US intelligence agencies face a number of issues when drawing up plans of retaliation against China following numerous cyber attacks and data breaches. However, any moves of aggression will come at a cost, according to a number of security experts.
US officials are currently holding classified meetings to discuss their options after the breach at the US Office of Personnel Management (OPM) resulted in the loss of 21.5 million federal records.
Speaking to V3, Tom Gaffney, security advisor at F-Secure, said that even though there is no “smoking gun” to prove that China is responsible for the breaches, he is certain that these attacks occur.
However, the situation becomes complicated when considering that the United States also conducts global offensive cyber attacks. For example, documents leaked to the Washington Post in 2013 revealed that the US carried out 231 offensive cyber-operations in 2011 alone.
“There is a long list of tit for tat and for a while the US was able to portray itself as the victim,” Gaffney told V3. “China has fought back with its own allegations and conspiracy theorists point to the Snowden data being released shortly before Obama’s official visit to China,” he said.
“It embarrassed the US administration and undermined the US attempts to tackle the issue with China.”
“It’s a new cold war where no-one is innocent and everyday people are the losers as states sponsor new cyber-attack methods that will inevitably fall into the hands of criminals,” he warned.
Meanwhile, Ewan Lawson, senior research fellow for military influence at the Royal United Services Institute (RUSI), told V3 that the US will now attempt to “differentiate between hacking for destructive purposes or for commercial gain”.
“There is a sense that the scale and frequency of attacks apparently emanating from China has reached a level where even if the purpose is ‘traditional espionage’, it has reached a level where it is no longer acceptable and requires a response,” he said.
Lawson highlighted two traditional responses open to the US when drawing up retaliation plans: economic sanctions and diplomatic expulsions. Yet he noted that “there is a hint of a growing appetite for a response through cyberspace aimed at damaging or disrupting the source of those attacks”.
“In US CYBERCOM doctrine these are known as Defensive Cyber Operations – Response Action (DCORA) and whilst they might be technically feasible there is a risk that used outside of conflict, they run the risk of a series of escalations and tit for tat operations,” he said.
According to Lawson, the US has two options currently available: deterrence by denial and deterrence by punishment.
“Attackers need to be aware that if they are caught doing something malicious to the USA through cyberspace there will be a cost. In cyberspace, this is likely to be graded depending upon the severity of the attack and could of course be the non-cyber methods highlighted earlier,” he explained.
“The nature of the capabilities required and the accesses to adversary networks and systems means that they are not routinely demonstrated in the way that it was possible for example to demonstrate the power of an atomic weapon.”
US agencies now discussing options
US officials are meeting in secret to discuss the available options for how to retaliate against China in a way that will not harm ongoing intelligence operations, according to a report first published in The New York Times.
The options being touted include diplomatic protests, legal threats and even the ousting of known Chinese agents operating in the US.
One approach being raised by security agencies is targeting the so-called Great Firewall, a complex network that protects the Chinese government’s censorship apparatus.
This move would allow the US to show China that it has the ability directly to affect the country’s political control.
However, any aggressive moves are likely to be met with significant pushback from Chinese officials.
The legal route has been tried in the past. The US indicted five members of China’s People’s Liberation Army last year for cyber espionage against six American targets.
“For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries,” said FBI director James Comey at the time.
However, the action has been criticised as a symbolic punishment, as those involved are not likely to face trial unless they voluntarily go to the US.
A report analysing the fallout from the OPM hack, published by the Congressional Research Service, detailed the options available to the US government, but noted that “criminal charges appear to be unlikely in the case of the OPM breach”.
Nevertheless, the report did outline some of the other options currently open to the US government.
“If the US chooses to respond in other ways to intrusions from China, experts have suggested that China has multiple vulnerabilities that the US could exploit,” the report said.
“China’s uneven industrial development, fragmented cyber defences, uneven cyber operator tradecraft, and the market dominance of Western IT firms provide an environment conducive to Western [computer network exploitation] against China.”
The congressional report stops short of directly blaming China for the cyber attack, but comments by James Clapper, director of national intelligence, identified China as the “leading suspect” in the investigation.
The Obama administration has remained mute on the subject of cyber attacks and possible retaliation.
China has denied involvement
Yet officials in China have explicitly denied involvement in the attacks. “Maybe it is better to clarify one’s own matters before rushing to make unfounded accusations against others, so as to make oneself sound more convincing,” said foreign ministry spokesman Lu Kang in June.
Cyber awareness is now on the agenda of the US government. A “30-day sprint” was announced earlier this year to enhance federal cyber security and “assess and improve the health of all federal assets and networks, civilian and military”.
US chief information officer Tony Scott announced the results of the programme, saying that more than half of the largest government agencies have now implemented a stronger level of authentication for users.
“Our economy, and the credibility and viability of our most cherished and valuable institutions, depend on a strong foundation of trust and the protection of critical assets and information,” he said.
“Let me be clear: there are no one-shot silver bullets. Cyber threats cannot be eliminated entirely, but they can be managed much more effectively.”