Two months after the Office of Personnel Management (OPM) discovered that it had suffered a massive data breach, the Obama administration is trying to figure out how best to retaliate against the prime suspect — China — without escalating the cyberwar.
"In a series of classified meetings, officials have struggled to choose among options that range from largely symbolic responses — for example, diplomatic protests or the ouster of known Chinese agents in the United States — to more significant actions that some officials fear could lead to an escalation of the hacking conflict between the two countries," The New York Times reported last week.
US President Barack Obama is asking for a creative response. But cybersecurity expert Dave Aitel, CEO of Immunity Inc., thinks the government would be better off focusing its energy and resources on securing its vulnerable systems rather than on retaliation.
"If you want to disrupt and deter people from hacking OPM, all you have to do is properly secure it," Aitel told Business Insider.
"We lost a lot of really valuable information, but we have to remain the adults in the room."
In hacking the OPM, Chinese hackers diverged from their pattern of stealing intellectual property and defense secrets. Instead they targeted information that would enable them to build a database of US diplomats, intelligence operatives, and those with business in China.
"The government just has to secure its systems and move on," Aitel added, especially since the OPM hack was technically fair game.
"This particular kind of hack is considered normal — nation states spy on each other all the time, and we don't sanction them or start cyberwars over it," Aitel said. "It was massive, but it was well targeted."
Indeed, as one senior administration official told The Times in June, "This was classic espionage, just on a scale we've never seen before from a traditional adversary."
And mistakes were clearly made.
Contractors in both Argentina and China were reportedly given "direct access to every row of data in every database" when they were hired by the OPM to manage millions of detailed personnel records of federal employees and applicants, and the hackers managed to stay undetected in the agency's security clearance computer system for over a year.
"OPM's data-security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information," House Oversight chairman Jason Chaffetz (R-Utah) told Katherine Archuleta, who resigned as OPM director over the breach, during a hearing before the House Oversight and Government Reform Committee in June.
Even as they consider ways to get back at China, Obama administration officials are not publicly blaming the breach on the Chinese government — reportedly out of fear that doing so may discourage China from working with the US on international initiatives such as limiting Iran's nuclear program.
Chinese officials, for their part, have vehemently denied the allegations as "irresponsible" and "unscientific."
Behind closed doors, US officials seem fairly confident that the cybercriminals were state-sponsored Chinese hackers, but even this should be questioned, Aitel warns.
The US was also confident that the Russian government had hacked JPMorgan Chase last summer, and publicly accused it of doing so, but the breach affecting 83 million people turned out to be the work of two Israelis and an American.
"Just two weeks ago we had to renege on our conviction that Russia hacked JPMorgan," Aitel said. "And the Chinese could easily point to this error to demonstrate the US' lack of proof.
"We're burning sources and methods if we start hacking for political reasons, and it could get expensive," he added. "We got caught with our pants down, and we need to learn how to deal with the embarrassment."