US Cybersecurity Policy In One Sad Cliche: 'People Who Live In Glass Houses Shouldn't Throw Rocks'

US Cybersecurity Policy in One Sad Cliche:

The US doesn't have a problem punishing foreign hackers. The government killed an ISIS hacker with a drone in August. It quickly sanctioned North Korea following the Sony hack. So why hasn't the United States retaliated against the OPM hackers?

Watching the Senate Armed Services Committee hearing on US cybersecurity policy on Tuesday, it seems like the people making decisions are as confused as the rest of us.

At one point, Sen. John McCain (R-AZ) starkly asked Deputy Secretary of Defence Robert Work if there was a policy in place to deal with incidents like the hack of the US Office of Personnel Management.

"First is to try. First we deny and then we first find out-we do the forensics," Work said. He spoke with impressive confidence, as if the words he said weren't a stream of nonsense.

"I'm not asking the methodology, I'm asking the policy," McCain interrupted, asking Work if the US would respond to OPM-like hacks by counterattacking, or by some other measures.

"That may be one of the options," Work said.

Director of National Intelligence James R. Clapper Jr. was equally vague when McCain questioned him about responding to hacks like OPM debacle.

"I think it's a good idea to at least think about the old saw about people who live in glass houses shouldn't throw rocks," Clapper said, noting that the US also practices cyber espionage. This bears repeating: The Director of National Intelligence strongly implied that the US shouldn't punish other governments for tit-for-tat attacks. Clapper's argument here is "we spy, they spy back."

McCain was not happy with that response. "So it's ok for them to steal our secrets that are most important because we live in a glass house?" he said. "That is astounding."

McCain's frustration was warranted, but high-ranking government officials dodging senate hearing questions is a little too commonplace to call "astounding." Water on Mars is astounding. These answers from Clapper and Work are simply cagey and evasive.

What came off as confusion is a ploy to hide the clumsy brinksmanship that happens between superpowers. Clapper, McCain, and Work are dancing around the fact that the US isn't responding to the OPM hack because it's not strategically advantageous for it to do so, period.

The theft of 22 million federal employees' background checks, fingerprints, and other sensitive data is a real threat to national security. The stolen information can be used to blackmail, hack, and track federal employees, including State Department officials. The US doesn't know exactly whose information was stolen, making it harder to identify potential targets. It certainly qualifies as the type of intrusion President Obama condemned in an executive order authorizing sanctions for cyber-threats earlier this year:

With the new Executive Order I'm signing today, I'm for the first time authorizing targeted sanctions against individuals or entities whose actions in cyberspace result in significant threats to the national security, foreign policy, economic health or financial stability of the United States.

No matter how elegant Obama's cadence is as he discusses protecting the US from digital threats, it's not simply how bad a hack is that determines a response. It's who did it, and whether fighting back is convenient.

That means this breach will probably go unanswered. Even after reports that the US considered economic sanctions on China and pulled CIA employees from the US Embassy in Beijing following the theft, the US has not even officially blamed China. Instead, during Chinese President Xi Jinping's recent visit to the US, Obama and Xi announced an agreement that neither government would digitally hijack the other's intellectual property.

This ensures that China and the US can continue to digitally hijack the other's intellectual property without escalating the situation further than that. US inaction helps maintain the status quo, which is HELLA SPYING.

We just lost a spy game. The best option may very well be to act like good sports. But this incident highlights an unsettling truth about the rules of cyber warfare: The personal data for citizens will, more often than not, be collateral damage in a game of chicken.

[Washington Post]