To sanction or not to sanction; that's the question legislators, public onlookers and federal workers have been waffling about since the Office of Personnel Management (OPM) data breaches, and even dating back to the cyberattack on Sony Pictures in 2014.
In the latter debilitating attack, the U.S. government imposed sanctions on North Korea, the apparent perpetrator. But the government has dragged its feet on putting forth sanctions in the OPM breach, even though it pointed to China as the likely conductor of the major espionage campaign that turned over more than 20 million federal workers' personal information, including that of informants based in foreign countries.
The contentious relationship between the two countries appeared to come to a head over the weekend, ahead of Chinese President Xi Jinping's visit to the White House later this month. China's state news agency, Xinhuanet, reported on September 12 that the two countries reached an “important consensus on combating cyber crime.”
Jinping's Special Envoy Meng Jianzhu reportedly met with U.S. Secretary of State John Kerry, as well as Jeh Johnson, secretary of the Department of Homeland Security, and Susan Rice, U.S. national security advisor.
The Chinese media outlet reports that this meeting involved both countries stressing their desire to curb cyber incidents. They also emphasized the necessity of enhancing “mutual trust and cooperation in the sphere of cybersecurity.”
Meanwhile, U.S. officials remain relatively mum about their diplomatic cybersecurity accomplishments. Rice reportedly told Reuters she had a “frank and open exchange about cyber issues.”
While some might point to sanctions against North Korea as evidence enough for imposing sanctions in retaliation for the compromising of OPM's databases, Paul Kurtz, former White House cybersecurity advisor and current CEO and founder of TruSTAR Technology, reminded of the serious implications behind that kind of move during an interview with SCMagazine.com.
“It's silly not to have the tool of sanctions available in cyberspace,” he said. “But the ability to use that tool is developed over time.”
In other words, even if sanctions were imposed on individuals or specific groups, it would take months for them to truly take effect.
Instead, he suggested looking at all the tools available to the U.S. government and then determining the best course of action before “pulling the trigger.”