Asked about China’s involvement in the OPM attack, Adm. Mike Rogers, director of the National Security Agency and commander of U.S. Cyber Command, responded, “You’ve put an assumption in your question. I’m not going to get into the specifics of attribution. It’s a process that’s ongoing.”
Rogers’ statement appears to be at odds with unnamed senior administration officials who have told the New York Times and the Washington Post that China was responsible for the attack, which remained undetected for a year.
The breach at OPM, the federal government’s human-resources office, may have affected as many as 18 million current and former government employees. OPM Director Katherine Archuleta, testifying on Capitol Hill this week, downplayed that number, saying it referred only to the approximate number of unique Social Security numbers held in the agency’s security databases.
Archuleta called the 18-million-victims figure “preliminary and unverified.”
Rep. Jason Chaffetz (R-Utah), the chairman of the House Oversight Committee, speculated at a Wednesday hearing that as many as 32 million records may be affected, citing a figure from the agency’s 2016 fiscal budget. That includes “banking information for more than 2 million annuitants and background investigations for more than 30 million people.”
After the attack was disclosed, White House press secretary Josh Earnest told reporters that the government may never be “in a position at any point in the future to make a grand pronouncement about who may have been responsible for this particular intrusion.”
Cybersecurity analyst Jeffrey Carr told the Daily Dot on Thursday that there are “multiple problems with attempts at attribution based upon analysis of technical indicators associated with the attack.”
First, “all technical indicators can be faked.” Second, “we see only what the attacker wants us to see, such as hints in the code, DNS registration, keyboard language selection, working hours, et cetera.”
Attributing a cyberattack is difficult under the best of circumstances, Carr said. During last year’s attack on Sony Picture Entertainment, the U.S. government confidently pinned the blame on North Korea, going as far as to impose retaliatory economic sanctions. But Carr’s security firm, Taia Global, subsequently uncovered proof that Russian hackers had also breached Sony’s network and exfiltrated files.
“In fact, the FBI interviewed me about how that could have happened and by whom,” Carr said. “If the FBI and the NSA cannot differentiate among attackers in the same network at the same time, how reliable can attribution truly be?”
Senior U.S. officials openly scolded China on Wednesday for sponsoring attacks against U.S. business, but they refrained from publicly laying blame for the OPM attack.
During remarks at the U.S.-China Strategic and Economic Dialogue, Vice President Biden said that nations that use “cybertechnology as an economic weapon, or profits from the theft of intellectual property are sacrificing tomorrow’s gains for short-term gains today.”
In a closed-door meeting at the White House this week, President Obama also “raised ongoing U.S. concerns” regarding cyberattacks with Chinese officials, according to a White House statement.
“The kinds of conversations that take place behind closed doors in the context of a summit as significant as the Strategic and Economic Dialogue are different than the kinds of public discussions that take place,” Earnest told reporters.
Illustration by Max Fleishman