It's been many years that we've been hearing how Chinese hacker groups, perhaps connected with their government, have been hacking into U.S. government and industrial systems. To a lesser extent the same is true of Russian hackers, who have battle-tested experience in the wars against Estonia and Georgia.
There's rarely any conclusive proof, but the circumstantial evidence is overwhelming, plus it just makes sense. It's the nature of such attacks that if the attacker is skilled, it's usually impossible to conclusively attribute a source. This is part of what makes responding so difficult.
So far, all the talk I hear about responding focuses on defensive measures: How can we make our systems more secure to prevent such attacks? This is a mistake. On this battlefield, offense enjoys too great an advantage over defense.
The lesson is that the best defense is a strong offense. We should be probing and hacking Chinese and Russian governmental and industrial infrastructure.
The scenario I envision is very much like Cold War mutually assured destruction (MAD). Were it not for the certainty of massive retaliation, either the Soviets or the United States might have tried a pre-emptive nuclear attack.
Therefore it needs to be clear to the enemy (sorry, the polite Cold War term is "adversary") that we have this ability, and it exists independent of our own systems and infrastructure. In other words, it might be hidden in the systems of uninvolved countries or even the Chinese themselves.
For all I know, we have been doing this for a while already. When U.S. systems are attacked--at least some of the time--word leaks out or is even announced. Would the Chinese do the same if they were attacked? I'm not so sure. You could at least make a case that they wouldn't want to, and it's not like press freedoms will stand in their way.
I'm not so certain that we are doing such things and I am certain that we wouldn't be as ruthless about it as the Chinese. I've heard stories about Chinese nationals working for Western companies being blackmailed into reporting on their work. Maybe we wouldn't do that, but there's always bribery. We might be more dissuaded if such actions violated U.S. law. I'd be surprised if they don't.
Fighting a defensive cyberwar is a recipe for disaster. If that's all we're actually doing, we need a new approach.