US intelligence agencies need to tread carefully when drawing up plans to retaliate against China following numerous cyber attacks and data breaches, as any moves of aggression will come at a cost, according to a number of security experts.
US officials are currently holding classified meetings to discuss the options, after the breach at the US Office of Personnel Management resulted in the exposure of 21.5 million federal records.
Tom Gaffney, security advisor at F-Secure, told V3 that there is no "smoking gun" to prove that China was responsible for the breaches, but that these attacks do occur.
The situation becomes complicated after considering that the US also conducts global offensive cyber attacks. For example, it was revealed in documents leaked to The Washington Post in 2013 that the US carried out 231 offensive cyber operations in 2011 alone.
"There is a long list of tit for tat and for a while the US was able to portray itself as the victim," Gaffney told V3.
"China has fought back with its own allegations, and conspiracy theorists point to the Snowden data being released shortly before Obama's official visit to China. It embarrassed the US administration and undermined US attempts to tackle the issue with China.
"It's a new cold war where no-one is innocent and everyday people are the losers as states sponsor new cyber attack methods that will inevitably fall into the hands of criminals."
Ewan Lawson, senior research fellow for military influence at the Royal United Services Institute, told V3 that the US will now attempt to "differentiate between hacking for destructive purposes or commercial gain".
"There is a sense that the scale and frequency of attacks apparently emanating from China has reached a level where even if the purpose is 'traditional espionage', it is no longer acceptable and requires a response," he said.
Lawson highlighted two traditional responses open to the US when drawing up retaliation plans: economic sanctions and diplomatic expulsions. Yet he noted that "there is a hint of a growing appetite for a response through cyber space aimed at damaging or disrupting the source of those attacks".
"In US Cybercom doctrine these are known as Defensive Cyber Operations - Response Action and, while they might be technically feasible, there is a risk that used outside conflict they run the risk of a series of escalations and tit for tat operations," he said.
The US has two other options, according to Lawson: deterrence by denial and deterrence by punishment.
"Attackers need to be aware that if they are caught doing something malicious to the US through cyber space there will be a cost. In cyber space, this is likely to be graded depending on the severity of the attack and could, of course, be the non-cyber methods highlighted earlier," he explained.
"The nature of the capabilities required and the accesses to adversary networks and systems means that they are not routinely demonstrated in the way that it was possible, for example, to demonstrate the power of an atomic weapon."
US agencies now discussing options
US officials are meeting in secret to discuss the available options for how to retaliate against China in a way that will not harm ongoing intelligence operations, according to a report first published in The New York Times.
The options being touted include diplomatic protests, legal threats and even the ousting of known Chinese agents operating in the US.
One approach being raised by security agencies is targeting the so-called Great Firewall, a complex network that protects the Chinese government's censorship apparatus.
This move would allow the US to show China that it has the ability directly to affect the country's political control.
However, any aggressive moves are likely to be met with significant pushback from Chinese officials.
The legal route has been tried in the past. The US indicted five members of China's People's Liberation Army last year for cyber espionage against six American targets.
"For too long, the Chinese government has blatantly sought to use cyber espionage to obtain economic advantage for its state-owned industries," said FBI director James Comey at the time.
However, the action has been criticised as a symbolic punishment, as those involved are not likely to face trial unless they voluntarily go to the US.
A report analysing the fallout from the OPM hack, published by the Congressional Research Service, detailed the options available to the US government, but noted that "criminal charges appear to be unlikely in the case of the OPM breach".
Nevertheless, the report did outline some of the other options currently open to the US government.
"If the US chooses to respond in other ways to intrusions from China, experts have suggested that China has multiple vulnerabilities that the US could exploit," the report said.
"China's uneven industrial development, fragmented cyber defences, uneven cyber operator tradecraft, and the market dominance of Western IT firms provide an environment conducive to Western [computer network exploitation] against China."
The congressional report stops short of directly blaming China for the cyber attack, but comments by James Clapper, director of national intelligence, identified China as the "leading suspect" in the investigation.
The Obama administration has remained mute on the subject of cyber attacks and possible retaliation.
China has denied involvement
Yet officials in China have explicitly denied involvement in the attacks. "Maybe it is better to clarify one's own matters before rushing to make unfounded accusations against others, so as to make oneself sound more convincing," said foreign ministry spokesman Lu Kang in June.
Cyber awareness is now on the agenda of the US government. A "30-day sprint" was announced earlier this year to enhance federal cyber security and "assess and improve the health of all federal assets and networks, civilian and military".
US chief information officer Tony Scott announced the results of the programme, saying that more than half of the largest government agencies have now implemented a stronger level of authentication for users.
"Our economy, and the credibility and viability of our most cherished and valuable institutions, depend on a strong foundation of trust and the protection of critical assets and information," he said.
"Let me be clear: there are no one-shot silver bullets. Cyber threats cannot be eliminated entirely, but they can be managed much more effectively."