全球智库信息集成服务系统

Available response options are not limited to the cyber domain, and no one should expect them to be

• The response options that U.S. policymakers consider for cyber espionage cases do not appear to have changed much over the past two decades — and, in some respects, they may be even more constrained today.

The benefits of cyber-enabled espionage continue to outweigh any perceived repercussions for such countries as Russia and China

• The historical record suggests that the United States has felt constrained in its ability to respond vigorously against Russia or China because of the notion that cyber espionage is a standard and accepted practice by nations.
• The record also suggests that the United States would not want to take steps to constrain its own ability to engage in similar intelligence activities in cyberspace.
• U.S. policymakers have assessed that breaches of confidentiality, although damaging in the long term, did not rise to the same level of acute damage to national security that another, more destructive form of cyber operation might entail.
• The United States has proved especially vulnerable to cyber incidents, and a lack of response appears to have emboldened the Russians and Chinese to continue and expand their cyber espionage activities over the years.
• Improving the U.S. ability to deter by denial — by strengthening the cybersecurity of the U.S. government — remains an elusive but vital priority.

Cyber-enabled espionage against the United States has been a challenge for more than 20 years and is likely to remain so in the future. In the aftermath of the 2020 SolarWinds cyber incident that affected U.S. government networks, policymakers, lawmakers, and the public asked: "Why does this keep happening, and what can the United States do to prevent it from reoccurring?" It is these questions that motivate this effort. Specifically, this report summarizes three cases of Russian cyber-enabled espionage and two cases of Chinese cyber-enabled espionage dating back to the compromise of multiple government agencies in the late 1990s up to the 2015 compromise of the Office of Personnel Management. The purpose of this inquiry is to address whether U.S. responses have changed over time, whether they led to changes in adversary behavior, and what the United States can learn from these cases to inform future policymaking. The authors show that policymakers typically consider a narrow set of response options, and they often conclude that not much can be done beyond trying to improve network defenses, because the United States "does it too." The authors suggest that the U.S. government could broaden its policy response options by increasing focus on diplomatic engagement, including working with partners and allies to call out malicious cyber behavior; expanding the use of active defense measures to root out adversaries; and employing more-sophisticated counterintelligence techniques, such as deception, to decrease the benefits that adversaries derive from cyber espionage.

• Chapter One

  Introduction

• Chapter Two

  Cyber Espionage, Deterrence, and Response

• Chapter Three

  Russia Case Studies

• Chapter Four

  China Case Studies

• Chapter Five

  Conclusion and Recommendations