The SolarWinds attack last year was a clear example of the rise in state-sponsored cybercrime, with attackers using the breach to spy on a huge number of organizations, including the Treasury Department and the Department of Homeland Security. It’s an act that saw the US government retaliate with sanctions on Russian intelligence officials.
In an article published last year, I argued that it’s a problem that is only likely to get worse in the coming years with the digital battleground becoming increasingly aggressive as Russia, North Korea, China, and Iran duke it out with western foes. The recent G7 summit in Cornwall was, therefore, something of a watershed moment, as state-sponsored cyberattacks were taken out of the shadows and placed firmly into the spotlight when Joe Biden met with Vladimir Putin with cybersecurity to the very top of their agenda.
It’s perhaps fair to say that expectations around the meeting were not especially high, especially as Putin has made pleading innocence/ignorance while causing mischief something of an art form. It’s that insouciance that allows him to brush off the kind of threats of retaliation seen at the G7, or indeed the actual sanctions that were issued in the wake of SolarWinds.
The meeting gave the visage of seriousness and presidential heft behind any retaliatory threats made by the US, but the proof will most definitely be in the pudding, as the threats made to date have done little to limit the attacks being made on key American infrastructure.
It’s quite clear that words, and indeed sanctions, have done little to limit the cyber ambitions of the Kremlin.
As such, it’s time for the US, and its western allies, to take a more aggressive approach to cybersecurity. After all, if the Kremlin had instigated a more traditional military offensive on American interests, it’s doubtful that the response would have been so measured, and it’s this knowledge that deters Russia from engaging on a military level.
On the offensive
Stern words and rebukes are not going to cut the mustard anymore, and the best form of defense is likely to be offense, with various cyberattacks of its own on key Russian targets. At the very least, the US administration needs to make it clear that such attacks are a very real option that they’re willing and able to deploy. Indeed, President Biden hinted at such an approach when he said that if Russia continues to violate basic norms that the country will not hesitate to respond in kind.
The importance of action cannot be overstated, not least because there has been no real shortage of conversations about cybersecurity between Russia and America. Alas, such diplomatic channels have produced no meaningful changes in behavior, so a different approach is urgently needed. Without tangible retaliatory actions, there is a strong sense that Russia will gladly continue engaging via these diplomatic channels under the guise that doing so is showing a willingness to maintain a friendly dialog, all the while they continue to enable and support cyberattacks on western infrastructure.
Terms of combat
At the meeting, Biden was quite ambiguous about just what might happen in the event of any future Russian-backed attack. He said that experts in both countries would be working to define what is specifically off-limits, with those experts then following on any specific cases that are believed to have originated in either country.
He went on to define 16 industries that were deemed to be critical infrastructure, including healthcare, financial services, water, and agriculture. This would obviously include the Colonial Pipeline that was the victim of a recent attack that significantly disrupted oil supplies to the country, while also covering the meat processing firm JBS, which was also attacked recently. It’s widely believed that both attacks were instigated by Russian criminals, and while the direct fingerprints of the Kremlin were absent from the attacks, it’s widely believed that they were instigated with state approval.
Where the waters get muddied is the inclusion in the 16 key industries of the likes of telecoms and IT services, both of which have been targets of American cyber-espionage in the past. Indeed, the Stuxnet attack that was widely believed to have originated in American and Israeli security services would have broken the red lines outlined by Biden during the G7 meeting.
The first step
While the meeting is the first step in improved cyber-relations between the West and Russia, there remains a justifiable degree of skepticism about just how effective it will be in actually changing Russian behavior.
Indeed, Biden himself told reporters at the summit that he wasn’t particularly confident that the meeting will result in any meaningful change. It’s a justifiable caution, not least as Biden was in the Obama administration that was unsuccessful in securing any ceasefire in cyber-hostilities from Russia.
As such, it’s quite probable that a full ceasefire was never a likely outcome, and a positive result will be a reduction in hostilities rather than their cessation. Such a reduction is only really likely if the United States can show that more severe consequences are inevitable in the wake of any subsequent attacks, as without that the tough rhetoric will sadly ring hollow.