Why The Weak And Hesitant Response to the OPM Breach?

By Jack Goldsmith
Saturday, June 13, 2015, 10:48 AM

The NYT reports that the Obama administration is “considering financial sanctions against the attackers [from China] who gained access to the files of millions of federal workers” from Office of Personnel Management computers. This seems like a mild, dithering response, given the scale of the breach, which includes “personal data from more than four million current and former federal employees,” and “information about friends, family members and associates that could number millions more,” including “files related to intelligence officials working for the F.B.I., defense contractors and other government agencies.” John Schindler explains well why China’s spies hit the “blackmail jackpot,” and why the “disaster … will take decades to set right.”

Why such a weak and hesitant response to such a colossal intelligence disaster? I can think of two reasons.

First, as Marcy Wheeler noted a week ago, this is almost certainly the type of collection we are trying to do, and probably succeeding in doing, against China’s government officials. This is not IP theft; it is government espionage. (Note the difference in tone toward China in this context compared to the IP context.) We can hardly go ballistic if we are doing the same thing. (When we catch foreign spies, we retaliate against the spy, and usually not against the foreign nation more broadly, for similar reasons.)

Second, going ballistic with harsher sanctions – what would those sanctions be? – won’t do us any good on balance. If point 1 is right, China could retaliate on the same ground, and charge us publicly with hypocrisy. Or it could just retaliate in response to the sanctions without linking the retaliation to our spying. We simply have more to lose from harsh sanctions – along several diplomatic and economic fronts – than we have to gain. That is why we haven’t done much in terms of sanctions against China’s extensive and multi-faceted cyber theft, including in the IP context.

And so any sanctions will likely be purely nominal—designed, at most, for domestic consumption. The USG cannot be seen to do nothing in the face of the breach. That would be unseemly at home. But we cannot do too much, for that would be self-defeating abroad. If I am right, it’s a pretty bad situation to be in, given the apparently poor state of our cyber defenses.