For years, the People’s Republic of China (PRC) has supported and harbored hacking groups that consistently attack U.S. government cyber networks. Far from the reach of U.S. law enforcement and hidden behind the digital iron curtain, Communist China employs an army of state-sponsored hackers who relentlessly probe our networks looking for any vulnerability they can exploit. Unfortunately, that army of hackers recently showed us a glimpse of what they’re capable of.
In May, a state-sponsored Chinese hacking group known as Storm-0558 successfully exploited a vulnerability across email systems used by the U.S. State Department, U.S. Department of Commerce, and the U.S. House of Representatives. Using a sophisticated attack, hackers reached the highest levels of our government. These hackers accessed thousands of sensitive emails by high-level officials. In response, I led other senators in a bipartisan letter requesting information from the State Department regarding the extent and scope of the hack.
The State Department then briefed me and other Senate offices on the extent of the cyberattack. I was alarmed at both the scope and the sophistication employed by the PRC-linked hacking group to gain unfettered access to emails containing highly sensitive information presumably related to the U.S. government’s efforts to contain China. In this briefing, the State Department disclosed that the PRC-linked hacking group gained access to over 60,000 emails during the cyber breach that occurred between May and June of this year. A hack of this magnitude from a hostile foreign enemy should scare every American and inspire the federal government to do everything in its power to prevent another one in the future.
Although the cyberattack was caught early thanks to custom alerts deployed by State, this intrusion is still a cause for concern. More can always be done, but defending networks from any and all attacks is an unreachable goal.
If the United States wants to properly protect its networks, we have to exercise every tool at our disposal to deter state-sponsored hackers from conducting cyberattacks. Our country needs more than just a good defense. It’s far past time for America to go on offense. We must bring the fight to the front door of hackers who would do us harm, and most critically, state-sponsored hacking groups like Storm-0558.
For too long, the United States has relied on tactics such as “naming-and-shaming.” If and when the U.S. is able to identify individuals who make up various state-sponsored hacking groups, it’s right to shine a light on them and point out their illicit activity. But this approach doesn’t go far enough. We must use every tool in our arsenal to stop these cyberterrorists. The United States needs to go beyond a “tsk-tsk,” an angry finger wave, and diplomatic overtures that fall on deaf ears.
To deter other groups from stealing sensitive information from U.S. government officials, we need to fight fire with fire and step up offensive cyber operations against specific groups who are responsible for nefarious actions against the United States. The Biden administration must use all of the resources at its disposal to unleash a cyber-offensive effort to dismantle, destroy, and paralyze Storm-0558 in retaliation for its hack against the Department of State, Commerce, and the House of Representatives.
Without adopting a strategy of forceful deterrence in cyberspace, state-sponsored actors will continue to run rampant with little fear of retaliation. U.S. Cyber Command and its ability to conduct offensive cyberoperations is a vital tool for the United States to project power behind China’s digital iron curtain. U.S. Cyber Command released its unclassified cyber strategy to the public, which indicates an openness towards offensive cyber operations against state-sponsored PRC hacking groups, among others. Cyberspace is a 21st century battlefield, and just like with our conventional forces, we must be able to project force wherever necessary.
After President Biden’s disastrous withdrawal from Afghanistan, there is little doubt both our allies and our adversaries can see our weaknesses. At a time when U.S. credibility hangs in the balance, I urge U.S. Cyber Command to demonstrate strength against Storm-0558 to show America’s commitment to using every tool at our disposal to deter cyberattacks. Consistent and repeated shows of force in cyberspace will demonstrate to our adversaries that we are done with wrist slaps for major cyber provocations. As we enter a period of fierce economic and military competition with China, this has never been a more critical issue.
Eric Schmitt is the junior senator from Missouri and a member of the Armed Services Committee.