Soon after U.S. officials put out the word that Chinese hackers were behind an enormous breach of government employee databases, legislators and pundits began calling for retaliation. Talk of economic sanctions, however, misses the mark. Stronger, proactive defense is what is called for.
Different kinds of hacking incidents call for different kinds of responses, and the U.S. government has for years been careful to draw a line between hackers who steal trade secrets and classic espionage targeting government and national security secrets.
If the Chinese government was indeed behind the recent intrusions into the U.S. Office of Personnel Management systems, there is little question that this is an example of the latter, more classic form of espionage.
Spies like us
Even Gen. Michael Hayden, a former head of the National Security Agency and the Central Intelligence Agency, called the personnel files a "legitimate foreign intelligence target" at a conference in Washington. "To grab the equivalent in the Chinese system, I would not have thought twice," Hayden said, as quoted by The Wall Street Journal. "This is not 'shame on China.' This is 'shame on us' for not protecting that kind of information."
U.S. defenses were shown to be woefully inadequate.
For the U.S. government, the first response to this deeply embarrassing and potentially very harmful security failure is to reform the way it stores and protects information likely to be targeted by foreign spies.
Given that primary defense has failed, however, widespread calls for retaliation are not surprising. One option is sanctions. In April, President Barack Obama issued an executive order threatening foreign individuals and entities with sanctions in response to "malicious cyber-enabled activities" that constitute a threat to "the national security, foreign policy and economy of the United States." White House press secretary Josh Earnest said June 12 sanctions were a "newly available option ... that is on the table" in response to the OPM hacks.
Levying economic sanctions against China in response to its efforts to gain access to a "legitimate foreign intelligence target," however, would be misguided. To do so would invite economic retaliation not just from China but from other countries that are targets of similar U.S. efforts. It was never a secret that the U.S. government spies on foreign governments online, but Edward Snowden and other leakers have exposed those efforts in unprecedented detail.
How to hit back
This doesn't mean the U.S. government should never employ sanctions against Chinese entities following an online theft. An influential 2013 report by a commission led by Adm. Dennis Blair, a former U.S. Director of National Intelligence, and Jon Huntsman, a former Ambassador to China, specifically recommended sanctions against foreign companies shown to have benefitted from the theft of U.S. intellectual property. The U.S. government might deny those firms access to the U.S. banking system or impose other sanctions.
The Obama executive order helps give U.S. agencies the power to impose sanctions on these companies, and, should circumstances warrant, they should aggressively use lawful means to minimize profits gained using stolen intellectual property.
But the loss of important government secrets calls for a different range of policy options. The best responses might be considered "active defense." For instance, if a breach is detected while the intruders are still working, security officials might break into the intruders' own systems to destroy or distort the stolen data. They might also target the same intruder's other systems for disruption as a deterrent.
This kind of "active defense" is called for and expected in the world of espionage. Given news reports that the government only discovered the OPM intrusions after weeks or months, it seems less likely these measures would be effective. Unfortunately, the most realistic response now is to minimize the harm to those affected, increase accountability for maintaining secure systems, and more effectively compartmentalize data.
At the same time, the world urgently needs norms and confidence-building mechanisms designed to manage the growing risk of escalation and catastrophe as governments worldwide develop strong network warfare tools -- capabilities distinct from everyday espionage.
Certain areas under the general umbrella of cybersecurity raise the same "strategic" questions that the U.S. and the Soviet Union faced during the Cold War: how to maintain credible deterrence and prevent accidents that could lead to nuclear war. If one government has the ability to disrupt another's nuclear weapons systems, this balance is upset.
A global norm against compromising nuclear weapons systems, therefore, could be an area of agreement for governments -- including those of the U.S., China, and Russia -- that often find themselves at odds. Every nuclear state has an interest in its counterparts maintaining confidence in their control over their own nuclear weapons. Once they have created such reassurance, more common online strategic interests could follow.
At a time when political voices are calling for retaliation, it's important to remember that governments can simultaneously be adversaries in espionage and partners in economics. They can pursue deterrence and build confidence all at once.
There is no reason the U.S. and Chinese governments and publics cannot develop a subtle, differentiated view of the diverse challenges of cybersecurity -- working together on some challenges, even if still facing off on others.
Graham Webster is a senior fellow at the Yale Law School China Center specializing in U.S.-China relations and author of U.S.-China Week, an analytical news brief.