Remember when Obama declared a national emergency in April and issued an executive order to allow sanctions for cyberattacks? The administration is now talking about using those sanctions to punish China for stealing US trade secrets, including nuclear power plant designs.
The US is infatuated with sanctions as a primary foreign policy option, despite a middling track record. But sanctions in this case would be somewhere between laughably flimsy to useless. This cybercrime sanctions policy is fatally addled by how difficult it is to pin down the origins of cybercrime.
The sanctions wouldn't be an old-school countrywide embargo, like when the US tried to pretend Cuba was a vintage car mirage below Florida. These cybercrime sanctions would be more targeted. They would include freezing assets and refusing to do business with groups that stole, as well as groups that benefited from the theft.
In the Washington Post article, the idea that this punishment could force China to change its ways is seriously floated:
"The indictments were a strong move," said Rob Knake, a former White House cyber official and currently a senior fellow at the Council on Foreign Relations. "This is going to be an even stronger move. It's really going to put China in the position of having to choose whether they want to be this pariah nation — this kleptocracy — or whether they want to be one of the leading nations in the world."
But that's a bizarrely optimistic view.
Sanctioning Chinese actors for the rash of cybercrime could certainly screw with some of its businesses and exact some toll, but expecting that the toll would propel the world's second-largest economy into an existential crisis is expecting far too much.
Hell, expecting that sanctions will get Chinese cybercriminals to change their behaviour in any other way besides encouraging them to become sneakier is naive. It would likely be viewed less as a deterrent than a galvanizing challenge.
The executive order Obama issued about cybercrime sanctions insists that the government needs evidence to sanction. Any good cyber-thief capable of infiltrating corporate and government networks to jack information capable of damaging the economy will be pursuing anti-forensic techniques that will render it very difficult — if not impossible — to determine who stole what.
China is the lead suspect for hacking the US Office of Personnel Management, but there's no hard evidence to pin the wide-ranging theft of the documents on 22 million government employees on it. These maybe-sanctions are a separate issue. That doesn't necessarily mean the US isn't doing anything in retaliation. While its public response has been oddly tepid for a theft of that size and gravity, the government "is considering covert cyber action." So why sanctions here and not there? Maybe we have a stash of evidence against the dumb hackers who left trails to provide the US with enough proof to enforce sanctions. That seems unlikely!
More likely: The US is looking weak as cybercrime that threatens the economy rises, and sanctions are a way to flex. This is theatre.
The Washington Post cited administration officials about the plans to punish Chinese cybercrime who said there may be a decision within the next two weeks. Here's hoping the decision is a "no".