U.S. Backpedals on Blaming China for Massive Government Hack

Anonymous senior administration officials tell The Washington Post that formally blaming China for a U.S. government hack is not worth revealing its own cyberespionage capabilities. Kacper Pempel/Reuters

Since a massive breach of U.S. government personnel files was discovered months ago, government officials have publicly implicated China in the intrusion. But anonymous “senior administration officials” now tell The Washington Post that the Obama administration has decided not to formally attribute the hack to the Chinese, partly because doing so could require the U.S. to reveal details of its own cyberespionage capabilities.

In June, the U.S. government said the Office of Personnel Management’s (OPM) systems had been hacked, compromising millions of government employees’ personal information, such as sexual history and drug use—information found in security clearance forms. The joint FBI and Homeland Security investigation ultimately found more than 21 million former, prospective and current federal employees’ personal information, including Social Security numbers and fingerprints, had been accessed.

Shortly after the hack was announced, Director of National Intelligence James Clapper told a Washington intelligence conference, “You have to kind of salute the Chinese for what they did,” referring to the hack’s sophistication. But on Tuesday, an anonymous official told the Post, “We don’t see enough benefit in doing the attribution at this point to outweigh whatever loss we might [experience] in terms of intelligence-collection capabilities.”

The anonymous officials also tell the Post that the U.S. has decided not to directly retaliate with a cyberattack of its own—such as one that could corrupt or destroy the data the hackers stole. Instead, a senior administration official told the Post, the U.S. could impose new sanctions on China, “then send a private message that said, ‘Oh, and by the way, part of the reason for this is OPM.’”

As the Post’s Ellen Nakashima points out, the U.S. is treating economic espionage and political espionage differently.

In the past year and a half, the administration has aggressively gone after governments it has accused of hacking major U.S. companies. When Sony Pictures Entertainment was hacked last fall, for instance, Obama was quick to blame North Korea and impose additional sanctions. “It caused a lot of damage,” Obama said, justifying the move. But when it comes to the OPM incident, which some are calling the worst hacking of the U.S. government in history, China has avoided any major consequences.

A reason: The administration seems to view the hacking of government networks as more traditional espionage, and something the U.S. itself would do against other governments.

“I don’t blame the Chinese for this at all,” Michael Hayden, a retired Air Force general and former head of the CIA and the National Security Agency, told the Post, speaking of the hack. “If I [as head of the NSA] could have done it, I would have done it in a heartbeat.” He added that he wouldn’t have been required to call the White House for permission to do so.

“In making such a distinction,” Nakashima writes, “the United States may be adhering to unwritten rules that other countries disregard.”

The Post’s sources went on to suggest that the U.S. has put itself in a hard-to-win situation. Nations, they say, do not typically impose sanctions as punishment for political espionage. But failing to do anything will send a message to countries that the U.S. government is willing to do more to protect industry than its own employees. Also, the reluctance to name China will make it harder for the administration to make the public case for retaliation.