Accuse, Evict, Repeat: Why Punishing China and Russia for Cyberattacks Fails

It is a reminder of two things. First, in the cyberage, closing a diplomatic facility has the faint ring of the Cold War, but most of the attacks on American corporations, laboratories and the government are launched from servers outside American borders. And second, without firing a bullet or dropping a bomb, an adversary can deliver a crippling setback to the United States by infiltrating American computer networks, whether the target is the design for the F-35 warplane or a potential coronavirus vaccine.

To Mr. Trump’s credit, orders he issued two summers ago have resulted in more aggressive pushback, what the National Security Agency and the United States Cyber Command call a strategy of “defend forward.” That means they go deep into an adversary’s computer networks, sometimes to strike back, but more often to signal that an attack will not be cost-free.

“The central issue is that they need to know they will pay a price,” Mr. Langevin said.

It was the Obama administration that moved more aggressively to indict cyberactors, making public the information about who was behind the hacks that until then was available only to those who had the clearance to read classified intelligence briefings.

“It was a long-overdue step,” said John P. Carlin, who spearheaded the strategy as the chief of the Justice Department’s national security division. Mr. Carlin, who later wrote about the experience in the book “Dawn of the Code War,” said that “it is a good way to make the detail public in a credible way, with the high standard that you believe you can prove your case beyond a reasonable doubt.”

If you do not do that, Mr. Carlin said in an interview on Wednesday, “the message you are sending is that you are decriminalizing this activity.”

Just before Mr. Carlin left office in 2016, President Barack Obama and Xi Jinping, the Chinese leader, announced an agreement that should have ended cybertheft of corporate data. It worked for a while, then fell apart. The Chinese military’s hacking diminished, but the slack was picked up by operatives of the Chinese intelligence agencies. On Tuesday, for example, the Justice Department accused a pair of Chinese hackers of targeting vaccine development on behalf of the country’s intelligence service.

The lesson may be that while the indictments are necessary, they may not be sufficient. So when Gen. Paul M. Nakasone took over as the director of the N.S.A. and the commander of U.S. Cyber Command, he turned to more aggressive actions. The N.S.A. shut down the Internet Research Agency in St. Petersburg for a few days around the 2018 midterms and sent warnings to Russian intelligence officers. It has worked to sabotage North Korean and Iranian missiles.

The best argument for the strategy is that, so far, no one has turned off the power grid in the United States or conducted a similarly crippling strike. But when it comes to stealing corporate or national security secrets, the cost-benefit analysis conducted in Moscow and Beijing usually comes back with the same conclusion: The benefits still outweigh the costs.