In a late July 2020 speech at the Office of the Director of National Intelligence (DNI), President Biden stated that “if we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach.” This definitive pronouncement comes at a time when the United States has suffered a series of cyber-attacks at the hands of Russian cyber criminals suspected of operating under the tacit approval of the Russian government. More importantly, these attacks have successfully disrupted the operations of critical infrastructure organizations – Colonial Pipeline and JBS meat supplier – and directly impacted the civilian population. Washington has already accused Moscow of conducting the SolarWinds supply chain hack that impacted U.S. government agencies and multinational companies.
These infrastructure attacks prompted Biden, during their mid-June 2021 meeting in Switzerland, to issue Russian counterpart Vladimir Putin a list of industries deemed unacceptable for cyber-attack targeting. According to one source, Biden claimed that he warned Putin that the U.S. would use offensive cyber operations in the future unless Moscow curbed cyber strikes such as ransomware attacks and election interference. This marked the strongest language from Biden to date regarding Russian cyber malfeasance. The challenge was quickly met on July 5 when the Russian ransomware gang responsible for the JBS attack, amongst others, conducted a supply chain ransomware attack against Miami-based software company Kaseya that impacted approximately 2,000 customers globally. Shortly after, REvil “retired,” but not before firing a final shot across the United States’ bow.
On a positive note, one key takeaway from the summit was establishing ongoing cybersecurity dialogues, three rounds of which have already occurred. However, there has been no indication as to what has been discussed or what, if any, headway is being made. Per one Russian news outlet, one particular point of contention is that Moscow has replied to twelve requests from the U.S. government pertaining to cyber-attacks, while Moscow’s eighty requests over the past two years have gone unanswered by Washington.
If true, such a lack of reciprocity often obstructs any diplomatic efforts. Senior U.S. officials do not believe Putin has any inclination to rein in his potent cyber-criminal groups. Biden’s recent National Security Memorandum for improving the cybersecurity of critical infrastructure certainly suggests the U.S. is realistic about this prospect. After the stern warning from Biden, one cybersecurity company claims that Russian hackers have continued operations, potentially signaling that Putin doesn’t respond to threats, no matter how serious they are or who issues them.
Which brings us to Biden’s recent statement, which directly links a presumably serious cyber breach (a threshold which has never been articulated or set) to the next major state-on-state military engagement and can be interpreted as a change of policy that sees the United States willing to escalate a cyber-attack to military action. This may not be as unintentional as it first appears. In a June 2021 meeting, NATO reinforced its commitment to Article 5 in which it affirms that cyber-attacks directed against the critical infrastructure of NATO members could result in kinetic responses. Certainly, the backing of the largest military alliance has given Biden more confidence when engaging his Russian adversary.
But being willing to cause kinetic damage – and by extension, the possibility of human deaths – in response to a digital breach or attack is a dangerous course of action and one that raises a host of questions that need to be carefully considered. Determining the threshold that meets such a response must be communicated clearly. All attacks are not the same even if they do exploit critical infrastructure. It would be difficult to convince a global audience that physical and human destruction is on par with a temporary disturbance of digital operations. Proper proportionality is essential to not only executing an appropriate response but avoiding the danger of unintended escalation.
Additionally, setting a threshold threatens to invite attackers to come close to but not cross the line of demarcation. Therefore, instead of deterring actor willingness to target, the threshold serves as a challenge for them to see how close they can get before retaliation is taken. The criteria defining the threshold become something to shoot for, thereby potentially increasing attacks rather than reducing them. They may not be as sophisticated or powerful, but hackers may feel empowered just enough to become pestering gadflies that require enough attention to swat at – but not necessarily kill.
Perhaps the worst-case scenario in implementing kinetic responses to digital attacks is the threat of escalation. Just because the United States may feel it’s fair to apply kinetic retaliation does not mean the offender does. A nation state on the receiving end of such a response may misinterpret the reprisal and/or feel it disproportionate to the initial attack and look to respond in kind. In this scenario, Biden’s prophecy becomes true because a state may quickly abandon cyberspace in favor of more conventional strikes when none may have been warranted in the first place.
If Biden’s proclamation was a threat, it was a dangerous one to make. Words matter on the international stage. When world leaders speak, other world leaders listen. Their words are dissected and analyzed. This process is imperfect at best, and the words can be misinterpreted and tested. The recent disappearance of ransomware groups like REvil and DarkSide should not be viewed as the result of Biden’s warning to Putin. Nor should these shutdowns be taken as a “victory” by the United States as much as a token of good faith, a confidence-building measure that could be quickly retracted. Since these groups disbanded, a new one dubbed BlackMatter has emerged. While the group’s operational mantra has restricted the targeting of critical infrastructures, how long this condition lasts may depend on the results of the cybersecurity talks between Moscow and Washington.
Let’s hope that a “shooting war” is not the only way to deter adversaries in cyberspace or punish them for destructive acts that transpire there. It’s too easy a response and one that there’s little backtracking from once initiated. A true multilateral effort that has likeminded governments executing similar sanctions (e.g., economic, political, trade) has yet to be implemented and might prove successful if given the chance. But that would require governments being willing to commit to such actions and stand by them. While this may take some time to show any impact, the one thing a government does not want to do is let a genie escape from the bottle that it has no hope of getting back inside. Those repercussions could have far more lasting effects, none of which may be advantageous to anyone. Hopefully, that is something the Biden Administration understands.