Biden administration debates whether and how to sanction China for ransomware attacks
When the administration in April attributed SolarWinds’ massive spy campaign to Russian intelligence services, it simultaneously announced sweeping sanctions against Russian finance and technology companies and expelled 10 diplomats from the Russian embassy in Washington. But the administration took no such punitive action against China on Monday when it accused China’s State Security Ministry of facilitating a massive hack into Microsoft’s messaging system and other ransomware attacks worldwide.
The disparity sparked questions from cybersecurity experts – including at the White House directly on Monday morning, according to a person familiar with the outreach – about why they appeared to be out of the game with Beijing in a way that they were not with Moscow.
“I think the lack of sanctions is a problem,” said Adam Segal, cybersecurity and China expert at the Council on Foreign Relations. “The Chinese are not going to take a stern warning and suddenly change their behavior for some reason.”
The response so far, much to the chagrin of some more hawkish officials and experts, has been simply to be patient.
White House press secretary Jen Psaki has sought to play down any distinction between the United States’ response to China and Russia after the United States and its allies accused China of widespread embezzlement in cyberspace, claiming that the United States “does not differentiate” its response to the two countries.
“We do not allow any circumstance or consideration to prevent us from taking action when warranted. And we also reserve the right to take additional action if it also warrants it. This is not the conclusion of our efforts regarding cyber activities with China or Russia,” Psaki said.
The administration has no illusions that international pressure alone will be enough to change China’s behavior, said a person familiar with the ongoing talks. President Joe Biden hinted at more to come on Monday, telling reporters “the investigation is not over.” State Department spokesman Ned Price also told a briefing Monday that the United States “is not ruling out other measures if they are deserved and if they are appropriate.” No further action is imminent, however, and the White House is weighing all options.
A senior administration official told CNN on Monday that “we have made it clear that we will continue to take steps to protect the American people from malicious cyber activity, regardless of who is responsible for it. Plus, as we have said, the United States and our allies have not ruled out further actions.” The official added that the administration has made it clear to China that “as long as China continues its model of irresponsible malicious cyber activities, we will continue to work with our allies and partners to call them out, promote network defense and cybersecurity and take measures to disrupt the threats to our people.”
Cyber security experts have said that one option available to U.S. officials is an executive order, signed under the Obama administration, that allows the U.S. government to sanction beneficiaries or facilitators of industrial espionage via a cyber intrusion. The order is still on the books and can be invoked at any time.
Before imposing sanctions, US officials would embark on a detailed interagency process to assess the risks of a possible backfire as well as the likelihood of the action changing Chinese behavior, said Christopher Painter, a former senior US chief cybersecurity officer.
“It will be a sustained campaign,” he said, “and you will need to use a lot of different tools. And sanctions need to be in that list of tools.”
An administration official involved in the deliberations separately told CNN that “today we did everything we were willing to do at the moment, which is to drop the charges, name and shame.” He was referring to an indictment released Monday by the Justice Ministry, which accuses China’s State Security Ministry of relying on a shell company to carry out cyber attacks.
The official said there were ongoing discussions about potential sanctions, and said the threat of economic consequences is what brought Chinese President Xi Jinping to the table with President Barack Obama in 2015, where they reached a common cyber “deal” to try to curb corporate spying.
But he warned that no consensus had been reached.
“The economic reality is that we are much more linked to China than to Russia, and we have much less room to accept sanctions,” he added.
The same is true of many key allies of the United States, with whom the Biden administration prefers to coordinate major foreign policy actions.
NATO, the UK and the European Union joined the US on Monday in condemning China, and US officials said the united front presented on Monday was in itself a signal to Chinese officials that their behavior was moved.
“Part of the appeal of having such a broad coalition is that it sort of sets clear markers of what responsible behavior should be in cyberspace,” said Alexis Serfaty, senior analyst at Eurasia Group, a political risk consultancy. “It’s safe to say this is an unprecedented level of coordinated response.”
But U.S. officials have also privately acknowledged that joining the same group of countries with new sanctions would be a much more difficult move for the United States, if the Biden administration decides on that course of action.
Nations like Germany and Italy have at times balked at such public demonstrations of condemnation of China because of their economies’ interweaving with Beijing. At last month’s G7 summit in England, EU leaders first showed resistance to exposing some of China’s human rights violations in a final statement. Japan has also historically avoided public condemnation of Beijing because of its important regional relations with China.
Officials called Monday’s announcement a first step in challenging China’s cyberattacks that did not rule out further action such as sanctions. One of the main goals of US officials was to garner international support for the move, hoping that including countries in Europe and Asia in the announcement would project a united front to Beijing.
Getting so many countries and allies to support the condemnation is a meaningful diplomatic victory, Painter said.
“Look at the NATO membership,” he said. “There are a lot of countries in the EU, and countries outside the EU, where they themselves have complex relations with China. Getting NATO as a whole to say yes – I think that it’s a big problem.”
The administration hopes to maintain this united front in the future. Amid calls for sanctions or other punitive measures against China, Price suggested Monday that the United States would prefer any future action against China to be coordinated with the allies as well.
“We know that we cannot change the malicious cyber activity of the PRC on our own,” Price said, referring to the nation’s official name, the People’s Republic of China. He added that “we know we are going to be more effective, especially in those areas where our relationship is competitive or adversarial, as it can be in this area, when we bring our closest allies and partners.”
The senior administration official echoed this, telling CNN: “The key element for us here was to secure the membership of an unprecedented group of allies, including NATO, which for the first time made an attribution to China.” The official said the joint statement underlined “the extent to which we are getting countries around the world to recognize more and more that there is power in collective defense and that working together will be much more effective in countering this activity.”