Months after the discovery of a massive breach of U.S. government personnel records, the Obama administration has decided against publicly blaming China for the intrusion in part out of reluctance to reveal the evidence that American investigators have assembled, U.S. officials said.
The administration also appears to have refrained from any direct retaliation against China or attempt to use cyber-measures to corrupt or destroy the stockpile of sensitive data stolen from the Office of Personnel Management.
“We have chosen not to make any official assertions about attribution at this point,” said a senior administration official, despite the widely held conviction that Beijing was responsible. The official cited factors including concern that making a public case against China could require exposing details of the United States’ own espionage and cyberspace capabilities. The official was among several who spoke on the condition of anonymity to describe internal deliberations.
As a result, China has so far escaped any major consequence for what U.S. officials have described as one of the most damaging cyberthefts in U.S. government history — an outcome that also appears to reflect an emerging divide in how the United States responds to commercial vs. traditional espionage.
Over the past year and a half, the United States has moved aggressively against foreign governments accused of stealing the corporate secrets of major U.S. firms. Most notably, the Justice Department last year filed criminal charges against five Chinese military officers accused of involvement in alleged hacks of U.S. Steel, Westinghouse and other companies.
The response to penetrations targeting government-held data has been more restrained, in part because U.S. officials regard such breaches as within the traditional parameters of espionage. Director of National Intelligence James R. Clapper Jr. and others have even expressed grudging admiration for the OPM hack, saying U.S. spy agencies would do the same against other governments.
Economic espionage occupies a separate category — supposedly off-limits to U.S. spy agencies and seen as deserving of a forceful response when committed by foreign adversaries.
In making such a distinction, the United States may be adhering to unwritten rules that other countries disregard. The administration risks sending a signal that it is willing to go further to defend the secrets of U.S. industry than it is to protect employees of federal agencies.
U.S. officials stressed that the administration has not ruled out economic sanctions or other punitive measures for the OPM breach. “We’re still teeing up options” for Obama and his national security team, a second U.S. official said.
The senior administration official said that the government could impose new sanctions on China without publicly linking it to the attack, and “then send a private message that said, ‘Oh, and by the way, part of the reason for this is OPM.’ ”
But the reluctance to confront China openly could complicate the administration’s ability to make a public case for such punitive measures. Other current and former officials said that nations typically do not impose sanctions as penalties for political espionage.
The OPM breaches exposed the personal data of more than 22 million people, including Social Security numbers, performance evaluations, and even the names of family members and friends who were listed as references on millions of applications for security clearances.
U.S. officials have privately said that forensic evidence leaves little doubt that China was responsible. But officials said the White House is unwilling to reveal even in broad terms how it made that determination, an effort that probably involved not only tracing the source of the intrusion, but also the United States’ using its ability to intercept the communications of government officials overseas.
“We don’t see enough benefit in doing the attribution at this point to outweigh whatever loss we might [experience] in terms of intelligence-collection capabilities,” the U.S. official said.
A reluctance to retaliate could encourage adversaries to continue targeting U.S. government networks, said Robert K. Knake, a former White House cyber official. He noted that arrests and expulsions of suspected spies were seen as important deterrents throughout the Cold War.
“We’re effectively saying you can do in cyberspace a volume of spying that is far greater than we ever could have during the Cold War and there will be fewer consequences for it,” said Knake, a senior fellow at the Council on Foreign Relations. “Nobody is going to be put in a jail cell for these cyber-intrusions. The operator in China or Russia isn’t putting themselves at personal risk in any way.”
Senior U.S. officials have avoided commenting directly on a Chinese link to the OPM hack, but Lisa Monaco, a counterterrorism adviser to Obama, spoke in broad terms during a public appearance last month about the considerations involved in going public with such an allegation.
“There has to be a policy judgment made as to whether or not we’re going to disclose the actor involved . . . and what does that mean for disclosing those intelligence sources and methods,” Monaco said during an event put on by the Aspen Institute.
Two different OPM systems were breached — one handling personnel records such as Social Security numbers and job performance data. The other stored sensitive security-clearance data, including fingerprints and extensive health, personal and financial histories.
In the aftermath of the attack, the United States has sought to shore up the security of the OPM systems and computers across the federal government. Officials have reduced the number of privileged user accounts, have added security steps for logging in and are patching critical software flaws.
The government also is pursuing an array of counterintelligence measures aimed at guarding against the Chinese government’s ability to use the stolen data to identify federal workers who might be induced to spy for Beijing.
Even as the White House continues to weigh options, officials said it is unlikely that the government would pursue criminal charges as it did last year.
“If you start trying to indict members of their intelligence service for conducting this type of espionage, what’s the response going to be? Are they going to start to indict NSA guys?” one U.S. security official said.
Former U.S. intelligence officials said the OPM hack is in some ways regarded as fair game because of unwritten spying norms that took shape during the Cold War.
“This is espionage,” said Michael Hayden, a retired Air Force general and former head of the CIA and the National Security Agency, of the OPM hacks. “I don’t blame the Chinese for this at all. If I [as head of the NSA] could have done it, I would have done it in a heartbeat. And I would have not been required to call downtown, either” to seek White House permission.
Even before the OPM breach, the U.S. response to cyber-intrusions had varied depending on the target and nature of the attack.
Last year, U.S. officials discovered an attempt to hack unclassified computer networks run by the White House and the State Department. Officials privately acknowledged that investigators had traced the intrusions to hackers associated with the Russian government but refrained from going public with that allegation against Moscow. That case also was seen as traditional espionage.
By contrast, when Sony Pictures Entertainment was hacked last fall in an apparent effort to halt its planned release of a movie that lampooned North Korea, Obama quickly blamed Pyongyang and stepped up sanctions on the regime. U.S. officials said the aggressive response was justified by the destructive and coercive nature of the attack.
In April, Obama signed an executive order creating a targeted sanctions program for malicious cyber-acts such as damaging critical infrastructure, disrupting networks, or stealing trade secrets of U.S. companies or Americans’ personal data for profit.