Source: helloRuby via Shutterstock

The US government has reportedly scuttled plans to sanction China’s Ministry of State Security for its role in the Salt Typhoon attacks that targeted telecommunications firms, deciding instead to favor ongoing trade negotiations with China.

Taken along with the recent reports that the United States will allow Nvidia to export its second-most-powerful artificial intelligence chip — the H200 processors — to China, critics claim that the US government is sacrificing cybersecurity as a trade negotiation sweetener, a recent news report from the Financial Times states.

On the diplomatic and economic side, the moves certainly feel ad hoc and transactional, says Antoine Harden, regional vice president of federal for secure software development firm Sonatype.

"Cyber-related sanctions and export controls are getting folded into broader negotiations on fentanyl, trade balances, and industrial policy," he says. "That makes cyber tools look like just one more chip at the table instead of a clear line about acceptable behavior in cyberspace."

However, recent history shows existing sanctions haven’t been a particularly effective tool to deter nation-state cyberattacks against the US and its allies.

Between Russia’s increased use of cyber operations during its invasion of Ukraine and the rising activity from China, conflict in the cyber domain has heated up. The Salt Typhoon advanced persistent threat (APT) group initially targeted about a dozen Internet service providers and telecommunications firms, stealing sensitive data and gaining a backdoor into critical infrastructure. The victim count now stands at more than 200 companies in 80 countries.

Related:A Tale of Two CISOs: Why An Engineering-Focused CISO Can Be a Liability

The US government has responded with sanctions against individuals and organizations linked to the attack. By now easing those sanctions, there is a concern that it signals that cybersecurity is being deemphasized by the Trump administration. In addition to dropping sanctions against the threat actors behind the telecom breaches, earlier this year, Brendan Carr, the chairman of the Federal Communication Commission, dropped Biden-era cybersecurity regulations placed on telecommunications firms following the Salt Typhoon attacks to shore up network defenses.

It’s important to note that the Trump administration is not alone in using sanctions as a bargaining chip for trade or diplomatic concessions. In 2023, the Biden administration removed the Institute of Forensic Science (IFS) from a trade-sanctions list for, among other violations, its alleged surveillance abuses against the Uyghurs and other minority group. The move was not about the risks disappearing — the delisting concerned many human-rights activists — but about securing cooperation on fentanyl precursors, says Antoine Harden, regional vice president of federal for secure software development firm Sonatype.

Related:ServiceNow’s Acquisition of NHI Provider Veza Strengthens Governance Portfolio

Sanctions Aren’t Enough to Stop Compromises

"You can see a clear pattern of sanctions being treated as a bargaining chip rather than a consistent part of cyber strategy," Harden says, pointing to claims that the IFS had conducted cyber-surveillance of the minorities. "The bigger problem is what this says to adversaries: economic sanctions are negotiable."

Yet, the diplomatic field is but one arena. No matter what is promised diplomatically, neither the United States nor China — nor Russia or Iran, for that matter — will likely ease up on their offensive and defensive cyber operations, says Adam Darrah, vice president of intelligence for cybersecurity firm ZeroFox and an eight-year veteran analyst of the Central Intelligence Agency.

"China will continue to carry on hyper-aggressive cyber-intrusion and espionage campaigns against the United States regardless of how they’re designated," he says. "The United States, in the same vein, will continue from an intelligence perspective, off both offensive and defensive."

Related:ShadowRay 2.0 Turns AI Clusters into Crypto Botnets

If anything, the administration’s decisions highlight a deeper lesson: Deterring cyberattacks by economic punishment is never going to be enough, says Sonatype’s Harden. Instead, practical efforts to bolster defense have become more important, steps the US government is already taking, he says. The US Department of Defense’s requirement that contractors comply with the Cybersecurity Maturity Model Certification (CMMC) 2.0 and the Cybersecurity Risk Management Construct (CSRMC) are both long-term plans to improve cyber defense, for example.

"You can’t sanction your way out of a supply chain compromise," he says. "The most reliable form of deterrence is ‘deterrence by denial’ — make the target so hardened, so well-instrumented, and so well-governed that the cost of getting in and staying in is higher than the value of what you can steal or disrupt."

In addition, the Trump administration has taken a more aggressive approach to cyber operations and cyber conflict, but — for the most part — those actions are not made public, says ZeroFox’s Darrah.

"We remain the world’s best offensive, cyber-capable country on the planet, [but] we use it very, very sparingly and in ways that doesn’t make it look like it was a cyber incident," he says. "When [these capabilities] are exercised, it’s done very surgically and it’s done professionally —unless it’s a Stuxnet type of thing, where it’s in our interest to send a public message."

About the Author

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.