Congress could also create a cyberattack exception to the Foreign Sovereign Immunities Act, which currently precludes civil suits against a foreign government or entity acting on its behalf in the cyber-realm. There is precedent: In the case of terrorism, Congress enacted an exception to immunity for states and their agents that sponsor terrorism, allowing individuals to sue them.
Enterprising companies and intelligence personnel are already able to trace attacks with an increasing degree of accuracy. For example, the U.S. security company Mandiant traced numerous incidents going back several years to the Shanghai-based Unit 61398 of the PLA, which was first identified publicly by the Project 2049 Institute, a Virginia-based think tank.
Scholars Jeremy and Ariel Rabkin have identified another way to initiate nongovernmental legal action: rekindling the 19th-century legal practice of issuing "letters of marque" -- the act of commissioning privateers to attack enemy ships on behalf of the state -- to selectively and cautiously legitimize retaliation by private U.S. actors against hacking and cyber-espionage. This would allow the U.S. government to effectively employ its own cybermilitia. Creating new laws or using current ones would force the Chinese government and the entities that support its cyberstrategy to consider the reputational and financial costs of their actions. Of course, if the United States retaliates by committing similar acts of harassment and hacking, it risks Chinese legal action. But America has a key advantage in that its legal system is respected and trusted; China's is not.
Diplomatic action should bolster these efforts. The Obama administration's suggestions for pressuring China and other countries are a good start, but U.S. diplomacy must be tougher. In presenting Chinese leaders with overwhelming evidence of cyber-misdeeds (but without giving away too many details), Washington should communicate how it could respond. To control escalation, the administration should explain what it views as proportionate reprisals to different kinds of attacks. (For instance, an attack on critical infrastructure that led to deaths would merit a different response than harassment of the New York Times.)
As the administration's report suggests, the United States is not the only victim and should engage in cooperative diplomacy. The United States should set up a center for cyberdefense that would bring together the best minds from allied countries to develop countermeasures and conduct offensive activities. One such center could be Taiwan, as its understanding of Chinese language, culture, business networks, and political landscape make it invaluable in the fight against cyberattacks. Of course, centers could be placed elsewhere and still utilize Taiwan's knowledge, but even the threat of placing a cyberdefense center just across the strait would be very embarrassing for China's leaders, as Taiwan is viewed as a renegade province. The point is not to be gratuitously provocative, but rather to demonstrate that the United States options that China would not favor.
The U.S. military's cyber-efforts presumably already include it own probes, penetrations, and demonstrations of capability. While the leaks claiming the U.S. government's involvement in the Stuxnet operation -- the computer worm that disabled centrifuges in the Iranian nuclear program -- may have damaged U.S. national security, at least China knows that Washington is quite capable of carrying out strategic cyberattacks. To enhance deterrence, the U.S. government needs to demonstrate these sorts of capabilities more regularly, perhaps through cyber-exercises modeled after military exercises. For example, the U.S. military could set up an allied public training exercise in which it conducted cyberattacks against a "Country X" to disable its military infrastructure such as radars, satellites, and computer-based command-and-control systems.
To use the tools at America's disposal in the fight for cybersecurity will require a high degree of interagency coordination, a much-maligned process. But Washington has made all the levers of power work together previously. The successful use of unified legal, law enforcement, financial, intelligence, and military deterrence against the Kim regime of North Korea during a short period of George W. Bush's administration met the strategic goals of imposing serious costs on a dangerous government. China is not North Korea -- it is far more responsible and less totalitarian. But America must target those acting irresponsibly in cyberspace. By taking the offensive, the United States can start to impose, rather than simply incur, costs in this element of strategic competition with China. Sitting by idly, however, presents a much greater likelihood that China's dangerous cyberstrategy could spark a wider conflict.