James Clapper, the director of National Intelligence, said Thursday that China was the likely culprit in the cyber attack that stole millions of employee records from the Office of Personnel Management. He stopped short of directly blaming the Chinese government, but said Beijing was the “leading suspect.”
Clapper’s somewhat offhand attribution for the attack came during a question-and-answer session following a speech at the annual GEOINT symposium in Washington. He was the first administration official to publicly assign suspicion for the OPM breach to any particular actor, but his answers also indicated that the intelligence community is operating under the assumption that China was responsible.
“Please don’t take this the wrong way, but you have to kind of salute the Chinese for what they did,” Clapper said. “If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”
Speaking at the same conference a day earlier, Adm. Mike Rogers, the director of the National Security Agency and the commander of U.S. Cyber Command, pointedly refused to single out China or any other nation as the source of the OPM data theft, saying that naming countries in the context of specific attacks involved policy decisions that are outside his purview.
But he said the U.S. government’s ability to trace the origins of cyber attacks has increased tremendously within the past decade. And decisions about whether and when to publicly name a country as the source of an attack may have more to do with carefully calibrated geopolitical strategies than with agencies’ technical capacity to determine its origin.
That is a marked change from a few years ago, when the difficulty of attribution was frequently cited as one of the government’s primary cybersecurity challenges.
“Attribution has come a very long way. It is not the problem it was 10 years ago,” Rogers said. “The Sony breach is a pretty good example of that. Relatively quickly, DHS, the FBI and NSA were able to come to a consensus that the activity came from North Korea and to provide the basis for that attribution, and that allowed our political leadership to have a high confidence factor and to act in a public and direct way. But every incident is different. It’s a bit of a cat-and-mouse game. As you gain more insight into what actors are doing, you watch them doing things like creating new partnerships in order to obfuscate the origin of the attacks. But in general, I’m pretty confident in our ability at this point to develop insights into who’s doing what.”
China’s government routinely denies involvement in cyber thefts, irrespective of evidence to the contrary, adding that it too is a victim of cyber attacks.
But even if the U.S. government’s capacity to attribute the origin of cyber attacks with a high degree of confidence has grown, Clapper said its ability to deter them in ways analogous to how it deters conventional attacks has not.
“The problem for us, frankly, is that until such time as we can create both the substance and psychology of deterrence, these things are going to continue to go on,” he said. “That’s been a struggle for us because of concerns about unintended consequences and other related policy issues. But until there’s some kind of penalty for the behaviors that we might see as onerous or reprehensible, these things are going to continue. In the meantime, we have to pay more attention to defense.”
Given the assumption that cyber defense is the country’s best option at the moment, Clapper said agencies and their employees need to dedicate much more attention to basic matters of cyber hygiene.
While the precise vector of the OPM hack remains somewhat murky, it appears that the attackers gained access to the government networks by obtaining, in one way or another, the log-in credentials of a contractor employee working for KeyPoint Government Solutions, which worked on OPM systems and had administrative-level privileges on the agency’s network.
“A lot of this is not rocket science — it’s about being alert to attacks and having a ‘do-line’ for cyber,” Clapper said. “I feel really bad for OPM, but frankly, there but for the grace of God go any of us. We need better communications between industry and government, we all have profound challenges and this requires attention of all of our senior people. We have to explain to all of our employees what the risks are, what they need to do to protect themselves, and that this will be the gift that keeps on giving for the rest of their lives.”
But asked to assess which nation state is the largest threat in cyberspace, Clapper said he is less concerned about China than he is about the Russian government.
“They are very sophisticated,” he said. “We know more about the Chinese because they’re a little noisier. I worry much more about the Russians because they are more subtle, and they have tremendous capability. They have strategic conventional weapons, and from a standpoint of capability if not intent, they pose a tremendous threat. I’d be reluctant to rank whether their cyber capabilities or their conventional weapons are more threatening, because if it came to it, they’d be using them in combination.”