Background
The Challenge of Cyberspace
The rapid diffusion of information technology has remade economics, politics, and international affairs. It has transformed commerce, making global supply chains possible and generating enormous wealth. It has created social and cultural networks that span the globe. It has enabled people to overcome distance and share knowledge and ideas. It has provided powerful tools for political organization and protest.
The digital revolution has also created new sources of vulnerability. Countries, terrorists, and criminals can shut down power, communication, transportation, and financial networks with the click of a mouse. These attacks inflict not just massive economic losses but also death and physical destruction.
In recent years, cyberattacks have grown in frequency and sophistication. The 2016 U.S. presidential election was marked by repeated hacking incidents linked to Russian intelligence. Attacks have also targeted U.S. critical infrastructure. One of the most extensive cyberattacks on the United States to date began in late 2019 or early 2020, when a group of hackers hid a piece of malware in widely used network management software made by the company SolarWinds. The hacking campaign ran undetected until December 2020. This span of time allowed the group to gain access to the networks of some eighteen thousand companies and government agencies that installed the software. The group was able to steal data from at least one hundred companies and nine U.S. government agencies. In May 2021, a ransomware attack on Colonial Pipeline forced the U.S. company to shut down operations. This resulted in fuel shortages along the eastern seaboard of the United States. The escalating scale and scope of those attacks have underscored the need to bolster U.S. cyber defenses.
Countries have yet to figure out how to limit competition in cyberspace. Malicious software (malware) is impossible to count or control. Agreements like those that limit nuclear competition do not exist for digital weapons. Although acceptance of international law in cyberspace is growing, great uncertainty remains about how it should be applied. Major powers, including the United States and China, have been willing to discuss threats in cyberspace but slow to develop a policy framework.
The Evolution of U.S. Cyber Policy
Throughout the early 2000s, the United States was hesitant to openly acknowledge its operations in cyberspace. Experts widely believe that the United States and Israel were behind Stuxnet, one of the world’s first cyber weapons. The malware was designed to slow Iran’s nuclear program by damaging centrifuges at the Natanz nuclear facility in 2009. Still, both countries denied any involvement.
After years of silence, the U.S. government has gradually become more transparent about developing and using cyberattacks. The 2015 Defense Department Cyber Strategy explicitly recognized offensive missions. Furthermore, the Pentagon began to develop cyber capabilities that can support military operations. The first public acknowledgment of the United States using cyberweapons came in February 2016, when Pentagon officials announced that U.S. Cyber Command had launched attacks against the self-proclaimed Islamic State. Since then, Cyber Command has grown from approximately nine hundred personnel to more than six thousand.
The United States and China have a history of clashes in cyberspace. According to a 2013 Washington Post report, Chinese hackers have stolen information relating to more than two dozen U.S. weapons programs. This stolen information includes the Patriot missile system, the F-35 Joint Strike Fighter, and the U.S. Navy’s new littoral combat ship. The White House, the State Department, the Office of Personnel Management, and NASA have been breached. Attacks on U.S. companies including Adobe, Disney, General Electric, Google, Johnson & Johnson, and Yahoo have also been publicly reported. In addition, Chinese hackers have reportedly targeted the negotiation strategies and financial information in energy, banking, law, and other sectors.
In response to U.S. claims of Chinese hacking, China has noted that it is also a victim of cybercrime. China claims that the majority of attacks against it originate from internet protocol (IP) addresses in the United States, Japan, and South Korea. Chinese media were quick to echo claims by former National Security Agency contractor Edward Snowden that the United States hacks targets on the Chinese mainland and in Hong Kong.
Washington has steadily increased pressure on Beijing over cyber espionage. In April 2015, President Barack Obama signed an executive order that declared a national emergency to deal with the threat of “significant malicious cyber-enabled activities.” This move allowed for economic sanctions against companies or individuals that profited from cyber theft. The order threatened to block financial transactions routed through the United States, prevent exports to the United States, and prevent executives of the companies that benefit from the hacks from traveling to the United States.
In August 2015, the Washington Post reported that the Obama administration planned to levy these sanctions against Chinese companies in the lead-up to a summit the following month between Presidents Barack Obama and Xi Jinping. Perhaps because of the threat, the summit produced a breakthrough agreement. Both sides agreed that “neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.” Washington and Beijing also agreed to identify and endorse norms of behavior in cyberspace. They agreed to establish two high-level working groups and a hotline between them. After departing the United States, Xi signed similar agreements with the United Kingdom and at a Group of Twenty meeting in Turkey.
Following the presidents’ September summit, the cybersecurity firm FireEye reported a sharp decline in the number of Chinese cyberattacks. However, the firm also suggested that actors could simply have become stealthier and more difficult to detect. Former U.S. Assistant Attorney General John P. Carlin confirmed the company’s findings that attacks were “less voluminous but more focused, calculated, and still successful.”
The U.S.-China working group on security issues met only once before the end of the Obama administration, but the cybercrime group reported some progress. The two sides established a point of contact and a designated email address. They also successfully cooperated on taking down websites with false information. After Donald Trump met Xi Jinping in April 2017, Washington and Beijing agreed to a U.S.-China Comprehensive Dialogue that would have four pillars, including one on law enforcement and cybersecurity. The negotiations broke down before the two countries could come to an agreement.
In 2018, the Trump administration implemented a series of sweeping tariffs on Chinese goods. The administration cited unfavorable trade practices and Chinese theft of American intellectual property. The resulting trade war stalled cooperation on cybersecurity. According to cybersecurity firms, cyberattacks on American businesses and government agencies have increased since the trade war began.
In September 2018, the Trump administration announced a more aggressive cybersecurity strategy. It authorized using offensive cyber operations as a deterrent against foreign cyberattacks. This strategy, known as defend forward, focused on observing, countering, and disrupting adversary operations before they affect U.S. networks. The Trump administration further oversaw the creation of the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security. The goal of CISA is to coordinate and improve government defenses against cyberattacks. Despite this increase in offensive operations, officials have continued to warn that critical U.S. government agencies remain dangerously unprepared to defend against cyberattacks. For example, in June 2023, a group of Russian cybercriminals led a global cyberattack targeting personnel data from several U.S. government agencies.
The Joe Biden administration has reaffirmed the importance of cyber issues to U.S. national security and taken steps to improve U.S. cyber defenses. The administration also increased efforts to deter cyberattacks by imposing costs on perpetrators, and invigorated diplomatic efforts toward cyber norms. Soon after the May 2021 Colonial Pipeline attack, the Biden administration released an executive order designed to improve U.S. cybersecurity. This included a significant increase in funding. Requests for cyber operations in the 2023 defense budget totaled $13.5 billion, an increase of more than 30 percent from 2021. In addition to increasing the financial resources going toward cybersecurity, U.S. Cyber Command has also changed its approach in responding to cybersecurity threats. In a Cyber Strategy Report published in September 2023, the department called for expanding beyond its previous mandate of just protecting U.S. military networks. Instead, it suggested “opening up communications with other federal agencies and the private sector,...and increasing assistance to foreign allies.”
Meanwhile, tensions between the United States and China have remained high. The first round of high-level talks between Washington and Beijing since Biden’s inauguration was marked by tense rhetoric and yielded little progress toward addressing ongoing issues including cyber concerns. Although high-level meetings have continued to occur between the two leaders, concerns over Chinese activity in cyberspace have remained high. The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment underscored that China still represents “the broadest, most active, and persistent cyber espionage threat to the U.S. Government and private-sector networks.” This sustained tension, coupled with continued U.S. vulnerabilities in cyberspace, highlights the continued need for increased cyber preparedness.