Sanctions, Export Controls May Not Be Enough to Counter Chinese Cyber Efforts, Experts Say

Jacquelyn Schneider, a national security expert with the Hoover Institution, said the U.S. often focuses too much on “dissuading or deterring, and not enough about degrading.” While the U.S. may not be able to stop Chinese cyber attacks, it can make their operations more difficult to carry out, she said. “There has not been a lot of investment in making it harder for the Chinese to be successful,” Scneider told the commission during a Feb. 17 hearing. “Those are investments in defense, in resiliency and in counter-cyber operations.

She also argued for a revamped U.S. cyber strategy that threatens “credible retaliation” options. “We’ve come close to this before,” she said, but the U.S. has “always stopped short of binding its own hands or credibly threatening anything beyond sanctions or tit for tat cyber punishment for these cyber-attacks.”

Adam Segal, an emerging technologies and national security expert with the Council on Foreign Relations, said export controls and sanctions alone won’t necessarily degrade China's cyber abilities, but they can be used alongside other defensive tools to make it harder for China to carry out hacking.

“If we look at Huawei and semiconductor controls, we have done significant damage to Huawei. So I think it is possible at a pace,” Segal told the commission during the hearing. “But given the vast benefit that China has taken from this, there's no way we can do it at scale to truly impose enough costs.”

Commissioner Carolyn Barholomew said she and other commissioners are “struggling” to understand what realistic steps the U.S. can take to dissuade China from hacking. “When I think about commercial espionage, for example, by the time we've figured out sometimes the theft of trade secrets, the damage has already been done,” she said. “It's like the proverbial shutting the barn door after the horse has gotten out.”

Segal said the U.S. can continue to “rely on persistent engagement and disruption.” The Biden administration should give more power to the Treasury Department to sanction companies, universities, researchers and others who “benefit from cyberattacks designed to steal U.S. intellectual property,” Segal said, and the Commerce Department should ban U.S. technology exports to those same entities.

But if the U.S. does opt for more sanctions or export controls, Segal said, it may have to impose some of those measures alone. Other countries are “likely to remain hesitant” to sanction Beijing for cyber activities for a variety of reasons, Segal said, including “high economic interdependence with China, fear of retaliation, and a desire to make progress on higher priority issues.”

In addition, export controls can impose costs on foreign companies but likely won’t stop them from importing cyber-hacking equipment, said Dakota Cary, a research analyst at Georgetown University’s Center for Security and Emerging Technology. Much of that equipment is “ubiquitous,” Cary told the commission, such as computers, an internet connection and cyber training. “Even if these institutions were subject to export controls,” Cary said, “it’s unlikely such policies would matter much to China’s cyber capabilities.”

But export controls may prove effective “beyond the cyber domain,” Cary said. “Advanced research often requires advanced tools, so a listing on the Department of Commerce’s Entity List is still appropriate. But policymakers should not expect it to slow the development of China’s cyber capabilities.”

Other penalties, including federal indictments, are also unlikely to slow China’s cyber efforts, said Kelli Vanderlee, an analyst at Mandiant Threat Intelligence. Even after the Justice Department charged two Chinese nationals in 2020 for “conducting cyber threat activity” with the help of China’s Ministry of State Security, Vanderlee said Chinese cyber espionage groups continued to steal U.S. military and dual-use intellectual property.

“Evidence suggests that public exposure and indictments of Chinese cyber espionage operators has become less effective at deterring threat activity over time,” Vanderlee said. “Many Chinese cyber espionage actors have demonstrated greater attention to operational security in recent years and have taken steps to cover their tracks."