President Joe Biden is in a bind. In response to numerous Russian cyberattacks on the United States in the lead-up to the Geneva summit, Biden laid down clear redlines. He told Russian president Vladimir Putin that if Russian cyberattacks were to continue in sixteen areas, there would be a strong U.S. response. The Wall Street Journal reports that the Russian hackers behind the JBS Meats attack have now launched new attacks on hundreds of targets worldwide, including in the U.S. Unless the White House attempts to make the problematic argument that these latest hacks do not fall in one of the sixteen areas, it has to face up to the fact that its redlines have been crossed.
This development should be no surprise. Over the past fourteen years, at least since the Russian cyberattack on Estonia in 2007, Putin has been a serial provocateur, looking for weak spots in his neighborhood and the West to probe. The Biden administration took office with a pronounced intention to stand up to Kremlin provocations, including in the cyber sector. The administration made good on this intention when it strongly backed Ukraine against the Kremlin’s massing of forces in northern Crimea and on Ukraine’s eastern border, and when it sanctioned Moscow for, inter alia, the 2020 SolarWinds hack.
But Biden took no action when, in the run-up to Geneva, the United States suffered three major cyberattacks emanating from Russia and numerous smaller hits. Indications are that at least the last two—on USAID and JBS Meats—may well have been undertaken by groups connected to or protected by the Russian state. But even the first high-profile attack of this new wave—conducted by a Russian ransomware outfit on Colonial Pipeline—is ultimately Russia’s responsibility. Biden chose to deal with this in Geneva by laying down clear redlines, both in the meeting with Putin and in his press conference afterward.
So it is now decision time for Biden. On July 3, he asked his team to look into the attacks to determine whether they came from Russia. But that seems like a bid for time. If the investigation lasts too long, it will seem like waffling. The United States needs to respond to this latest cyberattack. If Biden fails to act, then his attempt to rebuild cyber deterrence will be an order of magnitude more difficult—and Putin will be further emboldened. The question is how.
Thus far, the United States has combined public shaming, diplomacy, and sanctions—to negligible effect. It has also warned U.S. firms to bolster cyber defenses, tightened cyber defense regulations, recaptured ransom Bitcoin payments, and set up a DOJ/FBI Cyber Taskforce. U.S. diplomacy has attempted to rally an international coalition against Russia and to a lesser extent the other global cyber saboteur countries: China, Iran, North Korea, and Venezuela. As the recent surge of cyberattacks demonstrates, these steps have not worked, although sanctions on Russia at least have the effect of weakening the economy of a state with revisionist objectives.
There is, however, a better way to handle this challenge. While the United States has been fully on the defensive lately, not long ago the National Security Agency’s U.S. Cyber Command went on offense with a remarkable pair of cyber battle victories. Our cyber warriors first protected the 2018 midterm elections by a combination of taking scores of individual Russian hackers offline for several days, sanctioning them, and following up with international indictments. The threat was clear, fully understood, and reacted to as intended, though Russia was also intent on laying off so that it could focus on the bigger prize of the 2020 election. It attempted but failed to throw off U.S. intel agencies in the process, deceiving them into feeling falsely secure and keeping American cyber defenses down.
A surge of Russian full spectrum/cyberwarfare was expected in an attempt to again try to steal a U.S. presidential election, and the Kremlin was ramping up its offensive when the NSA offensive cyber team, headed by Army Gen. Paul Nakasone, won a second cyber battle with Russia by going on offense in order to achieve defense. The United States placed pernicious malware all over the Russian energy grid, with the threat—fully clear about what the United States was narrowly trying to prevent/deter—that if Russia went through with what it was planning (and had tried out on the Ukraine election in 2019), the United States would turn out Russia’s lights and then some.
It worked: Russia backed off, and Putin surprisingly—and perhaps not in good faith—offered the United States a mutual cyber non-aggression pact: if you don’t interfere in our election, then we don’t interfere in yours. This was the first time Russia tacitly admitted it had interfered in the 2016 U.S. election. However, it only held off from going through with its election attack. As Russian foreign intelligence continued the SolarWinds hack, criminal groups with ties to the security services struck various U.S. entities—including Trickbot Wizard Spider’s ransomware and malware operation against hospitals—all wreaking cyber havoc in the run-up to the 2020 election.
These partially successful examples lay out the path for the administration. Biden has now laid down cyber redlines, appropriate in light of how constant cyberattacks from Russia have inflicted significant damage on the U.S. economy and unprecedented harm to the lives of millions of Americans: gas shortages, food price spikes, delayed ambulances, canceled medical appointments, etc. Thus, due to these acts of (cyber) war, it is now incumbent upon the Biden administration to make good on its Geneva threat, for there is a strong case for not waiting for Moscow to more blatantly cross the redline.
The United States should mount calibrated offensive operations to punish, but more importantly to deter, Moscow from further cyber action. As demonstrated by winning two cyber battles while simultaneously losing a separate one, cyber deterrence is decidedly different from, and more difficult to establish and keep in place than, traditional military and even nuclear deterrence. In the cyber warfare realm, threats have to be pinpoint and clarion, detailing precisely what response will occur for precisely which cyber incursion. From this point forward, the United States must avoid being too narrow in its cyber offensive threats.
Effective deterrence, of course, rests on a credible threat of suffering a highly damaging response to any provocation. Nakasone has the authorization that he needs to target a range of Russian entities. He could go after every single GRU hacker and proxy group hacker (taking them offline for a prolonged period and sanctioning them), major Russian firms operating in rogue states (such as Rosneft in Venezuela), key Russian energy and transport infrastructure, and sizable business firms vital to Russia’s trade balance.
The United States may further wish to take advantage of another key Kremlin vulnerability: corruption and a taste at high levels for the “good life” in the West. America’s intelligence community undoubtedly has good information on the holdings of Putin and his senior associates in the West. Why not release a portion of this information as a warning (with a threat to release the rest should a single additional major cyberattack occur)?
Biden remembers well the hit President Barack Obama and American credibility took when his Syria redline was crossed without an American response. The stakes now are even higher.
Some analysts believe that the White House has been weak in responding to Kremlin mischief because it would like to “park” the relationship with Moscow in order to concentrate on China. This dubious approach is much like appeasing Benito Mussolini in order to wean him from Adolf Hitler. It does not take into account that China has been watching closely the U.S. reaction to serial Kremlin challenges. Letting Putin cross Biden’s redline with impunity would only encourage the China hawks anxious to move on Taiwan. A strong response to this latest provocation will put Putin in his place and solidify U.S. credibility across the world.
John Herbst is the Director of the Eurasia Center at the Atlantic Council and formerly U.S. Ambassador to Ukraine during the Orange Revolution.
Dr. Jeffrey A. Stacey is a former State Department official in the Obama Administration and current UN consultant, author of “Integrating Europe” and the forthcoming “Joe Biden and the Fight for Global Democracy.”