The massive digital theft of millions of federal workers’ data is mounting pressure on President Obama to take a tougher stand against state-sponsored cyberattacks.
Since the infiltration of the Office of Personnel Management by suspected Chinese hackers, lawmakers, experts and 2016 hopefuls have pushed for a range of responses, from economic sanctions to currency restrictions to aggressively hacking back at Beijing officials.
The OPM hack is believed to be part of a broader Chinese cyber espionage scheme to construct a comprehensive database of millions of government workers that could allow hackers to imitate, blackmail and digitally exploit high-ranking officials.
“What we’re seeing with these repeated hacks and repeated intrusions is that building your defense is not enough in and of itself,” Rep. Adam SchiffAdam Bennett SchiffOvernight Hillicon Valley — Hacking goes global Schiff calls on Amazon, Facebook to address spread of vaccine misinformation Spotlight turns to GOP's McCarthy in Jan. 6 probe MORE (D-Calif.), the top Democrat on the House Intelligence Committee, told reporters Tuesday. “There also has to be a deterrent.”
But no one can agree on what exactly that deterrent should be. The only thing people seem to agree on is that the deterrent has been woefully insufficient so far.
“This is not an easy problem,” Schiff added. “That’s why it hasn’t been solved yet.”
In recent years, cyber crime syndicates have matured, pilfering billions of dollars from banks around the world. Underground darknet markets have become the go-to location to buy and sell billions worth of narcotics. And foreign powers have rapidly built up massive cyber espionage programs that one U.S. defense official said was causing the country to “hemorrhage” commercial and military secrets “at a dizzying rate.”
All this has exploded with little fear of being caught as law enforcement and government officials scramble to catch up.
“It cannot be costless,” said former Sen. Joseph Lieberman (I-Conn.), who chaired the Senate Homeland Security Committee for roughly eight of his last 12 years in Congress, before retiring in 2013.
While police have dramatically ramped up crackdowns on cyber crime rings, the administration has not developed a codified response system to fight back against state-backed hacks on federal agencies or private companies.
The U.S. has gone after China over cyber spying before. In 2014, the Justice Department indicted five members of the Chinese military for hacking a variety of U.S. companies in the nuclear, solar and metals industries from 2006-2014.
But that lacked the same eye-for-an-eye or “symmetric response” that people increasingly call for after mammoth hacks.
That means any retaliation for the OPM breach could set a precedent, putting all eyes on Obama to see how — and if — he reacts.
The administration has been hesitant to tip its hand thus far, refusing to publicly lay blame on China even as officials do so privately.
“I can’t promise you that we’ll be in a position at any point in the future to make a grand pronouncement about who may have been responsible for this particular intrusion,” White House press secretary Josh Earnest said in a briefing this week.
The White House has also yet to vow a “proportional” response, as it did following the bruising cyberattack on Sony Pictures Entertainment, which it blamed on North Korea.
In the Sony case, “proportional” meant a new round of economic sanctions on the reclusive East Asian nation.
Since then, President Obama has signed an executive order giving the Treasury Department more clout to impose similar sanctions on any foreign regime caught hacking the U.S.
But experts are wary the administration will make the OPM hack its inaugural test case for this new tool.
“I don’t know that frankly, in this case, in the absence of any independent evidence that doesn’t rely on [classified] intelligence sources, that it would make sense to do that,” said Chris Finan, a former Obama administration cybersecurity adviser. “What do you get in return?”
Finan and others believe such sanctions would simply provoke China and do little to change its hacking behavior.
“I think they’re going to save [sanctions] for an intellectual property case,” said Adam Segal, a Chinese cyber policy expert and senior fellow at the Council on Foreign Relations, referring to China’s digital theft of commercial trade secrets.
Maintaining the fraught U.S.-China relationship, which has been particularly strained in recent months over territorial disputes in the South China Sea, is economically vital to the U.S., Segal explained.
“Cyber is an irritation, a growing irritation, but one that they don't want to derail the relationship,” he said.
But many are pressing the president to respond swiftly and forcefully.
“They’re really daring us, in some ways challenging us, to respond to them,” Lieberman said. “It’s a time for action, not talk.”
Former Arkansas Gov. Mike Huckabee, a 2016 GOP hopeful, went so far as to argue the U.S. should be hitting China back in cyberspace. Infiltrate Communist party leaders’ cellphones, he said this week, hack intelligence officials’ bank accounts, call out elite Chinese families for political corruption, take down key computer networks in the country.
“The way you deal with a bully on the playground is to punch them in the face and put them on the ground because the only thing they respect is power,” Huckabee said.
Most have been more measured.
“This attack, while serious, is not the equivalent of an attack on our cyber infrastructure,” Lieberman said. “This is a theft of records.”
The former senator advocated a counter cyberattack that is perhaps not made public, but “something the Chinese know about.”
“This attack cannot be left unresponded to, but should be done in a way that’s proportionate to the attack so we don’t escalate into a larger conflict,” he said.
Others have focused on pulling international levers.
Sen. Lindsey GrahamLindsey Olin GrahamRep. Tim Ryan becomes latest COVID-19 breakthrough case in Congress Graham found Trump election fraud arguments suitable for 'third grade': Woodward book Senate parliamentarian nixes Democrats' immigration plan MORE (R-S.C.), another 2016 candidate, and Sen. Charles SchumerChuck SchumerMcConnell signals Senate GOP will oppose combined debt ceiling-funding bill Centrist state lawmaker enters Ohio GOP Senate primary Biden discusses agenda with Schumer, Pelosi ahead of pivotal week MORE (D-N.Y.), asked the International Monetary Fund (IMF) on Tuesday to withhold currency benefits from China until the country reins in overseas hacking.
The IMF is contemplating including the yuan as part of its emergency-lending fund, used to stabilize the global economy. Designating the yuan as a reserve currency would make it stronger in the international marketplace.
“It is long past time for the international community to rally together and make crystal clear to the Chinese government that if they want to be treated as a leading nation on the global stage, then they need to start acting like it,” Schumer said.
As troubling details continue to leak about the scale of the OPM hack, it’s unlikely the White House is close to determining its ultimate response, if there even is one.
Finan believes the administration might never officially blame China, reluctant to give up its methods for tracing the hacks.
The evidence he’s seen is also “circumstantial,” lacking a “direct linkage to the government.”
That won’t stop the calls from Congress and the public to strike back, or to at least develop a better protocol for future retaliation, as Schiff has been advocating.
“We have not done enough to provide that deterrent,” he said.
The U.S. must “develop not only the offensive capabilities, but also the rules of this cyber warfare,” he added.