The Office of Personnel Management breach – the worst in US history – is a graphic testament to the White House's ongoing inability to identify and secure its most critical data.
In this case, it lost control of incredibly sensitive and detailed information on federal employees. That's a bounty worth many millions of dollars to foreign intelligence services in a breach for which China is the "leading suspect," according to Director of National Intelligence James Clapper. But even if Beijing is to blame, the way to fix the administration's cybersecurity problem – and to prevent future data heists that rival the OPM breach – isn't to retaliate against a foreign government.
After all, we are living in a world in which this kind of digital espionage is the new normal. It's the kind of thing that the National Security Agency wishes it could do against China. That is, if the spy agency isn't already doing it.
Sure, President Obama is upset about the shameful state of security in place at OPM, and has made limited efforts to correct security problems at government agencies in a 30-day "Cybersecurity Sprint." But exacting some kind of diplomatic or economic toll against China seems like a key play in the Obama administration's plans. According to unnamed officials quoted in The New York Times, Obama staff members are considering a range of options meant "to disrupt and deter what our adversaries are doing in cyberspace."
Traditional forms of deterrence in cyberspace are only partially effective even when you’re certain about the attacker's identity. And determining that with absolute certainty is tough. Hackers working for foreign intelligence services are trained to hide their identities and use deception techniques to throw off investigators. They can mimic tools, techniques, and procedures used by other hackers to make it look like a different group or foreign government carried out the strike.
Still, administration officials and at least one large cybersecurity firm with ties to the government are intent on pointing the finger at China. There are two key reasons for this blame game: (1) In order for the US to respond, the responsible party must be another government; (2) Under international law, the standard of evidence for state responsibility is solely based upon "reasonableness" versus proof beyond a reasonable doubt. The administration hasn't publicly presented any proof that China directed the OPM attacks.
While the US government is expert at denying, disrupting, and deterring kinetic actions on battlefields in each of the four domains (land, air, sea, and space), it still hasn't grasped that the digital battlefield is entirely different. The recent Times article about retaliating against China makes that all too clear.
Deterrence is possible. But it doesn't come from force or trying to instill fear. It comes from enabling security protocols that make sensitive or valuable data so hard to steal that the effort isn’t worth the reward. The goal of deterrence isn’t to keep bad guys out of a network, it’s to make it next to impossible for them to acquire the assets that they’re targeting. Technically, that’s already possible.
So, instead of shifting the focus to China, Mr. Obama should take full responsibility for the breach (OPM being part of the Executive Office) and immediately start work on a fulsome solution to the government's cybersecurity problem. That requires more than the Cybersecurity Sprint. It means a complete overhaul of how the government employs security measures and uses encryption technology across out all of its networks. It means ferreting out additional weaknesses in security and correcting them. It means identifying those responsible for making that breach possible and firing them. It means apologizing to the estimated 20 million Americans whose personal information is forever compromised.
Without those steps, nebulous talk of retaliation against China only tells the world the US doesn't understand the limitations of deterrence in cyberspace. It shows that the US remains weak and naive when it comes to battling criminal hackers. The way to demonstrate strength is to take actions that show the president understands the limitations and advantages of the cyberthreat landscape and acts accordingly. The president and Congress simply need the will to make it happen.
Editor's note: This article was updated after publication to correct James Clapper's position. He is Director of National Intelligence.