Intel chiefs draw distinction between digital espionage and malicious hacks

At a Congressional hearing Thursday, officials stressed the need to develop clearer international norms to determine what's a tolerable amount cyberspying and what's unacceptable. 

Ever since Edward Snowden revealed widespread US surveillance and data gathering, US national security officials have been trying to manage the public relations fallout at home and abroad.

Two summers later, they seem willing to concede similar intelligence-gathering efforts by foreign adversaries may fall within the realm of acceptable behavior.

“I caution that we think about the old saw about people who live in glass houses,” James Clapper, Director of National Intelligence, told the House Intelligence Committee in a Thursday hearing on worldwide cyberthreats. “We should think before we throw rocks. These are very complex policy issues.”

Making the distinction between intelligence-gathering and corporate espionage is becoming especially important as the White House considers imposing groundbreaking sanctions on several Chinese entities for theft of trade secrets from American businesses, reportedly ahead of President Xi Jinping’s state visit to Washington later this month.

US officials are also reported to believe that China is behind the massive breach of the Office of Personnel Management, which compromised the Social Security Numbers and personal information of millions of people.

Washington is debating whether and how to respond, yet China routinely denies carrying out corporate espionage, instead accusing the US of hacking Chinese interests and arguing that leaks from former contractor-turned-fugitive Mr. Snowden reveal a troubling double standard.

By appearing on Capitol Hill and arguing for a clear distinction between what they see as intelligence-gathering versus other malicious cyberactivities, however, US officials seem to be making a case for why sanctions against China and other countries that engage in cyberattacks against the US would be acceptable – and not hypocritical.

The core of the argument: The US does not engage in corporate espionage, data theft and sabotage to help American businesses for economic reasons.

“We clearly understand nation states use the spectrum of capabilities they have to attempt to generate insight into the world around them,” said Adm. Michael Rogers, director of the National Security Agency. “That does not mean the use of cyber for manipulative, destructive purposes is acceptable.”

An executive order from President Obama earlier this year gives the US Treasury Department the authority to impose sanctions on individuals or organizations engaged in harmful activities against American interests in cyberspace. The order gives the Treasury Department targeted authority to freeze assets and seize property belonging to those identified as engaged in attacks against US critical infrastructure or in attacks that result in financial loss, theft of intellectual property, trade secrets and personally identifiable data.

Yet the complexities of attributing who is behind certain actions in cyberspace can make it hard to delineate between acceptable and unacceptable behavior when considering how to dole out such punishment.

All this may contribute to a heightened urgency among US officials to find common ground on the need for new rules of the road for engagement in the digital realm. “The long term end-state we have to get to is this idea of acceptable norms and behavior. What’s within reason and what’s not within reason,” Mr. Rogers said.

Making matters worse is the lack of consistent terminology and a common lexicon for describing various cyberthreats, Clapper added.

Many for instance have described the disastrous data breach at OPM as a cyberattack, while in reality, Clapper said, there was no manipulation or destruction of data – it was simply stolen. “That is a passive intelligence collection activity just like we do,” he said.

“It’s not that we don’t make that distinction,” Mr. Clapper said. “But the adversaries, most notably the Chinese, do not at all in the ultimate purpose for which they extract data from us,” he said.

Rep. James Himes (D) from Connecticut said the US needs to commit to helping develop some Geneva Convention-like rules of the road on how cyberwarfare is conducted to help policymakers develop appropriate responses, and, potentially, to avoid out-of-proportion retaliation.

“We don’t know, today, what constitutes an act of war – we don’t know what an appropriate response is, we don’t know where the line is drawn between crime and warfare,” Mr. Himes said. “Is stealing classified information from us an act or war, or is it just an act of espionage that we do to each other and maybe even grudgingly admire? What if that espionage leads to the death of a source or the death of hundreds of sources? At what point does it become an act of war?”