Defending Against Cyber Espionage: The US Office of Personnel Management Hack as a Case Study in Information Assurance

Sarah Harvey, Diana Evans


In April 2015, the United States Office of Personnel Management (OPM) suffered the most extensive digital theft of government data in history, with a cyber hack that resulted in the loss of 21.5 million personnel records. Those affected included virtually all applicants for background checks since 2000. The scale of this breach has potentially catastrophic consequences for American national security, with some reports suggesting that US intelligence personnel have already been recalled from Beijing due to safety risks. The OPM hack reawakened the debate on how to better secure government data and limit potential damage to US national security. In broad terms, the US has the option to take defensive countermeasures as a form of protection, or offensive countermeasures as a form of deterrence. Defensive strategies center on allocating energy and resources to securing vulnerable systems. In contrast, offensive tactics involve economic sanctions, legal indictments, diplomatic protests, and offensive cyber operations of a pre-emptive nature. The Obama Administration is currently trying to determine the most effective route to retaliate against the primary suspect, China, without escalating an already tense bilateral relationship into an all-out cyber war. This paper outlines the US government’s options in strengthening the protection of classified information. Specifically, should Washington adopt a defensive stance, or opt for an offensive response to cyber threats? To answer this question, this paper will examine the OPM hack case study under the prism of Information Assurance (IA), defined as the overall approach to identifying, understanding, and managing the risks to information systems.
Based on the above methodology, this paper will argue that improving defensive security measures through the expansion of IA operations is prudent for two reasons: firstly, because they have a higher potential of actually securing classified information; and secondly, because they are less likely to jeopardize America’s delicate relationship with China.


Cybersecurity; Information Assurance; Office of Personnel Management
