Worries about a potential cyber conflict with Russia are placing a rising demand on President Joe Biden: Make it clear how the U.S. will respond if Moscow goes too far.
The concern is growing more urgent as tensions ramp up over the 100,000 troops that Russia has placed on Ukraine’s border, and as U.S. officials warn that Vladimir Putin’s regime may be fomenting a pretext to invade. The Biden administration has threatened to respond with sanctions that would cripple the Russian economy — a development that could in turn prompt Russia to retaliate with cyberattacks against the U.S.
That risk — underscored by a barrage of hacks that crippled and defaced more than a dozen Ukrainian government websites Friday — follows years of calls from national security experts for the U.S. to stiffen its deterrence against Russian cyber-aggression. Efforts to respond to past intrusions by imposing sanctions, indicting hackers and ejecting Moscow’s diplomats have failed to stem subsequent cyber-espionage operations or criminal ransomware attacks emanating from Russia.
One missing ingredient, some intelligence leaders say, is an explicit message from Washington about the consequences Russia would face for a cyberattack on critical targets such as the United States’ power grid.
“While I think the red lines have been made clear for several years now — and underscored most recently in the president’s signal to President Putin that targeting of infrastructure remains a clear red line for the U.S. — what has been less clear has been the U.S. articulation of the specific consequences for crossing those red lines,” Senate Intelligence Chair Mark Warner (D-Va.) said in a statement to POLITICO.
During a meeting in Geneva last year, Biden handed Putin a list of the 16 infrastructure sectors that the U.S. has long defined as “critical,” telling him they should be off limits to cyberattacks. The sprawling list includes energy, dams, food, hospitals, financial services, communications and government facilities.
“I pointed out to him we have significant cyber capability, and he knows it,” Biden told reporters afterward. Biden added, “He knows I will take action.”
But Friday’s hack of the Ukrainian websites — which early indications linked to Russia — shows that Putin may be willing to test those boundaries.
Biden needs to be willing to respond aggressively if Russia crosses the line, said Rep. Jim Langevin (D-R.I.), chair of the House Armed Services Committee’s cybersecurity subcommittee.
“Should Russia — or the criminal hackers that Putin allows to freely operate within his borders — threaten American hospitals, utilities, or other critical infrastructure, the U.S. must consider using all instruments of state power in response to such blatant aggression,” Langevin said in a statement Thursday.
Russia and other nations including China, Iran and North Korea have not been shy in attacking U.S. companies and agencies over the past decade, penetrating targets including banks, insurance companies, the electric grid and the U.S. agency that maintains the nation’s nuclear weapons.
Russia has long staked out its spot as a key cyber adversary — U.S. authorities have accused it of two major breaches of State Department emails, along with the unclassified email system used by the Joint Chiefs of Staff. In 2018, the Cybersecurity and Infrastructure Security Agency warned that Russian hackers were actively targeting groups in the energy, nuclear, water, aviation, and critical manufacturing sectors.
Most serious of all was the massive Russian effort to influence the 2016 U.S. presidential election, which included the theft and release of troves of internal emails from the Democratic Party and Hillary Clinton’s campaign in the months before Donald Trump’s upset victory. Then-President Barack Obama responded by expelling dozens of Russian diplomats and levying sanctions — but only after the election, fueling complaints that his administration had been overly timid.
The Trump administration later took more direct action against Russia, including a U.S. Cyber Command operation that shut down a St. Petersburg-based troll farm during the 2018 midterms. But Trump himself undermined the U.S. position by using a 2018 summit with Putin in Helsinki to say he didn’t believe that Russia was to blame for the 2016 interference.
“I talked to a Russian friend who has connections to the FSB” — Russia’s Federal Security Service — “and he said, ‘after the 2016 election interference, we kept waiting to see what the Americans would do back, and when they didn’t do anything, we decided we had overestimated the risk,’” said James Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies.
“We need to rebuild that credibility,” Lewis stressed. “The Russians and the Chinese aren’t afraid of us, so why would they stop.”
Biden’s responses included levying sanctions on Russia in April in connection to SolarWinds. The White House also hosted a virtual counter-ransomware initiative meeting in October that brought together over 30 countries to discuss ways to counter these disruptive attacks, and cybersecurity has been an ongoing topic of discussion between Washington and Moscow.
These talks may have made some headway in Moscow, with the Russian FSB announcing Friday that it had detained members of the Russian-linked REvil ransomware group and confiscated hundreds of thousands of dollars in victim payments. The group was linked to attacks on the major meat processing company JBS and the software maker Kaseya last year, and was among the groups the administration had been asking Moscow to rein in.
Later Friday, the White House said the arrested hackers also included a perpetrator of the May ransomware attack on Colonial Pipeline, which authorities have blamed on the Russia-based gang DarkSide.
“Everyone is thinking, how do we push back on the Russians,” Lewis said. “The Biden administration’s biggest success is in that collective effort, but I think Putin got the message on high-profile events.”
The administration is also clearly aware of the potential for Russia to use cyberattacks to retaliate against the U.S. should tensions further escalate. The FBI, CISA, and the National Security Agency put out a joint alert Tuesday underlining potential Russian threats to the nation’s critical infrastructure.
Russia has shown its ability to take down critical infrastructure in the past, particularly in Ukraine, where Moscow-linked hackers turned the lights off for nearly a quarter-million people for several hours in the winter of 2015, followed by a similar attack the next year.
John Hultquist, the vice president of Threat Intelligence at cybersecurity group Mandiant, said his company was tracking a rise in Russian-linked cyber aggression against Ukraine.
“We’ve definitely seen a lot of Russian cyber activity targeting Ukraine,” Hultquist said. “That is absolutely to be expected — they are in the middle of a very tense situation. Both sides I’m sure are collecting as much as possible.”
Lawmakers are increasingly calling for stronger deterrence against cyberattacks as well, especially as more of their constituents fall victim to ransomware attacks linked to Russian groups.
“As I’ve maintained since 2018, the U.S. should, with our allies, make clear to foreign adversaries the specific forms of response — whether those are [persona non-grata] determinations, sanctions, criminal prosecutions, or retaliatory actions — that are tied to particular violations of international cyber norms,” Warner said.
In the House, top Homeland Security Republican John Katko argued in favor of a “logical policy and a strong, steady adherence to that policy to ensure malign action is either too politically costly or operationally infeasible.”
“Threats to critical infrastructure are real and growing,” the New York Republican said. “The only way to address these threats is with a strong domestic security posture that enables us to identify the highest risks and work with the private industry to mitigate to the greatest degree.”
The congressionally established Cyberspace Solarium Commission also considered the deterrence issue as it weighed the nation’s cyber needs, eventually issuing more than 100 recommendations that led to actions such as the establishment of a national cyber director in the White House. Sen. Angus King (I-Maine), a co-chair of the commission, told POLITICO last month that the “single biggest piece of unfinished business is and was the publication by the president of a clear declaratory cyber deterrent policy.”
“That hasn’t happened yet,” King said during a Q&A with POLITICO. “It needs to be clear and unequivocal that, if this country is attacked in cyberspace, there will be a costly response — costly to the attacker. And so far, in our recent history, that hasn’t been the case.”
Amid the Russian buildup, national security adviser Jake Sullivan told reporters that the administration would “respond robustly to any naked aggression that might occur.”
Still, the U.S. also has to face the risk that Russia will have a robust response of its own — such as a cyberattack — to any punishment Washington imposes for an invasion of Ukraine.
“This is one of the ways in which the Russians project power, so given our dependency on computer networks, it certainly wouldn’t be surprising to respond this way to sanctions they don’t like,” said Christopher Painter, the former coordinator for cyber issues at the State Department under both the Obama and Trump administrations.
“We have to show strength,” Painter said. “You set red lines, you say things are unacceptable, and then they flaunt it and do it, you have to respond. You can’t just sit back.”