Every day seems to bring a new story about a digital hack or intrusion. The recent incident at JPMorgan Chase & Co., however, warrants extra attention.

The bank revealed last week that a data breach had affected the accounts of 76 million households and 7 million small businesses. Exactly who conducted the attack, and why, is murky. But the perpetrators were sophisticated and ambitious, and investigators have pointed to Russia.

That makes some sense. Russia is angry at the U.S. generally for imposing sanctions over its invasion of Ukraine. Russia is angry at JPMorgan specifically for facilitating those sanctions. And Russia happens to be home to legions of talented cybercriminals whom the government notoriously tolerates.

If the Russian government was responsible for this attack, or knew it was happening and didn’t stop it, that could constitute a pretty serious international incident. The U.S. should be ready to respond – but in cyberwar, as in chess, overreaction is a fool’s gambit.

That’s why it’s wise to let the FBI continue its criminal inquiry, try to identify the specific hackers who were responsible and begin the long and slow process of indicting them in a U.S. court. Being able to publicize unambiguous evidence of Russian involvement as part of a criminal trial is smart politics – just as when the U.S. recently indicted a squadron of Chinese hackers in a Pennsylvania courtroom. Prison time in either case is unlikely, but the important points are made.

The White House and the Pentagon have maintained an impassioned vagueness on the issue of what the U.S. is prepared to do when its interests are clearly threatened in cyberspace. In a way, this is smart: Ambiguity is a valuable deterrent, and because the provenance of cyberattacks can be unclear, committing to a specific form of retaliation would be a bad idea.

But allowing hackers to repeatedly harm U.S. businesses without consequences will only invite more attacks. The U.S. should make clear that it has a lot of tools at its disposal – political, diplomatic, financial and technological – and that it’s prepared to use them to respond to intrusions into its digital networks by foreign governments.

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.