The Obama administration’s reluctance to publicly name China as the perpetrator of what has been called the worst data breach in U.S. government history is symptomatic of the federal government’s lack of a real strategy for dealing with cyberspace and encourages future attacks, two prominent Senate Republicans said Wednesday.
Although senior administration officials, including Director of National Intelligence James Clapper, have said China is the leading suspect behind the data breach at the Office of Personnel Management that compromised background investigations on more than 21.5 million current and former federal employees, the White House has decided against publicly attributing the breach to the Chinese government, according to reporting by the Washington Post.
Senate Republicans, however, are calling this decision a strategic mistake stemming from the lack of a clear strategy for dealing with emerging cyber threats to national security.
“I think it is important that we be very public about who is doing what” in cyberspace, said Sen. Cory Gardner, a Colorado Republican who chairs the Senate Foreign Relations subcommittee on East Asia, the Pacific and International Cybersecurity Policy. “I think the fact that we’re not willing to name names is a grave mistake.”
“If there is no penalty, not even public identification of the perpetrator of a cyber attack, it seems to me that it only encourages future cyber attacks from the same actors,” said Sen. Susan Collins, R-Maine, during a press conference Wednesday announcing the Federal Information Security Management Act reform bill. “If they can get away scot-free and not even be named as responsible for the cyber hack, then what incentive is there for a nation-state, a terrorist group, an international criminal gang or a hacktivist to not just perform the same time of intrusion again.”
In a July 13 letter to President Barack Obama, Gardner demanded to know if the administration had raised the incident with China through diplomatic channels and questioned why cybersecurity issues were not among the 127 outcomes agreed to during last month’s U.S.-China Strategic and Economic Dialogue.
“We had an opportunity to bring up the OPM hacks and cyber issues and of the 127 points of agreement that were reached out of the Strategic and Economic Dialogue, including wildlife tracking and volcano studies, not one of them addressed the issue of cyber,” Gardner said, speaking Wednesday at the American Enterprise Institute. International norms would help mitigate the possibility of an international cyber arms race, he said. “Because of our lack of a strategy … we are seeing the real possibility where you could have a commercial sector try to engage in retaliatory measures.”
Richard Bejtlich, the chief security strategist at FireEye Inc. and one of the cybersecurity experts behind the study that identified China’s main cyber espionage unit (Unit 61398), said ignoring international norms and allowing organizations to hack back is a bad idea.
A better idea would be to go after the malware “kingpins,” Bejtlich said. Some estimates have placed the number of top-tier malware producers in the world at only 100. “That puts pressure on that whole ecosystem,” he said.
As for preventing another OPM hack, Bejtlich said the government and the private sector should rethink how much data it needs to collect and store. “The trajectory of history has shown that nobody can keep secrets,” he said. “We need to think about the need to collect so much data. What you need to do instead [of trying to stop every attack] is prevent an intrusion from becoming a breach,” Bejtlich said. “There is no wall that’s high enough to keep these guys out.”
Greg Otto contributed to this report.
Follow Dan Verton on Twitter @DanielVerton.