A reminder that governments and political parties are not the only organizations that hackers are targeting these days.
With the current focus on alleged Russian interference in the U.S. presidential election, attention on corporate data breaches has declined. Massive thefts of customer information from Target (tgt), Home Depot (hd), J.P. Morgan Chase (jpm), and Anthem (antm) have been superseded in the public’s mind by break-ins at political and governmental organizations with three-letter-acronyms like OPM, DNC, and CIA.
But the threat by hackers to business remains.
“The problem is the asymmetry in cyberspace,” says Kevin Mandia, CEO of FireEye, a Milpitas, Calif.-based cybersecurity firm, using military jargon. He adds a folksy translation: “We’re getting sucker punched pretty bad.”
Mandia visited Fortune’s office to discuss the U.S. response this month to one of the largest known domestic corporate data breaches: the 2014 breach at Yahoo (yhoo). The Air Force officer-turned-businessman visited a day after the federal government indicted four people—two Russian agents, one Russian cybercriminal, and a Canadian-Kazakh hacker-for-hire, according to the Justice Department—who were allegedly responsible for stealing personal information related to 500 million Yahoo accounts.
Get Data Sheet, Fortune’s technology newsletter.
“We’re at a tipping point,” Mandia says. “We’ve got to figure this out as a sovereign nation, as the United States, what are we going to do to deter—what are we going to do to establish fair game or rules of engagement.”
The landmark charges brought against Russian security service officials are a “first step,” he says, toward initiating an open dialogue with Moscow about what kind of hacking the two nation’s should allow, and what they should not. (U.S. law enforcement said that formal diplomatic channels failed them when they were pursuing the alleged Yahoo hackers.) That conversation, long overdue, comes as the U.S. continues its investigation into what authorities describe as Russia’s political meddling last year.
“Others call it public shaming, but we’ve got to make sure the world is aware of what is happening—and that’s the first step,” Mandia says, referring to the Justice Department’s decision to call out Yahoo’s alleged hackers.
Mandia should know. He made his name compiling and publishing a groundbreaking report on Chinese cyberespionage in 2013, a document that a year later led the U.S. to indict five officers in China’s People’s Liberation Army for stealing intellectual property from U.S. businesses (The suspects were never arrested). At the time, Fortune dubbed him in a cover story as “the CEO who caught the Chinese spies red-handed.”
The problem stems from a lack of penalties, Mandia says. “There are no risks or repercussions to hacking companies in the West,” he says, mentioning that attackers can find safe harbor in countries without extradition treaties with the U.S., such as Russia, North Korea, and Iran. “Until we can impose some risk, some deterrence, these intrusions are here to stay.”
The U.S. has had success establishing international hacking norms before. Two years ago, the Obama administration managed to work out rules of the road with China on the eve of Chinese President Xi Jinping’s first visit to the White House. At the time, the U.S. government had mulled placing sanctions on China for its economic espionage, but it ultimately demurred when China’s leadership agreed that it would forbid hacking for profit.
Can the U.S. find similar ground with Russia? Maybe. Mandia remain hopeful, though he has reservations given how aggressive Russia’s spies seem to have become. “They’re full bore, pedal to the metal,” he says.