
What Makes This Attribution of Chinese Hacking Different

U.S. allies have joined Washington in voicing concerns about Chinese cyber behavior after the Microsoft Exchange hack. But lingering differences between the partners could still blunt an effective response.

Published on July 22, 2021

This week, the White House called out the Chinese government for conducting or permitting a range of irresponsible behaviors in cyberspace. The statement referenced malicious cyber activities carried out by China’s Ministry of State Security, such as the recent Microsoft Exchange hack, as well as cyber criminal activities by proxy actors affiliated with the Chinese government.

In tandem, the EU, NATO, the other Five Eyes allies (the UK, Australia, New Zealand, and Canada), and Japan all issued similar statements. The White House’s statement was also coupled with a U.S. Department of Justice indictment against four Chinese nationals working for the Ministry of State Security responsible for cyber activities spanning 2011 to 2018. Meanwhile, there was also a joint cybersecurity advisory issued by the National Security Agency, Cybersecurity and Infrastructure Security Agency, and Federal Bureau of Investigation detailing more than fifty tactics, techniques, and procedures employed by Chinese actors and ways network defenders can mitigate them.

Two things stand out about these statements. First, the wide range of countries joining the United States in publicly condemning irresponsible Chinese cyber behavior is notable. Second, differences in the substance of the various statements, while not surprising, raise questions about the path forward for international cyber norms.

Statements of Joint Condemnation

The White House emphasized that “an unprecedented group of allies and partners” joined the United States in denouncing Chinese behavior in cyberspace. Of course, this is not the first time allies have coordinated with the United States to publicly attribute a cyber incident. For example, in 2018, seven countries, including the United States, issued public statements linking the NotPetya cyber attack to the Russian government. Yet the recent coordinated attribution involving China represents the largest contingent of countries to make such coordinated statements and goes far beyond just including the United States’ closest intelligence partners, such as its Five Eyes allies. This is an inherently positive development for international cyber norms—it shifts the discourse away from a generally unilateral U.S. perspective toward a broader consensus.

And even in the context of the Five Eyes alliance, the statement from New Zealand stands out. Recently, there has been speculation about potential rifts between New Zealand and the other Five Eyes allies over China. While New Zealand has previously attributed other malicious cyber activity to China, as it did in this 2018 statement by the Government Communications Security Bureau, this latest statement contained stronger language. This may be a sign that possible disagreements among the Five Eyes allies have been ameliorated.

Subtle Signs of Differing Views

But differences in language and substance across the statements are also illuminating. The U.S. statement was the most specific, direct, and detailed. This is not surprising given the United States’ history of issuing similar types of attribution statements and the greater salience of geopolitical competition—in cyberspace and beyond—between the United States and China. Further, the White House statement builds on recent attempts to provide greater clarity about why it defines certain types of cyber incidents as falling outside the scope of responsible behavior (such as its description of the SolarWinds incident as beyond the bounds of routine cyber espionage). In this instance, the United States noted China’s apparent unwillingness to address cyber criminal behavior, including ransomware, cyber-enabled intellectual property theft, and cyber espionage that undermines the broader stability of cyberspace. This attempt to distinguish between different forms of cyber behavior and explain in more detail why certain incidents are problematic is a positive development—it makes cyber norms more tangible and concrete. Looking ahead, the United States should continue to engage its allies to work toward more specific messaging so that Western democracies present a more consistent view on the boundaries between responsible and irresponsible cyber behavior.

The NATO statement stood out because this was the first time the alliance has publicly condemned Chinese cyber behavior. This is the case despite recent efforts by NATO members to elevate cybersecurity issues on the alliance’s agenda. Such steps include issuing a Comprehensive Cyber Defence Policy, establishing a military Cyberspace Operations Centre that will be fully operational in 2023, and affirming (in the wake of the Brussels summit in June 2021) that cyber incidents could trigger NATO’s mutual defense clause.

Meanwhile, the EU statement emphasized the systemic risks created by China’s behavior in relation to the Microsoft Exchange hack, but its language around other Chinese-linked activities was vague and simply referred to groups associated with cyber espionage and intellectual property theft. The EU language also contained more caveats about Chinese responsibility, referring to “malicious cyber activities . . . undertaken from the territory of China,” rather than directly calling out the Ministry of State Security (which the U.S. statement did) or even the Chinese government.

This is not surprising given sensitivities in Europe to the strategic implications of economic links between EU members and China. However, the weaker attribution language in the EU statement may have provided China with an opportunity to continue exploiting differences in perspectives across the transatlantic alliance about how to address the strategic challenge posed by China. In fact, in reacting to the attribution statements, a Chinese foreign ministry spokesperson claimed that Europe’s actions were inconsistent with its purported desire for greater strategic autonomy from the United States.

Also of note, the EU statement specifically referenced the consensus-based norms of responsible cyber behavior that were recently affirmed by UN members, presumably to hold China accountable to agreements to which it has just signed on. In contrast, the U.S. statement referred to G7, EU, and NATO commitments and also called out China for the disconnect between its behavior and the image it seeks to project as a responsible global leader. However, the White House refrained from explicitly linking Chinese cyber activities to the international norms affirmed via the UN. The conspicuous absence of these UN norms from the U.S. statement seems to be a lost opportunity to reinforce not only norms of responsible behavior delineated by Western democratic states but also more international, multilateral norms agreed to by a far more diverse set of countries.

An Uncertain Path Forward

Finally, while the White House should be commended for pursuing more robust coordinated attribution that identifies problematic behavior and reaffirms international norms, it is not clear what additional responses or punitive measures the United States, alone or together with allies, will seek to impose on China as a result. Some commentators have called for the United States to impose sanctions on China, similar to its response to the SolarWinds hack. Setting aside the legitimate question of whether sanctions are even a useful policy instrument to address malicious cyber behavior, economic interdependence between the United States and China (as well as Europe and China) means that the consequences of imposing sanctions on Beijing would be far more significant than sanctions against Russia. It is also not clear whether the United States has sufficient political capital to convince European states to sign onto Chinese sanctions.

That said, statements about norms without meaningful enforcement will do little to make cyber norms viable over the long term. Therefore, President Joe Biden and his administration should soon convey to the American people, allies and partners, and adversaries some information about how the United States intends to enforce these norms. Otherwise, non-actions may speak louder than words.

Carnegie does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie, its staff, or its trustees.