Hacks and Attacks: How Do You React When China Conducts a Cyber Attack?

World had similar feeling of being violated after Snowden’s revelations, says Atlantic Council’s Jason Healey

When the news broke earlier this summer that hackers had breached the Office of Personnel Management (OPM) and accessed the records of more than twenty million current and former federal employees, it prompted calls to punish China, which was believed to have orchestrated the cyber attacks.  

But what Chinese hackers allegedly did [China denies any involvement in the OPM hack and the US government has not officially blamed China for the attack] is no different from what spy agencies around the world, including in the United States, do all the time.

“That feeling that you are violated right now, that’s how everyone else feels after Snowden,” said Jason Healey, Nonresident Senior Fellow in the Brent Scowcroft Center on International Security’s Cyber Statecraft Initiative at the Atlantic Council.

Healey was referring to revelations by former government contractor Edward Snowden of the extent of spying by the National Security Agency (NSA), including allegations that the NSA had tapped German Chancellor Angela Merkel’s phone.

“We are getting angry now… Imagine how Angela Merkel felt,” Healey said in a panel discussion at the Atlantic Council August 19.

“If you are actually upset at the Chinese… then there are probably some other lessons from the last couple of years to look at,” he added.

Hitting back?

The New York Times reported in July that the Obama administration had decided to retaliate against China over the OPM hack, but that it was still struggling to agree on a measured response that would not escalate a cyber conflict.

The United States has not clearly articulated that it feels strongly about cyber attacks on the scale and scope as the one against OPM, which is why such attacks continue, said Catherine Lotrionte, Director of the Institute for Law, Science and Global Security at Georgetown University.

In July, an unclassified e-mail network used by Gen. Martin Dempsey, Chairman of the Joint Chiefs of Staff, and hundreds of military and civilian personnel, was the target of a cyber attack. Russia is suspected in that attack.

“Right now I feel pretty comfortable in saying that we haven’t deterred anyone in terms of that they are going to continue to, at least, assume that these types of actions under traditional espionage rules are acceptable by the US and others until and when the US actually takes a position in response to that to say otherwise,” said Lotrionte.

However, Robert Knake, who until earlier this year served as Director for Cybersecurity Policy at the National Security Council, pointed out that the Obama administration has, in fact, laid out red lines.

In April, US President Barack Obama put forward a presidential directive on sanctions against countries and foreigners who conduct cyber attacks on the United States and US citizens.

Obama spelled out three red lines, said Knake. These were: destructive cyber attacks, stealing intellectual property, and stealing personally identifiable information (PII) for private gain.

The third red line was “about the PII, but it basically said, parenthetically, ‘If you are stealing this information for traditional espionage purposes, it doesn’t cross this red line and it is not the kind of thing that we might use economic sanctions for,’” said Knake, who is now the Whitney Shepardson Senior Fellow at the Council on Foreign Relations.

“China may have gotten the message: ‘Sony. Bad. Stealing data from Google. Bad… Stealing data from OPM. Yeah, that’s OK,’” he added, referring to past cyber attacks on Sony and Google.

Is that the right message to send, asked Siobhan Gorman,a Director in the Washington office of the advisory firm Brunswick and moderator of the panel discussion.

The challenge facing the United States is what limits it wants to place on cyber espionage by others in the context of what limits it wants to place on itself, said Knake.

Snowden fallout

“We’re in the post-Snowden period where basically the whole world knows the US engages in this kind of activity,” said Knake.

It is for this very reason that senior US officials, past and present, have been reluctant to take a strong line against China over its alleged role in the OPM hack.

Former CIA Director Michael Hayden said he “would not have thought twice” about seizing similar information from China if he had the chance. And Director of National Intelligence James Clapper said “you have to kind of salute the Chinese for what they did… If we had the opportunity to do that [to them], I don’t think we’d hesitate for a minute.”

The United States finds itself in an awkward position following Snowden’s revelations. Last week, documents revealed that AT&T had secretly helped the NSA spy on Americans.

“It’s probably not great timing to have the message that ‘We don’t engage in this, and you shouldn’t engage in this, and this is beyond the pale,’” said Knake of the damage the Snowden revelations have done to the US moral position on cyber espionage.

“The calculation that we have made in a certain way is to say we are better at this than anyone else; we’re getting more value out of this than they are, and the relative gains for us are more than the relative losses,” he added.

Responding to China

The United States could try and deter China from conducting cyber attacks by making two arguments: one, since China keeps getting caught, the information it collects is less valuable as the victims know they have been targeted, and two, “you can’t end up on the front of the Washington Post,” Knake.

“If the New York Times is talking that is going to force the United States to respond and get tough and we are going into an election season and I guarantee you over the next eighteen months every presidential candidate is going to say that they need to forcibly respond to China over the OPM breach,” he added.

The intrusion at OPM occurred last December, but was only detected in April.

Lotrionte made the case for a strong US response to Chinese cyber attacks.

Short of escalating the conflict, the Obama administration should issue a formal protest, impose sanctions, freeze assets, stop business ties, and expel officials from the United States, she said.

Knake, however, said the United States has already resorted to such “escalatory dominance” in the case of the five Chinese People’s Liberation Army officers who were indicted by the US Justice Department in May 2014 for hacking into the computers of US companies to steal trade secrets.

Healey, who is also a Senior Research Scholar at Columbia University’s School of International and Public Affairs, said the United States has to be “really careful” about how it responds to Chinese cyber attacks.

Ahead of Chinese President Xi Jinping’s visit to Washington in September, the United States should try and advance the conversation on cyber with China by emphasizing that it shows restraint and has rules on espionage as was evident from Obama’s presidential directive in April, said Healey.

Noting that no other country openly talks about matters Obama laid out in April, Healey said: “More like that, so that the world doesn’t automatically assume the worst of us, could particularly help.”

Ashish Kumar Sen is a staff writer at the Atlantic Council.

Related Experts: Ashish Kumar Sen and Jason Healey

Image: From left: Siobhan Gorman, a Director in the Washington office of the advisory firm Brunswick, moderates an August 19 panel discussion on cyber security at the Atlantic Council with Catherine Lotrionte, Director of the Institute for Law, Science and Global Security at Georgetown University; Robert Knake, the Whitney Shepardson Senior Fellow at the Council on Foreign Relations; and Jason Healey, a Nonresident Senior Fellow in the Brent Scowcroft Center on International Security’s Cyber Statecraft Initiative at the Atlantic Council.