While a hot war rages in Ukraine, America’s cyberwarriors are preparing for battle at home.
Officials predict that Russian President Vladimir Putin will unleash cyberattacks against critical U.S. infrastructure — anything ranging from the electric grid to banks — as retaliation for supporting Ukraine’s resistance. Many say it’s just a matter of when.
If that moment comes, President Joe Biden will face a difficult question: how to respond with strength without escalating a conflict between the world’s two great nuclear powers.
“We’re extremely concerned that any kind of response in kind or kinetic response to a Russian attack against critical infrastructure would spiral out of control,” said Josh Lospinoso, CEO and co-founder of cybersecurity company Shift5, and a former senior official at both U.S. Cyber Command and the NSA’s cyber intelligence office.
Threading the needle between response and escalation is tricky. Biden levied sanctions on Russia last year for its role in the SolarWinds supply-chain compromise, which gave the attackers a foothold in a dozen federal agencies, and the Justice Department has indicted numerous alleged Russian hackers, but Moscow's hacking operations have continued regardless.
Russia has probed and likely penetrated critical sectors of U.S. digital infrastructure, from banks to electrical grids to election systems, cybersecurity experts say. Likewise, U.S. officials have hinted that the American government has considerable access and power to do the same, or even to launch cyberstrikes directly against Moscow’s hacking operations.
Former NSA Deputy Director Richard Ledgett said in an interview that Putin was aware that the U.S. would respond to a cyberattack, explaining that “we’ve made that clear, let’s put it that way.”
Biden warned in March that "evolving intelligence" showed Russia was exploring options for cyberattacks against U.S. critical infrastructure, and urged the private sector to harden its defenses. And after Ukrainian officials announced last week that Russian hackers had tried to disable high-voltage electrical substations of a Ukrainian energy provider with destructive malware, the U.S. government warned American energy companies to step up cybersecurity for their industrial control systems.
“The operation tempo is significant right now,” said Michael Weigand, another of the original officials who stood up Cyber Command and the co-founder of Shift5. He said Cyber Command has been at an “elevated force posture” since the beginning of the Ukraine conflict.
It’s a high-stakes game of chicken, with neither side backing down, but neither yet ready to countenance the dangers of engaging in a superpower cyberwar.
And the cyber realm is particularly murky when it comes to figuring out what would count as escalation. Lawmakers have long called for greater clarity on what the U.S. response might look like should there be a serious Russian attack. The administration has steadfastly refused to release such details, saying that doing so would give Russia too much insight into U.S. strategies.
Biden told Putin in Geneva last year that the U.S. would retaliate if Russia launched cyberattacks against U.S. companies in any of 16 critical infrastructure sectors, including energy, water and financial services.
“I’ve had, as they say in southern Delaware, where they are very religious, we’ve had an ‘altar call,’ he and I, on this issue,” Biden said during a speech at the Business Roundtable in March. “We’ve had a long conversation about, if he uses it, what would be the consequence.”
But what would these consequences look like? While the White House isn’t revealing details, experts and former officials tell POLITICO that the president has a range of proportional responses at his disposal: from levying additional sanctions, to indicting or hacking back against Russian hackers, to turning off the lights in Moscow or hacking into weapons systems and disabling them.
Officials have said that response plans for a Russian cyberattack on the U.S. have already been drawn up. Gen. Paul Nakasone, who leads both the NSA and Cyber Command, testified to the Senate Armed Services Committee earlier this month that in response to the Ukraine crisis his agencies have "crafted options for national decision makers and are conducting operations as directed."
Option 1: More sanctions
The top option Biden is likely to use is levying further sanctions on Russia. Sanctions are viewed as an easier way to crack down on a foreign government than taking direct offensive cyber actions and have already been a key weapon employed by the Biden administration to punish Russia for invading Ukraine.
“The response does not have to be cyber or cyber assault. The U.S. has lots of elements of national power, and we could use any or all of these to respond to a cyber event that is not necessarily a cyber response,” Ledgett said.
Ledgett noted, however, that with so many sanctions already in place, additional punishments may not make much, if any, impact on preventing further cyberattacks: “I think we are already sanctioned up.”
Jim Lewis, the director of the Strategic Technologies Program at the Center for Strategic and International Studies, said there’s room to further sanction Russian oligarchs and go after more of Putin’s holdings in Western banks. But, he argued, sanctions would be unlikely to be seen as an aggressive enough response to a major Russian cyberattack.
“If the Russians were crazy enough to directly attack critical infrastructure, the response will go beyond sanctions,” Lewis said.
Option 2: Go after the hackers
Biden could go a step further than sanctions by taking sweeping action against the individuals behind the hacking operations and disabling their systems.
“To put it crudely, hack the hackers,” Shift5’s Lospinoso said. He suggested the idea of aiming destructive attacks against the infrastructure used to conduct Russian cyber operations, or releasing Russian malware to security experts to limit their ability to use it.
It would be a larger-scale version of the U.S. takedowns of Russian troll farms. Former President Donald Trump confirmed to The Washington Post in 2020 that he authorized a U.S. Cyber Command attack on the St. Petersburg-based Internet Research Agency ahead of the 2018 midterm elections to stop the group from interfering in the election process.
The Justice Department has done some of this in recent weeks, including disrupting a botnet, known as Cyclops Blink, that the Sandworm hacking group had used to infect and take control of thousands of network devices worldwide, and unsealing indictments against Russian hackers allegedly responsible for targeting energy infrastructure in 135 countries.
Cyber Command's Cyber Mission Force, which Nakasone testified comprises roughly 6,000 personnel across 133 teams, could be used to penetrate the networks of Russia's top government hacking operations and disrupt them from the inside. That could have the added benefit of making it harder for Russia to retaliate further.
“You can imagine setting back the offensive cyber capabilities in Russia by a year or more through some of these actions,” Lospinoso said. “That kind of activity is far more likely … to be the kind of response that we would see rather than, for example, taking out a power grid in Moscow.”
Option 3: A cyberstrike against Russian infrastructure
A third option would send the loudest message, but also carry the greatest risk of an escalatory response. The U.S. has advanced cyber capabilities that match or exceed Russia's, including the ability to interfere with the functioning of critical infrastructure in other countries. A report released last year by the International Institute for Strategic Studies concluded that U.S. offensive cyber capabilities "are more developed than those of any other country," and include the ability to disable adversaries' command and control systems and disrupt weapons systems.
The U.S. has demonstrated such capabilities before. The U.S. and Israel have been widely linked to Stuxnet, a worm that damaged centrifuges at Iran's Natanz uranium enrichment facility by manipulating the Siemens programmable logic controllers that drove them, before its discovery in 2010.
“We have substantial capabilities to respond,” Senate Intelligence Committee member Angus King (I-Maine) said in an interview. He declined to elaborate further.
But an attack that damages physical systems in Russia or elsewhere would be a massive escalation, and almost guarantee a response from Moscow.
“Even if there was some sort of really, really devastating critical infrastructure attack, I find it unlikely that the U.S. would engage in kinetic options or even like a response in kind just because we are dealing with a nuclear power here,” Lospinoso said.
When NBC News reported in February that one option presented to Biden to disrupt Putin’s ability to interfere in Ukraine was shutting off power in parts of Russia, the administration pushed back quickly and forcefully. Then-National Security Council spokesperson Emily Horne told POLITICO at the time that the report was “wildly off base and does not reflect what is actually being discussed in any shape or form.”
But Ledgett argued that an attack on U.S. infrastructure — imagine the lights being turned off in a major city or water filtration systems being taken down — is exactly the type of thing that could prompt Biden to respond aggressively.
“The Russians I believe know that there is a red line there that if they cross it to something that successfully takes down our infrastructure that there will be pretty severe consequences,” Ledgett said.