The Right Response to the JPMorgan Hack
Every day seems to bring a new story about a digital hack or intrusion—usually boring, only occasionally involving nudity. The recent incident at JPMorgan Chase, however, is worth paying attention to.
The bank revealed that a data breach had affected the accounts of 76 million households and 7 million small businesses. Exactly who conducted the attack, and why, is murky. But the perpetrators were sophisticated and ambitious, and investigators have pointed to Russia.
That makes some sense. Russia is mad at the U.S. generally for imposing sanctions over its invasion of Ukraine. Russia is mad at JPMorgan specifically for facilitating those sanctions. And Russia happens to be home to legions of talented cybercriminals whom the government notoriously tolerates.
If the Russian government was responsible for this attack, or knew it was happening and didn’t stop it, that could constitute a serious international incident. The U.S. should be ready to respond—yet in cyberwar, overreaction is a fool’s gambit.
That’s why it’s wise to let the FBI continue its criminal inquiry, try to identify the specific hackers who were responsible, and begin the long process of indicting them in a U.S. court. Being able to publicize unambiguous evidence of Russian involvement as part of a criminal trial is smart politics—just as when the U.S. recently indicted a squadron of Chinese hackers in a Pennsylvania courtroom. Jail time in either case is unlikely, but the important points are made.
The government should also shed some more light on precisely what it’s prepared to do when its interests are clearly threatened in cyberspace. The White House and the Pentagon have maintained an impassioned vagueness on this issue. In a way, this is smart: Ambiguity is a valuable deterrent, and because the provenance of cyber attacks can be unclear, committing to a specific form of retaliation would be a bad idea. But allowing hackers to repeatedly harm U.S. businesses without consequences will only invite more attacks. The U.S. should make clear that it has a lot of tools at its disposal—political, diplomatic, financial, and technological—and that it’s prepared to use them to respond to intrusions into its digital networks by foreign governments.
Another response, the importance of which can’t be emphasized enough, is to keep improving defenses. The financial industry deserves credit for taking this threat seriously and spending money on prevention (JPMorgan plans to devote $250 million a year to security), but securing American cyberspace will require congressional action, including a law regulating information-sharing between intelligence agencies and the corporate world. A hotline between the U.S. and other major players in cyberspace, on the Cold War model, could also help de-escalate a crisis.
More attacks like the one that hit JPMorgan are surely on the way. Someday soon, they’re going to require a response.