Less than a month after U.S. President Joe Biden warned Russian President Vladimir Putin at their first summit meeting in Geneva that there would be “consequences” for future cyberattacks, the Russian leader appears to be testing Biden’s resolve with a fresh series of attacks reportedly emanating from Russia. Most recently, these include attacks against a Republican National Committee contractor and Kaseya, U.S. information technology firm.
Some cyber experts said such escalation was to be expected ahead of any substantive negotiations between Moscow and Washington. “Putin is going to keep escalating,” said Richard Andres, a cyber expert at the National War College who served under U.S. Presidents George W. Bush and Barack Obama. “All his probes have been successful in the past. He’s going to try again.” Putin’s goal, Andres and other experts said, seems clear: to define what Biden’s red lines are and what the U.S. president might do to retaliate—and then to see how Biden reacts when Putin counterpunches.
At the Geneva summit, Biden gave Putin a list of 16 “critical” sectors he suggested should be off limits to cyberattacks. Biden also told Putin that Washington has “significant cyber capability,” and if the Russians “violate these basic norms, we will respond with cyber.” Referring to the Colonial Pipeline hacks—believed to come from a criminal group inside Russia called REvil—Biden also obliquely warned Putin that Russia’s oil and gas pipelines were even more vulnerable, since Russia’s economy is far more dependent on energy than the United States’ economy. “I looked at him and I said, ‘Well, how would you feel if ransomware took on the pipelines from your oil fields?’ He said it would matter,” Biden said.
But where are Biden’s red lines, short of a major attack on a U.S. nuclear power plant, defense, critical manufacturing, or the emergency services sector? Experts question whether Biden is really ready to escalate with attacks on Russia’s own infrastructure, possibly causing civilian injuries and deaths, especially if the United States can’t prove definitively the Kremlin is responsible.
“Our policy traditionally has been passivity,” Andres said. “Generally, we bluster a little bit and don’t do anything. And for every iteration of these attacks over the past 10 years, our adversaries have become a little more aggressive.”
Now, the Biden administration has said policy will change, even as it is conducting “expert-level talks” with Moscow, which White House spokesperson Jen Psaki said will continue next week. But “if the Russian government cannot or will not take action,” she added, “we will take action.”
Just what that action might be is yet to be resolved, according to people familiar with the administration’s thinking. They suggest a U.S. cyber-counterattack may well end up being out of the public eye—a quiet attempt to warn Putin and then, if he doesn’t respond, hit the Russian president where he lives: perhaps by targeting the vast personal wealth he and his cronies have stashed away in overseas banks or a critical political power base like Gazprom, Russia’s giant state-run energy company. As U.S. National Security Advisor Jake Sullivan told ABC on June 20: “Biden has been pretty clear from the outset that he wants to be able to have a space—to be able to engage directly, privately, candidly with President Putin—and then to determine whether the actions that Russia takes in the months ahead match up with the discussions that took place in Geneva.”
But Putin may have left Geneva with a different reading.
“The risk is Putin thinks we ‘blinked,’ and some of his language since the summit kind of implies he thinks he’s toying with us a bit,” said Michael Mazarr, a defense and cyber expert with the Rand Corporation. “But we are in such a geostrategically stronger position I think we can afford that because it’s unlikely to tempt him into anything really insanely stupid.” At the same time, Mazarr added, Washington also has to be careful not to let on what its sources and methods of attribution are—as it came close to doing when, in 2018, it indicted 12 Russian intelligence officers for hacking offenses related to the 2016 election. “Doing that constantly has a significant price,” Mazarr said.
Some experts also worry that by drawing clear lines around identifiable targets, Biden is making a mistake analogous to what former U.S. Secretary of State Dean Acheson did in his notorious 1950 speech at the beginning of the Cold War, when he outlined a U.S. defense perimeter in Asia that didn’t include the Korean Peninsula. With Moscow’s assent, former North Korean leader Kim Il Sung launched the Korean War shortly afterward.
“Specifying what needed to be protected might have implied that other areas were fair game and that ransomware attacks from criminals in Russia might continue,” said Harvard University’s Joseph Nye, a veteran U.S. diplomat.
The Biden administration admits it is still in the beginning stages of distinguishing between ransomware attacks like the one on the Colonial Pipeline in May—which shut down petroleum supplies and which Biden suggested could result in retaliation—and this week’s alleged hack of a Republican National Committee contractor by a Kremlin-affiliated group called Cozy Bear. The latter attack is one Washington tends to classify as espionage and may not warrant direct retaliation. Nor has the administration been clear in classifying last Friday’s ransomware attack on U.S. information technology firm Kaseya, which affected up to 1,500 businesses around the world. Hackers infiltrated Kaseya, accessed its customers’ data, and demanded ransom for the data’s return. As it did with Colonial Pipeline, Russian-language-speaking group REvil claimed responsibility for that hack.
Those hacks were apparently carried out by nonstate groups. What is difficult to figure out is what connection, if any, exists between Russian criminal hackers and Moscow’s state-directed efforts. Last year, Washington did manage to trace the notorious SolarWinds hack to the Russian Foreign Intelligence Service. That attack allowed the Russians to compromise major U.S. companies, such as Microsoft, Intel, and Cisco Systems, as well as some federal agencies, including the U.S. Defense Department. Yet the SolarWinds hack also appears to fall into the category of espionage.
Meanwhile, the Kremlin continues to deny knowledge of any of these latest attacks. “We can only repeat that whatever happened, and we don’t know specifically what took place here, this had no connection to official Moscow,” Kremlin spokesperson Dmitry Peskov said this week.
In the long run, without a larger diplomatic detente between the United States and Russia, some cyber experts believe no real agreement on averting future cyberattacks is possible. The reason is the hackers’ targets can be so diverse, including an array of nonmilitary targets, that U.S. retaliation could only end up doing more harm than good, hitting innocent targets. For example, if anonymous Russian hackers took down a U.S. power plant in winter, would Washington respond by disabling a Russian one, possibly causing civilians to freeze to death?
“It’s like shooting a high-velocity projectile at a wall in a playground full of children,” said cybersecurity expert Edward Amoroso, the former chief security officer for AT&T. “Who is it going to hit? Would that be wise? That’s what cyber counteroffensives are like. If U.S. Cyber Command hits back, the hackers are not going to retaliate against our military. Instead, maybe they would hit a community bank somewhere.” The way REvil seems to be able to attack any possible victim from meat processing plants to the Irish health care system is a case in point.
Biden officials acknowledge the cyber struggle will be a long haul that will require building up U.S. defenses as much as going on the offense—in particular, pushing a recalcitrant private sector to work with the government in improving preparedness, tracing, and disruptions to ransomware payment channels as well as building an international coalition to hold countries harboring ransom hackers accountable.
Stopping cyberwar “won’t just turn off as easy as pulling down a light switch,” a White House National Security Council spokesperson said on Wednesday, speaking on condition of anonymity. “As we’ve said, we’re pushing at all angles, from building resiliency at home, including urging the private sector to prioritize cybersecurity.”
In May, Biden issued an executive order calling for a whole-of-government approach to defend against cyberattacks. Earlier this week, Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, held a virtual meeting with U.S. mayors across the country to review their cybersecurity posture, and she has also been reaching out to major companies.
But some experts, such as Amoroso, said the administration has to go further and launch a slew of cyber training programs for U.S. students analogous to the push for new science training during the gloomiest days of the Cold War.
“The whole concept of asking an adversary to please stop misses the point,” Amoroso said. “The problem is facing us all in the mirror. We have not done a good job of protecting ourselves. The first thing is to solve our skills shortage. All that energy spent negotiating with Putin would be better spent buying calculus books for students and training them in cyber.”