The Chinese government claimed the hackers responsible for the OPM breach were arrested in September, before a meeting between Chinese President Xi Jinping and U.S. President Barack Obama, at which an antihacking agreement was reached between the two nations.
Despite a recent report by China's official Xinhua news agency alleging the OPM breach was a criminal case and not state-sponsored, it remained unclear whether the hackers arrested had connections to the Chinese government.
The OPM breach occurred in two waves. The first attack took place in December 2014, and affected 4.2 million background-investigation applications. The second attack was detected in April 2015, and affected an additional 21.5 million records.
The FBI blamed China-based hackers from the start, though it has never been clear if the hackers were connected to the Chinese government or not. And experts said the Chinese government needs to release more details on the arrests.
Adam Meyer, chief security strategist for SurfWatch Labs Inc., in Sterling, Va., noted that there is still no evidence to prove the hackers arrested are those responsible for the attack.
"It's hard to not think, at first glance, that the individuals arrested are simply fall guys to show some level of good faith on China's part to address the issue," Meyer said. "Let's not forget that an arrest does not mean a conviction, and so far, it appears that the Chinese government is keeping the details of the case rather close. There could be several reasons for this, but it's likely that they do not want too many details coming out, because it would either expose government affiliations, or expose that the individuals charged didn't actually have the means to pull off the attacks if they were just fall guys."
Daren Glenister, field CTO at Intralinks Inc., based in New York, said it was suspicious that the announcement came just before another round of talks between China's Public Security Minister Guo Shengkun, U.S. Secretary of Homeland Security Jeh Johnson and Attorney General Loretta Lynch, at which the U.S. and China agreed to take more steps in fighting cybercrime.
"There is no evidence that this is a sign of cooperation -- maybe I am cynical, but when announcements like this happen around a public meeting, it appears to be more staged than reality," Glenister said. "If there is true cooperation, then we should expect to see a series of arrests and exposure of cybercriminals over the coming weeks, rather than a single political act."
Glenister said the history between the U.S. and China makes the news sound more like political theater.
"Both governments have been hacking each other for years. Today, we call it hacking, but in the past, it was called spying," Glenister said. "Today, the spying arena has moved from the 'James Bond era' to cyberterrorism or cyberthreat mitigation. By announcing these arrests, both governments have the ability to tell the world that they do not sanction cyberespionage, while continuing to attack each other behind the scenes."
Meyer was slightly more optimistic about taking this as a sign of better relations between the U.S. and China.
"It does signal some kind of forward progress on the issue, but I still think much more needs to be done before there is even a fraction of trust to be had," Meyer said. "Let's also not forget that even with the ceremony of handshakes, phone calls and criminal proceedings, the data is still lost and that impact remains. Whether the attack was state-sponsored or not, they still have the data and they will use it."
The Department of Homeland Security refused to comment on the news.