US Lawmakers Seek Uniform Policy on Nation-State Cyberattacks

Following years of nation-state cyberattacks targeting United States interests, during a Securing Cyberspace panel hosted by the Washington Post, a pair of lawmakers expressed their determination to establish harsher penalties for such attacks.

As recently as March 2022, attackers affiliated with the Chinese government broke into six or more U.S. states using the Log4j vulnerability with the intent to conduct espionage. In February, it was revealed that Russia-affiliated attackers had breached several defense contractors for more than a year from January 2020 through February 2022. U.S. government reports indicated that attackers stole emails, sensitive trade data and communications with foreign states.

During the conversion, both Michael McCaul (R-Tex) and Elissa Slotkin, (D-Mich), pushed back against the notion that Russia hasn’t aggressively engaged in cyberwarfare operations during their invasion of Ukraine. Both representatives are members of the Congressional Cybersecurity Caucus.

“There’s a lot of talk that Russia had not conducted a cyberattack in advance of the invasion,” said McCaul. “That’s just simply not correct. They did attack the satellite systems to bring them down. That’s why Elon Musk brought Starlink into the picture to provide the ability for Zelensky to be able to project around the world,” he said.

McCaul also noted that Russia attacked Ukrainian command-and-control systems, its parliament and numerous other government entities. Russia also attacked Finland and Sweden after those nations agreed to join NATO; defacing their websites and launching denial-of-service attacks.

“They were successful on the [Ukrainian] communication towers and the satellite systems, but with respect to threats to the United States, [which were of great] concern, they have demonstrated the ability to do this in the past. I think Colonial Pipeline is the best example of that; a very destructive attack, a denial-of-service [attack] to bring down critical infrastructure in the United States,” he said.

Both representatives speculated that Russia has yet to launch a significant cyberattack on the U.S. out of concern of triggering a NATO response.

“I’m sure many of us were thinking that they would have launched some sort of … serious cyberattack in the United States in response to our support for the Ukrainians,” said Slotkin. “It’s been interesting that they have not done that. I interpret it as them not wanting to pull us further into the conflict … [T]hey’ve had some failures and some problems, [and] they don’t want to further globalize the conflict and potentially risk us getting [involved] in a more serious way, but the capability is there. It is not for want of capability, as we know,” she added.

McCaul and Slotkin noted that Russia’s reluctance to launch more serious cyberattacks, especially aimed at the U.S. could be to avoid triggering Article 5. Article 5 is a defense principle clause in the NATO charter specifying that any attack on any of the member countries is effectively an attack against them all. In the past, NATO has said that a cyberattack would meet the criteria for an attack on any of its 28 member nations.

“I think they’re very careful not to trigger Article 5. They know if they attack a NATO power, that could potentially trigger that. In fact, in 2014, after Crimea, NATO did come forward saying a massive cyberattack would constitute a triggering of Article 5,” McCaul said.

Both representatives also agreed that the world needs to come to an agreement on repercussions for state-sponsored cyberattacks on critical infrastructure.

“If, for instance, God forbid, the Russians or the Chinese attacked infrastructure, our natural gas infrastructure in Michigan in the middle of winter and 26 elderly people freeze to death in their homes, what is the right proportional response for the United States? What do we do back to that nation-state where those attacks are emanating from? We don’t have [a] real doctrine on this, and we certainly don’t have anything like an arms control regime for cyber that lays out the rules and standards for the international communities, but that there’s some sort of agreed-upon framework by which we prosecute these new wars,” said Slotkin.

“I think getting four adversary states to agree to anything, particularly cyberspace doctrines, would be extremely difficult. They profit off of this. Iran uses it to get around the sanctions. North Korea uses cyberattacks to steal bank accounts. Russians are using it to get around the sanctions. And it’s in their best interest not to agree to anything,” said McCaul.

In April 2021, the U.S. House passed the Cyber Diplomacy Act, which would require the State Department to create and lead a Bureau of International Cyberspace Policy, which would help build policies and international agreement on certain state-sponsored digital attacks. The bill has yet to pass the Senate.

“We remember the attack on OPM by China, when they stole 23 million security clearances. Very disturbing, but yet there were no consequences,” said McCaul.