The terrifying reason we won't confront China hacks: Column

The White House refuses to publicly blame China for hacking the Office of Personnel Management (OPM), for stealing the private information of over 21 million public servants and their families and closest friends, and for amassing one of the largest spying databases in history. This refusal is a strategic mistake, and the fact that we’re making it may indicate things are even worse than we’ve been led to believe.

By declining to tell the truth about China, we abandon a core tenet of cyber deterrence theory: public attribution. The administration knows this.

In April, the Department of Defense issued its new Cyber Strategy that explicitly states: “Attribution is a fundamental part of an effective cyber deterrence strategy as anonymity enables malicious cyber activity by state and non-state groups … Public and private attribution can play a significant role in dissuading cyber actors from conducting attacks in the first place.”

So why is the administration officially staying silent? Inside Washington, two rationales have been floated. But to the 21 million Americans who had their information stolen — many of whom work in our defense and intelligence communities — one of these rationales isn’t compelling and the other is downright disturbing.

The administration’s first — and flimsiest — justification for staying silent is that attributing the attacks to China could force us to reveal our own intelligence sources and methods. This is wrong. Telling the truth about China doesn’t disclose our own capabilities. We’re not taking China to court. We don’t have to publicly file the intelligence and analysis that informs our judgments.

Instead, we could do what we did with the North Korean hack of Sony Entertainment Pictures — we simply said we had our reasons for concluding Pyongyang was the culprit and that it wasn’t ambiguous. Some in the cyber community objected that they didn’t have all of the information; but, in the end, we identified the North Koreans and our sensitive information was not released.

The administration’s second, more concerning, justification for not publicly blaming the Chinese is that doing so could force the United States into taking some type of retributive action, sparking a rapid escalation between Washington and Beijing and possibly starting an online shooting war. If the OPM and other hacks have taught us anything, it’s that the United States would be exceedingly vulnerable in such a conflict. Our own national security leaders have made this clear.

Since 2013, the Director of National Intelligence has identified the cyber threat as the number one strategic risk for the United States, more threatening than terrorist attacks or traditional wars. Cyber threats keep our defense and intelligence leaders up at night because no aspect of daily life is immune to attack, and the administration’s decision not to attribute the OPM hack to the Chinese suggests that we’re not operating from a position of strength.

Americans know security matters are sometimes handled in discreet ways out of the public view. Maybe the same bureaucrats who couldn’t identify the hack for more than a year are now planning an intricate and clandestine cyber response that will teach the Chinese a lesson and preclude a cyber standoff. Maybe, but there is reason to be skeptical.

Instead, many are concerned that Washington has neglected cyber security for so long that we now find ourselves in a dangerous position. We know what we need to do — aggressively deter cyber attacks — but we are unable to do so because we are too vulnerable to those very threats.

Something big has to change.

We need to do a serious scrub of our cyber threat assessments, of our defensive posture against online attacks, and of our offensive cyber doctrine. We can’t be passive anymore. We can’t sit in silence and naively hope that we’ll somehow still manage to preserve our national interests or our way of life.

Perhaps the administration has a different reason for not publicly blaming China for the OPM attack. If they did, it is in direct contradiction to their own cyber strategy. If they are silent out of duress, however, it underscores the essential point that we’ve got a lot more to worry about than just the loss of social security numbers and ruined credit scores. Our national security is at stake.

Sen. Ben Sasse is a Republican from Nebraska.

In addition to its own editorials, USA TODAY publishes diverse opinions from outside writers, including our Board of Contributors. To read more columns like this, go to the Opinion front page.