President Biden used a summit with Russian President Vladimir Putin to confront Moscow over its aggressive behavior in cyberspace and communicate that there would be future consequences if Russian state-backed cyberattacks continue.
Biden said he gave Putin a list of 16 types of critical infrastructure that should be “off limits” from cyberattacks, such as the energy and water sectors. Biden also pressed Putin to stop harboring Russian cyber criminals and hold them accountable for attacks overseas, following two major ransomware attacks targeting a major pipeline company and meat supplier.
“The principle is one thing. It needs to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory,” Biden told reporters at a press conference following about three hours of meetings between U.S. and Russian officials.
The summit seemed to reduce the high tension between the U.S. and Russia that has simmered over the past several years. At the same time, it’s unclear whether it will yield any change in Russia’s behavior, which has grown increasingly aggressive and bold in cyberspace despite penalties like sanctions from the West.
Indeed, Putin during his own news conference on Wednesday claimed that the U.S. and the West, not Russia, are responsible for the bulk of offenses in cyberspace while denying Moscow’s involvement in recent cyberattacks.
Both presidents said U.S. and Russian officials would have follow-up discussions in the area of cybersecurity.
Since Biden last met with Putin a decade ago as vice president, cybersecurity has become one of the largest areas of contention between the U.S. and Russia. It was a top item on the agenda following a wave of escalating attacks tied to either Russian hackers or those based in Russia.
The SolarWinds hack, first discovered in December, allowed Russian government-backed hackers to compromise nine U.S. federal agencies and 100 private sector groups for most of 2020 to conduct espionage activities.
More recently, the FBI has tied both the ransomware attacks on Colonial Pipeline and JBS USA to cyber criminals likely based in Russia, though not directly tied to the Russian government.
The U.S. has also sanctioned Russia over hacking related to election meddling efforts.
These attacks have heightened calls from both sides of the aisle to address concerns around Russia and other nations allowing cybercriminals to attack foreign critical infrastructure from within their borders without any consequences.
Biden told reporters that while he had not discussed potential U.S. military responses to future Russian-linked cyberattacks, he had communicated to Putin other potential consequences.
“I pointed out to him we have significant cyber capability, and he knows it, he doesn’t know exactly what it is, but it’s significant,” Biden said. “If they violate these basic norms, we will respond.”
The Biden administration has tried to make cybersecurity more of a priority than it was during the Trump administration. Biden in April imposed a raft of sanctions on Russia over the unprecedented SolarWinds hack and 2020 election interference.
Biden also signed an executive order last month to heighten federal cybersecurity in the wake of the escalating attacks, and multiple agencies have made investigating and addressing ransomware attacks a key priority.
“There has been a sea change in a sense that cyber is more of a priority in the administration,” said Chris Painter, who served as the State Department’s coordinator for cyber issues under both the Obama and Trump administrations. “You’ve got people who really get it and prioritize it more than they have before.”
Still, experts express doubt that Moscow will alter its behavior.
“They’ve long been sponsoring this kind of destabilizing behavior and part of that is that’s in line with Putin’s goals,” said Painter, noting Russia’s efforts to undermine Western democracies. “To the extent this is causing chaos, great.”
Jamil Jaffer, who served as an associate counsel in the George W. Bush White House and is currently an executive at IronNet Cybersecurity, said there is no evidence from the summit that Biden’s words would effectively deter future Russian cyberattacks.
“He didn’t talk about what our capabilities are. He didn’t talk about when we would respond, what the red lines would be and if they were crossed, what would happen,” Jaffer said on a call with reporters. “It’s very hard to deter somebody, any adversary, when you don’t make clear what your red lines are, what the penalties are if they’re crossed, and what your capabilities are to deliver those penalties.”
Ahead of the summit, lawmakers on both sides of the aisle on Capitol Hill urged Biden to take a tough stance against Putin on cybersecurity concerns, including on the potential that Russia was harboring cyber criminals.
Senate Intelligence Committee Chairman Mark Warner (D-Va.) tweeted Tuesday that he hoped Biden would make “clear that any exploitation of compromised networks to produce harmful effects will prompt an appropriate and proportional response.”
Senate Intelligence Committee Vice Chairman Marco Rubio (R-Fla.) wrote Biden a letter Tuesday stressing the need to ensure Putin understood the U.S. would “meet any cyberattack from Russia with a strong response.”
Following the summit, House Intelligence Committee Chairman Adam Schiff (D-Calif.) praised the summit as being a “new turn” in U.S.-Russia relations.
“I am encouraged by the news that Biden provided Putin with a clear list of industries and critical infrastructure that must never be the target of cyber-attacks and hacks, and promised real consequences if Russia did not cooperate in efforts to hold those responsible to account,” Schiff said in a statement.
Sen. Richard Blumenthal (D-Conn.), a member of the Senate Armed Services Committee, told The Hill Wednesday following the summit that he saw the need for “some agreement on cyber” in the realm of treaties between the U.S. and Russia on nuclear weapons.
“In my view, Russia has already attacked us in what can be regarded as an act of war, and we need to respond proportionally if it is done again,” Blumenthal said. “To prevent that kind of attack, sending a clear message as President Biden has done is absolutely the right thing to do.”