International Trade Today is a Warren News publication.
Red Lines Needed

US Must Think Carefully About OPM Data Breach Response Against China, Experts Say

The U.S. government should carefully consider whether the recent Office of Personnel Management (OPM) data breach is serious enough to require a public response, cybersecurity experts said during an Atlantic Council-Christian Science Monitor event. The OPM breach, publicized in June, exposed an estimated 21.5 million current, former and prospective federal employees’ personally identifiable information (PII). Congressional Republicans have been urging the White House to publicly name China as the culprit in the OPM breach (see 1507220063), despite China’s public denial of involvement, experts said.

U.S. anger over the OPM breach in many ways mirrors “how everyone else felt” when former NSA contractor Edward Snowden began leaking information about controversial NSA surveillance programs in 2013, said Jason Healey, the Atlantic Council’s Brent Scowcroft Center on International Security Cyber Statecraft Initiative nonresident senior fellow. “Imagine how [German Chancellor] Angela Merkel felt” after leaks that the NSA had tapped her phone, Healey said Wednesday. The U.S. will need to look at “lessons from the last couple of years” in responding to the OPM breach, he said.

The U.S. will need to respond to the OPM breach in some way because it hasn’t “made its position known strongly enough” about the threshold for what’s considered acceptable espionage tactics, said Catherine Lotrionte, Georgetown University Institute for Law, Science and Global Security director. “We haven’t deterred anyone” from engaging in OPM-style data breaches in the future, she said. China and other countries will only get the message on how the U.S. feels when the government “takes a position in response to that to say otherwise,” Lotrionte said.

The U.S. may need to further define the red lines of what’s acceptable espionage behavior, though it has made limitations clear in the past, said former National Security Council Cybersecurity Policy Director Robert Knake, Council on Foreign Relations senior fellow. President Barack Obama’s April cybersecurity executive order, which authorized sanctions against foreign-based cyberattacks (see 1504010057), set the red lines at destructive cyberattacks, IP theft and the theft of PII for non-traditional espionage purposes, Knake said. “China may have gotten the message ‘Sony: bad. Stealing data from Google: bad … Stealing data from OPM: yeah, that’s OK.’” Any limits the U.S. wants to now set against further OPM-style cyberattacks will have to be considered in terms of what kinds of espionage the U.S. itself is comfortable with no longer using, Knake said. “We’re in the post-Snowden period where basically the whole world knows the U.S. engages in this kind of activity.” The U.S. will need to decide what it can tolerate as normal statecraft espionage, Lotrionte said. Traditional espionage norms set during the Cold War aren’t adequate to stem cyberespionage, Knake said.

The U.S. has “got to be very careful at how we express this outrage,” Healey said. Any U.S. response to the OPM breach should fall short of breaking off diplomatic relations, but could include expelling some Chinese economic diplomats or stopping potential China-based business deals involving U.S. companies, Lotrionte said. “There’s a lot you can do below escalating to a conflict.” The U.S. response should also factor in how to minimize potential consequences for U.S. diplomats and business interests in China, Lotrionte said. The U.S. can also look to the Department of Justice’s May 2014 arrest of five Chinese People’s Liberation Army officers for stealing U.S. trade secrets off private U.S. networks as a model for its OPM response, Knake said.