling about how bad this is for business, and that’s a bit of a problem.”

Lewis also pointed to European hesitancy over confronting China in contrast to, more or less, US-European solidarity against Russia. “[The Europeans] are worried about Russia,” Lewis said. “They’re worried about China, too, but they’re not as far along. And so you’ve got people who want to do business with China that don’t like taking action, and that could be in the US, that could be in Europe, but that doesn’t apply to Congress.”

To Lewis’s point, Rep. Mike Rogers, R-Ala., ranking member of the House Armed Services Committee, sent a letter to President Biden yesterday urging action. The letter specifically calls for Biden “to impose significant sanctions using the authorities in Executive Order 13694, criminal charges, or other punitive measures against the People’s Republic of China and the state affiliated actors responsible for the cyberattack on the Microsoft email exchange.”

“A failure in this situation to punish the People’s Republic of China in a manner comparable to our response to Russian hostilities creates an unacceptable double standard in this era of great power competition,” the letter notes.

Lin pointed to potential responses that would be viewed by the Chinese as escalatory, but cautioned such actions could “poison the well,” negatively impacting a range of other areas where US-China cooperation is desired or needed.

Lin acknowledged many people want responses that “have more teeth. Sure, I’d like that too,” he explained, but “How much pain you’re willing to inflict? That’s very, very hard to answer.”

The US government has identified China as being behind a series of hacking efforts. (File)

What is the Significance of NATO’s Reaction?

There are other noticeable differences between the China and Russia attributions. This includes the number of allies and partners that joined with the US to condemn China’s activities, including the United Kingdom, Australia, Canada, New Zealand, Japan, the European Union, and — perhaps most notably — the North Atlantic Treaty Organization.

On Monday, NATO released a statement saying it “stand[s] in solidarity” with countries affected by the Microsoft Exchange campaign and that it “acknowledge[s] national statements by Allies… attributing responsibility for the Microsoft Exchange Server compromise to the People’s Republic of China.”

Monday’s NATO statement marks the first time the 30-member nation-state military alliance has publicly endorsed a member nation’s attribution of hacking to another country.

Notably, the carefully worded statement stopped short of NATO itself attributing the campaign to China. This is consistent with the position laid out in a Joint Communique issued following a June meeting, in which NATO said, “Individual Allies may consider, when appropriate, attributing hybrid activities and responding in a coordinated manner, recognising attribution is a sovereign national prerogative.”

The Joint Communique went on to say that, “We will make greater use of NATO as a platform for political consultation among Allies, sharing concerns about malicious cyber activities, and exchanging national approaches and responses, as well as considering possible collective responses. If necessary, we will impose costs on those who harm us. Our response need not be restricted to the cyber domain.”

“It’s a huge step forward, and so the Europeans are moving in our direction,” Lewis said of the NATO statement on the US attribution to China. “We probably could not get the European Commission to say that. We couldn’t get the Germans to say it. The fact that NATO came out is a major step. It’s a major signal to Beijing. [NATO’s statement] probably shook Beijing.”

Lewis added that the latest attribution once again highlights China’s cyberspace activities and ultimately influences countries’ perceptions. “Think about all the discussion of Chinese espionage. It’s had a global effect. Those things hurt China. Those are penalties or costs.”

Asked if NATO’s statement is significant, Lin said, “Absolutely, I think there’s no question about it. What it shows [China] is that the efforts they have been making towards the West to appear more friendly haven’t worked. They would like to appear to the West to be non-threatening.”

Lewis also pointed to the potential effect this could have on China’s use of so-called “wolf-warrior diplomats,” which Lewis characterized as “exceptionally aggressive.” Lewis added, “I love the wolf-warrior diplomats because every time they open their mouths, the Europeans move a little closer to our position.”

Lewis said China’s leader Xi Jinping has noticed that. “[Xi is] worried about the fact that Europe is drifting towards the US, and so he’s paying close attention to the diplomatic effect of Chinese activity,” Lewis observed. “The debate is, can he afford to change? Some people say no, the wolf-warrior diplomats will be back, but the Chinese have started to realize that their public image isn’t so good.”

What’s Next?

Lewis and Lin agreed that the attribution is likely not the last chapter in this saga, so what lies ahead?

NATO Secretary General Jens Stoltenberg and President Joe Biden.

In addition to diplomacy, there are also questions around potential economic sanctions. Lewis noted that already “There are economic penalties being leveraged against China. They’re not the same as the Russian’s though, but when you go after the Chinese’s ability to sell to foreign markets, it begins to put pressure on.”

Lin said economics does and will continue to be part of the discussion and possible future actions. “Economics plays a large part because you can apply economic leverage in a way that hurts a country without actually going to war.”

Asked how effective economic sanctions can really be, given the US’s longstanding sanctions on Russia haven’t changed that country’s behavior, Lin said, “What we know is that the economic sanctions [we have imposed] haven’t worked. We have not exhausted the list of possible economic sanctions, not by a long shot. You just have to be willing to do them.”

Still, Lin acknowledges there remain broader questions about the effectiveness of any type of economic sanction to deter nation-state cyberspace operations. “To say that there are combinations of sanctions [and] response measures that will eliminate this entirely is just absurd. It’s like saying you’re going to stop crime. You’re never going to stop crime. Maybe you can reduce the frequency of it, maybe you can reduce the severity of it, maybe you can make it easier for people to recover, but you can’t deter it in the sense you’ve deterred nuclear war.”

And besides, Lin notes, “The problem with deterrence is that you can never tell when you’ve been successful because what you’re measuring is non-events. You don’t know why something doesn’t happen.”

“What you can do is maybe delay the time in between, but that’s not a satisfying answer,” Lin continued. “One of the [issues] in all of this is that people think there’s a decisive solution to it. And there isn’t any decisive solution. This is just going to go on forever. It may happen less frequently, but it’s just going to go on forever. There’s no getting around that fact.”