China's Next-Level Hack

A dose of restraint.

Photographer: Aaron P. Bernstein/Getty Images

Chinese hackers have become such a persistent presence on American computer networks -- both public and private -- that sometimes their meddling slips by with little notice. Not this time.

Late last year, intruders stole the records of some 4 million U.S. government workers from a federal data center. The attack, disclosed last week and attributed to Chinese hackers, was linked to previous breaches at health insurers Anthem Inc. and Premera Blue Cross. And it included the records of workers who had applied for security clearances.

The implications are ominous. Embarrassing information dredged up in a background check could be used for blackmail. Red flags in a security-clearance application -- dependencies, emotional problems, financial woes -- are just the sort of thing another government might look for when recruiting spies. And social engineering attacks, such as spear phishing, are a lot easier when hackers have a wealth of personal material to work with.

And it's not just individuals at risk. Applying big-data tools to such a vast trove might yield insights into U.S. intelligence and military strategy, expose a revealing web of government relationships, or find unexpected correlations that Chinese analysts could exploit. In short: This is bad. The U.S. would be within its rights to respond aggressively.

It shouldn't.

Restraint, though unsatisfying, is the prudent response. The U.S.-China relationship is complicated but strategically important. Even as the U.S. resists Chinese incursions into the South China Sea, it needs China's cooperation in Afghanistan and elsewhere. And the economies of both countries are inextricably linked. A direct reprisal for this attack -- whether economic or electronic -- would intensify many risks without advancing many strategic goals.

So what can and should U.S. officials do? For one, they can warn their Chinese counterparts that the U.S. has a lot of tools at its disposal, digital and otherwise, if these attacks continue. More diplomatically -- and there are high-level talks scheduled for later this month -- they should emphasize the benefits of a more trusting relationship between the two countries, including easier Chinese investment in U.S. markets and increased economic growth. It could also allow for more collaboration on everything from counterterrorism to climate change to space travel.

Within the U.S., this incident should serve as a wake-up call about cybersecurity. Smarter approaches to government database management -- modeled on the banking industry, say -- would help reduce the harm of intrusions when they inevitably occur. The Homeland Security Department should boost its cooperation with private companies (it only got around to opening a Silicon Valley office this year) in trying to protect civilian agencies. And serious cybersecurity legislation is long overdue. China isn't the only country interested in American files, and federal workers deserve more than credit monitoring from their overseers.

Nation-states have always engaged in espionage, of course, and always will, whether they use a dead drop or a network virus. In cyberspace, as in real life, it's a game of managing risks -- and avoiding overreaction at all costs.  

To contact the senior editor responsible for Bloomberg View’s editorials: David Shipley at davidshipley@bloomberg.net.