China caught the US 'with our pants down' - and the Obama administration is struggling to respond
"In a series of classified meetings, officials have struggled to choose among options that range from largely symbolic responses - for example, diplomatic protests or the ouster of known Chinese agents in the United States - to more significant actions that some officials fear could lead to an escalation of the hacking conflict between the two countries," The New York Times reported.
Obama is asking for a creative response. But cyber security expert Dave Aitel, CEO of Immunity, Inc., thinks the government would be better off focusing its energy and resources on securing its vulnerable systems rather than retaliation.
"If you want to disrupt and deter people from hacking OPM, all you have to do is properly secure it," Aitel told Business Insider. "We lost a lot of really valuable information, but we have to remain the adults in the room."
In hacking OPM, Chinese hackers diverged from their pattern of stealing intellectual property and defense secrets. Instead, they targeted information that would enable them to build a database of US diplomats, intelligence operatives, and those with business in China.
"The government just has to secure its systems and move on," he added, especially since the OPM hack was technically fair game.
"This particular kind of hack is considered normal - nation states spy on each other all the time, and we don't sanction them or start cyber wars over it," Aitel said. "It was massive, but it was well targeted."
Indeed, as one senior administration official told the New York Times in June, "this was classic espionage, just on a scale we've never seen before from a traditional adversary."
And mistakes were clearly made.
Contractors in Argentina and China were reportedly given "direct access to every row of data in every database" when they were hired by the Office of Personnel Management (OPM) to manage million of detailed personnel records of federal employees and applicants, and managed to stay undetected in the agency's security clearance computer system for over a year.
"OPM's data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information," House Oversight Chairman Jason Chaffetz (R-Utah) told former OPM director Katherine Archuleta during a hearing before the House Oversight and Government Reform Committee in June.
Even as they consider ways to get back at China, Obama administration officials are not publicly blaming the breach on the Chinese government - reportedly out of fear that doing so might discourage China from working with the US on international initiatives such as limiting Iran's nuclear program.
Chinese officials, for their part, have vehemently denied the allegations as "irresponsible" and "unscientific."
Behind closed doors, US officials seem fairly confident that the cybercriminals were state-sponsored Chinese hackers, but even this should be questioned, Aitel warns.
The US was also confident - and publicly accused - the Russian government of hacking JP Morgan Chase last summer, but the breach affecting 83 million people turned out to be the work of two Israelis and an American.
"Just two weeks ago we had to renege on our conviction that Russia hacked JP Morgan," Aitel said. "And the Chinese could easily point to this error to demonstrate the US' lack of proof."
"Were burning sources and methods if we start hacking for political reasons, and it could get expensive," he added. "We got caught with our pants down, and we need to learn how to deal with the embarrassment."