Biden weighs direct action against Russian targets following cyberattacks
WASHINGTON (Sinclair Broadcast Group) — Between the massive SolarWinds hack that targeted U.S. government agencies and the debilitating ransomware attack that shut down Colonial Pipeline last month, the targeting of the global meatpacking giant JBS, marked the third major cyberattack the administration has laid at the feet of the Russian government in less than two months.
Following the latest attack, President Biden said he was "looking closely" at possible retaliation against Russia.
White House press secretary Jen Psaki told reporters Wednesday that the administration was "not taking any options off the table in terms of how we may respond" to the attacks.
In a statement attributing the JBS ransomware attack to the Russia-based group REvil (also known as Sodinokibi), the FBI said it was focused on "imposing risk and consequences and holding responsible cyber actors accountable."
President Biden also plans to deliver a clear message to Russian President Vladimir Putin during their first bilateral meeting June 16 in Geneva, Switzerland. "The president's message will be that responsible states do not harbor ransomware criminals and responsible countries must take decisive action against these ransomware networks," Psaki said Thursday.
So far, the threats have done nothing to prompt Russia to take action against domestic cyber threat actors that have shut down at least two U.S. critical infrastructure targets. Sanctions on dozens of entities tied to the SolarWinds hacking group did not stop the same network from attempting to breach State Department email accounts along with hundreds of accounts tied to international development and humanitarian groups.
The pressure has been building for years for the United States to raise the cost of cyberattacks and now President Biden is facing calls to go beyond what has been done in the past to publicly deter cyber adversaries.
"The president needs to be very forceful," Rep. Mike McCaul, the ranking Republican on the House Foreign Affairs Committee told Fox News. "I think the president should be very clear to Putin that if these continue...that we are going to hit back and we're going to respond with a cyber-offensive attack that we're very capable of doing as a nation."
Cybersecurity experts agree that Biden will have to move past stern warnings and sanctions to use U.S. cyber capabilities to either directly disrupt foreign cybercriminal networks or hit a Russian target.
"The president needs to say, if something happens like this again from within the territory of Russia, we will take appropriate response action directly inside Russia," said Bryan Cunningham, executive director of the University of California, Irvine Cybersecurity Policy & Research Institute.
When another attack comes the U.S. should damage something significant to the Russian people, like critical infrastructure, that "isn't large enough to start a war."
"Then Biden needs to announce we did it," Cunningham continued. "He needs to let the world know that and he needs to let the American people know that."
Previous administrations avoided publicly discussing U.S. cyber capabilities or taking credit for their use against foreign targets. Cunningham, who formerly worked as a White House lawyer and National Security Council legal adviser under President George W. Bush, explained the policy was based on the idea that it would invite other countries to target U.S. infrastructure.
That argument has lost credibility, he said, particularly as adversaries target U.S. water, power, fuel, food and election infrastructure.
"We need to assume we’re in a low-grade cyberwar," Cunningham continued. "We’re not helping ourselves if we’re the only ones that aren't fighting."
The Biden administration has stopped short of directly threatening to use offensive cyber tools against the Russian state, but the president recently signaled that criminal networks operating within Russia could be fair game.
At a May 13 press conference on the Colonial Pipeline attack, Biden said he had spoken with leaders in Moscow and urged them to take action against ransomware networks launching attacks within their borders. "We are also going to pursue a measure to disrupt their ability to operate," Biden advised.
Most of the U.S. offensive cyber capabilities are classified, but the disruptions could involve destabilizing networks used by criminal hackers, infecting their computers and otherwise crippling their ability to operate.
Scott White, director of the cybersecurity program at George Washington University, emphasized that the U.S. should consider "intelligence-led cyber interventions" to disrupt criminal networks preemptively. "This would be a relatively new strategy," White said. It would involve U.S. intelligence or law enforcement agencies identifying known criminal targets and disrupting or incapacitating the networks before they launched an attack.
The remedy would avoid the challenge of trying to extradite or arrest individuals who have safe harbor in Russia, many of whom are believed to be operating under the auspices of the Kremlin. However, White said it was unclear whether the current legal framework would support the federal government conducting those types of operations. Without clear rules, it could raise the risk of escalation.
"It's a very murky area," he noted. "Whether it's terrorism or organized criminal activity, with countries that engage in safe havens, it becomes a very difficult thing to do, especially when you're dealing with nuclear powers."
The administration's current focus is a more traditional diplomatic approach of pressuring Russia to adhere to international expectations that it will not harbor criminals or terrorists.
Secretary of State Anthony Blinken emphasized that Russia had "an obligation" to find the criminals responsible for the recent ransomware attacks and bring them to justice. He told CNN Wednesday, that countries must "make commitments and then make good on those commitments, not to harbor criminal enterprises that engage in these attacks and on the contrary to seek them out and to stop them."
The Biden administration has signaled that it is working to build an international coalition to hold countries who harbor ransom actors accountable. The United States has coordinated with Europe to impose economic and diplomatic costs on Russia, but those have yet to have a significant impact on Russia's behavior.
"We've been sanctioning Russia for so long that all the low-hanging fruit is gone," said Emily Harding, the deputy director of the International Security Program at the Center for Strategic and International Studies. "We've got to be very creative in the next steps."
That should include working with allies to create a more robust sanctions net across Europe, she said. It could also involve federal indictments against specific individuals tied to the JBS or Colonial Pipeline attacks. The United States previously indicted 12 Russian intelligence officers for hacking crimes and interfering in the 2016 election. The Justice Department also indicted five Chinese hackers in 2020 for attempting to hack into dozens of U.S. companies.
"You're not going to go to Russia and arrest them. They're not going to get extradited here, it's true," Harding acknowledged. "But doing nothing is worse."
Ahead of the June 16 summit between Biden and Putin, the United States is rolling out new policies to address cyberattacks and ransomware.
Deputy Attorney General Lisa Monaco announced Thursday that the Justice Department would now require federal prosecutors to inform senior officials when they learn about a new ransomware attack, to allow authorities to track and counter the attacks more effectively.
The National Security Council's top cyber official, Anne Neuberger, issued a rare open letter Wednesday calling on private corporations to "take ransomware crime seriously and ensure your corporate cyber defense match the threat."
Last month, Biden implemented new cyber incident reporting standards across all federal agencies and among all federal contractors. The administration is also working with the private sector to improve cyberdefenses and better coordinate best practices to address threats from criminal networks and nation-state actors.
