The Obama administration’s top intelligence and law enforcement officials have concluded that China was almost certainly responsible for the massive hack that exposed highly sensitive information on millions of U.S. government employees.
But the Obama administration has so far refused to publicly accuse Beijing, despite their private conclusions. According to individuals familiar with internal deliberations on the subject, the White House has been reluctant to offend the Chinese in the midst of sensitive international negotiations. And there are concerns that exposing China could compromise U.S. intelligence-gathering techniques.
Naming China would likely lead to calls for the administration to produce evidence of its claims. In that case, “there could be an issue with revealing sources and methods” of intelligence-gathering, James Lewis, a top computer security expert who has spoken to senior administration officials about the hack against the Office of Personnel Management, told The Daily Beast.
Intelligence agencies jealously guard their techniques for monitoring China’s armies of hackers and tracing attacks back to them, fearful that were they exposed, streams of valuable intelligence could dry up. Revealing technical details of how the U.S. has attributed the breach of OPM to Chinese actors could tip off hackers to the ways that American intelligence agencies track them, said Lewis, a director and senior fellow at the Center for Strategic and International Studies in Washington. Lewis added that in the OPM case, attributing the hack to China has been a less complicated matter than deciding when to point the finger.
Computer security firm CrowdStrike, whose executives have close ties to U.S. law enforcement, has already traced the breach to hackers it says are “affiliated with the Chinese government,” using forensic information from the OPM hack provided by the government.
Questions of political timing have also complicated the question of when to call out China, according to two more individuals who have discussed the OPM attack with U.S. officials and asked not to be identified. On July 9, the administration released more details about the scope of the cyber breach, revealing for the first time that more than 22 million people’s records were compromised. But blaming China then, amid final negotiations over Iran’s nuclear program to which China was a party, would have been a significant distraction. Those talks have now concluded, but Chinese President Xi Jinping is also scheduled to come to Washington in September, and opening a public spat over the OPM hack could overshadow his visit.
President Obama met with top Chinese leaders at the White House last month and raised his concerns over the country’s “cyber and maritime behavior,” according to an official statement. But openly linking China to the OPM hack would escalate tensions and immediately raise the question of how the United States would respond. After accusing North Korea of hacking Sony Pictures Entertainment last year, Obama slapped new sanctions on the country. The U.S. launched targeted cyber attacks on North Korean computer networks.
Administration officials have previously said that they don’t rule out imposing sanctions against individuals or organizations responsible for the OPM hack. After the Sony hack, the White House trumpeted a new sanctions regime designed to punish hackers and the countries, companies, and people who benefit from information they steal.
But retaliating economically against China could pose its own set of problems.
“The real question is a strategic one,” Zachary Goldman, a sanctions expert and a former senior official in the Treasury Department, told The Daily Beast. “The U.S. government has worked hard to cultivate a norm against commercially-motivated cyber espionage.” State-on-state digital spying, however, is largely considered part of the global espionage game. “If this hack was motivated by reasons of state, we still might find it objectionable, and might indeed retaliate in ways that are outside the public eye. But we might not want to vocally argue that this kind of espionage should never take place.”
Indeed, the nation’s top intelligence official, who said China was “the leading suspect” in the OPM hack, has doffed his hat to the country’s cyber spies for exploiting such a valuable and obvious target.
“You have to kind of salute the Chinese for what they did," Clapper told an intelligence conference, adding the U.S. would have hacked them the same way if it could. There’s an obvious hypocrisy in sanctioning China for an intelligence operation that the top American spy has said he’d like to mount.
Clapper’s remarks aren’t an official statement of the administration's position. When asked if China was in fact responsible for the personnel records hack, spokespersons for the National Security Council, the FBI, and the OPM all said they weren’t ready to identify a culprit.
So far, the only hard line the administration has taken publicly with China over its cyber spying is the indictment of five Chinese military officers in 2014 for hacking into U.S. corporations and stealing proprietary information. In that case, Justice Department officials said the Chinese had crossed a line, stealing trade secrets and pricing data from American companies and giving it to their Chinese competitors. That’s one kind of spying that intelligence officials insist the U.S. doesn’t do.
Similarly, the Obama administration justified retaliations against North Korea by describing the Sony hack as outside the bounds of traditional espionage. The regime purportedly attacked Sony in part to dissuade the movie studio from releasing a satirical film about North Korean leader Kim Jong Un.
“We cannot have a society in which some dictator someplace can start imposing censorship here in the United States,” Obama said at the time, adding, “That’s not who we are. That’s not what America is about.”