GENEVA – For 70 years, meetings between American presidents and Soviet or Russian leaders have been dominated by a looming threat: the vast arsenals of nuclear weapons that the two nations began amassing since 1940s, as tools of intimidation and, if containment fails, mutual annihilation.
Now, as President Biden prepares to meet Vladimir V. Putin in Geneva next Wednesday, cyberweapons are at the top of the agenda for the first time.
This shift took place over a decade, as Russia and the United States, the two most skilled adversaries in cyberspace, each turned to a growing arsenal of techniques that have become a daily low-level conflict. But at summits, that kind of jostling is often seen as a sideshow for the main superpower rivalry.
No more. The increasing pace and complexity of recent attacks on American infrastructure – from gas pipelines that run along the East Coast, to factories that supply a quarter of America’s beef, to operations. The actions of hospitals and the internet itself – have exposed a series of vulnerabilities that no president can afford to ignore.
For Mr. Biden, nuclear weapons are still important, and his aides say the two will spend a lot of time debating “strategic stability,” short for curbing nuclear escalation. multiply. But the more immediate task, Mr. Biden told his allies at last week’s Group of Seven summit in Cornwall, Britain, and a NATO meeting in Brussels, was to convince Mr. Putin that he would have to pay dearly for playing the master of. digital interruption.
It’s not easy. If a decade of intensifying counter-cyber violence has taught anything, it’s that traditional deterrence tools have largely failed.
And while Mr. Putin likes to brag about his huge investments in nuclear torpedoes and new hypersonic weapons, he also knows he can’t use them. On the contrary, his cyber arsenal is put to work on a daily basis.
Mr. Biden has made it clear that he intends to give Mr. Putin a choice: Stop the attacks and crack down on cybercriminals operating from Russian territory, or face a host of rising economic costs and what. Mr. Biden called a series of moves by the United States to “respond in kind.” But on Sunday, while still attending the Group of 7 summit in Cornwall, he conceded that Mr Putin would probably ignore him.
“There’s no guarantee that you can change a person’s behavior or the behavior of his country,” Biden said. “Autocrats have great power and they don’t need to answer in public.”
Deterrence is an issue many of Biden’s top national security aides have pondered over the years, drawing on their experiences on the front lines of cyberattacks at the National Security Agency. Ministry of Justice and the financial sector. They were the first to say that arms control treaties, the main tool used in the nuclear age, did not adapt well to cyber conditions. There are just too many players – countries, criminal groups, terrorist organizations – and no way to do the equivalent of counting warheads and missiles.
But their hope is to get Mr. Putin to begin discussing undisputed goals in peacetime. The list includes power grids, election systems, water and energy pipelines, nuclear power plants and – most sophisticatedly – nuclear weapons command and control systems.
On paper, that seems relatively easy. After all, a panel of experts from the United Nations, with representatives of all major powers, has repeatedly agreed on some basic limits.
In fact, it is proving extremely difficult – far more than the first nuclear arms control effort that the President Eisenhower spoke with Nikita S. Khrushchev in Geneva 66 years ago, just before the Cold War turned into a terrifying arms race and seven years later the nuclear confrontation in Cuba.
President Ronald Reagan said “we need to ‘trust, but verify,’ noted Eric Rosenbach, a former cyber policy lead at the Pentagon, who helped navigate the early days of cyber conflict with Russia. , China and Iran when Biden was vice president. “When it comes to Russians and cyberspace, you certainly can’t trust or verify.” He said.
“The Russians have repeatedly violated the terms of any agreement on cyberspace at the United Nations, and are now systematically trying to tie up the United States,” Rosenbach said.
Putin refuses to acknowledge that Russia fully uses these weapons, suggesting that the allegations are part of a massive US-led disinformation campaign.
“We’ve been accused of all sorts of things,” Putin told NBC News over the weekend. “Electoral interference, cyberattacks, and so on. And not once, not once, not once, they didn’t bother to give any kind of proof or proof. Just baseless accusations.”
In fact, the evidence that has been given, although much harder to show, is far less explanatory than the photographs of Soviet missiles in Cuba that President Kennedy displayed on television at the crucial time. during the Cuban Missile Crisis of 1962.
But Mr. Putin is right about one thing. The ease with which he can deny any knowledge of cyber activity – which the US has also done, even after launching major attacks on Iran and North Korea – proves why. why deterrence measures maintaining an uneasy nuclear peace during the Cold War would not work with its digital successor.
In the nuclear age, the United States knew where all Soviet weapons were located and who had the authority to fire them. In a cyber environment, there’s no way to count threats or even find out who has their finger on a keyboard – modern day “buttons”. A general? Hackers working for SVR, Russia’s top intelligence agency? Are other hackers, freelance for a ransomware “service provider” like DarkSide, responsible for the attack on the company that runs Colonial Pipeline? Teenager?
In the nuclear age, it is very clear what happens to a country that throws weapons at the United States. In cyberage it is anything but clear.
When Sony Entertainment’s studio was attacked by North Korea, in response to a movie mocking Kim Jong-un, 70% of the company’s computers were destroyed. The head of the National Security Agency at the time, Adm. Michael Rogers, said later that he was sure that the attack would bring about a major American response.
It didn’t do.
During the Obama administration, a successful Russian attempt to break into the unclassified email systems of the White House, State Department, and Joint Chiefs of Staff was never made public by Moscow – although though everyone, including then-Vice President Biden, knew the intelligence indicated that the hack came from Moscow.
The silent response to Russia’s attempt to influence the 2016 election came only after the results. Obama’s response was relatively mild: expel Russian diplomats and closed some diplomatic compounds. In the words of a senior official at the time, it was “the perfect 19th-century response to a 21st-century problem.”
Then came Mr. Trump’s time in office, in which he repeated, endorsing, Putin’s staunch denials of election meddling. America has spent four years trying to set some global standards, what Brad Smith, president of Microsoft, calls the “Geneva convention on networking”.
While the US Cyber Command ramped up the fight, sending the digital equivalent of a pitch to the Russian intelligence agency and knocking a large group of ransomware offline during the midterm elections. In 2018, Russian attacks continued. But what worries the Biden national security team is not the number of attacks, but their sophistication.
According to Microsoft’s estimates, the SolarWinds attack was more than just another hack: Around 1000 hackers at SVR, according to Microsoft’s estimates, were involved in an elaborate attempt to get the Russians involved in the supply chain. The software application was then introduced into government agencies, Fortune 500 companies, and tanks. Worse still, the attack was carried out from within the United States – from Amazon’s servers – because the Russians knew that American intelligence agencies were prohibited from operating on American soil.
Mr Biden said he wanted a “proportionate response”, and more economic sanctions resolution – hinting that there could be other “unseen” actions – but it was far from clear. Those actions leave an impression. Jake Sullivan, the president’s national security adviser, said on Air Force One flight en route to Europe last week: “The issue of state-sponsored cyberattacks is at the scale and That scale remains a matter of concern for the United States. The problem is not over yet, he said.
Following the SolarWinds hack comes a staggering rise in ransomware attacks, high-profile blackmail schemes in which criminal hacker groups lock up a company or hospital’s data, then claim millions Bitcoins to unlock. Mr. Biden has accused Russia of harboring these groups, even if they don’t work for the Russian government.
Mr. Rosenbach, a former director of cyber policy for the Pentagon, said that ransomware gave Mr. Biden an opening. Instead of naively focusing on abstract ‘rules of the road’, Biden should pressure Putin with concrete actions, such as averting the scourge of drone attacks, he said. Ransomware targeting critical US infrastructure ”.
“Putin has a legitimate denial, and the threat of additional sanctions is likely enough to persuade Putin to take silent action against” the groups responsible for the attacks, he said. .
That would be a start, if a small step.
If historic nuclear arms control were to be reintroduced – and possibly not – expectations would be low. It’s too late to hope to eliminate cyberweapons, anyone can hope to get rid of guns. The best we can do might be the first attempt at a digital “Geneva Convention” restricting the use of cyber weapons against civilians. And the perfect place to try might be in Geneva itself.
But that is almost certainly further than what Mr. Putin is willing to go. With his economy so dependent on fossil fuels and his population showing signs of resistance, his only remaining superpower is the disruption of his democratic opponents.