Biden Promises Retaliation Unless Putin Stops Cyberattacks
16 Critical Infrastructure Sectors Especially Off Limits - Or Else, President Warns
At their Geneva summit meeting Wednesday, U.S. President Joe Biden told Russian President Vladimir Putin that if Russia continues to launch cyberattacks against the U.S., it will face retaliation.
"I pointed out to him that we have significant cyber capability. He knows that. … If, in fact, they violate these basic norms, we will respond in a cyber way," Biden said at a post-summit press conference.
Putin dismissed allegations that Russia or Russian-based malicious actors were responsible for cyberattacks in the U.S., including the recent ransomware attack on Colonial Pipeline Co. He said most cyberattacks originate from the U.S. and South America.
The Russian leader, however, noted there are areas of mutual interest on the cyber front that both nations can explore.
"We believe that cyberspace is extraordinarily important - in general, and in particular for the U.S., and to the same extent for Russia," Putin said during his separate post-summit press conference.
Putin said that Russia, like the U.S., is a major target of cybercriminals.
"We encounter this every year. For example, one of the health systems in a very important part of Russia was attacked. So, it means that this work is being coordinated," Putin said. "In the U.S., I don't think that the U.S. administration is particularly interested in organizing that or looking into it. All they do is to make insinuations. What we need is expert consultations between us. We agreed to that, in principle. Russia is prepared for that."
Currently, Russia has little incentive to cooperate with the U.S. on cybersecurity, says James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies.
"The best we can hope for is that Russian criminals will be told to lay off critical U.S. infrastructure and stick to other commercial targets," Lewis says.
Russia never extradites its citizens to face charges abroad. But on Sunday, Putin suggested Russia might extradite cybercriminals to the U.S. if the U.S. reciprocated. Lewis, however, says U.S. cybercriminals don't hack Russian networks.
"The only people Russia could indict would be U.S. government employees," Lewis says. "It would be very awkward if they asked us to turn over FBI agents."
Biden did not rule out taking action against any groups based in the U.S. that conduct attacks against organizations in other nations.
The U.S. president said all nations, including Russia, must take action against those waging cyberattacks from within their borders.
"Responsible countries need to take action against criminals who conduct ransomware activities on their territory," Biden said at his press conference.
Both leaders said the summit meeting had a positive tone. Biden noted, for example, that despite disagreements having been expressed, the discussion never became hyperbolic.
In a joint statement released by the White House and Moscow, the two sides note that "they are able to make progress on our shared goals of ensuring predictability in the strategic sphere, reducing the risk of armed conflicts and the threat of nuclear war."
Biden said he presented the Russian president with a list of 16 "specific entities," such as the energy sector and water systems, that the U.S. views as critical infrastructure and that should be off-limits to cyberattacks.
The U.S. president said he also confronted Putin about the May 7 Colonial Pipeline attack that the U.S. has attributed to the Russia-based DarkSide ransomware gang. The attack led the company to temporarily shut down the 5,500-mile pipeline serving much of the East Coast, providing 45% of the region's fuel.
"I looked at him and I said, 'Well, how would you feel if ransomware took on the pipelines from your oil fields?' He said, 'It would matter,'" Biden said at his press conference.
That the two sides have agreed to continue talking about cybersecurity is a positive sign, says Sam Curry, chief security officer at Cybereason. But he questions the attempt to define critical infrastructure targets that must never be targeted.
"Having 'on the field' and 'off the field' targets isn't an auspicious beginning," he says. "On the other hand, saying that retaliation can escalate or even be an act of war for targeting critical infrastructure is different and might lead to some new cyber norms, if not 'cyber peace.'"
More progress came in the form of Biden and Putin agreeing to return ambassadors to each other's nations after diplomats from each country were asked to leave in April over sanctions imposed by the U.S., although Biden warned that he would not hesitate to take similar moves again, if warranted.
The Biden administration on April 15 formally sanctioned Russia over the supply-chain attack against security software vendor SolarWinds - which led to follow-on attacks against nine federal agencies and about 100 companies - as well as for a Russian disinformation campaign tied to the 2020 U.S. elections. The sanctions included expelling 10 diplomats from the Russian Embassy.
Russia then expelled the same number of U.S. diplomats and requested the Biden administration recall its ambassador.
The Biden-Putin summit took place one day after the U.S. and its NATO allies endorsed a new cybersecurity defense policy that singled out Russia as a particular threat.
NATO members agreed that the organization's Article 5 provision, which states that an attack on one member nation is an attack on all, could now be applied to cyberattacks. But NATO would make any decisions to invoke Article 5 in response to a cyber incident on a "case-by-case basis," according to a NATO communique.