Last Friday was a big day in cybersecurity news. OPM announced that, in addition to the compromise of the personnel information of federal employees revealed on June 4, Chinese hackers also breached a database containing millions of security clearance forms. Meanwhile, on the other side of the Potomac, the Department of Defense released its new Law of War Manual — the first since 1956 — including a new chapter on “Cyber Operations.” Considering the OPM hack in light of the Law of War Manual shows why, as a legal matter, the U.S. government is in a tough spot in responding to the hack.
Debates are raging over just how damaging the two OPM hacks are. In the first of what are sure to be many congressional hearings on the breaches, Rep. Carolyn Maloney (D-NY) asserted that she “consider[s] this attack … a far more serious one to the national security” of the United States than the 9/11 attacks. Others have called the hacks the long-warned-about cyber 9/11 or cyber Pearl Harbor. But other commentators have pushed back. Robert Knake of CFR noted that he is “a bit blasé” about the hack because “if the Chinese government is indeed behind it, it’s not by any stretch the most dastardly thing they have done in cyberspace.” Prof. Henry Farrell on the Washington Post’s Monkey Cage blog similarly explained that “hacking into information on U.S. government employees, however sensitive, is not a Pearl Harbor attack,” but rather “an (extremely worrying) exercise in espionage.”
That’s also the rub for international law. However damaging the hacks ultimately are to US national security — something that will be revealed only over time — they were fundamentally espionage, not an act of war or use of force. For an explanation, see the DOD Law of War Manual (emphasis added):
16.3.2. Peacetime Intelligence and Counterintelligence Activities. International law and long-standing international norms are applicable to State behavior in cyberspace, and the question of the legality of peacetime intelligence and counterintelligence activities must be considered on a case-by-case basis. Generally, to the extent that cyber operations resemble traditional intelligence and counter-intelligence activities, such as unauthorized intrusions into computer networks solely to acquire information, then such cyber operations would likely be treated similarly under international law. The United States conducts such activities via cyberspace, and such operations are governed by long-standing and well-established considerations, including the possibility that those operations could be interpreted as a hostile act. (footnotes omitted, emphasis added)
This section shows two reasons that make a full-throated US denunciation of the hacks difficult.
First, the OPM hacks were “unauthorized intrusions into computer networks solely to acquire information,” as opposed to causing system disruption or physical destruction. Per the Law of War Manual, they are equivalent to non-cyber intelligence activities under international law. What the Manual implies, but does not explicitly state, is that international law traditionally doesn’t prohibit espionage. (For background, see these articles by William Banks and Ashley Deeks.)
Second, and perhaps more importantly, the Manual acknowledges that the United States “conducts such activities [i.e., espionage] via cyberspace.” The United States regularly denounces China for engaging in commercial espionage, such as theft of intellectual property for the benefit of Chinese companies. But the OPM hack is government-on-government espionage, not commercial espionage. As Jack Goldsmith noted, “this is almost certainly the type of collection we are trying to do, and probably succeeding in doing, against China’s government officials,” and “[w]e can hardly go ballistic if we are doing the same thing.”
There is an irony here: because of the administration’s policy in favor of transparency and attempting to protect individuals whose information was compromised in the hacks, the US government is in the position of announcing foreign intelligence agencies’ successes, at least when they compromise individuals’ personal information. Foreign countries are not so forthcoming if or when the United States achieves similar intelligence wins. And of course the announcement of breaches also telegraphs to US adversaries what the United States does and does not know about ongoing vulnerabilities in and breaches of its systems.
Despite the debate over exactly how bad the OPM hacks are for national security, there is no doubt that they are a blow, the magnitude of which will become clearer over time. Where any US claim to the legal or moral high ground would be shaky at best, we should assume that spies are going to spy and act accordingly. This means that the government must better secure its sensitive information going forward and take steps to protect the individuals already put at risk. Beyond such responses, allusions to 9/11 and Pearl Harbor are misplaced and tend to frame these hacks in terms countenanced neither by realism in international relations nor by the rules of international law.