Why the JPMorgan Hack Is Scary

Was it Russians who got inside?

Every day seems to bring a new story about a digital hack or intrusion -- usually boring, only occasionally involving nudity. The recent incident at JPMorgan Chase & Co., however, is worth paying attention to.

The bank revealed last week that a data breach had affected the accounts of 76 million households and 7 million small businesses. Exactly who conducted the attack, and why, is murky. But the perpetrators were sophisticated and ambitious, and investigators have pointed to Russia.

That makes some sense. Russia is mad at the U.S. generally for imposing sanctions over its invasion of Ukraine. Russia is mad at JPMorgan specifically for facilitating those sanctions. And Russia happens to be home to legions of talented cybercriminals whom the government notoriously tolerates.

If the Russian government was responsible for this attack, or knew it was happening and didn't stop it, that could constitute a pretty serious international incident. The U.S. should be ready to respond -- yet in cyberwar as in chess, overreaction is a fool's gambit.

That's why it's wise to let the Federal Bureau of Investigation continue its criminal inquiry, try to identify the specific hackers who were responsible, and begin the long and slow process of indicting them in a U.S. court. Being able to publicize unambiguous evidence of Russian involvement as part of a criminal trial is smart politics -- just as when the U.S. recently indicted a squadron of Chinese hackers in a Pennsylvania courtroom. Jail time in either case is unlikely, but the important points are made.

The government should also shed some more light on precisely what it's prepared to do when its interests are clearly threatened in cyberspace. The White House and the Pentagon have maintained an impassioned vagueness on this issue. In a way, this is smart: Ambiguity is a valuable deterrent, and because the provenance of cyberattacks can be unclear, committing to a specific form of retaliation would be a bad idea. But allowing hackers to repeatedly harm U.S. businesses without consequences will only invite more attacks. The U.S. should make clear that it has a lot of tools at its disposal -- political, diplomatic, financial and technological -- and that it's prepared to use them to respond to intrusions into its digital networks by foreign governments.

Another response, which can't be emphasized enough, is to keep improving defenses. The financial industry deserves credit for taking this threat seriously and spending money on prevention -- JPMorgan plans to devote $250 million a year to security -- but securing American cyberspace will require congressional action, including a law regulating information-sharing between intelligence agencies and the corporate world. A hot line between the U.S. and other major players in cyberspace, on the Cold War model, could also help de-escalate a crisis.

More attacks like the one that hit JPMorgan are surely on the way. Someday soon, they're going to require a response.

--Editors: Timothy Lavin, Michael Newman

To contact the editor on this story:
David Shipley at davidshipley@bloomberg.net