Search Google

6/19/15

The OPM breach: Can the US respond to the “Pearl Harbor” of cyberattacks?

By now, the widely reported breach of the Office of Personnel Management files is common knowledge to friends and foes alike (who likely knew already). Since the first disclosure two weeks ago, the depth and breadth of the security breach has only widened. It now seems that the files of at least 4.5 million, and possibly up to 14 million, federal workers are now in the hands of Chinese hackers, who almost certainly are directly connected to the Chinese government. The pilfered OPM data included addresses, work history, job evaluations, medical history, names of friends, family and work associates, as well as many other personal details. Potentially, the most devastating files stem from information laid out by government personnel in a 127-page security clearance form, SF 86. This form digs deep into personal data, with questions relating to sexual affairs and encounters, contact with foreign citizens, financial difficulties, drug use, mental health, and the names and personal details of relatives. While the CIA has its own clearance system, other vital federal agencies such as the State and Defense Departments and the National Security Agency all use the OPM system to some degree.

The stunned and horrified reaction has been universal: “The potential loss here is truly staggering,” said former CIA and NSA Director, Michael Hayden. “This disaster was decades in the making and will take decades to set right,” warned former NSA counterterrorism officer, John Schindler. Schindler also described the breach as a “blackmail jackpot” for the Chinese. The most extreme reactions have likened the breach to a “cyber Pearl Harbor.”

Needless to say, as the magnitude of the system failure has become evident, urgent demands for a US response and retaliation have grown louder. Putative GOP presidential candidate, former Gov. Mike Huckabee, has pushed to “punch [China] in the face” and take down key Chinese computer networks. Others, much troubled by the depth of the attack, are still wary of overreaction. Former Sen. Joseph Lieberman (D-CT) has argued that “this attack cannot be left unresponded to.” But, he added, it “should be done in a way that’s proportionate to the attack so we don’t escalate into a larger conflict.”

In the face of these demands, the Obama administration has appeared “weak and hesitant,” in the words of expert observers such as Harvard’s Jack Goldsmith. But Goldsmith and others have pointed to the very difficult calculations that must be made before any response is undertaken. First, we must distinguish the OPM attack from earlier incidents involving Sony Pictures and the indictment of five Chinese PLA officers some months ago. The Sony Pictures attack destroyed considerable property and business records. The indictment of the Chinese officers involved allegations of the theft of intellectual property and economic information vital to Chinese competitors of US-based companies such as Westinghouse and US Steel (a more recent indictment of six Chinese businessmen charged violations of the US trade secrets law).

Second, the OPM attack seems to have been purely an espionage operation, aimed at acquiring information to use in blackmail or in the recruitment of US individuals to spy for China. There was no IP or trade secret theft, or destruction of public or private property. This presents difficult options for the Obama administration. While operations of the NSA and CIA remain hidden, one has to assume that US security operations have penetrated the inner workings of our potential adversaries, including the Chinese and the Russians. Indeed, the Snowden documents revealed (no doubt to NSA/CIA dismay) that the US had penetrated deep into the Chinese governmental apparatus – and, ironically, into the inner sanctum of the Chinese telecoms giant, Huawei, after we had banned the company from major contracts on the fear that it would become a Trojan horse for Beijing. The bottom line is that espionage among nations is an accepted practice. We are still technically superior to our potential adversaries on cyberoffense – and intend to continue to exploit that advantage. Thus, as Adam Segal of the Council of Foreign Relations stated: “Stealing secrets from governments is part of spying…You can get angry with the incompetence of our defense. It’s hard to get angry with the Chinese for trying.”

Then there is the question of proportionality that Sen. Lieberman raised. Dramatic, draconian sanctions would undoubtedly provoke a counter-reaction from China, as well as the charge of hypocrisy. Some months ago, the president signed an executive order giving the US Treasury more power to impose economic sanctions on foreign regimes caught hacking the US and the White House has alluded to this authority in discussing possible responses to the OPM incident. But such a move would have to be weighed against the myriad cooperative actions between the US and Beijing – from Iran, to North Korea, and to the ongoing US-China Strategic and Security Dialogue. In the end, some experts have suggested that the US will find a way to retaliate quietly, possibly through a proportionate offensive cyber operation such as seeking to locate the large trove of OPM files on Chinese servers and deleting them. There would be satisfaction in this, but it is also true that much vital information for subversion of US agents likely has already been dispersed throughout China’s own vast intelligence apparatus.

As this ongoing episode demonstrates, responding to cyber threats and attacks is rough going, replete with ad hoc rules as the challenges emerge.



from AEI » Latest Content http://ift.tt/1ChIvw4

0 التعليقات:

Post a Comment

Search Google

Blog Archive