Empty Threats and Warnings on Cyber

On July 9, President Biden warned Russian President Vladimir Putin that the United States will take “any necessary action,” including imposing unspecified “consequences,” if Russia does not disrupt ransomware attacks from its soil. The problem with this warning is that the United States has been publicly pledging to impose “consequences” on Russia for its cyber actions for at least five years—usually, as here, following a hand-wringing government deliberation in the face of a devastating cyber incident. This talk has persisted even as adverse cyber operations have grown more frequent and damaging. It is ineffective and, in the aggregate, self-defeating.

Biden’s warning on July 9 is the latest in a series of verbal threats against Russia by the Biden team since the 2020 election. Consider:

• In late June 2021, Secretary of State Antony Blinken said: “We expect Russia to take action to prevent these cyberattacks from happening again …. If Russia continues to attack us, or to act as it did with the SolarWinds attacks, the intrusions into our elections, and the aggression against Navalny, then we will respond.”
• On June 16, Biden said: “[Putin] knows there are consequences …. He knows I will take action.” Biden boasted that the United States has “significant cyber capabilities.” He added: “[Putin] knows it. He doesn't know exactly what it is, but he knows it’s significant. If in fact they violate these basic norms, we will respond.”
• President-elect Biden, in December 2020, said of SolarWinds: “We can't let this go unanswered. Cyberattacks must be treated as a serious threat by our leadership at the highest levels. That means making clear and publicly who is responsible for the attack [in this case Russia], and taking meaningful steps to hold them in account.”
• A few days earlier, Biden said of SolarWinds: “We need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place …. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.”

We heard similar things in public from the Trump and Obama administrations. A selective list:

• President Trump’s national security adviser, John R. Bolton, stated in 2019: “You [Russia] will pay a price if we find that you are doing this. And we will impose costs on you until you get the point that it’s not worth your while to use cyber against us.”
• December 2016. After suspicions of Russian interference in the 2016 election surfaced, Obama stated: “Our goal continues to be to send a clear message to Russia or others not to do this to us, because we can do stuff to you .... Some of it we do publicly, some of it we will do in a way that they know but not everybody will.”
• In October 2016, U.S. intelligence officials told NBC News that the U.S. government “is contemplating an unprecedented cyber covert action against Russia in retaliation for alleged Russian interference in the American presidential election.” They said that the CIA had been asked to develop a wide-ranging “clandestine” cyber operation designed to harass and “embarrass” the Kremlin leadership.

What is the point of this talk? How many times does the United States need to send the message? What is the message sent by sending so many messages?

Any such message should have been sent only once. The reason to send it would be to establish red lines that, if crossed, would be met by a response more painful than the gains of the action. But this is clearly not what has been happening. The persistent braggadocio about how powerful our capabilities are and how we will use these weapons if Russia does something bad is met, time and time again, with another Russian operation, and then more warnings and threats.

Yes, the United States is also imposing retaliatory pain on Russia in “secret,” as we sometimes learn after the fact. But the combination of puffed-up threats, news reporting on government uncertainty about how to respond to cyber operations from Russia, a covert retaliatory operation, and then the next revelation about an unexpected and very damaging cyber operation sends a clear message of extraordinary weakness. This is exactly the opposite of the message one should want to send, not just to the Kremlin, but to other adversaries who are watching and learning from our fecklessness. (It is also hard to understand why the United States, alone among nations, boasts about living in adversary networks and publicly reveals, through studied leaks, many of its cyber operations in adversary networks. This is a related problem, but for another day.)

Amazingly, the United States is in exactly the place it was five years ago when the Russians interfered in the 2016 election. It still has not figured out how to impose costs on the Russians that outweigh the Russians’ perceived benefits from these cyber operations. Whatever combination of public and secret sanctions it has been imposing clearly is not doing the trick. The repeated warnings over a period that has been marked by damaging cyber operations only emphasize that reality.

The United States could, of course, do much more, but at least two major hurdles stand in the way. One, the less serious hurdle, is international law, which limits U.S. options, at least those involving forcible measures, in the face of the Russian operations below the threshold of uses of force or armed attacks.

Second, the more serious hurdle, is the escalation threat. As David Sanger and Nicole Perlroth explained a few days ago:

Whenever counterstrikes are debated in the White House, veterans of those debates note, an air of caution eventually settles in. The United States may possess what Mr. Biden calls “significant cybercapability”—made clear more than a decade ago when, as vice president, he participated in the meetings on the Stuxnet cyberattacks on Iran’s nuclear centrifuges. But it is also more vulnerable to cyberattacks than most nations because it is so digitized and most of its critical infrastructure is owned by businesses that have not adequately invested in their digital defense. Thus, any escalation risks blowback.

Sanger and Perlroth report that “[i]n recent days, however, a growing number of experts have argued that the United States is now facing such a barrage of attacks that it needs to strike back more forcefully, even if it cannot control the response.” But the experts have not just been arguing this “in recent days.” They have been arguing this since the 2016 Russian interference in the U.S. election, and even before. (One aim of the much-ballyhooed 2018 “Defend Forward” strategy—which basically involves Cyber Command conducting more proactive and persistent operations to counter and disrupt adversary cyber threats—was to skirt the escalation problem.) Even if Biden responds to the latest ransomware operations, and he surely will, it is hard to see how he can impose pain enough to slow the operations while at the same time avoiding a serious risk of on-balance harmful escalation.

And so the United States remains stuck in response to these ever-more-menacing cyber operations. It cannot defend its networks from increased attacks. And it cannot credibly threaten greater consequences for the attacker, thereby deterring the attacker. The government has worked very hard on both of these approaches. And it has clearly failed. But it sure is talking a good game.