It's argued, especially in Congress, that the U.S. has not responded strongly enough in cyberspace to high-profile incidents as to deter future behavior. Two such incidents include the hack and theft of more than 20 million records from the databases of the Office of Personnel Management and the recent allegations of Russian interference in the 2016 presidential election.
However, for some, including those in the intelligence community, these incidents are distinct and should not be conflated: The information lifted from OPM was a classic espionage operation and was not publicized. Contrast that with the hacked emails of Democratic Party officials during the election cycle and publicly leaked in an alleged effort to weaponize the information.
Director of National Intelligence James Clapper told the Senate Armed Services Committee on Thursday that the major action taken in response to the OPM breach, widely believed to have been perpetrated by China, was remediation. This took the form of advising the public of potential risks as well as shoring up defenses.
"I would say that this was espionage, it was not an attack, per se, and of course I am always a bit reticent of people that live in glass houses shouldn't throw publicly too many rocks," Clapper told the committee. "I think there is a difference between an act of espionage, which we conduct as well and other nations do, versus an attack."
An armed attack, under international law, is triggered by very specific events, something Clapper declined to delve deep into as it concerned the recent alleged Russian incursion, calling it a "heavy policy call" and not for the intelligence community to make.
"Espionage implies, to me, at least, a passive collection. This was much more activist," Clapper said, identifying the differences between espionage and election interference.
The apparent lack of retaliatory response against China for the OPM hack combined with what some members of Congress have described as a watered-down response to the Russian hacks has led to a situation in which the U.S. appears to look weak on the world stage, allowing adversaries to act without impunity as there is no deterrence strategy in place.
Sen. Dan Sullivan, R-Ark., asked the hearing's witnesses, who included Under Secretary of Defense for Intelligence Marcel Lettre and the Adm. Michael Rogers, the head of the National Security Agency and Cyber Command, why the U.S. has not hit back against adversaries in a significant manner out of the public eye unlike the way in which it publicly announced sections against Russian individuals and expelled 35 Russian diplomats in the U.S. for meddling in the U.S. election.
"I think you're getting right at the question of what do we mean by a proportional response," Lettre said.
To that end, Clapper told the committee that a symmetrical response in cyberspace is not always the best tool. "In most cases to date, non-cyber tools have been more effective at changing our adversaries' cyber behavior," he said. "When we do choose to act, we need to model the rules we want others to follow since our actions set precedents."
Clapper also noted one of the problems is understanding what counter-retaliatory measures adversaries might take: "The problem, at least for me, is … not knowing if you do retaliate in the cyber context, not knowing exactly what counter-retaliation you'll get back. Now we go through all kinds of exquisite thought processes on deciding how to react."
Clapper added that the U.S. government tries to be surgical in its responses and understand the unintended consequences of its measures.
"I don't think others are similarly disposed to consider such precision and such exactness when they respond. So there's always that issue of counter-retaliate, ergo my brief mention that it's in my view to consider all instruments of national power," he continued.
Senate Armed Services Committee members Sens. Dan Sullivan, R-Ark., left, and Thom Tillis, R-N.C., question intelligence officials during a hearing in the Dirksen Senate Office Building on Capitol Hill on Jan. 5, 2017, in Washington, D.C. The intelligence chiefs testified to the committee about cyberthreats to the United States and fielded questions about effects of alleged Russian government hacking on the 2016 presidential election.
Photo Credit: Chip Somodevilla/Getty Images
Sullivan was unsatisfied with these answers, especially as they apply to the OPM incident. "We did not retaliate against an act of espionage any more than other countries have retaliated against us for when we conduct espionage," Clapper told him.
However, Sullivan pushed back, asking whether Clapper's answer is part of the problem that the U.S. is not making it costly enough for adversaries to steal the files of 22 million Americans
Clapper repeated his earlier mantra, one he has orated to Congress in previous years: that those residing in a glass house should not throw rocks "because this was an act of espionage, and we and other nations conduct similar acts of espionage."
"If we're going to punish each other for acts of espionage, that's a different policy issue," Clapper asserted.
Another critical difference between Russia's recent operations and the OPM hack was the "multi-faceted" nature of the campaign, Clapper said. Declining to offer too many details prior to the release of the intelligence community's report on the campaign as directed by the president — and due prior to Jan. 20 — Clapper noted the hacks were only a small component. "It also entailed classical propaganda, disinformation, fake news," he said, echoing sentiments he told the House Intelligence Committee in November.
Thus far, two organizations, APT 28 and 29 — called by some as Fancy Bear and Cozy Bear and affiliated with Russian military intelligence and Russian Federal Security Service — have been identified by the U.S. intelligence community as those responsible for electoral manipulation. Clapper raised the specter that there could be more actors involved. When asked if all those engaged in the incident have been publicly identified, Clapper declined to answer in a public forum.
Clapper expressed skepticism that deterrence is attainable in cyber the same way it is in the physical or nuclear realm. The government currently cannot put a lot of stock in cyber deterrence, he said. Unlike nuclear weapons, cyber capabilities are difficult to see and evaluate and can be ephemeral. It's accordingly very hard to create the substance and psychology for deterrence in my view, Clapper added.