US retaliation for OPM hack could set precedent in global cyberconflict

Passcode was the exclusive media partner for an event with the Atlantic Council exploring how the US should respond to attacks such as the Office of Personnel Management breach.

August 21, 2015

After the recent string of high-profile breaches such as the one at the Office of Personnel Management, many experts and international policymakers are watching closely at how the US may retaliate against suspected hackers.

When it comes to digital spying, international norms are noticeably absent; there's little precedent for how nations should retaliate to each other's network attacks. So a strong American response against China, the leading suspect in the OPM hack, could be a first step in establishing norms for international cyberconflicts and digital espionage.

At an event hosted by the Atlantic Council think tank in Washington on Wednesday, a panel of security experts debated various possibilities for US responses to the multitude of digital attacks on government agencies and private corporations. Passcode was the exclusive media partner for the Cyber Risk Wednesday event focusing on hacks, attacks, and what the US can do about it.

Opinion: Retaliation against China is the wrong reaction to OPM hack

Here are three things we learned:

1. The US is careful about setting parameters on cyberespionage so it doesn't limit its own operations.

The US has spoken out publicly against certain kinds of attacks – destructive digital attacks, stealing intellectual property, and stealing personally identifiable information for private companies' gain, said Robert Knake, the Whitney Shepardson senior fellow for cyber policy at the Council on Foreign Relations.

But its relative silence after the OPM breach could leave other nations to interpret that the US does not consider the theft of government data for non-private benefit to be off-limits, he said. 

The message the US might be sending other countries, Mr. Knake said, is: “If you’re stealing this information for traditional espionage purposes, it doesn’t cross this red line ... and it’s not the kind of thing that we would use economic sanctions for.”

Iran’s official line on exchange with Israel: Deterrence restored

2. Starting a global dialogue about digital espionage has many challenges because of its secrecy.

Discussing traditional espionage with Russia during the cold war was relatively straightforward because both Washington and Moscow acknowledged their role in spying on each other, said Jason Healey, senior research scholar at the School of International and Public Affairs at Columbia University.

But talking to China about digital attacks is tough, because Beijing's public stance is that "we don't engage is this," he said. "Both for practical reasons, as well as potential for advantage, we can try and shift that.”

3. To thwart digital spying by other countries, the US could advocate the moral high ground and lead by example.

According to Mr. Healey, the US should continue showing restraint in espionage operations. “We don’t care if others show that restraint. We’re going to show restraint because of who we are,” he said.

Two Notable Quotes:

“We haven’t deterred anyone,” said Catherine Lotrionte, director of Georgetown University's Institute for Law, Science, and Global Security. Ms. Lotrionte said she doesn't believe that the current position of the US on digital attacks will keep future attackers at bay. 

“We’ve got to think about ... the limits that we want to place on espionage in cyberspace, in the context of what kinds of limits we want to place on ourselves," Knake said. 

Notable tweet:

Correction: A previous version of this article incorrectly spelled the name of Catherine Lotrionte. This version has been corrected.