SAN FRANCISCO – President Obama is facing pressure to retaliate against the hack that captured personal data on millions of federal employees.
"We must deter future attacks by making it clear that the consequences of attacks are not worth hacking into American systems," Sen. Mark Warner said.
Warner stopped short of naming China, though numerous unnamed U.S. officials have said Beijing is believed to be behind the attack on the Office of Personnel Management (OPM), in which hackers breached the data of more than 14 million federal employees. Some believe the hackers may have accessed the personal files of every U.S. federal employee going back decades. While the breach is hardly the first attack attributed to the Chinese government, the size and scope of the attack have left many calling for retaliation.
Senators Lindsey Graham and Charles Schumer have asked the International Monetary Fund (IMF) to withhold China's currency benefits until the country stops its overseas hacking campaign. In a conference call with reporters Monday, Rep. Adam Schiff said "there has to be a deterrent" against hackers attacking U.S. sites. Schiff said the repeated hacks had proven that for the U.S., a strong defense "is not enough, in and of itself." The senators did not specify what action should be taken, but said that in the coming weeks options would be discussed.
Lawmakers who spoke to BuzzFeed News Monday said there was "strong evidence" that China was behind the attack. They said the FBI and other law enforcement officials were still sorting through the implications of the attack. China routinely spies on the U.S., and is widely believed to be behind the February 2012 hack of classified information about the technologies onboard F-35 Joint Strike Fighters.
"I do think the U.S. should be responding," Rep. Ted Lieu told BuzzFeed News in a phone interview. "I am fine with the U.S. taking steps against state actors who attack our systems and who are successful." He noted: "Keep in mind we do this against other countries, so we need to be prepared if countries take sanctions against us too."
Lieu said that on a wider scale, the U.S. had to change its cybersecurity culture, and hold itself to a higher standard, especially if it could expect the same type of hacks on its websites that the U.S. intelligence community is believed to be carrying out in other countries.
"We have to be better at it both defensively and offensively. It is clear from this breach that we are, at least defensively, weak," Lieu said.
President Obama discussed the free-for-all cyber-espionage currently happening in a January 2014 speech at the Department of Justice. "The legal safeguards that restrict surveillance against U.S. persons without a warrant do not apply to foreign persons overseas," he said. "This is not unique to America; few, if any, spy agencies around the world constrain their activities beyond their own borders. And the whole point of intelligence is to obtain information that is not publicly available. But America's capabilities are unique, and the power of new technologies means that there are fewer and fewer technical constraints on what we can do. That places a special obligation on us to ask tough questions about what we should do."
Two top OPM officials are expected to appear before the House Oversight and Government Reform Committee on Tuesday to be questioned by Congress over the hack. Lawmakers have already demanded answers as to why sensitive information was not encrypted.
"What is especially troubling is the fact that this isn't the first major breach at OPM. Last year, hackers breached an OPM system that manages sensitive data used for security clearance applications. OPM says it has 'undertaken an aggressive effort to update its cybersecurity posture,' but it clearly hasn't done enough," Sen. Warner told BuzzFeed News in an email. "A report released last November noted a lack of encryption of sensitive personal information and that OPM failed to maintain appropriate controls over its servers and systems connected to its networks. The failure to encrypt federal employees' Social Security numbers is an embarrassing indication of how far behind the curve OPM has been in protecting this data."
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F