Modern field guide to security and privacy

Opinion: Retaliation against China is the wrong reaction to OPM hack

Even if Beijing was responsible for breaches that exposed sensitive data on millions of Americans, a diplomatic or economic response only distracts from the US government's most pressing problem: bolstering security measures to foil the next attack.

Mark Schiefelbein/Reuters
Chinese Premier Li Keqiang, second from right, is flanked by Singaporean and Chinese flags as he speaks with Singaporean President Tony Tan at a Beijing meeting in July.

The Office of Personnel Management breach – the worst in US history – is a graphic testament to the White House's ongoing inability to identify and secure its most critical data.

In this case, it lost control of incredibly sensitive and detailed information on federal employees. That's a bounty worth many millions of dollars to foreign intelligence services in a breach for which China is the "leading suspect," according to Director of National Intelligence James Clapper. But even if Beijing is to blame, the way to fix the administration's cybersecurity problem – and to prevent future data heists that rival the OPM breach – isn't to retaliate against a foreign government. 

After all, we are living in a world in which this kind of digital espionage is the new normal. It's the kind of thing that the National Security Agency wishes it could do against China. That is, if the spy agency isn't already doing it. 

Sure, President Obama is upset about the shameful state of security in place at OPM, and has made limited efforts to correct security problems at government agencies in a 30-day "Cybersecurity Sprint." But exacting some kind of diplomatic or economic toll against China seems like a key play in the Obama administration's plans. According to unnamed officials quoted in The New York Times, Obama staff members are considering a range of options meant "to disrupt and deter what our adversaries are doing in cyberspace."

Traditional forms of deterrence in cyberspace are only partially effective even when you’re certain about the attacker's identity. And determining that with absolute certainty is tough. Hackers working for foreign intelligence services are trained to hide their identities and use deception techniques to throw off investigators. They can mimic tools, techniques, and procedures used by other hackers to make it look like a different group or foreign government carried out the strike. 

Still, administration officials and at least one large cybersecurity firm with ties to the government are intent on pointing the finger at China. There are two key reasons for this blame game: (1) In order for the US to respond, the responsible party must be another government; (2) Under international law, the standard of evidence for state responsibility is solely based upon "reasonableness" versus proof beyond a reasonable doubt. The administration hasn't publicly presented any proof that China directed the OPM attacks.  

While the US government is expert at denying, disrupting, and deterring kinetic actions on battlefields in each of the four domains (land, air, sea, and space), it still hasn't grasped that the digital battlefield is entirely different. The recent Times article about retaliating against China makes that all too clear.

Deterrence is possible. But it doesn't come from force or trying to instill fear. It comes from enabling security protocols that make sensitive or valuable data so hard to steal that the effort isn’t worth the reward. The goal of deterrence isn’t to keep bad guys out of a network, it’s to make it next to impossible for them to acquire the assets that they’re targeting. Technically, that’s already possible.

So, instead of shifting the focus to China, Mr. Obama should take full responsibility for the breach (OPM being part of the Executive Office) and immediately start work on a fulsome solution to the government's cybersecurity problem. That requires more than the Cybersecurity Sprint. It means a complete overhaul of how the government employs security measures and uses encryption technology across all of its networks. It means ferreting out additional weaknesses in security and correcting them. It means identifying those responsible for making that breach possible and firing them. It means apologizing to the estimated 20 million Americans whose personal information is forever compromised.

Without those steps, nebulous talk of retaliation against China only tells the world the US doesn't understand the limitations of deterrence in cyberspace. It shows that the US remains weak and naive when it comes to battling criminal hackers. The way to demonstrate strength is to take actions that show the president understands the limitations and advantages of the cyberthreat landscape and acts accordingly. The president and Congress simply need the will to make it happen.

Jeffrey Carr is an internationally known author, speaker, entrepreneur, and the founder and president of Taia Global. Follow him on Twitter @jeffreycarr.

Editor's note: This article was updated after publication to correct James Clapper's position. He is Director of National Intelligence.

 
