
Why The Weak And Hesitant Response to the OPM Breach?

Jack Goldsmith
Saturday, June 13, 2015, 10:48 AM

Published by The Lawfare Institute in Cooperation With Brookings

The NYT reports that the Obama administration is “considering financial sanctions against the attackers [from China] who gained access to the files of millions of federal workers” from Office of Personnel Management computers. This seems like a mild, dithering response, given the scale of the breach, which includes “personal data from more than four million current and former federal employees,” and “information about friends, family members and associates that could number millions more,” including “files related to intelligence officials working for the F.B.I., defense contractors and other government agencies.” John Schindler explains well why China’s spies hit the “blackmail jackpot,” and why the “disaster … will take decades to set right.”

Why such a weak and hesitant response to such a colossal intelligence disaster? I can think of two reasons.

One, as Marcy Wheeler noted a week ago, this is almost certainly the type of collection we are trying to do, and probably succeeding in doing, against China’s government officials. This is not IP theft; it is government espionage. (Note the difference in tone toward China in this context compared to the IP context.) We can hardly go ballistic if we are doing the same thing. (When we catch foreign spies, we retaliate against the spy, and usually not against the foreign nation more broadly, for similar reasons.)

Second, going ballistic with harsher sanctions – what would those sanctions be? – won’t do us any good on balance. If point 1 is right, China could retaliate on the same ground, and charge us publicly with hypocrisy. Or it could just retaliate in response to the sanctions without linking the retaliation to our spying. We simply have more to lose from harsh sanctions – along several diplomatic and economic fronts – than we have to gain. That is why we haven’t done much in terms of sanctions against China’s extensive and multi-faceted cyber theft, including in the IP context.

And so any sanctions will likely be purely nominal—designed, at most, for domestic consumption. The USG cannot be seen to do nothing in the face of the breach. That would be unseemly at home. But we cannot do too much, for that would be self-defeating abroad. If I am right, it’s a pretty bad situation to be in, given the apparently poor state of our cyber defenses.


Jack Goldsmith is the Learned Hand Professor at Harvard Law School, co-founder of Lawfare, and a Non-Resident Senior Fellow at the American Enterprise Institute. Before coming to Harvard, Professor Goldsmith served as Assistant Attorney General, Office of Legal Counsel from 2003-2004, and Special Counsel to the Department of Defense from 2002-2003.
