Once, superpower summits were about nukes. Now, it’s cyberweapons.
By David E. Sanger
For 70 years, meetings between American presidents and Soviet or Russian leaders were dominated by one looming threat: the vast nuclear arsenals that the two nations started amassing in the 1940s, as instruments of intimidation and, if deterrence failed, mutual annihilation.
But as President Joe Biden prepared to meet with President Vladimir Putin in Geneva on Wednesday, for the first time cyberweapons were being elevated to the top of the agenda.
The shift has been brewing for a decade, as Russia and the United States, the two most skilled adversaries in the cyber arena, have each turned to a growing arsenal of techniques in what has become a daily, low-level conflict. But at summit meetings, that sort of jousting was usually treated as a sideshow to the main superpower competition.
No more. The rising tempo and sophistication of recent attacks on American infrastructure — from gasoline pipelines running up the East Coast, to plants providing one-quarter of America’s beef, to the operations of hospitals and the internet itself — has revealed a set of vulnerabilities no president can ignore.
For Biden, nuclear weapons still matter, and his aides say the two men will spend a good amount of time debating “strategic stability,” shorthand for containing nuclear escalation. But the more immediate task, Biden told his allies at a Group of 7 summit meeting in Cornwall, England, last week and a NATO meeting in Brussels, is to convince Putin he will pay a high price for playing the master of digital disruption.
It will not be easy. If a decade of intensifying cyberconflict has taught anything, it is that the traditional tools of deterrence have largely failed.
And while Putin loves to boast about his huge investments in new, nuclear torpedoes and hypersonic weapons, he also knows he cannot use them. His arsenal of cyberweapons, in contrast, is put to work every day.
Biden has made clear that he intends to give Putin a choice: Cease the attacks, and crack down on the cybercriminals operating from Russian territory, or face a rising set of economic costs and what Biden calls a set of moves by the United States to “respond in kind.” But Sunday, while still at the Group of 7 summit in Cornwall, he acknowledged that Putin may well ignore him.
“There’s no guarantee you can change a person’s behavior or the behavior of his country,” Biden said. “Autocrats have enormous power, and they don’t have to answer to a public.”
Deterrence is a problem that many of Biden’s top national security aides have been thinking about for years, drawing on their experience on the front lines of cyberconflict at the National Security Agency, the Justice Department and the financial sector. They are the first to say that arms control treaties, the main tool employed in the nuclear age, are not well adapted to the cyberrealm. There are just too many players — nations, criminal groups, terrorist organizations — and no way to do the equivalent of counting warheads and missiles.
But their hope is to get Putin to begin discussing targets that should be off the table in peacetime. The list includes electric grids, election systems, water and energy pipelines, nuclear power plants and — most delicate of all — nuclear weapons command-and-control systems.
On paper, that would seem to be relatively easy. After all, an expert group of the United Nations, with representatives of all the major powers, has repeatedly agreed to some basic limits.
In reality, it is proving agonizingly difficult — far more so than the first attempt at nuclear arms control that President Dwight Eisenhower broached with Nikita Khrushchev in Geneva 66 years ago, just before the Cold War spun into a terrifying arms race and, seven years later, nuclear confrontation in Cuba.
President Ronald Reagan said “we need to ‘trust, but verify,’” noted Eric Rosenbach, the former head of cyber policy at the Pentagon, who helped navigate the early days of cyberconflict with Russia, China and Iran when Biden was vice president. “When it comes to the Russians and cyber, you definitely cannot trust or verify,” he said.
“The Russians have repeatedly violated the terms of any agreements on cyber at the United Nations, and are now systematically trying to tie up the United States” in a morass of international legal issues “while hitting our critical infrastructure,” Rosenbach said.
Putin refuses to acknowledge that Russia uses these weapons at all, suggesting that the accusations are part of a giant, American-led disinformation campaign.
“We have been accused of all kinds of things,’’ Putin told NBC News over the weekend. “Election interference, cyberattacks and so on and so forth. And not once, not once, not one time, did they bother to produce any kind of evidence or proof. Just unfounded accusations.”
In fact, evidence has been produced, though it is far harder to show, much less explain, than the photographs of Soviet missiles in Cuba that President John F. Kennedy displayed on television at a critical moment in the 1962 Cuban missile crisis.
But Putin is right about one thing. The ease with which he can deny any knowledge of cyberoperations — something the United States has done as well, even after mounting major attacks on Iran and North Korea — demonstrates why the deterrents that kept an uneasy nuclear peace in the Cold War won’t work with digital threats.
During the Obama administration, a successful Russian effort to break into the unclassified email systems of the White House, the State Department and the Joint Chiefs of Staff was never publicly attributed to Moscow — even though everyone, including then-Vice President Biden, knew what the intelligence indicated.
The muted response to the Russian effort to influence the 2016 election came only after the results were in. Obama’s reaction was comparatively mild: the expulsion of Russian diplomats and the closing of some diplomatic compounds. It was, in the words of one senior official at the time, “the perfect 19th century response to a 21st century problem.’’
Then came Trump’s time in office, in which he repeated, approvingly, Putin’s improbable denials of election interference. America lost four years in which it could have been trying to set some global standards, what Brad Smith, the president of Microsoft, calls a “cyber Geneva Convention.”
While the U.S. Cyber Command stepped up its fight, sending the digital equivalent of a brushback pitch to a Russian intelligence agency and knocking a major ransomware group offline during the 2018 midterm elections, the Russian assaults have continued. What worries the Biden national security team is not the volume of the attacks, but their sophistication.
Rosenbach, the former Pentagon cyber policy chief, said that ransomware gives Biden an opening. “Rather than focus on naively abstract ‘rules of the road,’ Biden should press Putin hard on concrete actions, such as halting the scourge of ransomware attacks against U.S. critical infrastructure,’’ he said.
“Putin has plausible deniability,” he said, “and the threat of additional sanctions is likely enough to convince Putin to take quiet action against” the groups responsible for the attacks.
That would be a start, if a small one.
If the history of nuclear arms control applies again — and it may not — expectations should be low. It is far too late to hope for the elimination of cyberweapons, any more than one could hope to eliminate guns. Analysts say the best one can hope for might be a first attempt at a digital “Geneva Convention” limiting the use of cyberweapons against civilians. And the perfect place to try may be in Geneva itself.
But that is almost certainly further than Putin is willing to go. With his economy overly dependent on fossil fuels, and his population showing signs of restiveness, his sole remaining superpower is the disruption of his democratic rivals.