Putin-Biden Summit: Can America Pushback in Cyberspace?

The U.S. must develop a cyber deterrence strategy

President Biden and President Putin will have their first in-person meeting tomorrow, Wednesday, June 16, 2021. The summit has high drama but low expectations, best summed up by the Michael Kimmage essay “When Biden Meets Putin. The High-Stakes, Low-Expectations Summit.” Putin is being Putin, and during interviews with NBC News, he’s employed the time-honored Kremlin practice of admitting nothing, denying everything, and making counter-accusations. Having watched Russian intelligence services, disinformation proxies, and criminal hackers subvert American democracy for years while they simultaneously hack into critical U.S. industries and government entities, I don’t believe the U.S. should be engaging with Russia at all. Putin literally tried to prevent President Biden from being elected. That being said, I respect that the new administration seeks to re-establish some stability between the two countries, and giving diplomacy a chance is a more calm and measured approach. However, two decades of diplomatic engagement and “resets” have led to sustained Russian aggression, particularly in cyberspace.

Since 2009, I’ve sat in discussions or participated in panels on what the U.S. should do in response to Russia’s malign activities in cyberspace. The threat of Kremlin state-sponsored hacking and Russian criminal hackers has steadily grown, and a decade of conventional wisdom on cyberspace has led up to our current crisis—America’s economy, democracy, and society being upended by cyberattacks and interference stemming from Russia.

In just the last few months, the following activities have been revealed:

  • Ransomware hacking collectives (by all accounts residing in Russia) disrupted one of the Western world’s largest beef providers.

  • Russia-based hacking collectives closed an oil pipeline for most of the American Southeast, prompting panic-buys at gasoline stations along the East Coast.

  • Russian intelligence-backed news sites were sanctioned for interfering in the U.S. 2020 election and laundering pandemic and vaccine conspiracies targeting U.S. audiences.

  • We learned that Russia sought to influence the 2020 U.S. election using an agent, Ukrainian MP Andrei Derkach, to denigrate President Joe Biden and provide manipulated information to President Trump’s personal lawyer, Rudy Giuliani. This manipulation campaign was pushed onto several American social media platforms.

  • The American leader of the accelerationist U.S. domestic terror group The Base, Rinaldo Nazarro, now resides in Russia, and has surfaced on social media recently, promoting training courses in Oregon and North Carolina this summer.

  • Russia’s intelligence service hackers, APT 29, snuck into America’s cyber supply chain, executing a massive hack into government computers and servers via SolarWinds.

  • Leading up to tomorrow’s U.S.-Russia summit, Putin is openly coming to the defense of January 6 insurrectionists—and Russian state television interviewed and promoted the case of one of the insurrectionists: the insurrectionist who broke into the office of the Speaker of the House, Congresswoman Nancy Pelosi, and infamously put his boots on Pelosi’s desk.

For more than a decade, I’ve been told we could not fight back against Russia in cyberspace because we have too much to lose, that retaliation might bring about further losses to hackers and the Kremlin, a cyber “Pearl Harbor.” The Kremlin is in our networks and in our audience space. Our infrastructure and economy are being shut down every week these days. It’s not going to happen, it is happening—the undoing of America in cyberspace.

In anticipation of the upcoming summit, I authored a short post at the Foreign Policy Research Institute (FPRI) titled “Russia is Hammering the U.S. in Cyberspace, Why is Biden Meeting with Putin at All?”

A note on conventional thinking in recent years regarding threats to the U.S.: Many who read the FPRI article will declare the concept of offensive cyber high-risk lunacy, enticing doomsday scenarios. But those in the Capitol Beltway have also claimed the assassination of Iranian General Qassim Suleimani would start a U.S.-Iran war (incorrect), that Russian social media influence operations didn’t matter (they did), and that Saddam Hussein and Iraq possessed WMD in 2003 (they did not). If nothing else, after the Biden-Putin summit, I’m hoping the national security establishment will re-evaluate their assumptions with respect to cyber deterrence. Here’s the start of the aforementioned post:

In 2009, while working in Washington, D.C., I remember the issue of Russian criminal syndicate hacking arising for the first time. Discussions about an appropriate measured response—one that would deter criminal hacking groups in places like Russia—quickly led to a common refrain: “America has too much to lose in cyberspace; we’re too vulnerable, and if we were to strike back, our infrastructure and our economy could be crippled by cyber attacks.” In subsequent years, Richard Clarke, former presidential advisor for counterterrorism who’d warned of al Qaeda and Bin Laden before 9/11, published his book Cyber War, which warned of the next great threat to America’s national security: a no-notice catastrophic cyber attack. Clarke accurately foretold of the coming danger on the internet battlefield. After 2011, every cybersecurity conference or event mentioned the possibility of a “cyber Pearl Harbor” or a “cyber 9/11.”

While Clarke was likely writing his book, we later found out that in 2010, “elite hackers, most likely from Russia, used at least two zero-day vulnerabilities to penetrate the computer network operated by Nasdaq Stock Market, a hack that allowed them to roam unmolested for months and plant destructive malware.” Again, I sat in a meeting of cybersecurity experts and asked: “Why don’t we fight back? Why don’t we do a counterattack?” Again, arguments claiming that we “have more to lose” and we’re “too vulnerable” arose. The same solutions posed five years before were again offered as a vision for cyber defense: improve our cybersecurity at home, harden our systems, increase user training, and improve information sharing regarding attacks and attackers between the public and private sectors. The U.S. incrementally took these steps, each year spending more and more to defend America from hackers of all types. And yet, the hacking continued and became more voluminous and sophisticated.

Soon came the next unprecedented Russian cyber attack using malware known as BlackEnergy, an attack that shut down the Ukrainian power grid in December 2015. Seemingly an act of war against a U.S. partner, the discussion of deterring Russian cyber attacks again surfaced. Hackers in Russia—some working for Russian intelligence services, some working for criminal syndicates, some criminal syndicates working for the Russian government—were bringing cyber Pearl Harbor events to American allies and partners in Russia’s backyard.

Sitting in a panel on cybersecurity in early 2016, I inquired about establishing deterrence through offensive cyber operations. D.C.’s consensus quickly set in: America was too vulnerable; Russia’s response could be apocalyptic, like turning off the internet; we must respect cyber sovereignty; too much risk. I personally found the argument over cyber sovereignty perplexing, given that Russia had so deeply violated Ukrainian sovereignty by shutting off its power in the dead of winter. Further, I had just been notified a few months prior that the FBI had visited the think tank at which I am a fellow to notify them that they’d been the target of a cyber attack. The agents would not reveal the attacker, but noted it might have something to do with articles that I had written, specifically one on Russia. My team was in the midst of tracking the rebirth of the Kremlin’s active measures which targeted the 2016 U.S. presidential election. While cybersecurity hand-wringing over cyber sovereignty ensued, Russia’s intelligence service hackers compromised the Democratic National Convention, the Democratic Congressional Campaign Committee, a presidential campaign chairman, a former Secretary of State and Chairman of the Joint Chiefs, the NATO commander, and American electoral systems. Russia was not respecting our cyber sovereignty, to say the least.

Read the rest at: