The Problem With Biden’s Red Line to Putin on Cyberattacks
(Bloomberg Opinion) -- Did President Joe Biden just issue a red line to Russian leader Vladimir Putin? When Biden described the warning he presented to Putin on cyberattacks, it certainly sounded like one. This is both surprising and potentially problematic, but could also spur much-needed progress in the development of norms and doctrine in cyberspace.
Biden called his handing to Putin a list of 16 untouchable infrastructure entities a “proposition.” But it was an odd proposition indeed, as it came with the promise of serious consequences if such sites were hacked.
After Wednesday’s summit, in response to a question about the penalties that such an attack would incur, Biden stated: “I pointed out to him that we have significant cyber capability. And he knows it. He doesn’t know exactly what it is, but it’s significant. And if, in fact, they violate these basic norms, we will respond with cyber. He knows.”
Biden also revealed that he asked Putin how he would feel if Russian pipelines got taken out by ransomware. It could have been a casual question, but Putin likely took it as a warning, particularly given that such pipelines are the lifeblood of Russia’s economy, with oil and gas making up roughly a third of the country’s gross domestic product.
The implicit red line was surprising, for two reasons. First, although widely discussed, the utility of red lines in the world of cyber has generally not been seen as a good idea. In September 2016, when Biden was vice president, General Kevin McLaughlin, the deputy head of U.S. Cyber Command, explained to the Intelligence and National Security Summit that the U.S. had decided against drawing “red lines” in cyberspace: “Ambiguity, not locking yourself in, is the way that our government prefers to do this.”
Of course, much has changed in the realm of technology since then, but the value of maintaining the freedom to respond to cyberattacks however the U.S. sees fit continues to be valuable.
Second, for Biden and many administration senior officials, the debacle over President Barack Obama’s red line regarding the Bashar al-Assad regime in Syria is surely seared in their minds. At a press conference on Aug. 20, 2012, Obama told journalists: “We have been very clear to the Assad regime that a red line for us is we start seeing a whole bunch of chemical weapons moving around or being utilized. That would change my calculus.”
While at first the statement seemed to have a deterrent effect, by the end of the year the administration had detected signs of chemical-weapons use. The following August, a large-scale chemical attack in the Damascus suburbs led to the deaths of more than a thousand Syrians. What followed was a foreign affairs fiasco, with the administration talking about punitive strikes, only to have the president subsequently back down once he determined there was no support in Congress for military action.
Obama’s failure to defend his own red line was noticed by allies and adversaries around the world, knocking America’s credibility in defending norms it claimed to live by.
An implicit red line to Putin carries all of the potential complications that Obama’s threat to Assad turned out to have. It limits the administration’s flexibility in responding to cyberattacks, and carries the possibility that a failure to do so will harm American credibility at a time when Biden is rightly keen to show U.S. resolve to Putin and the rest of the world, especially China.
Moreover, by specifying what entities need to be protected, the implication may be that other sites are fair game.
Finally, determining that the Russian state — as opposed to the sort of cybercriminals who apparently launched the attack on America’s Colonial Pipeline — was responsible for any offensive operation will likely be considerably harder than attributing chemical weapons use to the Assad regime. Biden acknowledged in his press conference that there was a meaningful distinction between the Russian government and these nonstate actors. In reference to the recent ransomware attacks, he said of the Putin regime, “I don’t think they planned it, in this case.”
One can only hope that Biden made it very clear to Putin that he will be held responsible for any cyberattack against America — and that the U.S. government has confidently assessed that Putin has the ability to fully control these groups should he want to.
The exception to the analogy with the Obama red line is that if faced with a Russian cyberattack on one of these 16 untouchable entities, the Biden administration will not have the complication (or the excuse) of needing to consult with Congress about its response. Whereas there are strong legal arguments that the president should seek authorization from lawmakers of imminent military action, no such law exists for cyber.
This brings us to the areas where Biden’s implicit red line could have some benefits. For many years, experts have noted that the damage done by cyberattacks could be comparable to military strikes. But the recent ransomware attacks against U.S. entities have brought this reality into stark relief, and underscored how deficient the development of norms and doctrine has been, given the state of technology. This weakness persists despite laudable efforts by various United Nations bodies, the Global Commission on the Stability of Cyberspace, and the Paris Call for Trust and Security in Cyberspace of 2018.
Biden’s implicit red line to Putin could add real meat to a strategic dialogue on cyber-issues between Washington and Moscow; if it spurs much-needed great-power cooperation around the effort to build norms of behavior, it would be a meaningful step in moving the world beyond just identifying such rules to important actors internalizing them.
In addition, should the Biden administration find itself bound by the president’s words to initiate a cyberattack against Russia, Congress is likely to wake up to the fact that it has not exerted its constitutional authorities in a growing sphere of conflict — sparking hearings, deliberations and possibly new legislation.
Policy making is usually about choosing between bad options. Understandably, Biden felt it was urgent to halt the alarming trend of damaging cyberattacks coming out of Russia. He and his staff likely debated the pros and cons of a red line, and decided embracing one was the best course of action, despite its obvious downsides.
Yet it is difficult to see the benefits of making such an exchange public. Biden might have been able to create nearly the same deterrent effect by underscoring the untouchability of these 16 areas, and the guaranteed consequences of a cyberattack on them, in private with Putin. Now that the world is on watch, the U.S. government will need to intensify its effort to formalize what has thus far been informal in the world of cyber.
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Meghan L. O’Sullivan is a Bloomberg Opinion columnist. She is a professor of international affairs at Harvard’s Kennedy School, the North American chair of the Trilateral Commission, and a member of the board of directors of the Council on Foreign Relations and the board of Raytheon Technologies Corp. She served on the National Security Council from 2004 to 2007.
©2021 Bloomberg L.P.