Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
OPM Breach: China Is 'Leading Suspect'But Intel Chief Urges Policymakers to Improve Defenses
China is the "leading suspect" behind the massive breach of the Office of Personnel Management, Director of National Intelligence James Clapper told a Washington intelligence conference on June 25.
"Don't take this the wrong way," Clapper at told the Geoint Security conference audience. "You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don't think we'd hesitate for a minute."
To date, the White House has only confirmed publicly that the OPM breach resulted in the exposure of personally identifiable information for about 4 million current and former government workers. But some officials now reportedly believe that the OPM breach - or breaches - may have resulted in the exposure of private information for tens of millions of current and former federal employees and contractors, as well as their family members, friends and acquaintances (see OPM Breach Victims: Tens of Millions?).
Exclusive Webinar: OPM Breach Aftermath: How Your Agency Can Improve on Breach Prevention Programs
Clapper's comments now represent the Obama administration's most pointed public statements about whom they believe to be the culprit behind the massive OPM breach. But the White House is reportedly still weighing how best to respond. Unlike the 2014 hack attack against Sony Pictures Entertainment, which resulted in thousands of PCs being wiped and sensitive personal and corporate information being publicly leaked - and which the FBI attributed to North Korea - the OPM breach has resulted in no systems being destroyed.
Clapper said at the conference that he believed the U.S. should potentially retaliate - by launching an attack against the perpetrators - only in response to cyber-attacks that were "physically destructive."
Clapper Talks China
Director of National Intelligence James Clapper speaks at the Geoint Security conference.
His view was echoed the same day by House Permanent Select Committee Intelligence member Rep. Adam Schiff, D-Calif., who said that he believed that espionage-related hacks would likely not meet the threshold for the U.S. to launch a destructive attack. But for "an attack that does damage" - such as the Sony hack - he said that might "merit a response."
The White House continues to refine its ability to respond to cyber-attacks. In April, for example, President Obama signed an executive order authorizing the U.S. government to block or seize the assets of suspected "malicious cyber actors" (see Anti-Hacker Executive Order: 5 Concerns).
Responding to questions about Clapper's comments, White House spokesman Josh Earnest on June 25 said that the White House would only name suspects if it served the aims of the government's investigation, defense news site Defense One reports. "If there is a response, it is not one we are likely to telegraph in advance," he said. But he did note that the April sanctions power "gives the U.S. government a whole set of new tools that didn't previously exist in responding to incidents like this," and said that as a potential response, the sanctions "certainly are available."
But attributing hack attacks can be notoriously difficult, as well as politically fraught. Indeed, Clapper delivered his observations just one day after Adm. Michael Rogers, who leads the National Security Agency and U.S. Cyber Command, refused to name China as even a suspect in the OPM investigation. In particular, Rogers was asked at the Geoint conference how the NSA was going about attributing the attacks to China. "You've put an assumption in your question," he replied. "I'm not going to get into the specifics of attribution. It's a process that's ongoing."
Even with proper attribution, however, Clapper said at the conference that attempting retribution was no easy matter. "The challenge here, the problem for us, frankly, is until such time as we can create both the substance and the psychology of deterrence, this is going to go on," he said. "And that's been frankly a struggle for us, because of concerns about unintended consequences and other related policy issues."
Until such time as there are serious consequences for hacking into U.S. systems, he added that U.S. government policymakers need to focus "a lot more attention to defense."
John Pescatore, director of emerging security trends at SANS Institute, talks OPM breach response.
Lawmakers Demand Attribution
OPM attack-attribution questions have been circling across Washington. Clapper's remarks were delivered shortly after Chinese and U.S. officials concluded a two-day strategic summit in Washington, after which U.S. Secretary of State John Kerry and U.S. Secretary of the Treasury Jacob Lew reported that both sides had secured agreements on a number of trade, investment, economic, climate change and cybersecurity matters (see China, U.S. Plan Cyber Code of Conduct). Asked in a press conference afterward about the OPM hack and China being a potential culprit, however, Kerry declined to respond, citing the ongoing FBI investigation.
In a June 25 Senate Homeland Security Committee hearing, meanwhile, Sen. John McCain, (R-Ariz.) pressed OPM Director Katherine Archuletta over whom she believed had hacked OPM's systems. But Archuletta rebuffed such attempts, saying that attributing cyber-attacks was not part of OPM's mission.
"OPM is not responsible for attribution," Archuleta said. "We rely on our colleagues to talk about that."
Archuletta has made four appearances on Capitol Hill over the course of nine days, and on June 25 she told lawmakers she had come to request more funding and staff members to help identify all of the security problems in the OPM infrastructure and lock them down.
"We need more resources to get things done, and that's why we've come to Congress to ask for them," she said.