The Central Intelligence Agency was forced to recall its spies from Beijing after Chinese hackers stole information about 21.5 million government employees from the Office of Personnel Management, the Washington Post reports:
Because the OPM records contained the background checks of State Department employees, officials privately said the Chinese could have compared those records with the list of embassy personnel. Anybody not on that list could be a CIA officer.
The CIA’s move was meant to safeguard officers whose agency affiliation might be discovered as a result of the hack, said officials, who spoke on the condition of anonymity to discuss a sensitive matter.
This is a big setback for U.S. intelligence, and it is likely to be just one of many consequences of the OPM hack. It is the latest development in a new era of cyber warfare that shows few signs of cooling off. China and the U.S. did agree to some initial rules intended to limit cyber attacks last week, but President Obama sounded cautious when he announced the deal, according to Reuters:
“It has to stop,” Obama told reporters at a joint news conference in the White House Rose Garden, with Xi standing beside him. Obama said he and Xi made “significant progress” on cyber security.
But he added warily: “The question now is, are words followed by actions?” and made clear he is prepared to levy sanctions against cyber criminals.
Speaking before the Senate Armed Services Committee yesterday, Director of National Intelligence James Clapper expressed even clearer skepticism, Reuters reports:
Asked if he was optimistic the agreement would eliminate Chinese cyber attacks, Clapper said simply: “No.”
Clapper said he was skeptical because Chinese cyber espionage aimed at extracting U.S. intellectual property was so pervasive, and there were questions about the extent to which it was orchestrated by the Chinese government.
He said the United States should “trust but verify,” a reference to former President Ronald Reagan’s approach to nuclear disarmament with the former Soviet Union.
In light of the CIA news, it’s no wonder that Clapper sounded so frustrated.
President Obama and Obama administration officials continue to say the right things about Chinese cyber warfare. Officials testifying at the hearing promised a “vigorous” response if another hack like the one on the OPM were to occur. But any response would face obstacles. In the first place, verification is much more difficult with cyber attacks than it is with conventional ones, and it’s not actually clear that the United States could reliably determine whom to sanction even if it wanted to respond. And then there is the question of political will: Even if verification became possible for an attack, will officials actually do anything to punish the Chinese companies and government agencies responsible?