Obama Considering Range of Options in Response to OPM Hack

Administration working to find culprit in massive cyber theft of federal employee data

June 17, 2015

President Obama is considering a range of options in addition to economic sanctions in response to the massive theft of data from federal government computer networks, a senior White House security official said Tuesday.

"We’ve got a range of tools and we’ll consider all of them," said Lisa Monaco, the White House’s homeland security adviser.

Monaco said in a brief interview with the Washington Free Beacon after a speech on cyber threats that the U.S. government is currently investigating the clandestine theft of sensitive information on at least 4 million government workers from computers at the Office of Personnel Management (OPM).

Officials have so far not reached a firm conclusion about who was behind the attack, she said.

Monaco’s comments on possible responses to the cyber attack were the first to indicate that the administration is considering more than economic sanctions in retaliation. Josh Earnest, the White House press secretary, suggested Friday that sanctions were among the options.

Monaco did not respond when asked why neither the president nor his advisers have condemned the cyber attack against the Office of Personnel Management, which has been described by U.S. officials as one of the most damaging compromises of sensitive information in recent years.

Monaco, in her speech, said that the administration’s current tools for responding to cyber attacks include sanctions, indictments, diplomacy, and intelligence operations.

The OPM breach was first discovered in April and then determined to have begun around December.

Obama said after the G-7 summit in Germany that he would not identify the source of the OPM attack and instead said the vulnerability of federal computer networks is increasing.

The OPM revealed Friday that its investigation into the initial loss of personal data on 4 million federal employees had expanded and revealed that additional data was compromised, including sensitive information on some of the 700,000 government officials who hold security clearances and are involved in secret activities.

Monaco declined to comment when asked whether China was behind the cyber attack, as officials have said privately. However, she identified China and Russia as the main state-sponsored cyber threats, with Iran and North Korea as two others.

The Obama administration has experienced a string of major security compromises. They have included the 2009 leak of thousands of classified documents to WikiLeaks, the theft of over 1 million classified documents by the renegade National Security Agency contractor Edward Snowden, and the recent cyber attacks on government networks.

U.S. officials have said the OPM cyber attack has been traced to Chinese hackers, including a group that has been dubbed "Deep Panda." Earlier cyber attacks on State Department and White House networks were linked to Russian hackers.

Monaco, who met with the president prior to her remarks, said the threats from cyber attacks are increasing in both size and sophistication.

"The OPM breach is just the most recent example of the threat that we’re facing," Monaco said during a speech earlier to the Aspen Institute. "What we have seen is a threat that is expanding in every single dimension, from the frequency of attacks, the scale of those attacks, the sophistication, and severity of the impact."

Asked how the administration plans to respond to both state-sponsored and criminal cyber attacks, Monaco listed four methods.

They include Justice Department indictments, such as the one handed down in May 2014 against five Chinese military hackers, and economic sanctions, such as those imposed in response to the November 2014 hack of Sony Pictures Entertainment networks that was traced to North Korean government hackers.

Additionally, diplomatic efforts "that don’t always see the light of day" will be used to respond to attacks, along with secret intelligence operations, Monaco said.

"These are a suite of tools that we want to make sure we have in our tool box for every eventuality," she said. "You’ve seen how we responded to the Sony attack. We want to make sure there’s a range of things that we have at our disposal as we face more and more of these different types [of cyber attacks]."

The PLA indictments, which Monaco said she began when she headed the Justice Department’s national security division, are one set of reprisals.

The indictments of the Chinese, who are members of a known Chinese military hacking unit, were modeled after past indictments of wanted foreign terrorists as a way to signal that, even if the U.S. government is unable to "get our hands on" the actors, their crimes are addressed, she said.

Government-sponsored hackers pose a significant threat and range from sophisticated actors such as China and Russia to those with "disruptive and at times destructive intent," including Iran and North Korea.

Non-state hackers are "almost more insidious" than their state-sponsored counterparts and are motivated by financial gain, she said.

"These folks are profit driven and may not be operating for their own profit motive but may be hired by some other entities that I just listed in the other bucket," Monaco said.

These include criminal syndicates, ideologically-driven "patriotic" hackers, and terrorist groups.

Terrorist groups, such as the Islamic State, are a growing concern because of the ability to use hacking for propaganda purposes.

Cyber attacks pose both national security and economic threats.

The administration has been focused on "raising our cyber defenses," Monaco said.

Critics of the administration’s approach to cyber attacks have said that the use of sanctions, legal measures, and diplomacy is not working, as cyber attacks are increasing.

Adm. Mike Rogers, commander of the U.S. Cyber Command, has suggested the United States needs to take more aggressive actions, such as retaliatory cyber attacks against China, as a way to create strategic deterrence.

The U.S. government should "think about how can we increase our capacity on the offensive side here, to get to that point of deterrence," Rogers told the Senate Armed Services Committee in March.

However, administration advisers in the past have rejected retaliatory cyber attacks due to concerns that the attacks will escalate into a full-scale cyber war.

China has been detected mapping critical U.S. infrastructures in what U.S. intelligence agencies believe is reconnaissance for cyber attacks aimed at disrupting the U.S. electrical grid or vital financial or transportation networks.

The Pentagon last week published a new edition of its law of war manual that outlines the legal conditions for using cyber attacks.

The manual notes that how the laws of war are applied to cyber warfare is "not well-settled."

"Cyber operations can be a form of advance force operations, which precede the main effort in an objective area in order to prepare the objective for the main assault," the manual states. "For example, cyber operations may include reconnaissance (e.g., mapping a network), seizure of supporting positions (e.g., securing access to key network systems or nodes), and pre-emplacement of capabilities or weapons (e.g., implanting cyber access tools or malicious code)."

The manual states that cyber attacks against stock exchanges, banking systems, and universities would be considered illegal—unless the attacks are linked to the imperatives of war.

Cyber attacks also must be proportional, in terms of the potential to cause loss of civilian life.

The Pentagon is barred from indiscriminate cyber attacks. "For example, a destructive computer virus that was programmed to spread and destroy uncontrollably within civilian Internet systems would be prohibited as an inherently indiscriminate weapon," the manual says.

Cyber attacks that are defined in the manual as a legal use of force governed by the laws of war include digital strikes that can cause a nuclear plant to melt down, a dam to open in a populated area causing destruction, and cyber attacks against air traffic control that cause aircraft to crash.

"Similarly, cyber operations that cripple a military’s logistics systems, and thus its ability to conduct and sustain military operations, might also be considered a use of force under jus ad bellum [right to war]," the report said.

The Senate Armed Services Committee, as part of an investigation last year, revealed that Chinese government hackers broke into such logistics networks at the U.S. Transportation Command, which is in charge of moving troops, weapons, and supplies around the world for U.S. military forces.