The U.S. debate over how to respond to the embarrassing breach of government personnel databases raises many questions, but one of the hardest has been largely overlooked amid calls for “retaliation” and “deterrence.” China’s government is the “leading suspect” in the data theft, and if it is indeed responsible, what does the U.S. government want it to stop doing?
Soon after the public learned of the breach, which exposed personal data in millions of security clearance files held by the Office of Personnel Management (OPM), former National Security Administration (NSA) chief Michael Hayden memorably declared the files were a “legitimate foreign intelligence target,” and Director of National Intelligence James Clapper said, “You have to kind of salute the Chinese for what they did.”
Despite these frank assessments, there are widespread calls to “impose costs” or otherwise penalize China for the unprecedented breach, and anonymous sources told The New York Times the Obama administration is considering a wide variety of options. According to one official, “One of the conclusions we’ve reached is that we need to be a bit more public about our responses, and one reason is deterrence. We need to disrupt and deter what our adversaries are doing in cyberspace, and that means you need a full range of tools to tailor a response.”
Scholars and strategists have produced remarkable and frenetic literature on deterrence in cyberspace, often laboriously grafting Cold War-era deterrence concepts like “mutually assured destruction” onto online realities—uncertainty in attribution and the power of non-state actors, for instance. Opinions vary widely as to whether deterrence even makes sense online, and no one argues that deterring “cyber attacks” is easy. Indeed, Deputy Secretary of Defense William Lynn in 2010 argued that “deterrence [in cyberspace] will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.” In other words, a strong defense may be the best deterrent. Amidst the diversity of opinions, one thing most “cyber deterrence” studies have in common is a focus on highly disruptive “cyber attacks” and warfare, not online espionage.
Deterring online espionage is seen as especially challenging. In a 2009 study, Martin Libicki of RAND Corporation described at least three hurdles to deterring online spying. First is “communicating exactly what was objectionable about the behavior—was it the fact of the espionage, its volume, its gross nature, the mess it left behind?” Second is “determining the threshold for response. … What level of activity would be actionable?” Third is “ascertaining that an act of retaliation had any effect on the behavior of the offending state.”
Libicki’s first hurdle is the most vexing for the Obama administration today. Despite Hayden and Clapper’s apparent acceptance that the OPM was a legitimate target, many in the policy community seem to believe this breach crossed the line.
Even if one accepts that the OPM hackers had a legitimate target, one could still argue the U.S. government has reason to retaliate in a way that at least partially offsets intelligence losses or restores a perceived strategic balance—perhaps by threatening to expose spies or other secrets. Settling the score in this way does not inherently require publicity, but, as the anonymous official told the Times, deterrence calls for responses that could demonstrate costs to other potential adversaries. Officials would have to describe the line that was crossed.
Across what line?
Governments expect to lose some secrets to other governments, but not all of them. They expect some spies to be exposed, and some of their officials to be undermined by blackmail, but not all of them. The OPM hack violates this expectation. The scale is unprecedented, with the sensitive personal information of millions of officials and others with government affiliations or aspirations stolen for uncertain future use. Moreover, the invasion of privacy is deeply personal for some, since many files would include embarrassing secrets. Perhaps the U.S. government could find a way to describe why the scale and nature of this event violates an existing norm or a newly asserted line in the sand.
Doing so, however, would be remarkably difficult given the long-suspected and now well-known U.S. penchant for large-scale and intrusive espionage, even in allied countries. Whoever is behind the OPM hack may even have had the goal of retaliating and balancing against penetration of their own networks. Still, it could be that U.S. officials are coming around to a realization that espionage at a gargantuan scale is not the same as traditional spying. Perhaps international society is moving away from the norm that any government secret, up to and including all of them at once, is fair game for espionage. Perhaps citizens everywhere are changing their definition of a “legitimate foreign intelligence target.” This is a discussion worth having.
If the U.S. government is looking for a cyber deterrence strategy, however, this is not the place to start. The Pentagon’s new Cyber Strategy emphasizes deterrence through appropriate responses, strong defense, and the ability to weather attacks. The U.S. government has responded to commercial espionage with a range of tools and could employ more. But not every “cyber” incident is created equal, and retaliation without a clearly communicated principle simply wouldn’t deter anything in particular.
Graham Webster is a researcher, lecturer, and senior fellow of The China Center at Yale Law School. He writes and publishes the weekly e-mail brief U.S.–China Week.