Yesterday, the Washington Post reported that the U.S. Central Intelligence Agency (CIA) has pulled its officers from the U.S. embassy in Beijing. The move was undertaken by the agency a “precautionary measure,” the report notes, to avoid any possible retaliation against these officers in the wake of data acquired by Chinese hackers in a breach of the U.S. Office of Personnel Management (OPM).
The OPM breach, announced earlier this year, resulted in the theft of over 20 million records, including fingerprints and SF-86 security clearance forms. The source of the hack has been widely attributed to the Chinese government, though the United States has not officially said so.
The CIA’s move is necessary to protect officers who may be discovered by a simple cross-referencing of the State Department records obtained in the OPM breach against declared U.S. Embassy personnel records in Beijing. “Anybody not on that [State Department] list could be a CIA officer,” the Post report notes.
Over the summer, Michael Hayden, a former head of both the U.S. National Security Agency and CIA, noted that the data stolen in the OPM breach could be of immense counter-intelligence value to China. Hayden speculated that China could use the information to recruit spies. Hayden—and others—have described the OPM data as a “legitimate foreign intelligence target” for Chinese hackers to pursue, and clearly, the breach is proving to have deleterious consequences for U.S. human intelligence capabilities inside China.
The United States and China, at the conclusion of Chinese President Xi Jinping’s inaugural state visit, agreed to refrain from attacking each other’s critical infrastructure with cyber attacks and to not “conduct or knowingly support cyber-enabled theft of intellectual property.” U.S. officials note that the OPM breach, as disastrous as it is for U.S. national security, was not a cyber attack per se. James Clapper, the U.S. director of national intelligence, described the OPM breach as a “form of theft or espionage.”
The U.S. and China have disagreed in the past on the acceptable limits on legitimate state-sponsored espionage. The United States, though it notes the legitimate value of espionage against state targets, has suggested that espionage against private entities and the theft of intellectual property in particular should be “out of bounds.”
The United States most frequently accuses China of the latter—indeed, reports leading up to Xi’s visit that Washington would impose sanctions against Chinese individual and entities were primarily concerned with that sort of cyber espionage.
The OPM breach, however, is a reminder that China also practices good old fashioned cyber-enabled espionage against state targets. Clapper, during a testimony before the U.S. Senate Armed Services Committee, highlighted the difficulties in retaliating against China for this sort of behavior: “We, too, practice cyberespionage and … we’re not bad at it,” he noted.
Clapper may be right that the United States isn’t bad at espionage, but it needs to get better at keeping its own information secure. China is getting better at the world’s second oldest profession at an alarming pace.