KEY TAKEAWAYS
- The president said he handed over a list of 16 areas of critical infrastructure.
- Secretary of Defense Lloyd Austin was recently asked whether there’s a definition of what constitutes a cyberattack on the U.S. He struggled to answer.
- The Biden administration cannot rely on simply handing over a “do not attack” list to Putin and hoping for things to get better.
President Joe Biden and Russian President Vladimir Putin held a mid-June summit in Geneva, after which Biden told reporters, “I talked about the proposition that certain critical infrastructure should be off-limits to attack, period—by cyber or any other means.”
The president said he handed over a list of 16 areas of critical infrastructure that are broadly defined currently by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Leading up to the July Fourth weekend, news broke that Kaseya, an information technology management software provider, had suffered a massive software supply chain ransomware attack that has spanned the globe, affecting businesses, grocery store chains, schools, and more everywhere, from the U.S. to Germany to New Zealand.
Kaseya said that “critical infrastructure” has not been affected by the attack. About 50 of its customers have been hit, leading to downstream effects of 800 to 1,500 “local and small businesses” hurt by the ransomware attack.
However, Kaseya could be considered one of those 16 critical infrastructure sectors as “infrastructure technology.” The FBI continues to investigate the broader set of victims of this attack, so it may be some time before we know its full impact, which could be more extensive than current reporting.
REvil, a Russian-based ransomware-as-a-service group that carried out previous high-profile attacks, such as against JBS meatpacking, has claimed responsibility for the ransom and has demanded $70 million in bitcoin cryptocurrency while claiming to have affected more than “a million” systems.
With the onslaught of ever-growing cyberattacks, Biden’s approach to cyber diplomacy is on shaky ground.
“We agreed to task experts in both our countries to work on specific understandings about what’s off-limits [for hacking] and to follow up on specific cases that originate in … either of our countries,” he said, shortly after his summit with Putin. White House press secretary Jen Psaki stated that “expert level” discussions are ongoing with a session on ransomware set for next week.
One can have a differing opinion on the severity of these various cyberattacks or crimes, and whether or not they are state-backed, but the fact remains that they are increasingly affecting everyday Americans.
Businesses, hospitals, schools, and other entities in the U.S. and elsewhere may not be deemed “critical infrastructure,” but ransomware attacks against them have a significant impact economically and personally to individuals and organizations.
For example, a recent ransomware attack against Ireland’s hospital networks has led to weeks of disruptions of hospital information technology functions that have affected scheduling capabilities for blood tests and diagnostics.
Secretary of Defense Lloyd Austin was recently asked whether there’s a definition of what constitutes a cyberattack on the U.S. He struggled to answer an important question that our country must be ready to answer and outline to our foes in this new battlefront.
Former Director of National Intelligence John Ratcliffe noted that the U.S. needs to attribute these attacks and either overtly or covertly retaliate against those responsible, thereby creating deterrence for the future.
If the response is against Russian cybercriminals directly, the Putin regime should be put on notice that the U.S. means business when it comes to protecting our digital assets, “critical” or otherwise.
It’s well-known that the Russian government turns a blind eye to various cybercriminals originating from its turf. At times, cybercriminals have a tangential connection to Russian intelligence or military assets.
The Trump administration reportedly relaxed the bureaucratic decision-making process on utilizing America’s offensive cybercapabilities, and it would behoove the Biden administration to continue those efforts and expeditiously structure forward-leaning response measures to these cyber and ransomware attacks.
We have now seen in the past seven months a massive software supply chain cyberespionage campaign in SolarWinds conducted by Russian intelligence, a global-scale cyberattack by the Chinese state-sponsored group Hafnium, and an array of ransomware attacks that have picked up in recent years, including the DarkSide Russian criminal attack on the Colonial Pipeline and REvil’s $12 million ransom of JBS.
Fundamental changes to the U.S. cyberdefense posture via a recent executive order, the Cyberspace Solarium Commission legislative recommendations, and congressional efforts for further government-private sector information-sharing and breach-reporting practices are currently in the pipeline.
At some point, however, the U.S. must grapple with a mixed-use offensive and diplomatic framework to tackle nation-state and state-backed cyberattacks and espionage campaigns.
The Biden administration cannot rely on simply handing over a “do not attack” list to Putin and hoping for things to get better.
We should be telling the Russian, Chinese, Iranian, and North Korean governments that there will be no tolerance for state-backed cyberattacks and that willful ignorance of cyber actions against the United States will be cause for significant response. Finally, we should coordinate with allied partners around the globe—who face the same onslaught of those attacks—to join us in these efforts.
Dustin is a Research Fellow in Technology Policy at The Heritage Foundation.