Over the past few weeks, attention has been focused on the Obama administration’s response to China for the hack on the Office of Personnel Management (OPM), which compromised the personal information of more than 20 million Americans. In a July 31 article in The New York Times, David Sanger reported that while the administration has determined that it ought to retaliate against Beijing, officials have struggled to determine exactly what options to pursue.
The question of how the United States should respond to the attack – still not officially attributed to China by the Obama administration – took center stage at an August 19 panel discussion on the issue at the Atlantic Council, a Washington, D.C.-based think tank. The event took place just weeks before Chinese President Xi Jinping’s upcoming visit to the United States.
Catherine Lotrionte, a former intelligence official under the Bush administration, argued that the OPM hack constituted a serious attack on U.S. national security. Beyond compromising the security information of a large number of individuals, it also provided a list of people with clearances for China to potentially recruit as well as insights into which foreign nationals may have been speaking to U.S. intelligence officials.
Despite this, Lotrionte, now a professor at Georgetown University, noted that the Obama administration had remained silent on the issue, refusing to even state a clear position. Without at least lodging a formal protest, she said it was very difficult to expect a change of behavior from China, particularly since attacks according to some U.S. officials have continued to happen.
“I feel pretty comfortable saying we haven’t really deterred anyone,” she said.
If the Obama administration wants to demonstrate to China that such attacks are unacceptable, Lotrionte said, it could consider several proposals that were short of severing ties with China. After issuing a formal protest, Washington could consider expelling targeted groups of Chinese out of the United States; stopping business ties; and enacting targeted sanctions or asset freezes.
But Robert Knake, who until this year directed cybersecurity policy at the National Security Council in the Obama administration, argued that such moves – which were already being considered by U.S. officials – would go too far. The United States, Knake noted, thus far has deliberately chosen to object to Chinese economic espionage against American companies but not to state-on-state spying incidents like the OPM hack. Part of the calculation, Knake said, was that the United States should focus on bigger issues – like intellectual property theft and suppression of free speech in cyberspace, as well as hacks on the President or Joint Chiefs of Staff – rather than events like the OPM hack.
Furthermore, Knake noted that the U.S. intelligence community has not been pushing for punishing China or drawing red lines in cyberspace because it still believes that it is still doing far better than its peer competitors like China and is getting much more out of it.
“Right now, we judge that that’s not in our interest,” he said.
Knake, currently a fellow at the Council on Foreign Relations, also reminded the audience that the United States had lost any moral high ground it had in cyberspace following the Edward Snowden revelations. If the United States were to take tougher measures against China this week, for instance, new Snowden documents revealing that AT & T had secretly helped the National Security Agency spy on Americans would not make the optics look too good.
“It’s probably not a great thing,” he said.
Given all this, Knake said that Washington and Beijing could agree on the basis of a much subtler norm which had informally been in place during the Cold War: “don’t get caught.” The United States would clearly communicate to China that by conducting clumsy espionage operations and getting caught – such as the OPM hack – Beijing was not only drastically reducing the value of the information it was stealing, but also drawing unnecessary public attention and forcing the administration’s hand to react.
“You can’t end up in the front page of The Washington Post,” Knake said in an attempt to convey what Washington would say to Beijing.
The stakes are even higher for China as the United States goes into an election season. Presidential candidates – already notorious for bashing China to look tough during their campaigns – would view the cyber issue as an easy opportunity to take a swipe at Beijing
“If that sets the stage for the next presidential election, that’s going to be interesting,” Knake said.
Jason Healey, who served as Director for Cyber Infrastructure Protection during the Bush administration, also expressed skepticism about the United States “punishing” China. He said he was concerned about more serious escalations between the United States and China rather than the OPM hack. That being said, he still argued that the United States and other actors could go even further to shape the norms of cyberspace in several ways, even in a post-Snowden world.
For starters, Healey said that although the United States had lost the moral high ground in cyberspace, the fact that China still continues to categorically deny charges of cyber espionage affords Washington the opportunity to publicly name and shame Beijing.
“We can continue to call them out,” Healey, currently a senior fellow at the Atlantic Council , said.
In addition, the United States could also undertake more constructive measures either unilaterally or in concert with China.
First, he said the United States could point to instances where it was demonstrating restraint with respect to intelligence. One example he pointed to was PPD-28, a 2014 presidential policy directive which publicly outlined the terms and limits guiding signals intelligence activities.
“We [wouldn’t] care if others do it. We’re going to do it because of who we are,” he said.
Second, the United States could also unilaterally inform China that it would not undertake certain measures against Beijing in the hope that Beijing might reciprocate in turn. This, he said, could include a pledge not to attack certain critical infrastructure like electrical transmissions systems.
Third and lastly, the United States and China could also work out private arrangements to limit the scale and scope of cyberattacks and distinguish what would constitute a departure from traditional espionage cases. These would be comparable, Healey said, to the ones that were developed between Washington and Moscow during the Cold War.