President Joe Biden last week warned Russian President Vladimir Putin about the “significant cyber capability” the United States possessed to retaliate in case Moscow didn’t curb cyberattacks stemming from its territory that have crippled key American companies.
The warning may have to be backed by action to convince the Kremlin of America’s seriousness.
“I’ve been working cybersecurity policy for more than a decade. I am not so naïve as to think that Putin is going to turn around tomorrow and arrest the hackers his government has been cozying up to for years,” said Rep. Jim Langevin, D-R.I., chairman of the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies and Information Systems. “But he is now on notice.”
Biden “very clearly articulated that we will take concrete action if [Putin] continues to ignore the cyber criminals operating within Russia,” Langevin told CQ Roll Call in an email. “I just hope the President is prepared to act swiftly and decisively when the time comes.”
After the two leaders met in Geneva, Biden told reporters at a news conference that he gave Putin a list of 16 critical U.S. infrastructure sectors — which include water and sewage treatment plants, pipeline companies, agricultural and food processing plants and others — that should be off-limits to attacks.
In the past couple of months, Russia-based criminal groups have attacked Colonial Pipeline, which led to a shutdown of gasoline supplies along the U.S. East Coast, and JBS, one of the world’s largest meat processing companies, which led to a brief closing of beef plants.
“I looked at him … I said how would you feel if ransomware took on the pipelines from your oil fields? He said it would matter,” Biden said. “This is not about just our self-interest; it’s about a mutual self-interest.”
“I pointed out to him we have significant cyber capability, and he knows it. He doesn’t know exactly what it is, but it’s significant, and if in fact they violate these basic norms, we will respond,” Biden said.
At a news conference, Putin dismissed questions about cyberattacks stemming from Russia.
In recent years, several U.S. administrations have tried to reach agreement with major cyber powers not to attack one another’s critical infrastructure, which include water and sewage facilities, food processing plants and fuel supplies. In 2015, President Barack Obama also reached agreement with Chinese President Xi Jinping that called for Beijing to stop cyber espionage and theft of intellectual property. But in all those cases, the attacks and espionage continued after a brief pause.
Russia and China, along with the United States and more than 20 other countries, recently agreed to norms at the United Nations not to attack each other’s critical infrastructure or shelter cyber criminals.
Such bilateral and multinational agreements don’t appear to be effective, said cyber policy expert Jim Lewis, senior vice president at the Center for Strategic and International Studies.
“We have boundaries that the Russians have agreed to now three times,” Lewis said. “Well … what’s changed? Until there’s a political decision by Putin to reel things back in, nothing will change.”
Putin’s attitude and reaction to Biden’s warning is likely to be “Prove it,” Lewis said. “So the ball is back in our court, and if we do something to make the Russians and Putin reconsider … there could be some benefit in talking. But short of that, the Russians are just going to see if we are bluffing.”
The United States so far has turned to striking back in cyberspace only in a limited context. After the 2016 presidential election, when Russian-backed trolls and Kremlin intelligence services were shown to have interfered, Congress expanded the authority of the U.S. Cyber Command to use its considerable powers to shut down threats.
Before the 2018 midterm elections, the U.S. Cyber Command used its new authorities to send cyber sleuths to Macedonia, Montenegro and Ukraine to identify Russian intelligence networks as well as tools the Kremlin might use against the United States.
Called Operation Synthetic Theology, the 2018 effort is said to have shut down Russian networks to prevent any interference. The command repeated the move in the run-up to the 2020 election.
Asked if the Cyber Command would need new authorities to back up Biden’s warning to Putin, Langevin said the command “has the authorities it needs right now.”
But, Langevin said, “When it comes to taking action directly against cyber criminals, I look first to law enforcement, not to the military.”
U.S. intelligence agencies also need to focus their efforts on providing “additional support to ransomware investigations, given the urgent nature of the threat and its broad national security implications,” Langevin said.
Lewis said officials in the Biden administration are engaged in a debate about how far the United States should push the Russians.
Biden appears to be a “little more in the ‘we need to push them’ camp,” Lewis said. Internal discussions are likely to continue “until the next time the Russians do something, and then we’ll take action.” But before that, the administration is likely to line up the backing and concurrence of allies for any such action, Lewis said.
“Neither the Russians nor the Chinese particularly fear us” on the cyber front, Lewis said. “So they don’t feel bound by agreements” not to engage in cyberattacks, he said. Unlike Obama and former President Donald Trump, “Biden has a better sense of this, and he seems to know what he has to do moving forward.”