The Washington Post

The Cybersecurity 202: Biden intends to hammer Putin on ransomware attacks. But the strategy might not work

with Aaron Schaffer

President Biden plans to take a hard line with Russian President Vladimir Putin during their upcoming summit over a rash of ransomware attacks that hit critical U.S. companies. 

But it will probably take a lot more than that to get the attacks to stop, experts say. 

“The president is very determined on this, but the first thing Putin will do is say, ‘prove it.’ And he doesn’t mean ‘prove we did it.’ He means ‘prove you’ll do something back,’ ” Jim Lewis, a cybersecurity expert at the Center for Strategic and International Studies and a former cybersecurity official in the State and Commerce departments, told me.

The White House “[is] not taking any options off the table” as it mulls responses to a pair of major ransomware attacks from Russian criminal groups that sparked turmoil in the United States, spokeswoman Jen Psaki said. The first of those attacks, against Colonial Pipeline, strangled gas supplies in the southeastern United States. The second, against JBS, is threatening to affect U.S. beef and pork supplies.

During their summit in Geneva later this month, Biden intends to tell Putin that “harboring criminal entities … that are doing harm to the critical infrastructure in the United States is not acceptable,” Psaki said. 

The attacks have placed Biden in an all-too-familiar conundrum for U.S. officials.

For more than a decade they’ve condemned increasingly brazen Russian cyberattacks targeting companies and government agencies in the United States and abroad as well as digital influence operations aimed at undermining the 2016 U.S. elections and deepening U.S. political divisions. 

But they’ve never found a way to force Russia to rein in those attacks.

A raft of increasingly harsh sanctions has also produced no change in Russia’s behavior. And there’s little reason to believe Putin will have a change of heart now. 

“They’ve been doing this for 20 years and nothing’s ever happened except sanctions, which they’re totally unfazed by,” Lewis said. “The U.S. will have to decide whether it does nothing — and I’d include sanctions in the category of doing nothing — or if it wants to do something that puts more pressure on.” 

For Lewis, the only response likely to rein in Russian cyberattacks is a proportional retaliatory cyberattack by the United States. 

Such an attack might, for example, cripple the computer infrastructure used by the criminal groups responsible for the Colonial Pipeline and JBS hacks, he said. 

Although those hacks were launched by criminal groups, experts generally agree that those groups work in Russian territory with at least the tacit approval of the Kremlin. Psaki underscored that point during yesterday’s briefing, saying Biden “certainly thinks that President Putin and the Russian government ha[ve] a role to play in stopping and preventing these attacks.”

Other experts agreed it will take more than harsh words to halt Russia-based ransomware attacks. 

Russia might rein in cybercriminals operating on its territory if it faced a concerted effort that included economic consequences from the United States and its allies — all of whom have an increasingly urgent interest in reducing ransomware attacks, Megan Stifel, executive director for the Americas at the Global Cyber Alliance nonprofit group and a former National Security Council cybersecurity official, told me. 

The Biden administration might organize such a joint pressure campaign with the 66 nations that signed the 2001 Budapest Convention, the main international treaty on cybercrime, she said. 

“The stakes are getting higher for everyone as we’re becoming more interconnected,” Stifel said. “The stakes are higher for the global community. We need to work the diplomatic side to say, ‘this is not just our problem.’ ”

And yet, the White House may have a better shot getting Russia to clamp down on ransomware than halting its other cyberattacks. 

There’s effectively no chance, for example, that Russia will step back from major espionage-focused hacks, such as the SolarWinds campaign, which allowed its spy services to steal reams of secret documents from a slew of U.S. government agencies. 

That’s partly because those hacks are extremely useful for the Kremlin’s spy services. It’s also because the United States and its allies conduct espionage-focused cyber operations as well.

When it comes to ransomware, however, Putin might be persuaded that the benefits of clamping down on it outweigh the benefits of letting it continue, Chris Painter, the State Department’s top cybersecurity official during the Obama administration, told me. 

“It’s going to be hard to get Russia or any country to stop doing espionage… [but] with criminal activity you might have a better chance,” he said. “If [Putin] can take action that gets him some approval from countries around the world and doesn’t cost him much, he might do that. Will it be long-lasting? Maybe not.”

The keys

Hackers probably linked to China breached New York’s subway system last month.

The breach raised concerns that hackers could have entered operational systems that control train movements, though there’s no evidence they did so, the New York Times’s Christina Goldbaum and William K. Rashbaum report. A forensic analysis found that customer data was not breached in the attack, which was not previously publicly disclosed.

“The MTA’s existing multilayered security systems worked as designed, preventing spread of the attack,” said Rafail Portnoy, the MTA’s chief technology officer. “We continue to strengthen these comprehensive systems and remain vigilant as cyberattacks are a growing global threat.” 

A partisan election audit in Arizona has been rife with security violations, observers said.

Prohibited items such as cellphones have been allowed onto the floor where votes are being counted, according to the office of Arizona Secretary of State Katie Hobbs (D). In one case, a software update caused so many errors that the company conducting the audit simply reverted to using old software.

Hobbs's office is documenting the alleged violations, which all happened over the past 10 or so days, Felicia Sonmez and Rosalind S. Helderman report.

The Arizona audit was ordered by the state’s Republican-led state Senate despite the fact that county officials, state judges and federal judges didn’t find any merit in claims that the election was tainted by fraud. A spokesman for the audit said he was not available to comment.

Hobbs is highlighting her election security record in a new bid to be governor of Arizona.

Hobbs, who announced her candidacy yesterday, is highlighting her pushback against baseless claims of election fraud, the Arizona Republic’s Andrew Oxford reports.

“We had a job to do, and that job was simple: Count every vote,” Hobbs says in a new campaign video. She described the partisan audit in Maricopa County as a failure of state government, which she charged is “being run by conspiracy theorists.”

Hobbs is entering the governor's race as a slew of Republicans who supported former president Donald Trump’s baseless election fraud claims launch bids to be their states’ top election officials. In Arizona, state Rep. Mark Finchem — a booster of fraud claims and calls for the audit in Maricopa County — is in the running to be the Republican candidate for Hobbs’s current job.

Government scan

Biden to amend Trump’s China blacklist, target key industries (Bloomberg)

Trump has grown increasingly consumed with ballot audits as he pushes falsehood that election was stolen (Josh Dawsey and Rosalind S. Helderman)

Industry report

  • FireEye is selling its security products business to a consortium led by Symphony Technology Group for $1.2 billion. Here’s more from CyberScoop’s Tonya Riley.

Chat room

FireEye's announcement should finally clarify for journalists which name to use for the company, which was created by a merger of Mandiant and FireEye, journalist Kim Zetter notes:

Former FBI special agent James Harris:

Cyber insecurity

Impact of ransomware attack on Mass. Steamship Authority expected to continue Thursday (NBC Boston)

The Villages hospital crippled by ransomware attack (Villages-News)

Daybook

  • Dr. Joseph Evans, the Pentagon’s Principal Director for 5G, and other officials speak at the Billington Cybersecurity 5G Security Summit, today at 11 a.m.
  • SANS hosts a debate on the cost and ethics of ransomware payments today at noon.
  • The Senate Homeland Security and Governmental Affairs Committee holds a hearing on the Colonial Pipeline hack on June 8 at 10 a.m.
  • The Middle East Institute hosts its annual cyber conference on June 9.
  • Quinn Carman, the director of operations of the NSA’s Red Team, speaks at the Silicon Valley Cyber Security Summit on June 9 at 10:50 a.m.  
  • Colonial Pipeline CEO Joseph Blount testifies before the House Homeland Security Committee on June 9 at noon. 

Secure log off
