Red lines and US foreign policy have a tangled past. So it was not without risk that Joe Biden attempted to lay down some of his own to curb cyberwarfare when he met Russian president Vladimir Putin last week.
“Certain critical infrastructure should be off-limits to attack, period,” Biden said after handing Putin a list of 16 areas that both Russian state operatives and cyber criminals ought to spare.
The no-go zones include sectors — energy, health, IT and commercial facilities — that have already allegedly been targeted by Russian hackers since the 2020 elections. Others include transport, financial services, chemicals and communications.
The list is no surprise: The cyber security and infrastructure security agency, a government body, has long warned that the assets, systems and networks of these sectors are so vital that “their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety”.
The difference, says James Lewis, a cyber security expert at the Center for Strategic and International Studies, is the way the warning has been delivered. “Knowing there’s a list somewhere on the web and having a president tell you are different things,” he said.
The aim now is for both sides to agree these areas are off-limits. But the next question is what exactly Biden will do if Russia trespasses his red lines.
The US president has lowered the bar for holding Russia responsible for various cyber misdemeanours. Notably he has indicated that he would be inclined to hold the Kremlin responsible for harbouring supposedly independent Russian cyberhackers targeting US assets.
The Biden administration is signalling its response will become harsher. It has already imposed sanctions over the Solarwinds hack, which the US attributed to Russian intelligence. The US may undertake cyber attacks of its own too.
“[I]f, in fact, they violate these basic norms, we will respond with cyber. He knows,” Biden said referring to Putin.
Quentin Hodgson, former director for cyber plans at the department of defence, said the US had become more open about its offensive cyber capacity. “It’s something the United States 10-plus years ago wouldn’t even mention in public”.
Lewis said Washington could potentially go after computer infrastructure used by ransomware hackers in Russia and Europe. “I think the US is looking for the right kinds of targets to hit in Russia,” he said.
Biden has also spurred Nato into action. Members of the transatlantic pact said last week a cyber attack could lead to the invocation of Article 5, which stipulates an attack on one is an attack on all.
“Allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack,” the Brussels-based military alliance said in its statement, noting cyber threats were “becoming ever more frequent”.
That matters because Russia’s goal is to avoid direct military confrontation with the US, said Lewis. No matter how aggressive Moscow may be, the US believes Russia has structured its policies so its engagements will always fall short of war.
Despite potential for the temperature to rise, few experts expect a fundamental shift.
Fiona Hill, former senior Russia director in the National Security Council who was among experts who advised Biden ahead of the summit, said the Russians would keep testing US resolve.
“Never mind 16 areas; they should have given him 1,600 areas that were off-limits,” she told the Financial Times. “The Russians go right up to the line; they’ll find something else,” she said. Moscow will probably continue to violate Biden’s no-go zones anyway, she noted.
“The Russians are never going to change their behaviours unless they change the goals — you have to change their calculations,” she said.
On his European tour, the US president tried to do just that: he spoke about Russia’s need to be seen as an international player. He said Moscow risked being squeezed by China. But convincing Putin of it may be the hardest task of all.