
Biden Threw the Cyber Gauntlet – Be Careful What You Wish For

In his first meeting with Russian President Vladimir Putin, U.S. President Joe Biden claimed to have presented his counterpart with a list of 16 red-line targets, ostensibly the critical infrastructure sectors that are listed on the Department of Homeland Security’s webpage. Such sectors are considered vital to the United States, and any potential incapacitation or destruction of them can gravely impact the “security, national economic security, and national public health or safety.” This move by the U.S. president comes in the wake of two potent ransomware attacks that impacted U.S. oil and food supply chains, causing shortages and spikes in cost to the general public. While these attacks proved short-lived (both victimized companies ended up paying ransom demands – Colonial Pipeline paid USD 5 million and JBS paid USD 11 million), they did serve as proofs of concept of how citizens are invariably affected by disruptions to such important sectors.

Critical infrastructure has long been recognized as important for the continued health and prosperity of countries. The United States has an extensive history of identifying the protection of critical infrastructure as a priority, going as far back as 1998 under then-President Bill Clinton’s Presidential Decision Directive 63, which established the National Infrastructure Protection Center. Since then, strategies and plans have been developed periodically, including but not limited to the 2006 National Infrastructure Protection Plan (2006 NIPP), the 2009 NIPP, the 2013 NIPP, and then-President Donald Trump’s 2017 Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Two themes shared by these documents are the understanding that critical infrastructure protection is integral to sustaining stability and prosperity, and that cyber attacks are an easy means to disrupt them due to a variety of reasons that include accessibility, poor security practices, legacy systems, and increasingly savvy attackers, among others.

Unsurprisingly, there has been a marked increase in hostile actors targeting critical infrastructure. However, what gives pause for concern is that some of the more notable attacks against U.S. infrastructure appear to have a nexus to a nation state or its proxies, indicating that adversarial governments view U.S. critical infrastructure as viable targets to be exploited or disrupted, depending on the intent and motivation of the attackers. Indeed, some of the more notable incidents include unauthorized access into a New York dam by Iranian state actors; the exploitation of a Florida water facility by an unknown actor trying to increase levels of sodium hydroxide; the Colonial Pipeline attack that ceased oil supply; and most recently, the ransomware attack that halted operations for meat supplier JBS. And this does not include long-held speculation that sophisticated Chinese and Russian state actors have already successfully infiltrated the U.S. electricity grid.

Therefore, Biden’s “come to Jesus” moment with Putin may seem a rational undertaking on the surface, addressing one of the United States’ primary enemies and letting him know that such attacks will not be tolerated. However, the way Biden communicated the message and the lack of consideration of what such a talk should entail has been a glaring misstep for an Administration that essentially failed to look before it leapt. By handing Putin “the list,” Biden attempted to signal a “point of no return” that if crossed would be met by a substantial and proportional retaliatory response. The overture was clumsy at best, as deterrence doctrines need to be socialized, understood, and exercised before they have any real chance of being effective. Instead, Biden merely handed over a catalogue of industries and sectors, telling Putin “don’t touch,” a thin threat at best considering that Russian officials and entities have already been sanctioned and indicted, and Russia’s power grid has even been subjected to cyber attacks, for past malfeasance. Clearly, such punishment has yet to deter Russia’s behavior, and it raises the question of how red-lining critical infrastructures will accomplish this. The Russian side gave little indication that it took Biden’s threat seriously, with the Russian Ambassador to the United States pushing for cyber security dialogue and asserting that as a rule Russia did not execute cyber attacks.

Worse, “the list” presents a new set of challenges that Biden may not have thought through.  For example, by identifying the sectors that were off-limits, one wonders if Biden did not give inadvertent consent for Russia – or any other adversary for that matter – to target anything else not specifically on the red-line list.  After all, if the message is not clearly defined and communicated, interpretation is left up to its recipient.  A second challenge that arises is that the president not only validated those areas that the United States deems most important, but also those that are perhaps most vulnerable to cyber attacks.  While critical infrastructure may seem a no-brainer for malicious targeting purposes, the chief executive has now confirmed what an adversary may have only previously suspected.  Such an admission could prompt a sophisticated adversary like Russia to purposefully execute clandestine cyber operations for the purpose of exploiting target networks on which to gain access and maintain a presence for later cyber malfeasance.


Further complicating matters is that by codifying red-lines, Biden has set a threshold that hostile actors can brush up against but not cross, thereby technically circumventing any U.S. response.  Biden can of course elect to change the goal posts, but risks tarnishing his own credibility if the U.S. is perceived as “changing the rules.”  More problems arise if the United States fails to execute a proper response to a red-line infraction.  Any failure to carry out significant punitive actions in response to broken red-lines will quickly erode U.S. stature, encouraging hostile actors to continue their courses of action and even compelling other hostile actors to engage in similar behavior.  This can be a difficult tightrope for the United States to navigate as too soft a response invites continued attacks, and one too harsh risks escalation.

What’s more, with “the list” Biden commits the United States to honoring that it will not attack those same targets in other countries, or at the very least, not get caught attacking. This may prove more difficult than Biden anticipates as the United States has allegedly targeted critical infrastructures in other countries when it has sought to punish governments for their kinetic or digital activities. For example, circumstantial evidence points to U.S. involvement in the aforementioned Russian power grid attack, the 2014 cyber attack that knocked North Korea off the Internet, and the notorious 2010 cyber attack against Iran’s nuclear facility that introduced the world to Stuxnet. One would presume that these are now “off limits” to U.S. retaliatory measures as well.

Biden reportedly asked Putin how he would feel if ransomware had disrupted Russia’s oil field, to which Putin replied, “It would matter.” Ostensibly, from this Biden may believe that he has an understanding with the Russian leader.  In fact, one U.S. Congressman said that this officially put Putin “on notice,” as if the United States has achieved some victory by doing so.  In reality, the acceptance of red-lines in any formal or informal agreement or treaty ultimately benefits Russia, a fact not lost on Putin. States will do what states will do as long as they perceive it to be in their national interests, regardless of what agreements are in place and with whom.  China quickly violated its “no hack” agreement established by then-President Obama, despite having reached an accord, largely because it was in its interests to do so.  But the United States is supposed to be a cut above China or Russia.  Failing to adhere to the very mandates it has set would put the United States in a poor light in the international community.  After all, while Russia has repeatedly broken its promises, the world expects the United States to honor its own.

Does anyone truly believe that either government will not attack the other’s critical infrastructures? (“Attack” is a term that in and of itself needs to be well defined and understood by all parties: does it include network exploitation or strictly disruptive/destructive activities?) Probably not, but the United States will be held to the same if not higher standards that it sets for others. The government that gets caught breaking these terms will ultimately have to be made an example of. Everyone expects Russia to be the first, but what if it is not? Russia has rarely called out alleged U.S. cyber activities against it, indicating that either they are not happening (doubtful), or that they are going on undetected (again, doubtful), a testament to what Biden termed U.S. “significant cyber capability.”

And what if Moscow has been waiting for the right public environment to do so, one where it can seize the strategic advantage at a time when the United States is beset with its own domestic and international challenges?  Such exposure will require the type of appropriate punishment that Washington has been aching to deliver on Moscow, and the kind that is necessary to solidify the credibility of cyber red-lines in the first place.  Only this time, Moscow gets to pull the trigger, an unexpected role reversal and per Washington’s own parameters.  Red-lines may not change the game as much as how the game is played.  Once the rules are established, no government wants to be the first one caught cheating, especially the one that stood them up in the first place.


Emilio Iasiello


Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.