In theory, a massive breach of the federal government in which hackers stole personal information from four million current and former federal employees should merit an equally massive retaliatory response. In practice, though, the rules for cyber conflict - a new battlefield - have not yet been written.
Cyber security experts say all signs point to China as the perpetrator of the breach, and House Homeland Security Committee Chairman Mike McCaul, R-Texas, suggested on CBS' "Face the Nation" Sunday that it might be the handiwork of the Chinese government. The data could be used in a range of applications, says CBS News Senior National Security Analyst Juan Zarate. The hackers could simply be looking for an economic edge or they may be trying to exploit vulnerabilities in U.S. defense systems and employees. The uncertainty about the perpetrators' motive adds to the peril.
"The danger here is we're not quite sure what they're going to use it for and when you have millions of records taken, some of it very sensitive, with not just Social Security information but with people's information about their relatives overseas, Chinese Americans who have Chinese family members overseas, that gets very dangerous and potentially intimidating and problematic from a national security perspective so this is really a wake up call," Zarate said.
What is the appropriate response? In addition to simply augmenting its defenses, the U.S. must also determine with greater certainty who's behind the hack. If it is the Chinese government, the U.S. could be constrained by the fact that its own government also conducts espionage in the cyber world.
"Insofar as this is espionage - which is to say insofar as it was not the hackers coming in and actually changing data, or destroying a database, or doing damage versus stealing information - we've always made quite clear that all governments engage in espionage," Ken Lieberthal, an expert in U.S.-China relations at the Brookings Institution, told CBS News. "We're limited in any kind of retaliatory measures we can take because presumably we're doing the same thing to them."
The U.S. may just be "better at not getting caught," he said.
If the U.S. government is eventually able to clearly identify the Chinese government as the source of the hack, Lieberthal said that may help encourage China to engage in discussions about establishing "peacetime norms" - not attacking critical infrastructure of friendly governments.
Lawmakers are also working through rules of engagement in cyber war. Following a briefing from national security officials Tuesday evening, the top Democrat on the House Intelligence Committee, Washington Rep. Adam Schiff, is calling for a discussion about the rules of cyber warfare, what responses are appropriate in which circumstances.
"What is a symmetrical response? What is a commensurate response to a particular kind of attack? And how do you do it in a way that you are confident that those you are attacking back are those who attacked you," he said. "This is not an easy problem. That's why it hasn't been solved yet, but I think we need to put a lot more thought into how we not only build out our defenses but how we build out our deterrent."
He said he thinks the U.S. hasn't done enough to deter hackers, citing the hack of Sony Pictures that was carried out by the North Korean government.
"I'm not sure that North Korea has gotten the message that there's a price to pay for something like that. Similarly for some of the worst hackers in the world, the worst cyber villains, which come out of Russia and China, I am not sure there is enough of a deterrent to their conduct," he said.
On the other side of the Capitol, Sens. Chuck Schumer, D-New York, and Lindsey Graham, R-South Carolina, wrote a letter to Christine Lagared, the head of the International Monetary Fund (IMF), to call on the IMF to disallow China's yuan to be designated as a reserve currency until the country stops hacking. The breach disclosed last week provided "another example of China's rapacious actions that are aimed at disrupting the global economy and undermining the stability of international market participants," the senators wrote.
It's a little easier for the U.S. to pursue hackers looking for an economic edge rather than traditional espionage. Last year, the Department of Justice filed charges against five Chinese military hackers, accusing them of stealing trade secrets and other proprietary or sensitive information from the makers of nuclear and solar technology. Zarate also predicted that the government will more heavily rely on an executive order signed by President Obama that allows the U.S. to use financial sanctions against malignant cyber attacks seeking an economic edge.
"The reality is China continues to engage in these activities and we have to demonstrate that we can bite back and that we're willing to push back but we're going to have to do that with some degree of attribution to say that, 'look we know you're doing it, we know who's doing it, and we know that you're either sponsoring it, supporting or allowing it to happen and it has to stop,'" he said.