U.S. President Joe Biden promised in December that he would “not stand idly by” after Russia’s latest massive cyberattack on the U.S.
Well over 100 days later, his administration has yet to make it clear how hard it plans to punch back.
The U.S. has employed a range of punishments for Moscow’s digital intrusions in the past, including leveling sanctions on Russia’s two leading intelligence services, shuttering consulates, indicting alleged hackers and ejecting suspected spies — only to learn in December that Russian President Vladimir Putin’s regime had unleashed one of its most audacious hacking assaults yet against at least nine federal agencies and roughly 100 private companies.
The Biden administration is preparing a new round of penalties that it could announce as soon as this week, according to a person familiar with the internal deliberations, who requested anonymity to disclose sensitive discussions. The steps could include imposing sanctions on Russian intelligence agencies and a new round of ejections of Russian diplomats, the person said.
At the same time, it has sent signals it may offer a stronger deterrent — a message the president reinforced during a call Tuesday with Putin, in which the White House said Biden pledged that the U.S. “will act firmly in defense of its national interests” in response to “cyber intrusions and election interference.”
Unnamed U.S. officials also told The New York Times last month that the administration was planning an even blunter response — a quiet counterattack that would nonetheless get Putin’s attention. National security adviser Jake Sullivan said in February that the U.S. response to Russia’s hacking would be both “seen and unseen,” a phrasing that raised more questions.
In truth, the United States’ options for retaliating may be surprisingly limited, despite the country’s own arsenal of potent cyber weapons.
U.S. security leaders have long expressed caution about deploying offensive cyberattacks to cripple adversaries’ critical infrastructure or expose embarrassing information on their leaders, for fear of triggering an escalating conflict that could see foreign hackers shutting off the lights in the United States. Even less aggressive digital responses would risk exposing crucial details about closely held hacking capabilities, eliminating U.S. options in a future conflict.
An “extreme” hypothetical retort would be to “turn the power off in Moscow,” a former Trump administration defense official said. “That’s always a handy one to put on the table. But that has so many dynamics in the wrong direction. We don’t want that happening in the U.S.”
Sullivan’s use of “seen and unseen” to describe the United States’ potential actions was a sign of a White House still weighing its tactics, a U.S. official familiar with the issue told POLITICO.
“It’s a standard talking point: We have options, but haven’t decided what to do so we’re not telling you,” said the U.S. official, who spoke on condition of anonymity to speak candidly.
Going beyond sanctions?
Current and former national security officials still agree that the U.S. must retaliate somehow for the latest Russian cyber campaign, in which likely Kremlin-backed hackers compromised IT management software from the vendor SolarWinds to break into as many as 18,000 networks globally. An intelligence assessment released Tuesday blamed that exploit on a “Russian software supply chain operation,” the closest the U.S. has come to formally pointing the finger at the Kremlin.
But the officials also concur that any U.S. cyber response should work in tandem with more traditional steps, such as sanctions and indictments. They say the United States should avoid overreacting to the SolarWinds breaches, which so far appear to be a Russian intelligence-gathering operation rather than a destructive act of war on the American public.
The Russians “expect us to understand the distinction,” the current U.S. official said.
Some security hawks have urged the U.S. to go further — including former national security adviser John Bolton, who before joining the Trump administration in 2018 called for “a retaliatory cyber campaign against Russia” in response to the Kremlin’s interference in the 2016 presidential election. He later said that “the retaliation should not be proportionate.”
Such rhetoric alarmed some cyber experts, who warned that the U.S. needed to worry about Russia’s potential ability to respond in kind to attacks on critical infrastructure such as its electric grid. “If you’re covered in gasoline, be careful throwing matches,” Michael Sulmeyer, now the senior cyber director of Biden’s National Security Council, told POLITICO at the time.
Instead, the Biden administration is probably working through a series of potential actions that would make it “harder” for the Kremlin’s hackers to operate online, said the former Trump administration official, who spoke on the condition of anonymity to discuss the ongoing process.
The U.S. took a similar step during the 2018 midterm elections, when Cyber Command blocked online access to Russia’s infamous Internet Research Agency, a propaganda factory with ties to Putin that had been spreading misinformation about the election and had played a major role in the 2016 interference. Word of the U.S. reprisal leaked to the news media, but the military’s elite digital warfighting organization has yet to acknowledge it publicly.
The White House could opt to target Russia’s military and foreign intelligence services or their assets if Washington “could show without doubt” that they were at least heavily involved in the SolarWinds compromise, the former official said.
Risks of going too far…
In January, Biden ordered U.S. intelligence agencies to provide him with an assessment of the Russian hacking operation. But the administration risks complicating its options if it bundles its response to SolarWinds with its answers to other malicious activities by Moscow, such as Russia’s placing of bounties on U.S. soldiers in Afghanistan, its interference in last year’s presidential election and the poisoning of dissident Alexei Navalny.
That approach would be “counterproductive because that just tells the Russians that this is typical Americans just hitting back at them,” said Dmitri Alperovitch, co-founder of security firm CrowdStrike and now the executive chair of Silverado Policy Accelerator. It is “not going to send them a message that they need to change one or two specific behaviors.”
He argued that the U.S. shouldn’t punish the Kremlin at all for the SolarWinds breach, which he said “falls within the realm of traditional espionage” and overall was “very careful not to cause collateral damage.”
“The last thing you need is to basically send them a message that next time they can be a lot more reckless,” Alperovitch said, adding that the U.S. and its Western allies have already “sanctioned everything that breathes” in Russia.
A former National Security Council official familiar with the issue argued that there’s plenty of room to sanction Russia if that’s the choice the Biden administration makes.
New sanctions could target more oligarchs close to Putin, or even Putin himself. One option is to expand existing U.S. prohibitions on dealing in non-ruble Russian sovereign debt to cover all types of sovereign debt transactions, the former official said.
The reality is that the U.S. could severely damage the Russian economy through sanctions, the current U.S. official said. The danger is that by turning up the dial too far the economic fallout could spread to Europe and beyond, eventually affecting the American market, too.
The administration has indicated that its response will include domestic elements, with Biden looking at executive orders designed to shore up the country’s digital defenses and better protect critical supply chains.
… or not far enough
The Russian intrusion was so widespread and penetrated so many networks so deeply that Washington must respond now to it as a major espionage effort, argued Jamil Jaffer, senior vice president at the firm IronNet Cybersecurity. He said the U.S. should also be prepared to respond with serious, public action by the military or the spy community if Moscow threatens to go further.
The administration’s rhetoric that it will respond, if ever, at a date and time of its choosing “could play into a larger narrative that the U.S. isn’t currently prepared to respond in a public way to action by the other side,” he said in an interview.
Jaffer, who also served in senior positions in the Bush administration and on Capitol Hill, said one cyber response the administration might consider is to “make clear” that the U.S. has access to Russia’s networks on par with what the Kremlin gained through SolarWinds. Or it could go a step further and use that advantage to reveal embarrassing or damaging information about the Russian government.
Another menu option could be to expose other malign digital activities Moscow has waged against Washington apart from SolarWinds, such as exploits in which Russian hackers are currently surveilling or hiding in federal networks.
However, he noted, all those scenarios carry risks by exposing the United States’ own cyber capabilities, rendering them useless afterward. Those could also potentially go beyond the reconnaissance mission that the Kremlin’s hackers have embarked upon so far.
Other, less risky alternatives could include deepening digital ties with allied nations, such as having members of Ukraine’s military rotate through Cyber Command and the NSA to learn how to better fend off the Kremlin’s future attacks.
Cyber Command’s chief, Army Gen. Paul Nakasone, said last month that the digital warfighting unit conducted 11 “hunt forward” operations in nine countries in the run-up to November’s election to detect and combat potential foreign cyberattacks.
Michael Daniel, a cyber coordinator during the Obama administration, speculated that the Biden administration could use its cyber prowess to expose Russian activity in an allied nation or another country, but not the U.S.
But any response, including one that features a digital counterattack of some kind, will be “the choice of the administration based on what broader geopolitical goals that they have,” said Daniel, the president and CEO of the Cyber Threat Alliance. “How does that fit in with other activities they’re doing? How does that fit with what the conversations they’re having with their allies?”
That said, he acknowledged that there are instances when Washington wants to make it known it was responsible.
“You want it to be like: ‘Yes, we did this to you. Hugs and kisses. Love, Cyber Command,’” he said.
Nahal Toosi and Natasha Bertrand contributed to this report.