Accuse, Evict, Repeat: Why Punishing China and Russia for Cyberattacks Fails

Employees at the Chinese Consulate in Houston burned papers after the United States ordered it closed, prompting firefighters and the police to rush to the area.

As smoke poured from the Chinese Consulate in Houston on Wednesday, the product of an old-fashioned ritual in which evicted diplomats touch off a bonfire of classified documents after being ordered to leave the country, Trump administration officials boasted that they were hitting Beijing where it hurt — in one of the epicenters of its spying operations in the United States.

The technique the administration chose — accuse, condemn, evict — has been used before. And, so far, there is scant evidence that it has limited the cyberattacks and other bad behavior from America’s two greatest rivals for influence and power around the world, China and Russia.

Officers of the Chinese People’s Liberation Army were indicted in 2014 for an extensive effort to bore inside American companies. The result was an impressive “Wanted” poster by the F.B.I., but six years later none of them have been apprehended to stand trial in the United States on charges of looting some of America’s biggest companies.

Two years ago, 12 Russian intelligence operatives were indicted by Robert S. Mueller III, the special counsel who investigated both Moscow and President Trump. They have also evaded trial. The president closed two Russian diplomatic facilities that the United States said were dens of spies operating under diplomatic cover, and ordered more evictions.

Yet the hacking and the disinformation operations have proceeded unabated, and by some measures have accelerated.

“There is no doubt that China represents a tremendous espionage threat for the United States,” said Abraham M. Denmark, who runs the Asia program at the Woodrow Wilson International Center for Scholars and was a senior Defense Department official. “The question here is not China’s culpability — I expect it’s solid — but rather if suddenly closing the consulate in Houston will address the problem.”

It probably won’t, most cyberexperts inside and outside the government concede. After years of trying to figure out how to deter cyberattacks — by naming and shaming, indicting and sometimes even counterattacking — the problem of halting attacks that remain short of war is proving far more complex than deterring nuclear holocaust.

“Our problem is that we have to be much more clear about what actions we won’t tolerate and what the consequences will be,” said Representative Jim Langevin, a Rhode Island Democrat who served on the congressionally created Cyberspace Solarium Commission, which recommended a series of steps to increase deterrence this year. When it comes to defending against cyberattacks, Mr. Langevin said, the Obama administration was overly cautious and the Trump administration “is too often shooting from the hip.”

In fact, both presidents have often used the same tools — mostly drawn from a 19th-century diplomatic playbook that is being applied to a 21st-century challenge. It shouldn’t be a surprise that it isn’t working.

It is a reminder of two things. First, in the cyberage, closing a diplomatic facility has the faint ring of the Cold War, but most of the attacks on American corporations, laboratories and the government are launched from servers outside American borders. And second, without firing a bullet or dropping a bomb, an adversary can deliver a crippling setback to the United States by infiltrating American computer networks, whether the target is the design for the F-35 warplane or a potential coronavirus vaccine.

To Mr. Trump’s credit, orders he issued two summers ago have resulted in more aggressive pushback, what the National Security Agency and the United States Cyber Command call a strategy of “defend forward.” That means they go deep into an adversary’s computer networks, sometimes to strike back, but more often to signal that an attack will not be cost-free.

“The central issue is that they need to know they will pay a price,” Mr. Langevin said.

It was the Obama administration that moved more aggressively to indict cyberactors, making public the information about who was behind the hacks that until then was available only to those who had the clearance to read classified intelligence briefings.

“It was a long-overdue step,” said John P. Carlin, who spearheaded the strategy as the chief of the Justice Department’s national security division. Mr. Carlin, who later wrote about the experience in the book “Dawn of the Code War,” said that “it is a good way to make the detail public in a credible way, with the high standard that you believe you can prove your case beyond a reasonable doubt.”

If you do not do that, Mr. Carlin said in an interview on Wednesday, “the message you are sending is that you are decriminalizing this activity.” Just before Mr. Carlin left office in 2016, President Barack Obama and Xi Jinping, the Chinese leader, announced an agreement that should have ended cybertheft of corporate data. It worked for a while, then fell apart. The Chinese military’s hacking diminished, but the slack was picked up by operatives of the Chinese intelligence agencies. On Tuesday, for example, the Justice Department accused a pair of Chinese hackers of targeting vaccine development on behalf of the country’s intelligence service.

The lesson may be that while the indictments are necessary, they may not be sufficient. So when Gen. Paul M. Nakasone took over as the director of the N.S.A. and the commander of U.S. Cyber Command, he turned to more aggressive actions. The N.S.A. shut down the Internet Research Agency in St. Petersburg for a few days around the 2018 midterms and sent warnings to Russian intelligence officers. It has worked to sabotage North Korean and Iranian missiles.

The best argument for the strategy is that, so far, no one has turned off the power grid in the United States or conducted a similarly crippling strike. But when it comes to stealing corporate or national security secrets, the cost-benefit analysis conducted in Moscow and Beijing usually comes back with the same conclusion: The benefits still outweigh the costs.

While Mr. Trump has periodically threatened the Chinese with trade sanctions in response to their hacking, and thrown Chinese telecommunications firms like Huawei out of the country rather than let them dominate next-generation telecommunications networks, he has also periodically suggested these penalties could be bartered away in a good trade deal. That does not exactly establish red lines.

“There is no evidence of significant pullback by the Chinese and the Russians,” said Gregory Rattray, who first dealt with these issues working for President George W. Bush’s National Security Council and now runs a cybersecurity consulting firm, Next Peak.

“It’s possible that we don’t have a better option than to create less exposure, which means focusing on protecting the data you have and thinking more about defense,” he said.

Employees at the Chinese Consulate in Houston burned papers after the United States ordered it closed, prompting firefighters and the police to rush to the area.