Can America thump China for the OPM hack – and should it?

Can the U.S. really shame another superpower for espionage excess?

While some argue that mitigation, not attribution, should be the top priority in the wake of the Office of Personnel Management breaches, foreign relations experts are wrestling with how the U.S. should – or even could – respond to the state believed to be behind the breaches: China.

In a discussion hosted by the Atlantic Council on Aug. 19, academics hashed out red lines and the threat of escalation.

And they generally agreed that better cybersecurity on America’s end is a far better response than geopolitical threats.

Was OPM fair game?

“Clearly the U.S. hasn’t made its position known strongly enough … that the U.S. will protest these actions,” said Catherine Lotrionte, director of the Institute for Law, Science and Global Security at Georgetown University. “[China and other nations are] going to assume that these types of actions are, under traditional espionage rules, acceptable.”

She added that persistent attempts to take information from other nations was “part of traditional statecraft,” pointing to the long history of Soviet-American spying back-and-forth.

The U.S. and U.S.S.R. never went to war over espionage, she noted.

“I don’t think the U.S. government has actually stated a position [on wide scale exfiltration of personal information],” Lotrionte said. “So it is not surprising if this behavior were to continue.”

“The U.S. has put out a red line on this issue,” interjected Robert Knake, senior fellow at the Council on Foreign Relations, pointing to President Barack Obama’s April 1 executive order that threatened the property of those tied to “significant malicious cyber-enabled activities.”

The problem, Knake argued, is that Obama singled out destructive cyberattacks, stealing intellectual property, and stealing personally identifiable information (PII) “for private gain.”

“It basically said if you’re stealing this PII for traditional espionage purposes it’s not crossing the red line and we won’t impose sanctions,” Knake said. “Stealing data from Sony? Bad. Stealing data from OPM? OK.”

The U.S. position makes sense from an historical, free-market-protecting standpoint, he added, but the U.S. position was shaped before cyber capabilities enabled nations to suck down such vast quantities of personal data.

Besides, the U.S. conducts its own cyber espionage, much of it quite personal.

“This is how the rest of the world felt after Snowden,” chimed in Columbia University international affairs researcher Jason Healey. “That feeling of being violated.”

American espionage abides by the “subtler norm” of bygone spy craft: Don’t get caught. But in the new era, Knake said, China doesn’t really see any consequences coming for targeting huge databases, whether or not they’re caught doing it.

And without moral superiority, the U.S. could have a difficult time enforcing norms.

“How do you say, ‘It’s OK to tap the phone of foreign leaders but it’s not OK to take the OPM database’?” Knake asked. “It’s, I think, probably impossible to do.”

Give Chinese the FOOT treatment?

Lotrionte pointed to the past as a possible guide for American response: Operation FOOT, the 1971 action in which the fed-up, spied-on British booted 105 Soviet intelligence and trade officials from the U.K.

The lead-up to the action required intelligence officials to weigh the risks, and then explain to politicians the value of one big, sweeping expulsion.

“There were no acts of retaliation [by the Soviets] against London,” she noted, praising the decisive nature of the move.

The U.S. might pursue a similar course with Chinese officials.

The U.S. might also go after China through the World Trade Organization.

“It’s very important to China to be seen as a state that’s cooperating with its agreements under the WTO, because they fought to get in,” Lotrionte said.

“But first, a formal protest, you have to write a letter,” she added, noting how the Obama Administration has been officially muted on the issue, even as the administration plans some kind of retaliation.

Healey noted the need for American officials to “think about this escalation path,” and consider actions China might take in response. Perhaps the Chinese would dox federal employees in desperation, he wondered, or match the OPM database against the recently released infidelity site Ashley Madison’s data dump.

Or perhaps the U.S. ought not do anything. Is it really worth thumping China, when we benefit from cyber espionage so much?

“The relative gains for us are greater than the relative losses,” said Knake. “I think that’s the general view of the intelligence community, and I think it may be right.”

Are USDA, Education next?

This is a “shame on CIA,” not shame on China or OPM, situation, said Knake.

“The idea that they were relying on OPM, this little non-national [security] agency, to protect who their spies are, that seems a little ridiculous to me,” he said.

Just as OPM was vulnerable, so too are other agencies charged with keeping valuable information.

“We’ve got lots of other places that hackers could hit that are seen as IT security backwaters,” noted Healey.

He singled out the Education Department, which holds student loan information and has security “at best” around OPM’s pre-breach level, and the USDA, which holds farm loan data and is “probably below” OPM’s security level, as potential future targets.

“Even if you work at the Department of Agriculture, you need to understand securing data,” added Lotrionte, saying every single agency head ought to have a deep understanding of the data they protect, and the tools they’re using to protect it.

While Healey worried about the hyper escalatory nature of cyber espionage, Knake was moderately optimistic about the fallout from the OPM breaches.

“It’s bad that we lost this information,” he said. “It’s not devastating. It’s not devastating because we know about it.”

Since we know China has our people’s data, he explained, we can shuffle agents accordingly and maybe even use the information to our advantage.

“How are we going to use that to our advantage?” asked a puzzled moderator.

Knake’s response: “It’s classified.”