Warning the Russians against hacking infrastructure is fine, but deterrence must be credible

Last Wednesday, President Biden told reporters in Geneva that he discussed with Russian President Vladimir Putin “the prospect that certain types of infrastructure should be off limits to attack by cyber or any other means.”  He said, “I gave them a list, if I’m not mistaken – I don’t have it in front of me – of 16 specific entities…16 defined as critical infrastructure under U.S. policy.”

While many critics took to social media to criticize the President for not making “all” cyberattacks off limits, there could be a reason why Biden’s advisers suggested he initially focused on those 16 which were named “critical” as part of former President Obama’s Presidential Policy Directive 21 (PPD-21).

PPD-21 made it “the policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats” and was an important step in the right direction when it comes to America’s national and homeland security. It helped organize the Federal Government to better support the civilian owners and operators of the 16 infrastructure sectors identified, each with a Federal “Sector Specific Agency” or “SSA.”

For example, the Department of Homeland Security is the SSA for a number of these infrastructures ranging from chemical plants to dams, the Department of the Treasury is the SAA for financial services, and the Department of Energy is the SSA for the energy sector.

A significant challenge facing America now is that while the owners and operators of these 16 types of infrastructures may desire to defend themselves against cyberattacks and while they may have some organized assistance from the Federal Government to do so, all of that is likely insufficient to prevent them being taken down by a determined adversary.

For evidence, look no further than the Colonial Pipeline hack, the JBS S.A. hack, or the Oldsmar City Florida water treatment plan hack – all of which were reportedly precipitated by non-state actors (even if some had state-level support).

As a result, deterrence is an important part of any cybersecurity strategy.  Recognizing this, the March 2020 Cyberspace Solarium Commission, chartered under the 2019 National Defense Authorization, brought together some of the nation’s most experienced cybersecurity professionals under the leadership of its Co-Chairs Senator Angus King, Jr. (I-ME) and Representative Mike Gallagher (R-WI), to develop new cybersecurity strategy recommendations for the United States.

The Cyberspace Solarium Commission’s inaugural report may provide a glimpse into why President Biden’s top security advisors could have suggested he warn Putin about cyberattacks in these 16 critical infrastructure sectors:

“Rather than clearly communicating an ultimatum to a target, which may tie their hands and create politically infeasible “red lines,” states may prefer to retain strategic ambiguity and flexibility.”

President Biden’s focus on all 16 critical infrastructures may be intended to provide the United States the “strategic ambiguity and flexibility” the Commission suggested with respect to “red lines.” This means the Russian government cannot be certain which infrastructure sectors will provoke an immediate American response if hacked.

The Solarium Commission produced its first report in March 2020 with more than 80 recommendations to implement a new strategy of “layered cyber deterrence.”   The report described this “deterrence” by saying that “[I]t combines enhanced resilience with enhanced attribution capabilities and a clearer signaling strategy with collective action by our partners and allies,” and “[I]t is a simple framework laying out how we evolve into a hard target, a good ally, and a bad enemy.”

Additionally, while sending a signal to Russia, the President’s advisors were likely wanting to send a signal to the owners and operators of the nation’s 16 critical infrastructures, one that reinforces an important finding of the Commission: “deterrence will require private-sector entities to step up and strengthen their security posture.”

Many of the ways that both the private sector and the government can “step up and strengthen their security posture” are outlined in the Commission’s four subsequent white papers, including its last one published on January 19^th and titled “Transition Book for the Incoming Biden Administration.”

On Thursday, the Administration got one step closer to accomplishing a major recommendation of this Transition Book with the Senate’s confirmation of Mr. Chris Ingles as the National Cyber Director (NCD). The Solarium Commission recommended the creation of the NCD as a new position within the Executive Office of the President “to lead national-level coordination of cybersecurity strategy and policy, both within government and with the private sector.” Mr. Ingles, who served on the Solarium Commission, is an excellent choice for the job, but will need Congress to provide funding for him to hire staff and support.

A key challenge for Mr. Ingles will be to operationalize what the Solarium Commission’s Transition Book defined as “one of the bright spots of the Trump administration’s cyber policy,” – the “defend forward concept and the delegation of authorities for offensive cyber operations.”

According to one of the Commission’s directors, Dr. Erica Borghard, defend forward “entails the proactive observing, pursuing, and countering of adversary operations and imposing costs in day-to-day competition to disrupt and defeat ongoing malicious adversary cyber campaigns, deter future campaigns, and reinforce favorable international norms of behavior, using all the instruments of national power.”

In other words, America would be able to assertively defend its infrastructure from attack, and not wait for another major pipeline, meat processor, or water treatment system to be compromised.

Ultimately there was nothing wrong with the Biden administration decision to warn Putin against attacks on our critical infrastructure. But more important is ensuring that such warnings are actually credible. To do that we must be ready to “defend forward” and we must be well-prepared to execute offensive cyber operations.

Only then can we be confident that such warnings will be backed up with real consequences.