At Biden-Putin Assembly, Cyberweapons Are at Prime of the Agenda


GENEVA – For 70 years, meetings between American presidents and Soviet or Russian leaders have been dominated by an impending threat: the vast nuclear arsenals the two nations amassed in the 1940s as instruments of intimidation and, if deterrence failed, of mutual annihilation.

As President Biden prepares to meet President Vladimir V. Putin here in Geneva on Wednesday, cyber weapons will be high on the agenda for the first time.

Change has been brewing for a decade as Russia and the United States, the two most capable adversaries in the cyber arena, each turned to growing arsenals of techniques in an everyday low-level conflict. But at summits, these types of tournaments were usually treated as a sideshow to the main superpower competition.

No more. The increasing pace and sophistication of recent attacks on American infrastructure – from gasoline pipelines along the east coast to factories that supply a quarter of America’s beef to running hospitals and the internet itself – have exposed a number of vulnerabilities that none President can ignore.

Nuclear weapons are still important to Mr Biden, and his staff say the two men will spend a lot of time discussing “strategic stability,” which is a shortcut for containing the nuclear escalation. But the more immediate task, Mr Biden told his allies at a Summit of the Group of Seven in Cornwall, England last week and a NATO meeting in Brussels, is to convince Mr Putin that he will pay a heavy price to to play the master digital upheaval.

That will not be easy. If a decade of intense cyber conflict has taught us anything, it is that traditional deterrent tools have largely failed.

And while Mr Putin likes to brag about his huge investments in new nuclear torpedoes and hypersonic weapons, he also knows he cannot use them. Its arsenal of cyber weapons, on the other hand, is used every day.

Mr Biden has made it clear that he wants to give Putin a choice: stop the attacks and take action against the cyber criminals operating out of Russian territory, or see yourself with rising economic costs and what Mr Biden is as one Series of steps designated, faced by the United States, to “respond in kind”. But on Sunday, at the Summit of the Group of Seven in Cornwall, he admitted that Putin could possibly ignore him.

“There is no guarantee that you can change anyone’s behavior or that of their country,” Biden said. “Autocrats have enormous power and do not have to answer to any public.”

Deterrence is an issue that many of Mr. Biden’s senior national security advisors have pondered for years, based on their frontline experience of cyber conflict with the National Security Agency, the Department of Justice and the financial sector. You are the first to say that arms control treaties, the main instrument of the nuclear age, are not well adapted to cyber. There are just too many actors – nations, criminal groups, terrorist organizations – and there is no way to count warheads and missiles.

But their hope is to get Putin to discuss goals that should be off the table in peacetime. The list includes power grids, electoral systems, water and power lines, nuclear power plants and – most delicate – command and control systems for nuclear weapons.

It seems relatively easy on paper. After all, a group of experts from the United Nations with representatives from all major powers has repeatedly agreed on some fundamental limits.

In reality, it is proving excruciatingly difficult – far more difficult than the President’s first attempt at nuclear arms control Eisenhower spoke to Nikita S. Khrushchev in Geneva 66 years ago, just before the Cold War turned into a terrible arms race and seven years later into a nuclear confrontation in Cuba.

President Ronald Reagan said, “We have to ‘trust but verify,'” noted Eric Rosenbach, the former head of cyber policy at the Pentagon who helped navigate the early days of the cyber conflict with Russia, China and Iran. when Mr. Biden was Vice President. “When it comes to Russians and cyber, you definitely can’t trust or verify,” he said.

“The Russians have repeatedly violated the terms of all cyber agreements at the United Nations and are now systematically trying to bind the United States” into a swamp of international law problems “while they hit our critical infrastructure,” said Rosenbach.


June 15, 2021, 9:55 p.m. ET

Mr Putin refuses to acknowledge that Russia is using these weapons in the first place, suggesting that the allegations are part of a huge US-led disinformation campaign.

“We were accused of all sorts of things,” Putin told NBC News over the weekend. “Electoral disruption, cyberattacks and so on and so on. And not once, not even, not even bothered to come up with any evidence or evidence. Only unfounded allegations. “

Evidence has in fact been presented, but far more difficult to show and even less to explain than the photographs of Soviet missiles in Cuba that President John F. Kennedy showed on television at a critical moment in the 1962 Cuban Missile Crisis.

But there is one thing Mr Putin is right about. The ease with which he can deny any knowledge of cyber operations – which the United States has done, even after major attacks on Iran and North Korea – shows why the deterrents that maintained a troubled nuclear peace during the Cold War will not work with digital threats.

In the atomic age, America knew where every Soviet weapon was and who had authority to fire it. In the cyber age there is no way to count the threats or even to find out who has the finger on the keyboard – the modern “button”. A general? Hackers who work for the SVR, the leading Russian secret service? Other hackers, freelancing for a ransomware “service provider” like DarkSide, who was responsible for the attack on the company that operated the Colonial Pipeline? Teenagers?

In the atomic age it was perfectly clear what would happen to a country that unleashed its arms on the United States. In the cyber age, this is far from clear.

When North Korea’s Sony Entertainment studios were attacked in response to a Kim Jong-un film, 70 percent of the company’s computers were destroyed. The then head of the National Security Agency, Admiral Michael Rogers, later said he was certain the attack would bring a major American response.

It has not.

During the Obama administration, Moscow was never publicly credited with a successful Russian attempt to break into the unclassified email systems of the White House, State Department, and Joint Chiefs of Staff – though everyone, including then-Vice President Biden, knew what the intelligence indicated.

The cautious reaction to Russian efforts to influence the 2016 elections came after the results were available. Mr Obama’s reaction was comparatively mild: the expulsion of Russian diplomats diploma and the closing of some diplomatic ties. It was, in the words of a senior official at the time, “the perfect nineteenth-century answer to a 21st-century problem”.

Then came Mr. Trump’s tenure, during which he affirmed Putin’s unlikely denial of electoral interference. America lost four years in which it could have tried to set some global standards in what Brad Smith, president of Microsoft, calls a “Cyber ​​Geneva Convention”.

While the US cyber command stepped up its fight, sent the digital equivalent of a brushback pitch to a Russian secret service and switched a large ransomware group offline during the 2018 midterm elections, the Russian attacks continued. What worries the Biden National Security Team is not the volume of the attacks, but their sophistication.

The SolarWinds attack wasn’t just another hack: Microsoft estimates that around 1,000 SVR hackers were involved in a complex undertaking that brought the Russians into the software supply chain in government agencies, Fortune 500 companies and think tanks was funneled. Worse still, the attack was carried out from within the United States – from Amazon servers – because the Russians knew that American intelligence agencies are prohibited from operating on US soil.

Mr Biden said he wanted a “proportionate response” and opted for more economic sanctions – suggesting that there might be other “unseen” actions – but it is far from clear that these made an impression. “The subject of government-sponsored cyberattacks of this scale and scale remains of great concern to the United States,” said Jake Sullivan, the president’s national security adviser, on Air Force One en route to Europe last week. The subject, he said, was “not over”.

The SolarWinds hack was followed by a staggering increase in ransomware attacks, the headline-making blackmail programs where criminal groups of hackers lock a company or hospital’s data and then charge millions in Bitcoin to unlock it. Mr Biden has accused Russia of hosting these groups.

Mr. Rosenbach, the former head of cyber policy at the Pentagon, said ransomware is giving Mr. Biden a chance. “Instead of focusing on naively abstract ‘road rules’, Biden should urge Putin hard to take concrete action, such as stopping the scourge of ransomware attacks on critical US infrastructures,” he said.

“Putin can be plausibly denied,” he said, “and the threat of additional sanctions is likely enough to convince Putin to act quietly against the groups responsible for the attacks.

That would be a start, albeit a small one.

Should the history of nuclear arms control apply again – and perhaps not – expectations are likely to be low. It is far too late to hope for the elimination of cyber weapons any more than it is for the elimination of weapons. Analysts say the best one can hope for is a first attempt at a digital “Geneva Convention” that restricts the use of cyber weapons against civilians. And the perfect place to try might be in Geneva itself.

But that is almost certainly further than Mr Putin is ready to leave. With its economy overly dependent on fossil fuels and its population showing signs of unrest, its only remaining superpower is the dismantling of its democratic rivals.