In a phone call, Biden warned Putin that Russia must take action to disrupt ransomware groups operating there, or the United States would impose consequences, the president said.
“I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden said.
Asked if there would be consequences, Biden said, “yes.” The president did not elaborate.
“It went well,” Biden said of their conversation. “I’m optimistic.”
Biden’s call to Putin came after a meeting between the two leaders three weeks ago in Geneva, during which Biden delivered a similar warning. It was the first time the two spoke since and reflected the sense of urgency surrounding the surge in ransomware attacks — something the Biden administration has elevated to a national security threat.
The attacks have grown in frequency over the last year and a half, officials said. Hospitals were targeted last fall amid the coronavirus pandemic, and there were fears ransomware would cripple election systems before the November presidential election. But it was an assault on Colonial Pipeline in May, leading to gasoline shortages in much of the Southeast, and a June attack on meat supplier JBS, that pushed the issued to the forefront.
The leader-to-leader engagement on this issue is unprecedented — “something the president feels as vital” given the threat, White House press secretary Jen Psaki said. “Certainly the president knew, even when they met in Geneva, that there would be a need for ongoing discussions and engagements.”
After the Geneva summit, the two sides also began strategic consultations involving White House cyber and regional experts and their Kremlin counterparts. Another virtual meeting is scheduled for Wednesday.
While in Europe last month, Biden also raised the issue of cyber attacks with allies in the Group of Seven and the European Union. The G-7 — the world’s largest advanced economies — issued a statement calling on Russia to hold to account criminals within its borders who conduct ransomware attacks.
Biden was direct in his call with Putin, and underscored that if Moscow did not take action to disrupt ransomware groups operating on Russian soil, the United States would, according to people familiar with the exchange, who spoke on the condition of anonymity because of the matter’s sensitivity.
“Clear, unambiguous leader-to-leader conversation doesn’t leave room for misinterpretation and allows us to convey what our expectations are and what the potential consequences will be if those expectations aren’t met,” said Christopher Painter, the State Department’s top cyber official in the Obama administration.
Some national security experts say Putin has had enough time to curb the attacks. “It’s time to take the gloves off,” said David Laufman, a former senior Justice Department official who oversaw prosecution of state-sponsored cyber attacks. He said Biden should impose consequences now, such as economic sanctions, export controls and law-enforcement actions, to disrupt criminals’ use of computer infrastructure.
According to the Kremlin’s readout of their call, Putin told Biden that Russia had expressed willingness to cooperate on the issue, but that U.S. law enforcement agencies had not approached Russian authorities about the recent cyberattacks.
A senior administration official disputed that. “We have relayed multiple specific requests for action on cyber criminals” to Moscow, “and been clear about what Russia’s responsibility is with regard to taking action, including again today,” said the official, speaking on the condition of anonymity under ground rules set by the White House.
Russian security services are able to identify criminal hackers without U.S. help, say current and former U.S. officials. Biden, on the call, expressed confidence in the Russian government’s ability to do so, the people familiar with their exchange said.
Biden’s remarks inevitably raise expectations that the United States will take decisive action to punish Moscow if the attacks do not abate quickly. Administration officials sought to temper those expectations.
“This is a broad campaign and won’t have an immediate on-off effect like a light switch,’’ the senior administration official said, “but we’re going to have to stay on top of it over a long period of time.”
The official alluded to Biden’s statement in Geneva that “we’ll find out within six months to a year” whether the engagement with Russia is working.
“The president really meant what he said . . . when he said that our assessment of this process, and our evaluation of Russia’s actions, would take time,” the official said.
The White House strategy extends beyond the bilateral talks. “This is really about our own resilience as a nation in the face of these attacks,” the official said. “It’s about addressing the challenges posed by cryptocurrency, which provides fuel for these sorts of transactions. It’s about ensuring that our allies and our partners are working with us collaboratively and upping their own game when it comes to resilience.”
Painter, the former State Department cyber official, said he, too, would not expect attacks to cease overnight. But “we can now expect Putin to take action” and Biden’s remarks have “set the stage for [imposing consequences on Russia] if they don’t.”
But, he warned, setting red lines and failing to act when they’re crossed is dangerous.
“If you don’t get the change of behavior you’re looking for and you don’t then take an action, you look like a paper tiger,” he said. “It puts you in a weaker position.”
Robyn Dixon contributed to this report.