The U.S. had barely begun its recovery from the SolarWinds compromise, when another large-scale, state-sponsored cyberattack came to light in January. Like the SolarWinds hack, the Microsoft Exchange Server data breach exploited several zero-day vulnerabilities and has been attributed to a nation-state. But unlike SolarWinds, while the Microsoft attack was initially a targeted attack, it went on to create widespread collateral damage, leading some commentators to characterize it as “reckless.” Microsoft has attributed the compromise to a Chinese state-sponsored espionage group called “Hafnium.”
Recent U.S. sanctions against Russia, in part motivated by the SolarWinds attack, have given rise to an expectation that the U.S. will respond against China for its alleged role in the Microsoft hack. Yet, so far, the U.S. response has been practical rather than symbolic, and domestic rather than geopolitical. More generally, invocations by the U.S. of the rules-based international order ring hollow given the lack of agreed norms for responsible state behavior in cyberspace.
No one expects the Biden administration will be soft on China. There is bipartisan support in the U.S. to maintain a strong line, particularly on tech. From its initial promises to “hold Beijing accountable for its abuses of the international order” to the frosty exchanges at the high-level bilateral meeting in Alaska, the White House is positioning the U.S. for “extreme competition” with its most potent peer rival since the end of the Cold War.