WASHINGTON — President Joe Biden said he would "deliver" a message to Russian President Vladimir Putin about the latest ransomware attacks targeting American businesses, setting up a test of Biden's ability to balance his pledge to respond firmly to cyber breaches with his goal of developing a stable relationship with Russia.
The administration faces few easy options for a ransomware threat that in recent months has emerged as a major national security challenge, with attacks from Russia-based gangs that have targeted vital infrastructure and extorted multimillion-dollar payments from victims.
The White House says the damage from the latest attack — affecting as many as 1,500 businesses worldwide — appeared minimal, though cybersecurity experts said information remained incomplete. The malicious intrusion exploited a powerful remote-management tool run by Miami-based software company Kaseya. It occurred weeks after Biden made clear to Putin that the U.S. was growing impatient with cyberattacks emanating from Russia.
But Biden finds himself in a difficult position as he seeks to press Putin to crack down on Russian cyber gangs targeting U.S. and international business for financial gain and dial back Kremlin-connected cyber espionage. The administration is mindful that punitive actions against Russia can escalate into tit-for-tat exchanges that heighten tensions between nuclear superpowers.
The latest hack also comes after some Republicans accused the Democratic president of showing deference to Putin by meeting with him and making America weaker in the process. Biden has faced criticism of being too soft on Putin even though former President Donald Trump declined to blame Russia for hacks and interference in the 2016 election despite U.S. intelligence community findings.
Biden met Wednesday with Vice President Kamala Harris and top national security aides to discuss the problem. As he departed the White House to travel to Illinois, Biden was opaque when asked what exactly he would convey to Putin.
"I will deliver it to him," Biden told reporters.
A White House National Security Council spokesperson said in a statement Wednesday that combating ransomware remained a priority, but that the years-long threat "won't just turn off as easy as pulling down a light switch."
"No one thing is going to work alone and only together will we significantly impact the threat," the statement said.
U.S. officials say they've preached to the private sector about hardening cybersecurity defenses, worked to disrupt channels for ransomware payments and scored a success last month with the recovery of most of a multimillion-dollar payment made by a fuel pipeline company. But they've been cautious about carrying out retaliatory offensive cyber actions for fear it could quickly spiral into a greater crisis. There are also practical limits to what the U.S. can do to thwart Russian cyber gangs.
Biden and top administration officials repeatedly said around last month's meeting with Putin that their goal was building a "predictable," stable relationship. An all-out cyberwar would seem to work against this goal.
"It's a very fine line that they have to walk as far as providing some kind of consequence for that behavior without it escalating to where cyberattacks are out of control, or increase it to a conflict that goes beyond the cyberspace," said Jonathan Trimble, a retired FBI agent and cybersecurity executive.
White House press secretary Jen Psaki said Tuesday that Russian and U.S. representatives were meeting next week and would discuss the matter. She said administration officials used Wednesday's meeting to discuss building resilience to attacks and other efforts to combat the problem, and also addressed policies on payments to hackers.
The administration has yet to attribute the latest major attack to Russians hackers. Psaki did not directly answer how Biden might respond, but said he has "a range of options, should he determine to take action."
Cybersecurity experts swiftly identified REvil as responsible for the attack, and the notorious Russia-linked gang appeared to admit it publicly by offering on its dark web site to make available a universal decryptor that would unscramble all affected machines if paid $70 million in cryptocurrency.
Biden said he set red lines by handing a list to Putin of some 16 critical infrastructure entities, including water systems and the energy sector, in the U.S. that are off-limits to attack. He said "responsible countries need to take action against criminals who conduct ransomware activities on their territory."
The Kaseya attack did not appear to affect any critical infrastructure. Nevertheless, the incident shows that ransomware attacks, even if they don't target critical infrastructure, have the potential to be damaging when done on a massive scale.
Biden also suggested that he told Putin that he stood ready to retaliate should the Russians go too far.
"I pointed out to him that we have significant cyber capability. And he knows it," Biden said.
Further complicating matters, the Republican National Committee said Tuesday one of its contractors had been breached, though it did not say by whom. The RNC said no data was accessed.
The administration has already taken action against the Russians for cyberespionage, announcing in April the expulsion of 10 Russian diplomats and sanctions against several dozen people and companies over Kremlin interference in last year's presidential election and the hacking of federal agencies.
The U.S. has other tools at its disposal. Assuming it can gather the evidence it needs to identify the hackers, the Justice Department can bring indictments — though absent the defendants voluntarily departing Russia, there is little chance of them facing justice in American courts. Hacks not only from Russians but also the Chinese have continued even after indictments.
There's also the chance investigators in at least some cases can recover from criminals ransom that has been paid. The Justice Department clawed back a portion of the $4.4 million forked over to a Russian-linked cyber gang responsible for the attack on Colonial Pipeline, an attack that stymied the gasoline supply in the southeast U.S. for days.
James Lewis, a senior vice president at the Center for Strategic and International Studies, said the U.S. has been for too long in a "defensive crouch" when responding to ransomware attacks. The administration's options for assertiveness against ransomware criminals could include limiting their access to financial networks or hacking their command and control infrastructure.
"These are all tough choices and the default position is to be cautious, which is why we keep getting whacked," Lewis said.