Cover: Many Hands in the Cookie Jar

Many Hands in the Cookie Jar

Case Studies in Response Options to Cyber Incidents Affecting U.S. Government Networks and Implications for Future Response

Published Apr 29, 2022

by Quentin E. Hodgson, Yuliya Shokh, Jonathan Balk


Download eBook for Free

FormatFile SizeNotes
PDF file 0.6 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Purchase Print Copy

 Format Price
Add to Cart Paperback52 pages $15.00

Research Questions

  1. What responses has the United States considered in the past to cyber compromises of U.S. government systems?
  2. Has the United States been able to materially affect adversary behavior through its past responses?
  3. How should the United States respond to similar cyber incidents in the future?
  4. Should the United States expect those responses to achieve its objectives in the future in light of prior responses?

Cyber-enabled espionage against the United States has been a challenge for more than 20 years and is likely to remain so in the future. In the aftermath of the 2020 SolarWinds cyber incident that affected U.S. government networks, policymakers, lawmakers, and the public asked: "Why does this keep happening, and what can the United States do to prevent it from reoccurring?" It is these questions that motivate this effort. Specifically, this report summarizes three cases of Russian cyber-enabled espionage and two cases of Chinese cyber-enabled espionage dating back to the compromise of multiple government agencies in the late 1990s up to the 2015 compromise of the Office of Personnel Management. The purpose of this inquiry is to address whether U.S. responses have changed over time, whether they led to changes in adversary behavior, and what the United States can learn from these cases to inform future policymaking. The authors show that policymakers typically consider a narrow set of response options, and they often conclude that not much can be done beyond trying to improve network defenses, because the United States "does it too." The authors suggest that the U.S. government could broaden its policy response options by increasing focus on diplomatic engagement, including working with partners and allies to call out malicious cyber behavior; expanding the use of active defense measures to root out adversaries; and employing more-sophisticated counterintelligence techniques, such as deception, to decrease the benefits that adversaries derive from cyber espionage.

Key Findings

Available response options are not limited to the cyber domain, and no one should expect them to be

  • The response options that U.S. policymakers consider for cyber espionage cases do not appear to have changed much over the past two decades — and, in some respects, they may be even more constrained today.

The benefits of cyber-enabled espionage continue to outweigh any perceived repercussions for such countries as Russia and China

  • The historical record suggests that the United States has felt constrained in its ability to respond vigorously against Russia or China because of the notion that cyber espionage is a standard and accepted practice by nations.
  • The record also suggests that the United States would not want to take steps to constrain its own ability to engage in similar intelligence activities in cyberspace.
  • U.S. policymakers have assessed that breaches of confidentiality, although damaging in the long term, did not rise to the same level of acute damage to national security that another, more destructive form of cyber operation might entail.
  • The United States has proved especially vulnerable to cyber incidents, and a lack of response appears to have emboldened the Russians and Chinese to continue and expand their cyber espionage activities over the years.
  • Improving the U.S. ability to deter by denial — by strengthening the cybersecurity of the U.S. government — remains an elusive but vital priority.


  • The United States should pursue expanded diplomatic efforts, including with its partners and allies, to call out indiscriminate cyber espionage and establish guardrails for acceptable cyber espionage.
  • The United States should also expand its use of active defense measures on U.S. government networks to hunt for adversary activity and offer similar support to partners and allies.
  • The United States should make better use of counterintelligence, particularly deception operations, to reduce the benefits that countries might derive from cyber espionage.
  • The role of diplomacy should not be diminished, and more-recent multilateral efforts to call out malicious cyber behavior have the potential to lay a foundation for shaping international norms.

This research was sponsored by the Office of the Secretary of Defense and conducted within the International Security and Defense Policy Center of the RAND National Security Research Division (NSRD).

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.