In writings and conversations over the past four years, Mr Sullivan has made it clear that he believes that traditional sanctions alone do not increase costs enough to force powers like Russia or China to talk about new rules for cyberspace.
However, government officials often fear that too strong a reaction could lead to escalation.
This is a particular problem with the Russian and Chinese attacks, in which both countries have clearly planted “back doors” to American systems that could be used for more destructive purposes.
American officials publicly say current evidence suggests that Russia’s intent in the SolarWinds attack was merely data theft. But several senior officials, who did not advocate an attribution, said they believed the size, scope, and cost of the operation suggested the Russians may have had much broader motives.
“I’m impressed with how many of these attacks undermine trust in our systems,” said Burt. “Just as there are efforts to get the country to distrust the electoral infrastructure, which is a central part of our democracy.”
Russia broke into the National Democratic Committee and state voter registration systems in 2016, mainly by guessing or obtaining passwords. However, when they hacked SolarWinds, they used a far more sophisticated technique that included code in the company’s software updates, rolling them deep into about 18,000 systems that used the network management software. Once inside, the Russians had high-level access to the systems with no passwords required.
Similarly, four years ago, a large majority of the Chinese government’s hacker attacks were carried out through email spear phishing campaigns. In recent years, China’s military hacking divisions have formed a new strategic support group, similar to the Pentagon’s Cyber Command. Some of the key hacking operations are carried out by the more secretive Ministry of State Security, China’s premier intelligence agency, which maintains a satellite network of contractors.
Beijing also began hoarding so-called zero days, bugs in the code that are unknown to software vendors and for which there is no patch.