Many Hands in the Cookie Jar

Cyber-enabled espionage against the United States has been a challenge for more than 20 years and is likely to remain so in the future. In the aftermath of the 2020 SolarWinds cyber incident that affected U.S. government networks, policymakers, lawmakers, and the public, we ask:  “Why does this keep happening, and what can the United States do to prevent it from reoccurring?” It is these questions that motivate this effort. Specifically, this report summarizes three cases of Russian cyber-enabled espionage and two cases of Chinese cyber-enabled espionage dating back to the compromise of multiple government agencies in the late 1990s up to the 2015 compromise of the Office of Personnel Management. The purpose of this inquiry is to address whether U.S. responses have changed over time, whether they led to changes in adversary behavior, and what the United States can learn from these cases to inform future policymaking. The authors show that policymakers typically consider a narrow set of response options, and they often conclude that not much can be done beyond trying to improve network defenses because the United States “does it too.” The authors suggest that the U.S. government could broaden its policy response options by increasing focus on diplomatic engagement, including working with partners and allies to call out malicious cyber behavior; expanding the use of active defense measures to root out adversaries; and employing more-sophisticated counterintelligence techniques, such as deception, to decrease the benefits that adversaries derive from cyber espionage.