WASHINGTON — In public remarks, US officials appear to be split over whether to blame China for a pair of major breaches that compromised deeply personal data for millions of federal employees, suggesting a potential policy gap and uncertainty about how best to respond.
One day after National Security Agency (NSA) Director Adm. Mike Rogers declined to confirm China was the culprit at an intelligence conference here, Director of National Intelligence James Clapper called China "the leading suspect."
If the US was going to point fingers over the mass collection of personal data, China might just tell Rogers — as the public face of an agency that broke US privacy rules — to look in the mirror, an analyst said. Plus, it comes amid the awkward revelation of extensive eavesdropping by the NSA on the private conversations of French officials, including three presidents.
"The US has been calling China out when breaches occurred in the areas where the US has a high moral ground, such as intellectual property theft and free speech," said Klara Tothova Jordan, of the Brent Scowcroft Center on International Security's Cyber Statecraft Initiative.
"The US is involved in state espionage, so it would be hypocritical to call China on something the US is doing. I think the US wants to preserve its weight for the situation where there is a legitimate reason to call China out."
Rogers is the director of one intelligence agency, and Clapper is the nation's top intelligence official, responsible for integrating intelligence across multiple agencies. "He naturally should have more insights into what is happening than anyone else," Tothova Jordan said.
Clapper made the comments June 25 at the GeoInt Symposium, an intelligence conference in Washington, where a moderator asked if he could name China as responsible for the breaches at the Office of Personnel Management (OPM).
"I mean, that's the leading suspect," Clapper replied. Clapper was the first administration official to name China publicly, though the New York Times and Washington Post cited unnamed government officials in their reporting that China was the top suspect.
"On the one hand — please don't take this the wrong way — you've got to salute the Chinese for what they did," Clapper said earlier in his talk. "If we had the opportunity to do that, I don't think we'd hesitate for a minute."
Finding the best response to these attacks has been a sticking point for US decision-makers. While military leaders in the cyber domain have made clear the US possesses cyber capabilities to retaliate, it does not appear that those capabilities have been used.
"That has been a struggle for us because of concerns about unintended consequences," said Clapper, who emphasized the need to further develop methods of deterrence in cyberspace while also improving defenses.
A day before Clapper's remarks, Rogers — also at GeoInt — was asked about the attack and said he did not accept the "assumption" in the question that the breach is attributable to China.
"I think first of all, I'm not getting into the specifics of attribution," he said. "That's a process that we're working through on the policy side. That's ongoing."
For the US, there are separate matters of technical attribution and political attribution, said Michael Sulmeyer, a former Pentagon cyber policy official and now director of the Cyber Security Project at Harvard University. Sulmeyer said he suspected the government is working through both.
Once the US follows the digital footprints to a computer, the questions get trickier, Sulmeyer said. Who was sitting at that computer? Who ordered that person to do it? Who forbade that person from doing it but did it anyway?
Officially, an FBI investigation is ongoing. The government, which learned of the breach in April, may be working not only to determine what happened, but the appropriate response from policy and legal perspectives.
"I think that at this stage — without being able to attribute in a publicly verifiable way and finding an argument why what China did was wrong — naming China would be more counterproductive than anything else," said Tothova Jordan.
The timing would also be inconvenient with the Seventh China-U.S. Strategic Economic Dialogue ongoing the week of June 22, and discussions being conducted on bigger issues: the South China Sea, US-Chinese military relations, trade, energy and climate change, among many others.
State Department Spokesman John Kirby in a mid-June briefing would not confirm that the OPM hack would be raised in discussions with China and, on June 23, danced around questions over attributing the attack to China.
"Don't try to distill what I'm saying down to some, like, there's going to be specific charges levied against them for this or that incident," Kirby said.
In the case of North Korea's hack against Sony, in November 2014, the US did not name North Korea for weeks. "That was because nobody knew what to do about it," said Richard Bejtlich, chief security strategist of cybersecurity company FireEye, which was involved in the response.
The US has taken a hard line against Chinese state-sponsored cyber theft from US companies. In May 2014, the US indicted five Chinese military hackers who targeted companies in the US nuclear power, metals and solar products industries.
"The norm we have been trying to push is when it's government-on-government, military-on-military, that's expected, but when it's private companies getting hacked by the Chinese military to steal their IP and commercialize it, that's beyond the pale," Bejtlich said.
"It's an awkward situation to say, 'Well, it's the Chinese,' because what are you going to do about it? Nothing, because it's OK by our norms," Bejtlich said.
In a post on the national security website Cipher Brief, retired Air Force Gen. Michael Hayden, former NSA and CIA director, called the OPM hack, "legitimate state espionage, one government going after another for information that could contribute to its national security.
"As director of the National Security Agency, given the opportunity against similar Chinese information, I would not have hesitated for a second and I wouldn't have had to get anyone's permission to do it," he said.
Hayden rapped the executive branch over being "late to need" on cybersecurity, and Congress for its failure to pass cybersecurity legislation that would have given liability protection to firms sharing cyber threat information with one another and with the government. In particular, he chided Rep. Jason Chaffetz, R-Utah, and chairman of the House Oversight Committee, who presided over hearings about the OPM hack.
"And Chairman Chaffetz was an enthusiastic supporter of the USA Freedom Act designed to rein in the allegedly renegade National Security Agency and its wanton depredations of American privacy," Hayden said. "Little more than 48 hours after voting to limit the nation's most powerful cyber force, Chaffetz and the rest of Congress were demanding to know how the personal records of millions of Americans could have been violated by a foreign power. Perhaps they misidentified the real threats to American privacy."
More than deterrents, which have become a central part of the conversation about the OPM hack, the government needs to take a hard look at how to strengthen defense, Sulmeyer said.
"I'm not so comfortable dismissing the defense question here," he said. "If you are saying this information is crucial and look how damaging its theft is, you should also be asking what — as they say in Vegas — are we doubling down on in terms of defense of your most crucial data is for tomorrow and the next day."
However, Sulmeyer credited the White House's deliberate way of attributing these types of incidents and crafting responses, targeting weaknesses to deterrent effect.
Economic sanctions against North Korea hit its reliance on illicit funds while the indictment of Chinese hackers hit China's desire for regime legitimacy, Sulmeyer said.
"Sometimes it can seem like a policy gap, or that there's an inability to respond," Sulmeyer said. "But what actually may be at issue is it's not always clear how the US links certain actions it undertakes, relative to what prompted it.