The Biden administration blamed China on Monday for a cyberattack that compromised more than a million Microsoft customers, but stopped short of sanctioning Beijing for contracting with hackers.
The United Kingdom, European Union, and NATO joined the United States in condemning China for facilitating the March attack on Microsoft Exchange email servers. But President Joe Biden and State Department spokesman Ned Price dismissed the need for retaliation, causing some lawmakers to question the Biden administration’s ability to combat hostile foreign actors.
"The recent Microsoft Exchange hack is just the latest in a series of escalating cyber threats to come out of China, and yet this administration continues to bury its head in the sand as it has done on Russia," Rep. Andrew Garbarino (R., N.Y.) told the Washington Free Beacon. "The United States must make it clear that there are severe consequences for cyberattacks that affect Americans and our allies and partners."
The Biden administration has come under fire for its inconsistent response to foreign cyberattacks. The White House sanctioned Russia in April following Kremlin-directed hacks on critical U.S. infrastructure. But Biden came under fire in June for giving Russian president Vladimir Putin a list of targets that should remain "off-limits" to cyberattacks.
Cybersecurity experts said the wide range of the Microsoft hack seemed designed to target vulnerable civilians, including those without any clear national security connection. The Free Beacon reported that rather than severing ties with the country, Microsoft responded to the hack by expanding its footprint in China.
A senior administration official told reporters that U.S. partners were unwilling to back sanctions against China. National security experts said the hack shows China’s growing ambitions in cyberspace and warrants a tough response.
"We see China as the long-term pacing threat for the United States," said Mark Montgomery, a senior director for the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies. "Even in a perfect environment, we would still be a year or two away from things being smooth."
The Biden administration has struggled to shore up federal cybersecurity resources. The administration’s budget for the Cybersecurity and Infrastructure Security Agency was more than $397 million short of what even some Democrats desired for the agency. And experts warn that several top cybersecurity positions have yet to be filled.
The White House did not respond to a request for comment.