Going beyond sanctions?
Current and former national security officials still agree that the U.S. must retaliate somehow for the latest Russian cyber campaign, in which likely Kremlin-backed hackers compromised IT management software from the vendor SolarWinds to break into as many as 18,000 networks globally. An intelligence assessment released Tuesday blamed that exploit on a Russian software supply chain operation, the closest the U.S. has come to formally pointing the finger at the Kremlin.
But the officials also concur that any U.S. cyber response should work in tandem with more traditional steps, such as sanctions and indictments. They say the United States should avoid overreacting to the SolarWinds breaches, which so far appear to be a Russian intelligence-gathering operation rather than a destructive act of war on the American public.
The Russians expect us to understand the distinction, the current U.S. official said.
Some security hawks have urged the U.S. to go further including former national security adviser John Bolton, who before joining the Trump administration in 2018 called for a retaliatory cyber campaign against Russia in response to the Kremlins interference in the 2016 presidential election. He later said that the retaliation should not be proportionate.
Such rhetoric alarmed some cyber experts, who warned that the U.S. needed to worry about Russias potential ability to respond in kind to attacks on critical infrastructure such as its electric grid. If youre covered in gasoline, be careful throwing matches, Michael Sulmeyer, now the senior cyber director of Bidens National Security Council, told POLITICO at the time.
Instead, the Biden administration is probably working through a series of potential actions that would make it harder for the Kremlins hackers to operate online, said the former Trump administration official, who spoke on the condition of anonymity to discuss the ongoing process.
The U.S. took a similar step during the 2018 midterm elections, when Cyber Command blocked online access to Russias infamous Internet Research Agency, a propaganda factory with ties to Putin that had been spreading misinformation about the election and had played a major role in the 2016 interference. Word of the U.S. reprisal leaked to the news media, but the militarys elite digital warfighting organization has yet to acknowledge it publicly.
The White House could opt to target Russias military and foreign intelligence services or their assets if Washington could show without doubt that they were at least heavily involved in the SolarWinds compromise, the former official said.
A Cyber Command spokesperson declined to comment for this story.
Risks of going too far…
In January, Biden ordered U.S. intelligence agencies to provide him with an assessment of the Russian hacking operation. But the administration risks complicating its options if it bundles its response to SolarWinds with its answers to other malicious activities by Moscow, such as Russias placing of bounties on U.S. soldiers in Afghanistan, its interference in last years presidential election and the poisoning of dissident Alexei Navalny.
That approach would be counterproductive because that just tells the Russians that this is typical Americans just hitting back at them, said Dmitri Alperovitch, co-founder of security firm CrowdStrike and now the executive chair of Silverado Policy Accelerator. It is not going to send them a message that they need to change one or two specific behaviors.
He argued that the U.S. shouldnt punish the Kremlin at all for the SolarWinds breach, which he said falls within the realm of traditional espionage and overall was very careful not to cause collateral damage.
The last thing you need is to basically send them a message that next time they can be a lot more reckless, Alperovitch said, adding that the U.S. and its Western allies have already sanctioned everything that breathes in Russia.
A former National Security Council official familiar with the issue argued that theres plenty of room to sanction Russia if thats the choice the Biden administration makes.
New sanctions could target more oligarchs close to Putin, or even Putin himself. One option is to expand existing U.S. prohibitions on dealing in non-ruble Russian sovereign debt to cover all types of sovereign debt transactions, the former official said.
The reality is that the U.S. could severely damage the Russian economy through sanctions, the current U.S. official said. The danger is that by turning up the dial too far the economic fallout could spread to Europe and beyond, eventually affecting the American market, too.
The administration has indicated that its response will include domestic elements, with Biden looking at executive orders designed to shore up the countrys digital defenses and better protect critical supply chains.
The U.S. could ‘turn the power off in Moscow,’ one former U.S. official said. ‘But that has so many dynamics in the wrong direction.’
Going beyond sanctions?