Did China cross a new red line in cyberspace?
supply chain vulnerabilities. While the Solarwinds hack helped Russia gain insight into US decision making practices and sensitive information, Moscow’s hackers were targeted and methodical in their exploitation of America’s cyber vulnerabilities, wary of causing collateral damage.
By contrast, the Mumbai hack showed complete disregard for collateral damage. In fact, since then, Beijing demonstrated similar disregard in its breach of Microsoft earlier this year, which exposed vulnerabilities in thousands of companies for criminal actors to exploit. The Microsoft operation appears to be Beijing’s latest effort to conduct espionage and widespread intellectual property theft as part of China’s decades-long cyber-enabled economic warfare campaign, which has undermined the longterm economic and national security of the United States and its allies and partners. In addition to intellectual property theft, the Chinese have conducted aggressive efforts to steal American citizens’ personal data, collecting as much information as possible for further exploitation and analysis.
Four years ago, the world witnessed how a similar disregard for collateral damage in a disruptive and destructive attack could spiral beyond an attacker’s control. In 2017, Russian state hackers targeted Ukraine’s banks and federal agencies using Notpetya ransomware to punish Kyiv and destabilize the country. The operation immediately had unintended consequences, spreading to the electrical power infrastructure. Forensic analysis of the malware revealed that because the hackers used a computer worm with the ransomware package, it inadvertently and indiscriminately infected machines elsewhere in Ukraine and then moved outside Ukraine, causing significant economic damage across Europe.
The lack of attacker controls to limit which machines were infected could have led to significant escalation. Had the ransomware spread even more aggressively, the United States and its European allies might have chosen to respond with actions beyond economic sanctions, such as a cyber response in kind or other form of escalation. At the time, Russia appeared to have signalled it was willing to take that risk to punish a recalcitrant neighbour.
Last year’s Cyberspace Solarium Commission report urged Congress and the White House to issue a declaratory policy that clarifies what cyber activity Washington finds unacceptable and more clearly conveys US intent and willingness to respond to attacks against the United States and its allies and partners.
America must reinforce this declaration with a rapid and effective system for attributing malicious behaviour, and ensuring it has the appropriate coordination, authorities, and capabilities in place to enable quick offensive and defensive responses to malicious cyber activity.
China’s contesting of norms in cyberspace appears to risk miscalculation and potentially significant escalation. This irresponsible behaviour is especially worrisome from a nucleararmed state. The United States needs to firmly establish the declaratory and signalling guidance recommended by the Cyberspace Solarium Commission or risk allowing its adversaries to continue to define the terms of acceptable behaviour in cyberspace. In such a world, the American people, and citizens of our allies and partners like India, would have to live with the risk that a nuclear-armed adversary could accidentally trigger escalation or take steps that cripple civilian critical infrastructure in times of crisis.
Mark Montgomery is senior director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Trevor Logan is a cyber research analyst. FDD is a nonpartisan research institute focused on national security and foreign policy. Follow Mark and Trevor on Twitter @Markcmontgomery and @ Trevorloganfdd.