After suffering a number of high-profile breaches, including a massive hack at the Office of Personnel Management (OPM), and with threats against private industry from nation-states on the rise, US officials are mulling economic sanctions against Russia and China that target foreign companies and citizens believed to be behind cyber-attacks on US commercial enterprises.
The sanctions would ban individuals and businesses from using the US financial system and would not target individuals suspected in government hacks, anonymous sources told Reuters. If the US were to go forward with the sanctions, it would mark the first use of an executive order that President Obama signed in April targeting hackers located outside US borders.
Sanctions also would send a message to Beijing that the Obama administration will start fighting back against cyber-espionage, as well as a message to the American private sector that the US government will fight for it, one official told the Washington Post.
Talk of the sanctions comes as rumours swirl that Chinese and Russian intelligence services are using personally identifiable information obtained from the OPM and Ashley Madison hacks to target American government officials for counter-intelligence measures, an official told CNN.
In fact, in July, Adam Meyers, vice president of intelligence at CrowdStrike, told Bloomberg that China was putting together "the Facebook of human intelligence capabilities".
He added, "This appears to be a real maturity in the way they are using cyber to enable broader intelligence goals."
While officials were considering taking action in the next few weeks, the Post report said action might be delayed so as not to foul the diplomatic waters ahead of Chinese President Xi Jinping's scheduled visit to the US next month and dinner with the president.
The Post report didn't mention any details on the possible sanctions for Russia but noted the country's annexation of Crimea from Ukraine last year coupled with its continued support for the rebel forces fighting in eastern Ukraine have also strained relations with the US.
The likelihood of potential sanctions succeeding drew scepticism from security professionals. Jeff Hill, manager at STEALTHbits, told SCMagazine.com via email correspondence on Tuesday that sanctions may assuage the American public's desire for revenge but would be counter-productive in the long run.
And, John Gunn, vice president of communications at VASCO Data Security, told SCMagazine.com that economic sanctions are not likely to work against Russia or China since the sources of the recent attacks haven't been determined and too much time has passed since the incidents occurred. What's more, the sanctions likely won't have the desired impact with only one nation imposing them.
“You need a coalition to issue an effective sanction; otherwise the country that the sanctions are imposed on will just go to another partner,” Gunn said.
Instead, Hill said that it would be wiser to focus on improving cyber-security defence efforts in the private and public sectors and to move away from a conventional prevention posture towards a more practical detection-based data security posture.
“In conjunction with those public efforts, an escalation of our clandestine cyber-warfare activities will get the message across, although it's likely that's already well under way,” Hill said.
Gunn contended that the US may start making more pre-emptive strikes against cyber-attackers, pointing to the ISIS hacker who was killed in a drone strike last week.
“It was retaliatory and in a sense pre-emptive because he would have continued to put Americans at risk,” Gunn said, adding, “His weapon was a keyboard not a gun, but he posed the same threat to American lives.”
Gunn explained that the lines between cyber-warfare and traditional warfare are beginning to dissolve. If an attacker steals military plans in a cyber-attack, he said, then those plans become less effective and compromise the state's ability to fight traditional war.