The United States will continue to suffer increasingly damaging cyber attacks against both government and private sector networks as long as there is no significant response, according to a recent U.S. intelligence community assessment.
Disclosure of the intelligence assessment, an analytical consensus of 16 U.S. spy agencies, comes as the Obama administration is debating how to respond to a major cyber attack against the Office of Personnel Management. Sensitive records on 22.1 million federal workers, including millions cleared for access to secrets, were stolen by hackers linked to China’s government.
U.S. officials familiar with the classified cyber assessment discussed its central conclusion but did not provide details.
Spokesmen for the White House and office of the director of national intelligence declined to comment.
Recent comments by President Obama and senior military and security officials, however, reflect the intelligence assessment.
Obama said during a summit in Germany June 8 that he would not disclose who conducted the OPM hack. But he said such attacks would continue.
"We have known for a long time that there are significant vulnerabilities and that these vulnerabilities are gonna accelerate as time goes by, both in systems within government and within the private sector," the president said.
Last week, Adm. Mike Rogers, commander of the U.S. Cyber Command, said the increase in state-sponsored cyber attacks is partly the result of a perception that "there’s not a significant price to pay" for such attacks.
Privately, administration officials said the assessment appears to be an indirect criticism of the administration’s approach to cyber attacks that has emphasized diplomatic and law enforcement measures instead of counter-cyber attacks.
"The administration is expecting more attacks because they’re unwilling to do anything," said one official. "They’re preparing for more attacks because we’re failing to deter and defend against them."
Intelligence and cyber security experts agreed with the assessment that weak U.S. responses are encouraging more cyber attacks.
"Until we redefine warfare in the age of information, we will continue to be viciously and dangerously attacked with no consequences for those attackers," said retired Army Lt. Gen. Mike Flynn, a former Defense Intelligence Agency director.
"The extraordinary intellectual theft ongoing across the U.S.'s cyber critical infrastructure has the potential to shut down massive components of our nation’s capabilities, such as health care, energy and communications systems. This alone should scare the heck out of everyone."
James Lewis, a cyber security expert at the Center for Strategic and International Studies, agreed. Lewis said the defensive approach that emphasizes closing vulnerabilities to cyber attacks is not working.
"Unless we punch back, we will continue to get hit," Lewis said.
Lewis says that conducting retaliatory cyber strikes without starting a war is difficult but not impossible.
"There are a lot of ways to do this—leaking some party leader’s bank account could be a good start," Lewis said. "Many people think a cyber response is the best way to signal where the lines are the other side should not cross."
"We’re all coming to the same place—that a defensive orientation doesn’t work," he added.
Rogers, the Cyber Command chief who has stated in the past that he favors more aggressive U.S. responses, acknowledged that the U.S. response to the OPM hack has been muted compared to the government’s highly public response to North Korea’s damaging cyber attack in November against Sony Pictures Entertainment. The Sony hack was a failed bid by the North Koreans to derail the release of a comedy film critical of dictator Kim Jong Un.
Major incidents in recent months include the Sony attack; cyber attacks against the health care provider Anthem that compromised the records of some 80 million people; attacks against State Department and White House networks from suspected Russian government-linked hackers; the OPM hacking; and an Iranian-backed cyber attack against the Sands casino in Las Vegas.
Asked about the increase in state-sponsored attacks, Rogers said during a security conference in Colorado that one factor has been a lack of response.
In earlier congressional testimony, Rogers suggested a more muscular cyber policy that would include demonstrations and threats of retaliatory cyber attacks against hackers in a bid to create deterrence similar to the Cold War-era strategic nuclear deterrence.
In addition to more capable hackers, "you’ve got a perception, I believe, that to date there is little price to pay for engaging in some pretty aggressive behaviors," Rogers said.
"Whether it’s stealing intellectual property; whether it’s getting in and destroying things as we saw in the Sony attack; whether it’s going after large masses of data—OPM being the most recent but go back to the summer of ’14 and we saw a successful penetration of a large health insurance company and the extraction of most of the medical records and personal data information that they had."
Nation states are only one part of the threat. Criminal groups also are conducting large-scale cyber attacks, Rogers said.
In November, Rogers said he argued for going public in naming North Korea’s communist regime for the Sony hack and having the president make a public statement that Pyongyang would pay a price.
Rogers said some officials in the administration favored a less public response to the Sony case.
"So one of my concerns was this time it was a movie," Rogers said. "What if next time a nation state, a group, an individual, an actor decides I don’t like the U.S. policy, I don’t like a U.S. product, I don’t agree with this particular position taken by a company, or taken by an individual. If we start down this road, this is not a good one for us as a nation."
Rogers said he argued strongly that "we cannot pretend that this did not happen," and that the attack had to be linked to North Korea directly.
"My concern was if we do nothing, then one of the potential unintended consequences of this could be does this send a signal to other nation states, other groups, other actors that this kind of behavior [is okay] and that you can do this without generating any kind of response," Rogers said.
Rogers appears to have lost out during the administration’s debate over naming the Chinese for the OPM hack.
"OPM is an ongoing issue," Rogers said, adding that he would not discuss the specifics of internal discussions.
"But I would acknowledge, hey, to date the response to OPM, there’s a thought process and I’m the first to acknowledge to date we have to take a different approach."
Asked if he agreed with doing nothing about the OPM response, Rogers suggested some action might be forthcoming.
"Just because you’re not reading something in the media does not mean that there’s not things ongoing," he said. "So I would argue, let’s step back and see how this plays out a little bit."
He defended the more public U.S. response to the Sony hack, which included limited sanctions against North Korean agencies and officials, by noting that to date no similar cyber attacks by Pyongyang have been conducted.