June 28, 2021
President Joe Biden recently embarked on his inaugural foreign trip, meeting first with our North Atlantic Treaty Organization (NATO) partners and the G-7 Group of Nations, followed by a highly-anticipated tete-a-tete with Russian President Vladimir Putin in Geneva, Switzerland. One of the most closely watched topics in all of these discussions, especially with Putin, was cybersecurity and how to counter foreign threats to American critical infrastructure, including to our elections systems.
This issue took on even more importance in the lead-up to these meetings because of a number of recent high-profile ransomware attacks where cybercriminal groups gained access to a victim’s network, stole their data and locked their systems, and demanded a ransom from the company to regain access and control. These criminal outfits are usually located overseas, in countries such as Russia, and often have ties to hostile intelligence services, who like to use them as arms of their foreign policy agendas. This is certainly the case with the foreign interference the Russian government has undertaken in our political system under Putin’s leadership.
The goals for Biden’s meeting with Putin were bounded but important: to develop a working relationship and modalities in which to address contentious subjects (such as cyber attacks); evaluate whether Putin is interested in having a constructive relationship on issues where our countries might be able to work together; and make clear that the promotion of democratic values is core to the Biden team’s policy agenda and attempts by Russia to meddle in other countries (especially ours) will be met with a real response.
The U.S. must be willing to use whatever tools we can to pressure countries like Russia, to convince them that there will be consequences if they continue to interfere in our political system or allow criminal enterprises located in their country to disrupt our infrastructure. This pressure tends to take the form of a “carrot and stick approach,” i.e.: Are there any incentives big or important enough that we could offer to Putin to stop meddling? And are there enough concrete threats the U.S. could make to convince him that dealing with our response won’t be worth the effort? There is a strong argument to be made that it’s the latter piece of that equation — the threat — that is the most important to convey to an autocrat like Putin. There is also, of course, a real open question about whether any carrot or stick could convince Putin that the risk isn’t worth the reward.
It’s too early to tell whether any real progress will come on cybersecurity from this US-Russia summit. We do know that Biden told Putin there are 16 kinds of critical infrastructure the U.S. believes should be off-limits to cyberattacks, likely a reference to the 16 sectors designated as critical by the Department of Homeland Security, which importantly for our mandate would include elections infrastructure. Previous attempts to carve out cybersecurity “safe zones” or “no-go zones” with the Russians have not been very successful, so we will watch to see how this unfolds. Biden did also say that both countries agreed to task their experts to work together on potential specific understandings about what is off-limits in the cyber realm.
This nefarious cyber activity that Russia, Iran, and other adversaries are undertaking is part of a larger ideological battle that Biden has essentially made the cornerstone of his foreign policy doctrine: that of democracy versus authoritarianism. Our foreign adversaries want us to be politically divided, susceptible to inflammatory information online, and distrustful of our democratic institutions so that they can sow doubt about our system of government and prevent us from functioning well as a democratic society. They are literally trying to undermine democracy itself.
Against this ideological backdrop, in another meeting during that same week, the 30 NATO member countries took an important step by agreeing that major cyber attacks on a member state could be considered an armed attack — a significant designation that could lead to the invocation of NATO’s collective security provision, Article 5. This provision has only been used once in NATO’s history, to defend the United States after the 9/11 terrorist attacks.
Given NATO was founded in the wake of World War II to counter the Soviet Union and provide collective security for Western European states, this update to its mission to take account of the major cyber threat emanating from Russia and elsewhere is a smart and necessary one. Whether Article 5 is invoked in response to a given cyber attack will be considered on a case-by-case basis, but the NATO communique did make clear that joint action could indeed follow, writing, “If necessary, we will impose costs on those who harm us.”
Allies could provide technical support or intelligence assets to one another, for example, including potentially using offensive cyber capabilities to impose costs on those responsible for cyber attacks. This is an area of warfare that is rapidly evolving, in terms of offensive state capabilities and ethical discussions about when and how to utilize those capabilities. It is important for the NATO member states to engage in this debate and determine how best to defend ourselves by considering all of the options at our disposal.
Whether NATO or other like-minded alliances will be able to effectively counter the growing and relatively low-cost threat of cyber warfare remains to be seen. In such an asymmetrical situation — where our adversaries can cause quite a bit of damage with very little overhead or resources — countries have to be willing to impose large costs to deter bad actors from continuing their behavior. How do Western states make the cost so high to Russia or to these criminal organizations that they are deterred from continuing their attacks? That’s the key question that Western Allied states are grappling with, and it’s an encouraging sign that they put the issue front and center during this most recent meeting.


Marie Harf
International Elections Analyst, USC Election Cybersecurity Initiative

Marie Harf is a strategist who has focused her career on promoting American foreign policy to domestic audiences. She has held senior positions at the State Department and the Central Intelligence Agency, worked on political campaigns for President Barack Obama and Congressman Seth Moulton, and served as a cable news commentator. Marie has also been an Instructor at the University of Pennsylvania and a Fellow at Georgetown University’s Institute of Politics and Public Service.