Director of National Intelligence James Clapper said China is the “leading suspect” of the Office of Personnel Management (OPM) hack resulting in the theft of personal information of millions of current and former employees.

“On one hand, and please don’t take this the wrong way, you have to kind of salute the Chinese for what they did,” he said June 25 during a speech at the GEOINT Symposium 2015. When asked whether he was confirming China’s responsibility for the breach, he walked those comments back. “Well, I mean, that’s the leading suspect.”

Clapper declined to comment on the plan of action he would recommend to the president if investigations prove China is the culprit.

In a speech earlier that morning, Rep. Devin Nunes (R-Calif.), chairman of the House Permanent Select Committee on Intelligence, said the perpetrators of the OPM breach have crossed a “red line” and should China be found responsible, Congress would likely take action.

 “If indeed the Chinese did hack into OPM and steal a lot of data from our systems, clearly that would be a red line for myself and I think most of Congress,” he said in a panel preceding Clapper’s speech. “I’m not going to get into what the appropriate response would be that this stage, but there would be a variety of options. We would work closely with the White House … to build that response.”

Rep. Adam Schiff (D-Calif.), the top Democrat on the House intelligence committee, said the government must establish “rules of the road” that delineate what constitutes an attack and what the U.S. response will be.

“We have to let our adversaries know when they attack us that there will be repercussions,” he said. “This is an area of policy making that I think we are on the threshold of and have a lot of work to do.”

The penalty for cyber attacking United States websites and infrastructure would probably vary depending on the actor responsible, its purpose and the extent of damage, he said.

Clapper agreed that until the government forms a policy to deter cyber attacks as well as penalties for entities conducting such activities, such intrusions will likely continue.

“That is a dialogue that we’re still struggling with,” he said. “So what we must do in the meantime is pay more attention to defense.”

As a result of the breach, the personally identifiable information of approximately 4 million individuals may be compromised, OPM has said. Although the intrusion occurred last December, it wasn’t until April that the office discovered it while updating its cybersecurity posture. The White House publicly disclosed the attack earlier in June.

Despite the public’s focus on China, Clapper believes Russia poses a more sophisticated cyber threat. While China receives more attention because their attacks are “noisy” and noticeable, “I worry much more about the Russians,” he said. “They’re a lot more subtle about this and they have tremendous capability.”