In writings and interviews over the past four years, Mr. Sullivan has made it clear that he believes traditional sanctions alone do not raise the cost enough to force powers like Russia or China to start talking about new rules of conduct for cyberspace.
But government officials often fear that too strong a response could escalate.
This is of particular concern in the Russian and Chinese attacks, where both countries have clearly planted “back doors” to American systems that could be used for more destructive purposes.
U.S. officials say publicly that current evidence suggests that the Russian intention in the SolarWinds attack was simply data theft. But several senior officials, when not speaking for attribution, said they believed the size, scope and cost of the operation suggested they could have had much broader motives.
“I am struck by the number of these attacks which undermine confidence in our systems,” said Mr. Burt, “just as there are efforts to make the country wary of the electoral infrastructure, which is an essential component of our democracy.”
Russia broke into the Democratic National Committee and state voter registration systems in 2016, largely by guessing or obtaining passwords. But they used a much more sophisticated method of hacking SolarWinds, inserting code into the company’s software updates, which got them into about 18,000 systems using network management software. Once inside, the Russians had high-level access to the systems, with no password required.
Likewise, four years ago, the vast majority of Chinese government hacking was carried out through email spear-phishing campaigns. But in recent years, China’s military hacking divisions have regrouped into a new strategic support force, similar to the Pentagon’s Cyber Command. Some of the most significant hacking operations are handled by the stealthy Ministry of State Security, China’s premier intelligence agency, which operates a satellite network of contractors.
Beijing has also started to rack up so-called zero-days, code flaws that are unknown to software companies and for which a fix does not exist.