ARGUMENT: Cyber retaliationU.S. Leads Coalition Accusing China of Hacking
On 19 July, the United States joined other countries in condemning the hacking by Chinee government hackers of Microsoft Exchange email server software. Despite the condemnations, there have not been any sanctions against China for its role in the breach, leading critics to charge that the Biden’s response was weak and “not proportionate to the severity of the breach.” Abby Lemert and Eleanor Runde write that “Part of the problem is that escalatory retaliation carries special risks to a highly digitized society like the United States. Accordingly, some commentators assess that Biden’s response is properly calibrated to the risks.”
On 19 July, the United States, joined by the European Union, NATO, the other “Five Eyes” member nations (Britain, Canada, Australia and New Zealand), and Japan condemned the hacking of Microsoft Exchange email server software, which became public in March and is believed to be the work of hackers tied to the Chinese Ministry of State Security (MSS).
Abby Lemert and Eleanor Runde write in Lawfare that the intensity of the condemnations varied.
Despite the condemnations, there have not been any sanctions against China for its role in the breach.
Some political figures and cybersecurity experts have criticized President Biden’s response as weak and “not proportionate to the severity of the breach.” According to one top cybersecurity expert, the Microsoft hack was the most reckless operation yet by Chinese actors and, while the administration contends that “further action” is still on the table, there is no reason to delay. Others wondered why it took months for the administration to acknowledge China’s role in the breach; officials pointed to “the scope of the intrusions, the desire to fully understand China’s role and the need to recruit allies for a joint announcement.” A week before the coordinated statement, Jack Goldsmith laid out the Biden administration’s pattern of warnings and threats on cyber retaliation, and lamented the stagnation of American cyber policy—which, he argues, has not changed strategically since the Russian interference in the U.S. election of 2016.
Part of the problem is that escalatory retaliation carries special risks to a highly digitized society like the United States. Accordingly, some commentators assess that Biden’s response is properly calibrated to the risks.
Lemert and Eleanor Runde note that despite the delay and caution of this response, the developments of the past few months suggest a new focus on shoring up American cybersecurity with additional government intervention and guidance in the private sector.
In the wake of the Microsoft attack, the FBI requested and received a court order authorizing removal of backdoors from private email servers—the first time the bureau has exercised that type of direct remediation authority.
