Retired General Michael Hayden is somewhat of an authority on spycraft, having led both the U.S. National Security Agency and the Central Intelligence Agency over his long career. So when he notes that the recent breach at the U.S. Office of Personnel Management—in which the personal information and background information of millions of current and former U.S. federal government employees was stolen by attackers presumed to be based in China—was a “tremendously big deal,” people will listen.
Hayden noted that the OPM data was a “legitimate foreign intelligence target.” Hayden continued: “To grab the equivalent in the Chinese system, I would not have thought twice. I would not have asked permission…This is not ‘shame on China.’ This is ‘shame on us’ for not protecting that kind of information.” Highlighting a possible use case for the information, Hayden noted that the information could help China recruit spies in the United States—a deeply troubling outcome for the United States.
To clarify, the data taken from the OPM includes a wide range of personal data, ranging from the financial histories of federal government employees to names of their family members, and critically, their foreign national contacts. Experts worry that the information could be used to pressure Chinese citizens affiliated with U.S. government employees, or for the purposes of blackmailing federal employees. Additionally, social security numbers in the OPM’s database were unencrypted.
Hayden’s comments, made at a Wall Street Journal-sponsored event, will fan the flames of the differences on cyber issues between the United States and China, just days before senior officials from both sides will meet for their annual Strategic and Economic Dialogue. The Chinese government has consistently denied U.S. allegations that it backed the breach. “Jumping to conclusions and making hypothetical accusations is not responsible and counterproductive,” a Chinese embassy spokesperson noted in a statement after news of the breach emerged.
As China continues to deny any role in the OPM hack, the U.S. federal government continues to investigate the circumstances of the breach. If China is confirmed to have backed the attack, the United States would be forced to respond in some way. The OPM breach will test the United States’ shift in posture on cyber attacks: as I noted in The Diplomat in April, U.S. President Barack Obama’s executive order on “malicious cyber-enabled activities” has set out a framework for retaliation, primarily through the use of economic sanctions.
Of course, the administration, as it weighs a response, will have to do so with consideration of the broader U.S.-China relationship. Chinese President Xi Jinping is scheduled to visit the United States in September, and retaliation for this OPM breach could derail that visit. While cyber has long been a point of divergence between the two countries, their relationship is increasingly strained by China’s assertive behavior in the South China Sea and elsewhere. Calls for the United States to draw a line are intensifying, and administration will need to evaluate its options moving forward.