Intelligence officials have said that the seizing of information from the Office of Personnel Management wasn’t severe enough to be considered an attack.
“Many times I’ll hear people throw out attack, act of war, and I go, that’s not necessarily in every case how I would describe the activity that I see,” Adm. Mike Rogers, head of U.S. Cyber Command, told a House panel on Thursday.
James Clapper, the director of national intelligence, agreed, saying, “Though it has been characterized by some loosely as an attack, it really wasn’t since it was entirely passive. It didn’t result in destruction or any of those kinds of effects.”
“I wish we wouldn’t characterize it that way,” Clapper said. “The lexicon and terminology is crucial.”
The OPM breach, which involved classified personnel files on 21.5 million people, has been traced to the Chinese government. However, officials have described the data as a legitimate intelligence target that the U.S. failed to protect. It would be more serious, Clapper said, if China manipulated the data.
“What’s of great concern with respect to the OPM breach … had to do with potential uses of bad data,” Clapper said. “Thus far we haven’t seen any evidence of their usage of that data. Certainly, we’re going to be looking for it.
“We haven’t seen actual use of this data in a nefarious way,” he said. If it was collected for “espionage purposes, I just would caution that we think … about people who live in glass houses, we should think before we throw rocks.”
Rogers said lawmakers need to work on developing more concise policies if they consistency in matters of cybersecurity.
“We clearly understand that nation-states use the spectrum of capabilities they have to attempt to generate insights about the world around them,” Rogers said. “That does not mean that the use of cyber for manipulative, destructive purposes is acceptable. That does not mean that the use of cyber for the extraction of massive amounts of personally identifiable information is acceptable. We’re going to have to work our way through, how do we develop all that in a much more defined way than we have to date.”
China and Russia have been collaborating in efforts to collect U.S. intelligence data, and some lawmakers have been frustrated by the country’s lack of response. Experts generally say that the use of hacking for commercial espionage should be considered unacceptable by the U.S., and that sanctions should be placed on foreign companies that benefit from it. However, they point out, it is difficult for the U.S. to criticize political espionage, in which it also engages.
