Cyber-enabled espionage against the United States has been a challenge for more than 20 years and is likely to remain so in the future. In the aftermath of the 2020 SolarWinds cyber incident that affected U.S. government networks, policymakers, lawmakers, and the public asked: “Why does this keep happening, and what can the United States do to prevent it from reoccurring?” It is these questions that motivate this effort. Specifically, this report from Rand Corporation summarizes three cases of Russian cyber-enabled espionage and two cases of Chinese cyber-enabled espionage dating back to the compromise of multiple government agencies in the late 1990s up to the 2015 compromise of the Office of Personnel Management. The purpose of this inquiry is to address whether U.S. responses have changed over time, whether they led to changes in adversary behavior, and what the United States can learn from these cases to inform future policymaking. The authors show that policymakers typically consider a narrow set of response options, and they often conclude that not much can be done beyond trying to improve network defenses, because the United States “does it too.” The authors suggest that the U.S. government could broaden its policy response options by increasing focus on diplomatic engagement, including working with partners and allies to call out malicious cyber behavior; expanding the use of active defense measures to root out adversaries; and employing more-sophisticated counterintelligence techniques, such as deception, to decrease the benefits that adversaries derive from cyber espionage.
- What responses has the United States considered in the past to cyber compromises of U.S. government systems?
- Has the United States been able to materially affect adversary behavior through its past responses?
- How should the United States respond to similar cyber incidents in the future?
- Should the United States expect those responses to achieve its objectives in the future in light of prior responses?
Available response options are not limited to the cyber domain, and no one should expect them to be
- The response options that U.S. policymakers consider for cyber espionage cases do not appear to have changed much over the past two decades — and, in some respects, they may be even more constrained today.
The benefits of cyber-enabled espionage continue to outweigh any perceived repercussions for such countries as Russia and China
- The historical record suggests that the United States has felt constrained in its ability to respond vigorously against Russia or China because of the notion that cyber espionage is a standard and accepted practice by nations.
- The record also suggests that the United States would not want to take steps to constrain its own ability to engage in similar intelligence activities in cyberspace.
- U.S. policymakers have assessed that breaches of confidentiality, although damaging in the long term, did not rise to the same level of acute damage to national security that another, more destructive form of cyber operation might entail.
- The United States has proved especially vulnerable to cyber incidents, and a lack of response appears to have emboldened the Russians and Chinese to continue and expand their cyber espionage activities over the years.
- Improving the U.S. ability to deter by denial — by strengthening the cybersecurity of the U.S. government — remains an elusive but vital priority.
- The United States should pursue expanded diplomatic efforts, including with its partners and allies, to call out indiscriminate cyber espionage and establish guardrails for acceptable cyber espionage.
- The United States should also expand its use of active defense measures on U.S. government networks to hunt for adversary activity and offer similar support to partners and allies.
- The United States should make better use of counterintelligence, particularly deception operations, to reduce the benefits that countries might derive from cyber espionage.
- The role of diplomacy should not be diminished, and more-recent multilateral efforts to call out malicious cyber behavior have the potential to lay a foundation for shaping international norms.