Personnel hack calls not for sanctions, but stronger and ‘active’ defense

My latest piece for Nikkei Asian Review builds on last week’s U.S.–China Week and argues that sanctions are not the answer for the Obama administration as it weighs a response to the hacking of U.S. government personnel data, allegedly by the Chinese government. Read the whole piece, but here are some highlights:

Given that primary defense has failed, however, widespread calls for retaliation are not surprising. One option is sanctions. In April, President Barack Obama issued an executive order threatening foreign individuals and entities with sanctions in response to “malicious cyber-enabled activities” that constitute a threat to “the national security, foreign policy and economy of the United States.” White House press secretary Josh Earnest said June 12 sanctions were a “newly available option … that is on the table” in response to the OPM hacks.

Levying economic sanctions against China in response to its efforts to gain access to a “legitimate foreign intelligence target,” however, would be misguided. To do so would invite economic retaliation not just from China but from other countries that are targets of similar U.S. efforts. It was never a secret that the U.S. government spies on foreign governments online, but Edward Snowden and other leakers have exposed those efforts in unprecedented detail.

But the loss of important government secrets calls for a different range of policy options. The best responses might be considered “active defense.” For instance, if a breach is detected while the intruders are still working, security officials might break into the intruders’ own systems to destroy or distort the stolen data. They might also target the same intruder’s other systems for disruption as a deterrent.

This kind of “active defense” is called for and expected in the world of espionage. Given news reports that the government only discovered the OPM intrusions after weeks or months, it seems less likely these measures would be effective. Unfortunately, the most realistic response now is to minimize the harm to those affected, increase accountability for maintaining secure systems, and more effectively compartmentalize data.