Biden’s vague statement, delivered as he was departing for a trip, left it unclear whether he was planning another verbal warning to Putin — similar to the one he issued three weeks ago during a one-on-one summit in Geneva — or would move ahead with more aggressive options to dismantle the infrastructure used by Russian-language criminal groups.
Each option runs significant risk, because Russia is capable of escalating its own behaviour. And as the ransomware deluge has shown, many companies in the private sector and federal and state government agencies remain rife with vulnerabilities that Russian actors can find and exploit.
After more than three decades in government, Biden seems comparatively less concerned about hacking operations focused on espionage, activity that all countries conduct and that the United States carries out every day against its geopolitical rivals. But he has been alarmed by the economic disruption of ransomware, especially since gasoline, jet fuel and diesel shortages gripped the East Coast after a ransomware attack on Colonial Pipeline two months ago.
Attacks using ransomware, a form of malware that encrypts a victim’s data and withholds the key to unlock it until the victim pays, have grown increasingly disruptive and costly.
The White House’s argument is that the attacks are emanating from Russian territory, so it is Putin’s responsibility to take them down — and that the United States will act if he does not.
Biden’s aides provided few details of the Wednesday morning meeting, which included key leaders from the State Department, the Justice Department and the Department of Homeland Security, and other members of the intelligence community. But they said it focused on immediate options — not the longer-term policy for dealing with ransomware that is expected in the coming weeks.
Biden is under growing pressure to take some kind of visible action — perhaps a strike on the Russian servers or banks that keep them running — after delivering several stark warnings to Moscow that he would respond to cyberattacks on the United States with what he has called “in-kind” action against Russia. The president’s most recent warning came right after the meeting with Putin at a lakeside estate on the edges of Geneva, where Biden gave him the Department of Homeland Security’s list of 16 areas of “critical infrastructure” that the United States considers off limits and would merit a response if attacked.
The most recent attack, over the July 4 holiday, was mounted by a Russian-language group that calls itself REvil, an abbreviation of “ransomware evil.” The immediate victim was a Florida company, Kaseya, whose remote-management software is used by managed service providers that run the technology of thousands of smaller firms, most of which do not have the tools or people to manage their own systems. By compromising that software, the supply chain through which those providers administer their clients’ networks, REvil was able to hold up to 1,500 companies hostage, including grocery chains, pharmacies and even railways in Sweden.
In the United States, the municipal government of North Beach, Maryland, and several small companies were affected, but Biden’s aides said the larger effects were relatively muted.
“We got lucky,” one senior official involved in cyberdefense said, noting that the ransomware group appeared to have borrowed some techniques from the Russian intelligence agency that last year tampered with software sold by SolarWinds, a company whose network-management products held broad access to government and corporate networks.
A preliminary review by administration officials determined that the ransomware attack over the weekend did not affect the kind of critical infrastructure — power grids, water distribution systems, the working of the internet itself — that Biden had warned Putin would mark a red line.
Biden said late Wednesday that he was awaiting a report from the FBI about whether the Republican National Committee was deliberately targeted last week when one of its contractors was hit by a cyberattack that appeared to be the work of the SVR, the most skilled intelligence-gathering operation in Russia.
“The FBI is working with the RNC to determine the facts,” Biden said. “When we find out the facts, I’ll know what I am going to do tomorrow.”
(RNC officials said the access was quickly cut off and nothing was stolen.)
But it was the sophisticated nature of the Kaseya attack that concerned experts. It used a “zero day,” a flaw in Kaseya’s software that was unknown to the company and therefore unpatched, to take control of the management software, and then used that trusted channel to push the ransomware to the company’s clients and hundreds of their customers. Those techniques are considered unusually sophisticated for cybercriminals and help thwart traditional defenses, like the antivirus software that runs on most commercial networks and individual computers, because the payload arrives through the very tool administrators use to run the network.
For months, the National Security Council has been weighing options to stop the ransomware that has debilitated gas pipelines, meat processing plants, hospitals and schools. A task force at the Justice Department, in concert with the FBI, has been working to prevent ransomware operators from getting access to some of the cryptocurrency wallets where ransoms are deposited or moved through. Last year, U.S. Cyber Command, which runs cyberoperations for the military, disabled the servers of another Russian-language group that the United States feared Moscow might use to interfere in the 2020 presidential election.
Any combination of those techniques could be used again. But so far, such steps have proved insufficient to deter further attacks. Dmitry Alperovitch, a founder of the cybersecurity firm CrowdStrike and now the founder of the Silverado Policy Accelerator think tank, has argued that until Biden moves to cut significantly into Russia’s oil revenue, he will not get Putin’s attention.
The question for the White House now is whether REvil’s recent attacks come close enough to the red line set by Biden in Geneva that he cannot let the moment pass, even if the damage to U.S. interests was limited.
“If it did, we need to follow through, and we have not been great at following through in the past,” said Chris Painter, who served in the State Department as the top diplomat negotiating rules of the road for cyberspace with other nations.
“We can’t set a red line and just not do anything about it when we’re breached continuously,” he said. “I don’t think we can afford to just sit there and wait for the next attack to happen and the next attack after that, because clearly they are not stopping.”
Whenever counterstrikes are debated in the White House, veterans of those debates note, an air of caution eventually settles in. The United States may possess what Biden calls “significant cybercapability” — made clear more than a decade ago when, as vice president, he participated in the meetings on the Stuxnet cyberattacks on Iran’s nuclear centrifuges. But it is also more vulnerable to cyberattacks than most nations because it is so digitized and most of its critical infrastructure is owned by businesses that have not adequately invested in their digital defense. Thus, any escalation risks blowback.
In recent days, however, a growing number of experts have argued that the United States is now facing such a barrage of attacks that it needs to strike back more forcefully, even if it cannot control the response.
“You don’t want escalation to get out of control, but we can’t be so afraid of that that we bind our own hands,” Painter said.
William Evanina, who recently left a top counterintelligence post in the U.S. government and now advises companies, said he would advise Biden “to be bold.”
“We need to give Putin something to think about,” he said. “And while I know people in the government like the idea of having ‘unseen’ cyberoperations, we have to show the American people and the private sector that we are doing something about this.”
Putin has denied that many of the attacks have come from Russia and has argued that the United States, with its cyberoperations around the globe, is the most active disruptive force on the internet.
But clearly a large number of the ransomware demands come out of Russia, and the ransomware code is often written to check a victim machine’s language settings and to stand down if they indicate a Russian-speaking user.
If Moscow wanted to stop Russia’s cybercriminals from hacking American targets, experts say, it would. That is why, some Russia experts argue, the United States needs to take aim at Russia’s kleptocracy, either by leaking details of Putin’s finances or by freezing oligarchs’ bank accounts.
“The only language that Putin understands is power, and his power is his money,” said Garry Kasparov, the Russian chess grandmaster and a Putin critic. “It’s not about tanks; it’s about banks. The U.S. should wipe out oligarchs’ accounts, one by one, until the message is delivered.”
For now, REvil has shown no sign that it is diminishing operations.
In recent days, its cybercriminals continued to hijack U.S. companies’ networks. On Wednesday, REvil hit a new target: a Florida defense contractor, HX5, that sells space and weapon launch technology to the Army, the Navy, the Air Force and NASA.
REvil posted hacked documents to “The Happy Blog,” the naming-and-shaming website where it publishes files stolen from victims that do not pay. None appeared to be of vital consequence, but HX5 is just the latest contractor to be hit.