US won’t publicly blame China for massive government hacks – reports
Two breaches at the Office of Personnel Management this year put the data of more than 22 million Americans at risk, raising concern about foreign cyberattacks and lax government security measures.
According to the Washington Post, which cited unnamed government officials, the basis for the decision is that the US does not want to reveal any of its intelligence or cybersecurity capabilities, some of which would need to be disclosed in order to convincingly show China carried out the hack.
“We don’t see enough benefit in doing the attribution at this point to outweigh whatever loss we might [experience] in terms of intelligence-collection capabilities,” an unnamed US official told the newspaper.
The US is also reluctant to get involved in any public mudslinging with China over cybersecurity breaches considering it also conducts cyberespionage, Reuters reported. Criminal charges, such as those filed against Chinese nationals accused of stealing trade secrets from private companies, will probably not be filed, either.
Unlike the hack against Sony, later pinned on North Korea, the OPM breach is apparently seen by US officials as an incident that falls within the unwritten confines of nation-state espionage that date back to the Cold War. Essentially, the officials say
“This is espionage,” said Michael Hayden, the former head of the CIA and the National Security Agency, on the OPM hacks, according to the Post. “I don’t blame the Chinese for this at all. If I [as head of the NSA] could have done it, I would have done it in a heartbeat,” he added, saying such an attack wouldn’t have even needed approval by the White House.
Brian Finch, a cybersecurity expert with the Pillsbury law firm in Washington, echoed some of these sentiments.
"This really falls more in the world of traditional espionage. It’s sort of more shame on us than anything else," he said to Reuters. "We just got had if you will by the Chinese government and it’s really more our fault than anything else."
Officials said the US is still considering taking action against China, including economic sanctions, and relaying to China privately that their implementation is over the OPM cyberattack.
Still, the Post wrote that by more aggressively retaliating for breaches against private companies than those against government agencies, the US risks indicating that attacking the federal government won’t be punished.
“We’re effectively saying you can do in cyberspace a volume of spying that is far greater than we ever could have during the Cold War and there will be fewer consequences for it,” Robert Knake of the Council on Foreign Relations told the newspaper.
The OPM hacks were no minor attacks. One hack alone affected the records of 21.5 million people, 19.7 million of which were former, current or prospective government employees who had submitted to a background check. The other 1.8 million were family members. A separate attack saw the data of 4.2 million former and current government workers compromised.
According to OPM, hackers were able to steal information such as Social Security numbers, fingerprint records, employment, health and criminal history. Anyone who underwent a background investigation since 2000 is “highly likely” to have had their records stolen, OPM said.
Since the breach was uncovered, OPM has moved to boost security measures and partner with several agencies, including the FBI and Department of Defense, to do so.
Soon after the second hack was revealed, OPM Director Katherine Archuleta resigned from her post.