In Data Breach, Reluctance To Point The Finger At China
Adm. Michael Rogers is among the American officials most likely to know which country perpetrated the Office of Personnel Management's massive data breach, possibly the biggest hack ever of the U.S. government. He's not only director of the National Security Agency, but also heads the U.S. Cyber Command.
Still, when asked last week at a spy satellite symposium about the origin of the OPM hack, which was first reported in early June, Rogers demurred.
"I'm not gonna get into the specifics of attribution," he said. "That's a process that we're working through on the policy side. There's a wide range of people, groups and nation states out there aggressively attempting to gain access to that data."
Lawmakers have shown a similar reluctance to name names. California U.S. Rep. Adam Schiff is the House Intelligence Committee's top Democrat and has been outspoken on many sensitive issues.
But in an interview, Schiff did not cite China when asked which country was behind the data breach.
"I think we have a pretty good case as to who's responsible," he said. "But it really is up to the administration to decide whether they want to publicly attribute the attack."
Federal law enforcement sources tell NPR the personal data of at least 18 million federal workers may have been accessed through the OPM computer system. Some China experts say assigning blame in this case can be tricky, because cyberspying there is often outsourced to nongovernment contractors.
"It's hard to sort of pin down who you should be blaming, and if you leave all of the blame at Beijing's doorstep, is that really the right place?" says Dan Altman, a China-watcher at New York University's Stern School of Business and senior economics editor at Foreign Policy magazine.
Beyond uncertainty, there's the hard, cold reality that China is still the United States' second largest trade partner, after Canada.
"This might not be the best time to try and get into the blame game with Beijing," Altman says, "because you want to engage them in that economic relationship, and that's always been the reason for reticence in terms of the United States pushing back at China — and not just over cybersecurity, but over things like civil rights and human rights as well."
Not surprisingly, China denies any responsibility for the OPM hack. At a meeting last month in Beijing with foreign journalists, the Chinese foreign minister, Wang Yi, inveighed against what he termed "irresponsible finger-pointing" by anonymous sources.
"The Chinese government opposes any hacking activities or the theft of commercial secrets," he said, "and this is the set policy of the Chinese government, and we have very strict regulations."
Wang also pointed out that 80 percent of the Chinese government's websites have been hacked. Most of these cyberattacks, he asserted, have come from the U.S.
Just as China is willing to point fingers, so, too, are some American officials. One of them is Director of National Intelligence James Clapper. At the same symposium where the NSA's Rogers had avoided singling out China for blame, Clapper named China as "the leading suspect" behind the data theft.
"You have to kind of salute the Chinese for what they did," Clapper said, adding, "You know, if we had the opportunity to do that, I don't think we'd hesitate for a minute."
That the nation's top intelligence official would name China publicly struck some in his audience as revealing.
"I think Clapper's saying clearly here, A) I really do want to go after them, and B), it's really complicated," says Colin Clark, editor of the online publication Breaking Defense. "If you're simply engaging in counterespionage, you're OK. But, you know, where does counterespionage begin and end and where does war-fighting begin?"
Clark says nobody in Washington wants to get into a dogfight with Beijing over the stolen data.
And with Chinese President Xi Jinping set to make his first state visit to the White House in September, the muted official response to the OPM hack is bound to continue.
Copyright 2020 NPR. To see more, visit https://www.npr.org.