WASHINGTON—On April 15, 2015, officials of the Office of Personnel Management realized they had been hacked and the records of 4.2 million of current and former employees had been stolen. Later investigations by OPM determined in early June that the number affected is 21.5 million, for whom sensitive information, including Social Security Numbers (SSNs), was stolen from the background investigation databases.
This was the biggest breach of United States government data in history. Reports point to China as the source of the breach, but the Administration has not formally accused China.
On Aug. 19, the Atlantic Council held a discussion on how best to respond to cyberattacks, especially to the data breach of OPM, but also other hacking into government databases. The latter includes the discovery on July 25 that the unclassified email network of the Joint Chiefs of Staff had been broken into and 4,000 military and civilian personnel affected. Russia is believed to be the culprit here, but again the U.S. government has refrained from accusing anyone. Without doubt, more cyberattacks are going to happen.
Should the U.S. government retaliate in some manner? In view of the Snowden revelations of the U.S.’s own surveillance activities, is the U.S. in any position to invoke rules restricting other nations?
Cold War Model
The experts at the discussion expressed differing views on the seriousness of the OMP data breach. Catherine Lotrionte, director of the Institute for Law, Science, and Global Security at Georgetown University, said that the U.S. response was inadequate. The OPM breach was “highly significant,” she said.
“I don’t think the U.S. government has actually stated a position,” she said disapprovingly. “So, it is not surprising that this behavior will continue.”
According to Lotrionte, our lack of a formal protest to China signals our acceptance of the behavior that falls under “traditional statecraft with respect to espionage.” This reaction would not have been acceptable during the Cold War, she said.
Lotrionte several times referred to the way the United Kingdom handled the widespread spying of Soviet Union diplomats in 1971 as a model for statecraft. In terms of scale and scope, the expulsion of 90 Soviet diplomats and disallowing the return of about 15 more, was unprecedented, according to Lotrionte. The British were fed up with so many Soviet spies and their intelligence services couldn’t watch them all. She said there was no negotiated reduction of diplomats with the USSR in this expulsion, which is often done. Lotrionte was firm that the U.S. needed a stronger response to the OPM attack based on the magnitude of the data stolen.
“In the Cold War, it was about scale and scope that we actually put redlines,” she said. Certain norms were adhered to that kept the situation from escalating or going to war. Lotrionte noted that there were no acts of retaliation against London from the expulsion, because the British were prepared and privately made clear to the USSR what it would do.
Jason Healey, senior fellow, at the Atlantic Council’s Cyber Statecraft Initiative, said that during the Cold War an understanding arose over the years about what was acceptable and what went too far in espionage. For instance, “We would never kill a Russian [spy] and they would never kill an American spy,” he said.
Lotrionte said that in each case of espionage that goes too far, we have to find their “weak spot,” whether it be freezing assets, expelling people, or restraining travel. Left uncontested, the adversary builds a precedent that what it did was acceptable.
Lotrionte is eminently qualified on this issue. At Georgetown, Professor Lotrionte teaches national security law, U.S. Intelligence law, and international law. From 2002 to 2006, she was counsel to the president’s Foreign Intelligence Advisory Board at the White House, appointed by General Brent Scowcroft.
Post-Snowden Model
Robert Knake, senior fellow at the Council on Foreign Relations, and co-author of the book (with former chair of the U.S. Counterterrorism Security Group Richard A. Clarke), “Cyber War: The Next Threat to National Security and What to Do About It,” had a totally different take about the OPM data breach. He said there was a good rationale for why the Administration has not singled out the OPM data breach.
“Of all the crimes that China has committed in cyber space, this is the one that I am the least worried about,” Knake said, who listed many violations by China, such as against Google and Intel, and against civil liberties that were more worthy of retaliation.
Knake said, “You don’t have those traditional limits on espionage that you had during the Cold War.” And there was a limit on how much information could be stolen back then. Today, you can steal gigabytes of information from the Library of Congress on the Internet, he said. Even Robert Hanssen, one of the worst case spies in American history, maybe gave to the Russians a couple of megabytes if the documents he purloined were printed out—“certainly a different world from what we live in now.”
Knake said, “We got to think about what limits we want to place on espionage in cyber space in the context of what we want to place on ourselves.”
Because of the Edward Snowden disclosures, the whole world knows we are engaged in our own extensive program of surveillance. Yet we have managed to have not one of our ambassadors kicked out of a foreign country, or German Chancellor Angela Merkel or anyone declaring our tapping of her cellphone an act of war, said Knake, who also authored the Council on Foreign Affairs special report, “Internet Governance in an Age of Cyberinsecurity.”
The view of the intelligence community at this time, according to Knake, is that it’s not in our interest to make an issue out of cyberattacks such as what happened to OPM.
“The calculation we have made in a certain way is, ‘We are better at this than everybody else; we’re getting more out of this than they are.’ The relative gains for us are more than the relative losses,” he said.
If the Executive Order that President Obama issued April 1 is an indication of the intelligence community input, the latter appears to agree with Knake. The EO lays out redlines that the United States will not tolerate, which, if crossed, will trigger economic sanctions. It mentions destructive cyberattacks on the critical infrastructure sector, stealing intellectual property, and stealing personal identifiable information used for personal gain. It would appear that simply stealing data from OPM—simple espionage—does not, at least not yet, fall into the redline category.
In January, when President Obama accused North Korea of ordering the attack against Sony Pictures that occurred in Nov. 2014, it was the first time the United States had explicitly charged another government with mounting a cyberattack on American targets, according to the New York Times. “More than 3,000 computers and 800 servers were destroyed by the attackers after they had made off with mountains of business secrets, several unreleased movies, unfinished scripts, and the personal records of 6,000 employees,” stated CBS' 60 Minutes.
Chinese Cyber Espionage ‘Uncontrolled’
Knake contrasted the U.S. and Chinese approaches to espionage. Fundamental in U.S. intelligence gathering, as a holdover from the Cold War, is that our spies don’t want or expect to get caught. Our spying is “narrow,” “specific,” and “we wouldn’t go after large databases like [what the Chinese allegedly did with OPM], because we'd probably get caught taking gigabytes of information.” He said China doesn’t subscribe to this Cold War thinking and is largely indifferent to whether it gets caught. So, he said that the Chinese think, “Why not take as much information as we possibly can.”
The problem for them is that we know what they got from us and so its value is rendered much less. Moreover, the publicity of China’s massive spying becomes a political football where every presidential candidate will call them out on it, and that could have negative repercussions for China when a new administration takes over in 2017.
Knake’s view was supported by Healey, who was director for cyber policy at the White House from 2003 to 2005. He observed, “If you had Chinese [spying], you had three, four, five, or six different groups, all doing different things at the same time.” That gave the sense that it was uncontrolled.
“You may not like what you learned from the Snowden disclosures, but those collections were operating under a requirement reviewed by the White house on what they’re going to collect. We’re not seeing that kind of performance on the Chinese side,” Healey said.
Knake belittled the value of the intelligence the Chinese gained from the OPM breach not only for the fact that we know what they got. “Everything in [the] OPM [data breach] is about secondary value to create further Intelligence value to create targeting opportunities though counter Intelligence.” He found it “ridiculous” and “far-fetched” to believe that the CIA would rely on OPM, a non-national security agency, to protect who our spies are, and that the Chinese could ascertain who our CIA operatives were in China.
Lotrionte countered that the sheer volume of the OPM breach is worrisome. “Scale has always been significant in the intelligence world. The day you collect it, you may not actually know how you’re using it. But there is significant value in having that information. … You know [the people that] have clearances. Foreign intelligence agencies now are at risk of possible people to recruit [because their clearances are compromised]. And also foreign nationals of their own possibly [are at risk because the Chinese intelligence knows who] has been speaking to that American CIA officer.”
