Bolton Hits Chinese for Hack of OPM Records

New Trump policy rejects Obama's passive response to cyber attacks

John Bolton / Getty Images
September 21, 2018

White House National Security Adviser John Bolton confirmed this week that China carried out the cyber attack on the Office of Personnel Management in the theft of more than 22 million sensitive records on American government officials.

Bolton disclosed the Chinese hacking in unveiling the Trump administration's new national cyber strategy, which shifts the focus of security efforts from the passive approach of the administration of President Barack Obama to a proactive, aggressive stance against cyber attacks.

"For any nation that's taking cyber activity against the United States … we will respond offensively as well as defensively," Bolton bluntly stated at the White House Thursday.

China has been the most aggressive in conducting cyber espionage and cyber technology theft against the United States.

The National Security Agency estimated several years ago that China obtained 50 terabytes of data through cyber espionage, including details on F-35 and F-22 jets, space-based lasers, and other valuable data.

Members of Russia's GRU military intelligence service were indicted recently for the politically disruptive hack-and-release influence operation targeting the 2016 presidential election.

Russian cyber actors also conducted the NotPetya malware attack against Ukraine in 2017 that spread worldwide and destroyed data in banks, energy companies, an airport, and a shipping company.

North Korea conducted the global WannaCry ransomware cyber attack in May 2017 that infected hundreds of thousands of computers around the world and disrupted business, causing billions of dollars in damage.

On the OPM hack, Bolton's comment on the Chinese role in the cyber attack was the first time a senior government official directly linked Beijing to the massive theft of federal records, including sensitive background information on hundreds of thousands of federal officials with security clearances.

Commenting on whether the new Trump administration strategy against foreign hacking might impact Americans' privacy, Bolton said the new policy has nothing to do with domestic monitoring.

"The fact is that many Americans' privacy is at risk now from the actions of hostile foreign actors," he said.

"You may recall seeing about the hacking of the Office of Personnel Management by China, where potentially millions of personnel records—my own included, and maybe some of yours, from former government employees—have now found a new residence in Beijing," he noted.

"That's the kind of threat to privacy from hostile foreign actors that we're determined to deter."

The administration is not seeking continued hostility toward foreign states engaged in cyber attacks but "we're looking to create powerful deterrence structures that persuade the adversary not to strike in the first place," he said.

"I just think it's important for people to understand that we're not just on defense, as we have been primarily on defense for a period of time," Bolton said.

The OPM hack took place in 2015 and was the result of poor network security at the government's main personnel management agency.

Investigators determined that a total of 22.1 million people, mainly federal workers, lost personal data in the Chinese attack. The information included Social Security numbers, fingerprints, passwords, and information used in conducting background screening for security clearances.

It was among the most damaging cyber attacks against the U.S. government and reportedly prompted the CIA to recall intelligence officers from overseas due to risks to their security.

Around the same time as the OPM hack, China also used cyber attacks to steal some 80 million records from the U.S. healthcare provider Anthem.

Intelligence officials believe the Chinese are using the stolen data to conduct data mining operations in seeking potential spy recruits or identifying targets for cyber espionage.

Obama and his administration refused to publicly blame China for conducting the attack over fears of upsetting U.S. trade and diplomatic relations with Beijing.

At one point in 2015, then-Director of National Intelligence James Clapper publicly suggested China was the main suspect in the OPM hack. But he later refused to say if Beijing was behind the data theft.

The lack of response was a key feature of the Obama administration's passive approach to foreign cyber attacks. That administration rejected repeated appeals from intelligence and law enforcement agencies that urged going on the offensive against hostile cyber actors like China and Russia as a way to limit and deter future attacks.

Bolton said that several weeks ago President Trump, in setting a new, more aggressive cyber security policy, rescinded PPD-20, a 2012 Obama directive on cyber operations policy that restricted the government's ability to counter foreign cyber attacks effectively.

For example, the top-secret Obama order, made public by renegade National Security Agency contractor Edward Snowden, limited U.S. cyber responses by requiring "specific presidential approval" for all offensive cyber attacks, a restriction that could prevent routine rapid responses to foreign cyber attacks.

The approval was needed for any cyber action likely to produce "significant consequences"—another restriction limiting freedom of action for those in charge of U.S. offensive cyber attacks.

The order mandated that the U.S. government "obtain the consent" of countries targeted by defensive cyber security actions. And it called for using the "least intrusive methods" to counter cyber threats.

"Our presidential directive effectively reversed those restraints, enabling offensive cyber operations through the relevant departments," Bolton said, noting the gloves-off approach is in line with recent legislation requiring "particular attention to intrusive cyber operations by China, Russia, Iran, and North Korea."

Bolton said it is important for U.S. adversaries to know that Trump has authorized offensive cyber operations when it is in the U.S. national interest and to "demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear." He did not elaborate.

The new presidential order will authorize both offensive and defensive cyber operations "to create structures of deterrence that will reduce malign behavior in cyberspace," he said.

Administration officials said the government has spent the past year and a half on behind-the-scenes efforts to strengthen cyber defenses for both government and private sector critical networks.

The increased cyber security efforts will allow U.S. intelligence agencies and the Cyber Command to begin to take more aggressive cyber action.

Options for offensive cyber attacks include using computer means to disrupt or destroy systems caught attacking U.S. systems, and conducting retaliatory cyber intrusions to steal back or destroy stolen U.S. information.

"Americans and our allies are under attack every day in cyberspace," Bolton said. "Malicious nation-state, criminal, and terrorist actors seek to steal our intellectual property and our personal information, damage our infrastructure, and even undermine our democracy through the use of cyber tools."

In a foreword to the new cyber strategy, Trump said "adversaries have increased the frequency and sophistication of their malicious cyber activities."

"America created the internet and shared it with the world," he stated. "Now, we must make sure to secure and preserve cyberspace for future generations."

In a section of the strategy on "peace through strength," the 40-page unclassified report says that "now-persistent engagement in cyberspace is already altering the strategic balance of power."

"All instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States," the report says.

"This includes diplomatic, information, military (both kinetic and cyber), financial, intelligence, public attribution, and law enforcement capabilities."

U.S. actions in cyberspace will include "swift, costly, and transparent consequences when malicious actors harm the United States or our partners."

For the first time, the administration has brought countering foreign information and influence operations under the umbrella of its cyber operations.

"The United States will use all appropriate tools of national power to expose and counter the flood of online malign influence and information campaigns and non-state propaganda and disinformation," the report says.

"This includes working with foreign government partners as well as the private sector, academia, and civil society to identify, counter, and prevent the use of digital platforms for malign foreign influence operations while respecting civil rights and liberties."