The Obama administration has determined that it must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management, but it is still struggling to decide what it can do without prompting an escalating cyberconflict.
The decision came after the administration concluded that the hacking attack was so vast in scope and ambition that the usual practices for dealing with traditional espionage cases did not apply.
But in a series of classified meetings, officials have struggled to choose among options that range from largely symbolic responses — for example, diplomatic protests or the ouster of known Chinese agents in the United States — to more significant actions that some officials fear could lead to an escalation of the hacking conflict between the two countries.
That does not mean a response will happen any time soon — or be obvious when it does. The White House could determine that the downsides of any meaningful, yet proportionate, retaliation outweigh the benefits, or will lead to retaliation on American firms or individuals doing work in China. President Obama, clearly seeking leverage, has asked his staff to come up with a more creative set of responses.
“One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence,” said one senior administration official involved in the debate, who spoke on the condition of anonymity to discuss internal White House plans. “We need to disrupt and deter what our adversaries are doing in cyberspace, and that means you need a full range of tools to tailor a response.”
In public, Mr. Obama has said almost nothing, and officials are under strict instructions to avoid naming China as the source of the attack. While James R. Clapper Jr., the director of national intelligence, said last month that “you have to kind of salute the Chinese for what they did,” he avoided repeating that accusation when pressed again in public last week.
But over recent days, both Mr. Clapper and Adm. Michael S. Rogers, director of the National Security Agency and commander of the military’s Cyber Command, have hinted at the internal debate by noting that unless the United States finds a way to respond to the attacks, they are bound to escalate.
Mr. Clapper predicted that the number and sophistication of hacking aimed at the United States would worsen “until such time as we create both the substance and psychology of deterrence.”
Admiral Rogers made clear in a public presentation to the meeting of the Aspen Security Forum last week that he had advised President Obama to strike back against North Korea for the earlier attack on Sony Pictures Entertainment. Since then, evidence that hackers associated with the Chinese government were responsible for the Office of Personnel Management theft has been gathered by personnel under Admiral Rogers’s command, officials said.
Admiral Rogers stressed the need for “creating costs” for attackers responsible for the intrusion, although he acknowledged that it differed in important ways from the Sony case. In the Sony attack, the theft of emails was secondary to the destruction of much of the company’s computer systems, part of an effort to intimidate the studio to keep it from releasing a comedy that portrayed the assassination of Kim Jong-un, the North Korean leader.
According to officials involved in the internal debates over responses to the personnel office attack, Mr. Obama’s aides explored applying economic sanctions against China, based on the precedent of sanctions the president approved against North Korea in January.
“The analogy simply didn’t work,” said one senior economic official, who spoke on the condition of anonymity to discuss internal White House deliberations. North Korea is so isolated that there was no risk it could retaliate in kind. But in considering sanctions against China, officials from the Commerce Department and the Treasury offered a long list of counter sanctions the Chinese could impose against American firms that are already struggling to deal with China.
The Justice Department is exploring legal action against Chinese individuals and organizations believed responsible for the personnel office theft, much as it did last summer when five officers of the People’s Liberation Army, part of the Chinese military, were indicted on a charge of the theft of intellectual property from American companies. While Justice officials say that earlier action was a breakthrough, others characterize the punishment as only symbolic: Unless they visit the United States or a friendly nation, none of them are likely to ever see the inside of an American courtroom.
“Criminal charges appear to be unlikely in the case of the O.P.M. breach,” a study of the Office of Personnel Management breach published by the Congressional Research Service two weeks ago concluded. “As a matter of policy, the United States has sought to distinguish between cyber intrusions to collect data for national security purposes — to which the United States deems counter intelligence to be an appropriate response — and cyber intrusions to steal data for commercial purposes, to which the United States deems a criminal justice response to be appropriate.”
There is another risk in criminal prosecution: Intelligence officials say that any legal case could result in exposing American intelligence operations inside China — including the placement of thousands of implants in Chinese computer networks to warn of impending attacks.
Other options discussed inside the administration include retaliatory operations, perhaps designed to steal or reveal to the public information as valuable to the Chinese government as the security-clearance files on government employees were to Washington.
One of the most innovative actions discussed inside the intelligence agencies, according to two officials familiar with the debate, involves finding a way to breach the so-called great firewall, the complex network of censorship and control that the Chinese government keeps in place to suppress dissent inside the country. The idea would be to demonstrate to the Chinese leadership that the one thing they value most — keeping absolute control over the country’s political dialogue — could be at risk if they do not moderate attacks on the United States.
But any counter attack could lead to a cycle of escalation just as the United States hopes to discuss with Chinese leaders new rules of the road limiting cyber operations. A similar initiative to get the Chinese leadership to discuss those rules, proposed by Mr. Obama when he met the Chinese leader at Sunnylands in California in 2013, has made little progress.
The United States has been cautious about using cyber weapons or even discussing it. A new Pentagon strategy, introduced by the secretary of Defense, Ashton B. Carter, in the spring, explicitly discussed retaliation but left vague what kind of cases the United States viewed as so critical that they would prompt that type of retaliation.
In response to the Office of Personnel Management attack, White House officials on Friday announced the results of a 30-day “cyber-security sprint” that began in early June after the federal personnel office disclosed the gigantic theft of data.
Tony Scott, the government’s chief information officer, who ordered the review, said in a blog post that agencies had significantly ramped up their use of strong authentication procedures, especially for users who required access to sensitive parts of networks.
By the end of the 30th day, officials said that more than half of the nation’s largest agencies, including the Departments of Transportation, Veterans Affairs and the Interior, now required strong authentication for almost 95 percent of their privileged users.
For Mr. Obama, responding to the theft at the Office of Personnel Management is complicated because it was not destructive, nor did it involve stealing intellectual property. Instead, the goal was espionage, on a scale that no one imagined before.
“This is one of those cases where you have to ask, ‘Does the size of the operation change the nature of it?’ ” one senior intelligence official said. “Clearly, it does.”(New York Times)