The United States Must Assert Principles of Deterrence in Response to Mounting Cyber Attacks

In 2021 alone, there have been several large-scale cyber hacks and ransomware attacks by groups emanating from Russia and China.  Evidence suggests that the Colonial Pipeline hack in May, the RNC contractor hack, the recent ransomware attacks, and others were all carried out by groups inside Russia which likely have ties to the Russian government.  The Biden Administration also recently stated, along with many of our allies, that state-sponsored groups in China were responsible for the Microsoft Exchange cyberattack earlier this year.  These attacks on our economy and infrastructure do direct harm to the American people and their businesses, large and small.  They must be addressed directly and decisively.

President Biden sat down with Russian President Vladimir Putin and drew “red lines” as a warning, and the Administration called out Beijing publicly with the support of our allies over its involvement in the Microsoft hack.  But without imposing real costs on our adversaries, such tough talk is likely to fall on deaf ears.

The cybersecurity realm presents American leaders with novel challenges. There is an inherent element of uncertainty when a major attack or hack is conducted – it can be difficult for our intelligence agencies to definitively locate its origin, and it can be even more challenging to identify the extent to which a foreign government is involved.  Despite this, the role of deterrence in meeting these novel challenges remains the same.

American leaders must not only draw red lines but also back them up, ensuring our adversaries know that we will respond to any attack on the American people.  Unfortunately, the actual retaliatory actions that Team Biden has imposed on Russia and China, which are what establish that deterrence, have been lacking.  The Biden Administration has followed the Obama Administration in drawing red lines and then dangerously erasing them.

President Biden has said that we are unsure of Russia’s involvement and left thousands of potential targets open to attack by only committing to defending a list of 16 potential “off limits” targets in his talks with Putin.  And by allowing Russia to achieve its objectives unimpeded outside the realm of cybersecurity – not checking its military buildup in the Donbas region of Ukraine, allowing the Nord Stream 2 pipeline to be completed, and more – the current Administration is demonstrating weakness instead of reiterating that the United States is a force to be reckoned with.  If Russia is confident that it can achieve its strategic objectives elsewhere in the world without serious pushback from the United States, then why should it fear reprisal for encroaching on the private information of the American people or extorting businesses in America?

As for China, although the Administration deserves some credit for its response to the Microsoft hack – in particular, directly calling out China’s Ministry of State Security was a welcome action – Team Biden now needs to follow up that tough talk with sanctions on Chinese Communist Party (CCP) officials.  We must take a tougher line on the CCP’s engagement in corporate espionage, which robs American companies of their intellectual property and uses it to the benefit of the Chinese military (something which was a focus of the Trump Administration).

The Biden Administration’s hesitance to enact punitive measures should concern the American people, because it is a repeat of past behavior.  The Obama Administration infamously drew red lines back in 2012, warning Syrian President Assad that if he used chemical weapons in the Syrian Civil War, American military intervention would soon follow.  But when Assad used sarin gas to kill over 1,000 Syrians, many of them civilians, the Obama Administration did nothing.  In fact, their response was worse than nothing – they invited Russia to help them locate and remove Assad’s chemical weapons. Such a feckless response ceded American authority to Russia and invited chaos into an already unstable and volatile region, emboldening groups like ISIS.

Determined to avoid such mistakes, the Trump Administration responded quickly and forcefully when Assad used chemical weapons to kill over 100 Syrians in 2017 – we must never forget that strength deters aggression and weakness invites it.  If Team Biden obfuscates in the wake of the next cyberattack from Russia by avoiding placing blame squarely on Putin and his government and offering only a strongly worded response, attacks like the ones we have seen thus far will become more damaging and frequent.

By having the necessary resolve to back up our words with action, the United States can become the necessary touchstone in the cybersecurity landscape just as we have always been in other areas of security.  But if we cannot first establish deterrence by imposing serious costs on Russia and China for inflicting harm on the American people, then we will only be in the position of responding to attacks rather than preventing them. The ACLJ will continue to call on the Biden Administration to hold our adversaries accountable for their malicious actions and protect America’s security interests.
