State Sponsored Attacks: Is the US taking the gloves off?

It looks serious this time: the Trump administration says it’s ready to hit China with direct sanctions for what the US says is a sustained digital industrial espionage campaign. It’s quite unprecedented – at least as far as US policy is concerned – and is intended to apply real-world pressure on China so it stops what the Western world agrees it has been doing for a decade: the practice of gaining intellectual property, trade secrets and R&D information via military grade hacking, aka Advanced Persistent Threats (APTs).

Economic sanctions are a hard lined departure from the prior administration’s policy of treading lightly when it comes to China. Faced with a tsunami of APTs in 2009-2012, made famous by the 2011 attack on security giant RSA and targeting pretty much any vertical and any major US corporation, the official US reaction was extremely careful. Obama’s retaliatory measures were few and far between, erring to the side of caution.

The only high-profile attempt at forcing China’s hand was the 2014 public indictment of 5 military hackers belonging to Unit 61398, which threat intelligence companies say is the elite cyber espionage shop of the Chinese military. Many raised an eyebrow, suggesting this slap on the wrist looks a relatively minor reaction when taking into account the massive, five-year-long state sponsored campaign that stripped the US of ridiculous amounts of intellectual property.

Later on Obama’s administration used diplomacy to try to settle with China, and in 2015 the two powers agreed to put a stop to industrial espionage where state sponsored actors penetrate private sector networks. A 2016 report showed attack level on US targets dropped, but digital industrial espionage did not disappear; the attacks got more focused and high-yield.

As Trump went into office, he called a far more aggressive action on cyber attacks against the US. This is easier said than done: to make such a strategy effective, the US had to invest in more than offensive capabilities. In order to use offensive measures and create deterrence, it's critical to have very good cyber intelligence, quick detection of attacks, and the ability to build a precise profile of hacker tools, methods and behaviors, making attribution extremely accurate. The other and equally important requirement would be strong defensive measures to avoid a backlash.

Are economic sanctions effective against state sponsored attacks? Actually, there’s historic precedence to the effectiveness of such tools: in 2012 Australia sent a very clear message to Beijing, preventing Chinese IT companies from taking part in gigantic broadband infrastructure projects designed to connect the inland of the continent to fast Internet. The result: attacks against Australian companies dropped to a mere trickle.

How will China respond to the new measures? Like in any high-stakes diplomacy issue, all bets are off and only time will tell. In any event, we should expect Interesting Times…