President-elect Joe Biden’s team will consider several options to punish Russia for its suspected role in the unprecedented hacking of US government agencies and companies once he takes office, from new financial sanctions to cyberattacks on Russian infrastructure, people familiar with the matter say.
The response will need to be strong enough to impose a high economic, financial or technological cost on the perpetrators, but avoid an escalating conflict between two nuclear-armed Cold War adversaries, said one of the people familiar with Biden’s deliberations, speaking on condition of anonymity.
The overarching goal of any action, which could also include stepped-up counter cyber espionage efforts, would be to create an effective deterrence and diminish the potency of future Russian cyber spying, the person said.
The unfolding crisis - and the lack of visibility over the extent of the infiltration into the computer networks of federal agencies including the Treasury, Energy and Commerce Departments - will push to the front of Biden’s agenda when he takes office on Jan. 20.
President Donald Trump only acknowledged the hacking on Saturday almost a week after it surfaced, downplaying its importance and questioning whether the Russians were to blame.
The discussions among Biden’s advisers are theoretical at this point and will need to be refined once they are in office and have full view of US capabilities.
Biden’s team will also need a better grasp of US intelligence about the cyber breach before making any decisions, one of the people familiar with his deliberations said. Biden’s access to presidential intelligence briefings was delayed until about three weeks ago as Trump disputed the Nov. 3 election results.
With Trump taking no action, Biden’s team are concerned that in the coming weeks the president-elect may be left with only one tool: bluster, according to one of the people familiar with his options.
“They’ll be held accountable,” Biden said in an interview broadcast on CBS on Thursday when asked about how he would deal with the Russian-led hack. He vowed to impose “financial repercussions” on “individuals as well as entities.”
The response could be an early test of the president-elect’s promise to cooperate and consult more effectively with US allies, as some proposals likely to be put before Biden could hit the financial interests or infrastructure of countries friendly to the US, a person familiar with the matter said.
“Symbolic won’t do it” for any US response, said James Andrew Lewis, a cyber security expert at the Center for Strategic and International Studies, a Washington think tank. “You want the Russians to know we’re pushing back”
A spokeswoman for Biden’s transition team did not respond to a request for comment.
The massive data breach, first reported by Reuters, enabled hackers believed to be from Russia’s SVR foreign intelligence service to explore the networks of government agencies, private companies and think-tanks for months.
Moscow has denied involvement.
One potential target for US Treasury financial sanctions would be the SVR, said Edward Fishman, an Atlantic Council fellow who worked on Russia sanctions at the State Department during the Obama administration.
Media reports have suggested the SVR-linked hacking group known as “Cozy Bear” or APT29 was responsible for the attacks. The US, Britain and Canada in July accused “Cozy Bear” of trying to steal COVID-19 vaccine and treatment research from drug companies and academic institutions.
“I would think, at the bare minimum, imposing sanctions against the SVR would be something that the US government should consider,” Fishman said, noting that the move would be largely symbolic and not have a major economic impact. The US Treasury has already imposed financial sanctions on other Russian security services, the FSB and the GRU.
Financial sanctions against Russian state companies and the business empires of Russian oligarchs linked to Russian President Vladimir Putin may be more effective, as they would deny access to dollar transactions, both Fishman and Lewis said.
Those targets could include aluminum giant Rusal, which saw US sanctions lifted in 2018 after blacklisted Russian billionaire Oleg Deripaska reduced his stake to a minority in a deal with the Treasury.
Lewis said a stronger option could be to cut Russia off from the SWIFT international bank transfer and financial messaging system, a crippling move that would prevent Russian companies from processing payments to and from foreign customers.
Such a move was contemplated in 2014 when Russia annexed Ukraine’s Crimean peninsula, but it would hurt the Russian energy sector, complicating gas sales to Europe and hit European companies with Russian operations.
Neither the Treasury nor State Department responded to questions about possible actions in response to the hacking.
The Pentagon’s US Cyber Command likely has options for counter actions that could cripple Russian technology infrastructure, such as disrupting phone networks or denial of internet actions, Lewis said, adding that this too could hurt European allies.
“They’ll need to think through the diplomacy of that,” Lewis said.
The hackers likely left behind some malicious code that would let them access US systems for retaliation against any US cyber attack and it will take months to find and eliminate those “Easter eggs,” he added.