The U.S. and its allies blamed China’s Ministry of State Security for the massive hack against Microsoft this year, with the Justice Department also charging members of the Chinese intelligence agency over a separate global espionage campaign. However, the U.S. did not implement sanctions against China like it did against Russian intelligence hackers earlier this year over the Solarwinds attack, and it did not charge anyone related to the Microsoft hack.
Rep. Mike Rogers, an Alabama Republican and the ranking member on House Armed Services Committee, said the U.S. needed to get tougher on China in a letter to Biden, obtained by the Washington Examiner.
“I commend you for publicly attributing the recent cyberattacks on Microsoft’s email exchange to the People’s Republic of China and hackers affiliated with their Ministry of State Security, but this action falls short,” Rogers wrote. “The People’s Republic of China routinely engages in hostile cyber actions against American businesses and our government agencies that goes without a clear and public response. It is imperative that you and your administration do more to dissuade hostile cyber activity by the People’s Republic of China against us and our allies.”
Rogers continued: “The SolarWinds exploitation attributed to Russian actors last year rightfully resulted in sanctions and other punitive measures against entities involved. Meanwhile, the extent of the United States’ response to an egregious cyberattack on American businesses by the People’s Republic of China is a statement of condemnation.”
Rogers said sanctions or criminal charges were needed.
On Monday, Secretary of State Antony Blinken said: “The PRC’s Ministry of State Security has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”
The White House said it had raised its concerns about “the PRC’s broader malicious cyberactivity” with senior Chinese officials.
In April, the Biden administration attributed the SolarWinds cyberattack to Russian intelligence, and the U.S. leveled sanctions against Russia in response, with the Treasury Department blacklisting companies it said “support the malign activities of the Russian intelligence services responsible for the SolarWinds intrusion and other recent cyber incidents.” The U.S. expelled 10 Russian diplomats at the same time.
“I implore you to impose significant sanctions using the authorities in Executive Order 13694, criminal charges, or other punitive measures against the People’s Republic of China and the state affiliated actors responsible for the cyberattack on the Microsoft email exchange,” Rogers concluded. “The People’s Republic of China and their Ministry of State Security are responsible for this and many other cyber intrusions that go unreported or unnoticed. A failure in this situation to punish the People’s Republic of China in a manner comparable to our response to Russian hostilities creates an unacceptable double standard in this era of great power competition.”
When asked on Monday why the U.S. had not sanctioned China, Biden replied, “They’re still determining exactly what happened.” And when pressed on the difference between Chinese and Russian hacking, Biden gave a muddled response.
“My understanding is that the Chinese government, not unlike the Russian government, is not doing this themselves but are protecting those who are doing it and maybe even accommodating them being able to do it. That may be the difference.”
Cybersecurity experts also called for the Biden administration to take further actions.
“The next step needs to include imposition of sanctions against PRC actors for such violations,” Dmitri Alperovitch, the chairman of Silverado Policy Accelerator and co-founder of CrowdStrike, tweeted. “Given that sanctions have already been used against virtually every other rogue cyber nation state, not using them against China is a glaring oversight.”
A senior administration official told the Washington Examiner that “the U.S. and our allies have not ruled out further action.”
The DOJ announced Monday that a federal grand jury in May indicted four members of China’s Hainan State Security Department for a hacking campaign targeting dozens of companies between 2011 and 2018, but it issued no charges related to the Microsoft hack.
CISA and the FBI released another advisory on Tuesday about a “spearphishing and intrusion” campaign “conducted by state-sponsored Chinese actors that occurred from December 2011 to 2013, targeting U.S. oil and natural gas pipeline companies.”
ThinkCivics researches, examines, and reports on issues that matter most. We deliver explanative, fearless, and insightful analysis for public consumption.