Saturday, August 01, 2015

Deterring Cyber Attacks

The New York Times reports today that President Obama has been weighing a variety of possible responses to the intrusion into Office of Personnel Management computers that was first reported in June. The hack, which has been attributed to China, resulted in the theft of personal information for over twenty million federal employees. Although CIA data was not involved in the breach, some of the information collected may have allowed the Chinese to determine the identity of spies posted to China in the past.

One of the considerations involved in the Obama administration's deliberations--and apparently the reason that certain administration officials were willing to talk to a reporter about ongoing discussions--is the desire to achieve a measure of deterrence by imposing costs on the attackers that are clearly tied to the initial data breach. James R. Clapper, Jr., director of national intelligence, and Admiral Michael S. Rogers, director of the National Security Agency, have both argued that Chinese cyber attacks will keep escalating as long as the United States fails to impose costs on China for the attacks. On the other hand, there is a concern that retaliation, if not carefully calibrated, might prompt escalation rather than restraint.

According to the Times article, the idea of economic sanctions against China has been considered and rejected due to the potential for costly Chinese retaliation against U.S. economic interests. Additionally, the idea of criminal prosecution has apparently been rejected due to the scope and nature of the OPM breach. A recent Congressional Research Service report notes that U.S. policy regarding cyber espionage attempts to distinguish between breaches that involve national security and those that are concerned with economic interests. The former draw a counterintelligence response while the latter are potential subjects for criminal prosecution.

Two years ago, at a "shirt sleeves summit" in Rancho Mirage, California, President Obama tried but failed to get his Chinese counterpart, Xi Jinping, to agree to a framework for the regulation of activities in cyberspace. If the U.S.-Soviet nuclear relationship provides any guidance--and it's not entirely clear that it does--a sense of mutual vulnerability may be necessary to bring the United States and China to the point of being able to cooperate on cyber arms control.