WASHINGTON—On April 15, 2015, officials of the Office of Personnel Management realized they had been hacked and the records of 4.2 million of current and former employees had been stolen. Later investigations by OPM determined in early June that the number affected is 21.5 million, for whom sensitive information, including Social Security Numbers (SSNs), was stolen from the background investigation databases.
This was the biggest breach of United States government data in history. Reports point to China as the source of the breach, but the Administration has not formally accused China.
On Aug. 19, the Atlantic Council held a discussion on how best to respond to cyberattacks, especially to the data breach of OPM, but also other hacking into government databases. The latter includes the discovery on July 25 that the unclassified email network of the Joint Chiefs of Staff had been broken into and 4,000 military and civilian personnel affected. Russia is believed to be the culprit here, but again the U.S. government has refrained from accusing anyone. Without doubt, more cyberattacks are going to happen.
Should the U.S. government retaliate in some manner? In view of the Snowden revelations of the U.S.’s own surveillance activities, is the U.S. in any position to invoke rules restricting other nations?
Cold War Model
The experts at the discussion expressed differing views on the seriousness of the OMP data breach. Catherine Lotrionte, director of the Institute for Law, Science, and Global Security at Georgetown University, said that the U.S. response was inadequate. The OPM breach was “highly significant,” she said.
“I don’t think the U.S. government has actually stated a position,” she said disapprovingly. “So, it is not surprising that this behavior will continue.”
According to Lotrionte, our lack of a formal protest to China signals our acceptance of the behavior that falls under “traditional statecraft with respect to espionage.” This reaction would not have been acceptable during the Cold War, she said.
Lotrionte several times referred to the way the United Kingdom handled the widespread spying of Soviet Union diplomats in 1971 as a model for statecraft. In terms of scale and scope, the expulsion of 90 Soviet diplomats and disallowing the return of about 15 more, was unprecedented, according to Lotrionte. The British were fed up with so many Soviet spies and their intelligence services couldn’t watch them all. She said there was no negotiated reduction of diplomats with the USSR in this expulsion, which is often done. Lotrionte was firm that the U.S. needed a stronger response to the OPM attack based on the magnitude of the data stolen.
