But whether Russia will abide by any agreement and whether the United States will put enough muscle behind Biden’s tough words remains to be seen.
“I think Biden delivered the right message. If the Russians didn’t know we were serious, it’s unavoidable now,” James Lewis, a former top government cyber official, told me. “But Putin isn’t going to make any concessions. They’re going to test us … The next phase is coming up with ways to more comprehensively threaten them or to actually use our cyber capabilities.”
Here are four big takeaways from the summit:
1. Words alone won’t fix this.
Analysts widely agree the Kremlin will keep pushing the envelope in cyberspace until the United States and its allies strike back aggressively enough that it’s no longer worth it. So far, a bevy of economic sanctions, indictments of Russian government hackers and stern speeches calling out Russian hacking operations haven’t come close to doing the trick.
At this point, many experts say Russia will stop only when the United States launches its own aggressive cyberattacks against Russian targets — or makes abundantly clear it’s prepared to do so.
“Everybody knows we have this stuff,” Lewis said of advanced cyberweapons, “and the question is, what are we going to do with it.”
Biden hinted at that during his post-summit news conference, saying he “pointed out to [Putin] that we have significant cyber capability, and he knows it. He doesn't know exactly what it is, but it's significant.”
If Russia continues to “violate these basic norms,” he said, “we will respond … in a cyber way.”
To be clear, that probably means the United States will respond in a number of ways including cyber retaliation, as Ellen Nakashima reports.
Biden stopped short of saying whether he outlined specific acts of retaliation that will follow specific cyberattacks on critical infrastructure either by the Kremlin or by cybercriminals operating within Russian territory.
2. Don’t meet for the sake of meeting.
Russia has rarely shied away from talking about cybersecurity with the United States and its allies. But more than a decade of such diplomatic talks has not produced substantial changes in Russian behavior. And the Kremlin has sometimes used such talks to falsely argue that it’s being constructive rather than adversarial.
“Russia pushed for a long time to restart high-level talks,” Chris Painter, the State Department’s top cyber official during the Obama administration, told me, referring to cyber talks that President Barack Obama scrapped after the Russian annexation of Crimea.
“The problem with that is it sort of signals that everything is okay and let’s move forward. And that’s not where we are now,” Painter said. “It doesn’t serve the U.S. interest to have a dialogue for the sake of having a dialogue. It has to be concrete.”
3. Even the simple terms Biden laid out for the talks could get complicated quickly.
Biden’s terms were clear and limited: “We agreed to task experts in both our countries to work on specific understandings about what's off-limits [for hacking] and to follow up on specific cases that originate in … either of our countries.”
As a starting point, he cited the 16 industry sectors the United States has designated as critical infrastructure including agriculture, energy, health care, water and financial services.
That would cover the recent ransomware attacks against Colonial Pipeline that disrupted U.S. oil supplies and against the meat processor JBS, which threatened the U.S. meat supply. U.S. officials believe both those hacks were conducted by Russia-based criminals rather than the Russian government but with at least the Kremlin’s tacit approval.
But those 16 sectors also include telecommunications, information technology and the defense industrial base. Those sectors are all common targets for espionage-focused hacking, which U.S. officials have long insisted is perfectly appropriate.
U.S. officials also frequently figure out that something is critical only after it’s hacked.
Election systems, for example, were not on DHS’s critical infrastructure list when Russia interfered in the 2016 election. Outgoing DHS secretary Jeh Johnson added them to the list before leaving office in January 2017. That was an effort to make clear the United States would respond forcefully to any future election interference.
One of the cyberattacks that produced the most forceful White House response during the Obama administration was the North Korean-attributed hack of Sony Pictures Entertainment. But movie studios are still nowhere on the critical infrastructure list.
In that case, officials said the hack was extra serious because the hackers attempted to inhibit the U.S. ideal of free expression — by forcing the studio to shelve the stoner comedy “The Interview,” which played the assassination of North Korean leader Kim Jong Un for laughs.
4. Yet, Biden’s no Pollyanna on Russian hacking.
The president made clear multiple times during his post-summit press conference he doesn’t expect a change in Russian behavior to be easy or automatic.
“I’m not confident of anything. I’m just stating the facts,” he told reporters in one testy exchange.
“We’ll find out within the next six months to a year whether or not we actually have a strategic dialogue that matters,” he said.
That skepticism is warranted. Obama unsuccessfully tried both dialogue and retribution to get Putin to stand down in cyberspace. Trump largely appeased Russia and things got even worse. The odds are against Biden making major progress on this front and there’s zero possibility of Russian cyber aggression ceasing entirely.
The best he can likely hope for is a gradual long-term shift in which the Kremlin judges the United States will impose heavier consequences for its cyberattacks and tempers them accordingly.
If the United States ratchets up the consequences for hacking, then Russia “won’t be cowed, but they will be willing to negotiate seriously,” Lewis told me. “Right now, there’s no incentive for them to make concessions. You can have talks with the Russians but they’re not going to give you anything.”
Ransomware is upending the cyber insurance industry.
A surge in ransomware is increasing the requirements and costs of cyber insurance coverage at a time when more companies need it than ever, Rachel Lerman and Gerrit De Vynck report. Many insurers are changing tactics by declining to take on new clients or capping coverage at about half of what they were previously offering.
“This is a tipping point this year,” said John Kerns, an executive managing director at insurance brokerage Beecher Carlson. “I’ve been in business for 32 years, and haven’t seen a market quite like this.” Ransom claims have surged at least 300 percent in the past year, Kerns said.
A bipartisan bill would slap additional penalties on hackers who target critical infrastructure.
Sens. Sheldon Whitehouse (D-R.I.) and Lindsey O. Graham (R-S.C.) will be laying out details of the bill at a news conference this morning. It will create new criminal violations for hackers who target power plants, dams, hospitals, election infrastructure and other critical infrastructure, a person with knowledge of the bill told The Cybersecurity 202. A similar bill passed the Senate Foreign Relations Committee last Congress but never became law.
The bill’s chances could be far better this year as Congress ramps up its scrutiny of cyberthreats to critical infrastructure, following the ransomware attacks against Colonial Pipeline and JBS.
The legislation also would criminalize trading access to botnets and give prosecutors legal tools for dismantling the networks of zombie computers. Hackers frequently use botnets to launch attacks that overwhelm victims with network traffic and render them incapable of doing business.
Police in Ukraine arrested six people with alleged links to a ransomware gang.
Law enforcement said they seized cars, computers and around $185,000 in cash, NBC News’s Kevin Collier reports. It's one of the rare cases in which ransomware hackers have actually faced arrest.
The group, called Cl0p, is known for hacking targets including American universities, and demanding that victims pay ransoms to keep their systems online or to not publish stolen data.
“While they weren’t considered a top-tier ransomware actor, their methods were fairly sophisticated,” Recorded Future ransomware analyst Allan Liska said.
A Senate committee endorsed Biden’s top cybersecurity nominees.
Chris Inglis and Jen Easterly were unanimously approved by the Senate Homeland Security and Governmental Affairs Committee, the Hill’s Maggie Miller writes. Inglis and Easterly now have to be confirmed by the full Senate.
Biden nominated Inglis as National Cyber Director and Easterly as director of the Cybersecurity and Infrastructure Security Agency in April.
Cyber-focused lawmakers are pushing for the pair to be confirmed by the full Senate before the Fourth of July holiday. Inglis and Easterly are priority nominees, a committee aide told The Cybersecurity 202, adding that “we hope to see them confirmed quickly.”
Securing the ballot
- The University of Pittsburgh’s Institute for Cyber Law, Policy and Security has launched the Pitt Disinformation Lab, which is designed to create a “new, community-centered system of malign influence warning, understanding, and response.”
- A Senate Homeland Security and Governmental Affairs Committee panel holds a hearing on cybersecurity threats to state and local governments today at 10:15 a.m.
- The University of Southern California’s Election Cybersecurity Initiative will hold its final spring workshop today at 4:30 p.m.
- Jeff Greene, the director of the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence who has been detailed to President Biden’s National Security Council, discusses Biden’s recent cybersecurity executive order at a National Security Institute event on Friday at 1 p.m.
- The R Street Institute hosts an event on the implementation of President Biden’s cybersecurity executive order on June 21 at 3:15 p.m.
- The Senate Armed Services Committee’s cyber panel holds a hearing on ransomware on June 23 at 2 p.m.