Advertisement

Cyber experts question Biden’s tit-for-tat approach with Russia

To some, the president's words reflected dated and misguided thinking.
President Joe Biden talks to reporters during a news conference in the East Room of the White House on Jan. 19, 2022. (Photo by Chip Somodevilla/Getty Images)

President Joe Biden said this week that the U.S. government could respond to Russian cyberattacks on Ukraine “the same way, with cyber.”

The answer may have been a standard U.S. government response about responding in-kind, especially in the context of a deteriorating security situation on the border between Ukraine and Russia, with Biden predicting a Russian invasion. National security experts, foreign leaders and Biden’s domestic political opponents criticized his overall remarks on the potential Western response to any Russian incursion, but the cyber-specific comments got their own round of questions from cybersecurity experts as well.

To some, Biden’s words reflected dated and misguided thinking that sounds good and tough but makes no sense in the real world.

“Tit-for-tat cyber has always been a fantasy for policymakers,” tweeted Jacquelyn Schneider, a Hoover Fellow at Stanford University and expert in cyber policy and national security. She pointed to the difficulty that the Obama administration had, for instance, in determining a proportional response to the Sony hack by North Korea, and cyber experts have for years questioned what this actually looks like.

Advertisement

Over time a more coherent and broad strategy has emerged that includes identifying and indicting foreign government hackers — known as “naming and shaming” — economic sanctions, and increased U.S. government offensive cyber actions against ransomware groups, for example.

Biden has a “superstar group of professionals” in key cyber positions in his administration, Schneider told CyberScoop, “so I don’t know why we are using a lot of the language that we used in the Obama administration. I think we’ve learned a lot in the last four to eight years, so I’m not sure why we’re reverting.”

Matt Tait, the COO of Corellium and a former information security specialist with the United Kingdom’s GCHQ, asked in a tweet why policymakers are “always so obsessed about domain-symmetric responses in this, and only, this tactical domain,” and said the thinking is “stuck in a time vortex from the late 90s.”

Schneider agreed, and said cyber-operations are mostly effective in support of other foreign policy efforts, such as intelligence gathering or as a means to slow down adversaries, confuse them or create uncertainty. Economic sanctions targeting oil exports are the more likely option in this case, some experts argue, even if they would also hurt some economies in Europe and U.S.

But if Biden’s comments reflected an attempt at deterrence, “don’t bother,” she said. “Cyber operations have a very poor record of being credible signals of deterrence.”

Advertisement

She added that it’s not clear that the U.S. government would want to engage in back-and-forth cyberattacks on government agencies or other targets that spill into the civilian sector. “[Biden] implied it would be a proportional tit-for-tat,” she said, offering a hypothetical example of Russians targeting critical infrastructure that effect civilians on a broad scale. “Is that something the United States really wants to tit-for-tat? That feels morally inappropriate.”

Even as the U.S. government has become more vocal about its use of offensive cyber-operations against adversaries, it’s not clear how that would apply in the context of Russian cyber-operations against Ukraine.

The U.S., British and Canadian governments have each issued warnings in recent days to critical infrastructure operators to be on the lookout for Russian cyberattacks and infiltrations of critical infrastructure networks, but there is no indication that these systems have been attacked. On Friday the U.S. and Russian governments agreed to keep negotiating in efforts to forestall a military conflict even as military buildups continue on both sides, The New York Times reported.

Dmitri Alperovitch, the co-founder and chair of the Silverado Policy Accelerator and the co-founder and former CTO of cybersecurity firm CrowdStrike, said “there was no way” the U.S. government would escalate the conflict by attacking Russian systems, which would lead to retaliation and escalation from the Russians.  

“That is not in the cards and bluster from the administration,” he said, noting that Biden threatened Russian President Vladimir Putin over a spate of ransomware incidents this summer, but then seemingly did nothing. “We tend to get ahead of ourselves rhetorically on these things and it’s really unfortunate because I think we do lose credibility when we don’t follow through.” 

Advertisement

He added that the NotPetya attacks on the Ukrainian electric grid in 2015 and 2016 were “much more consequential, have been attributed, and we did not retaliate in cyberspace. And I don’t see us doing that now.”

Latest Podcasts