“We are extremely concerned that any type of in-kind or kinetic response to a Russian attack on critical infrastructure would spiral out of control,” said Josh Lospinoso, CEO and co-founder of cybersecurity firm Shift5 and a former senior government official from both the US Cyber Command and the NSA Cyber Intelligence Bureau.
Threading the needle between escalation and response is tricky. Biden imposed sanctions on Russia last year for its involvement in the SolarWinds hack, which compromised a dozen federal agencies, and the Justice Department has issued indictments against numerous suspected Russian hackers, but Moscow’s hacking operations continued.
Russia has probed and likely penetrated critical sectors of America’s digital infrastructure, from banks to power grids to electoral systems, cybersecurity experts say. Similarly, US officials have suggested that the US government has considerable access and power to do the same, and even to launch cyberattacks directly against Moscow’s hacking operations.
Former NSA Deputy Director Richard Ledgett said in an interview that Putin was aware that the United States would respond to a cyberattack, explaining that “we said it clearly, let’s say it that way.”
Biden warned in March that “evolving intelligence” showed that Russian cyberattacks on US critical infrastructure are coming and urged the private sector to take action to strengthen cybersecurity. And after Ukrainian officials announced last week that Russian hackers had tried to disable a large electrical substation with destructive malware, the US government has warned US energy companies to tighten the cybersecurity of industrial control systems.
“The pacing of the operation is important right now,” said Michael Weigand, another early official who put together Cyber Command and co-founder of Shift5. He said Cyber Command had been in a “high force posture” since the start of the conflict in Ukraine.
It’s a high-stakes game of chicken, with neither side backing down, but neither side yet ready to accept the dangers of engaging in superpower cyber warfare.
And the cyber realm is particularly murky when it comes to determining what would count as an escalation. Lawmakers have long called for greater clarity on what the US response might look like in the event of a serious Russian attack. The administration has staunchly refused to release such details, saying it would give Russia too much insight into US strategies.
Biden told Putin in Geneva last year that the United States would retaliate if Russia launched cyberattacks on American companies in any of 16 critical infrastructure sectors, including energy, water and financial services.
“I had, as they say in southern Delaware, where they’re very religious, we had an ‘altar call’, him and I, on this issue,” Biden said during a speech at the Business Roundtable in March. “We had a long conversation about, if he uses it, what would be the consequence.”
But what would those consequences look like? Although the White House won’t reveal specifics, experts and former officials tell POLITICO the president has a proportional range of responses: from imposing additional sanctions, to indicting Russian hackers or hacking their computers, to turning off the lights in Moscow or hacking into weapon systems and disabling them.
Officials say there are plans to respond to a Russian cyberattack on the US. General Paul Nakasone, director of the NSA and Cyber Command, testified before the Senate Armed Services Committee earlier this month that in response to the Ukrainian crisis, his agencies have “designed options for national decision-makers and conducts operations as directed.”
Option 1: More sanctions
The main option Biden is likely to use is to impose new sanctions on Russia. Sanctions are seen as an easier way to suppress a foreign government than taking direct offensive cyber actions and have already been a key weapon used by the Biden administration to punish Russia for invading Ukraine.
“The response does not have to be a cyberattack or a cyberaggression. The United States has many elements of national power, and we could use some or all of those to respond to a cyber event that isn’t necessarily a cyber response,” Ledgett said.
Ledgett noted, however, that with so many penalties already in place, additional penalties may not have much, if any, impact on preventing further cyberattacks: “I think we’re sanctioned already.”
Jim Lewis, director of the strategic technologies program at the Center for Strategic and International Studies, said there is room for more sanctioning of Russian oligarchs and more pursuit of Putin’s holdings in Western banks. But, he argued, the sanctions are unlikely to be seen as a sufficiently aggressive response to a major Russian cyberattack.
“If the Russians were crazy enough to directly attack critical infrastructure, the response will go beyond sanctions,” Lewis said.
Option 2: Prosecute the Hackers
Biden could go further than sanctions by taking sweeping action against the individuals behind the hacking operations and disabling their systems.
“To put it roughly, hack the hackers,” Shift5’s Lospinoso said. He suggested the idea of targeting destructive attacks against the infrastructure used to conduct Russian cyber operations, or disseminating Russian malware to security experts to limit their ability to use it.
It would be a scaled-up version of the US takedowns of Russian troll farms. Former President Donald Trump confirmed to The Washington Post in 2020 that he authorized a US Cyber Command attack on the St. Petersburg-based Internet Research Agency ahead of the 2018 midterm elections to prevent the group from interfering in the electoral process.
The Department of Justice has done some of this in recent weeks, including disrupting a botnet used by hacking group Sandworm to infect and take over thousands of devices around the world, and unveiling indictments against Russian hackers allegedly responsible for targeting energy infrastructure in 135 countries.
Cyber Command’s cyber mission forces, which Nakasone testified comprise 6,000 personnel in 133 teams, could be used to penetrate the networks of major Russian government hacking operations to wreak havoc. This could have the added benefit of making it harder for Russia to retaliate further.
“You can imagine rolling back Russia’s offensive cyber capabilities by a year or more with some of these actions,” Lospinoso said. “This type of activity is much more likely … to be the type of response we would see rather than, say, taking out a power grid in Moscow.”
Option 3: A cyberattack against Russian infrastructure
A third option would send the strongest message, but also raise the stakes of a phased response. The United States has advanced cyber capabilities that match or exceed those of Russia, including the ability to interfere with the operation of critical infrastructure in other countries. A report released last year by the International Institute for Strategic Studies concluded that US offensive cyber capabilities “are more developed than those of any other country” and include the ability to disable adversaries’ command and control systems and disrupt weapon systems.
The United States has demonstrated these capabilities in the past. The United States and Israel have been widely linked to a worm called Stuxnet that damaged centrifuges used by Iran’s nuclear program before it was discovered in 2010.
“We have substantial capabilities to respond,” member of the Senate Intelligence Committee Angus King (I-Maine) said in an interview. He declined to give further details.
But an attack that damages physical systems in Russia or elsewhere would be a massive escalation and almost guarantee a response from Moscow.
“Even if there was some kind of really, really devastating critical infrastructure attack, I find it unlikely that the United States would engage in kinetic options or even as an in-kind response just because we’re dealing with a nuclear power here,” Lospinoso said.
When NBC News reported in February that an option presented to Biden to disrupt Putin’s ability to interfere in Ukraine was to cut power to parts of Russia, the administration pushed back quickly and forcefully. Then-National Security Council spokeswoman Emily Horne told POLITICO at the time that the report was “grossly flawed and does not reflect what is actually being discussed in any form.”
But Ledgett argued that an attack on US infrastructure — imagine the lights being turned off in a major city or the water filtration systems being dismantled — is exactly the type of thing that could spur Biden to react in an aggressive way.
“I believe the Russians know there’s a red line there and if they cross it into something that succeeds in destroying our infrastructure, there will be some pretty serious consequences,” Ledgett said.