16 Sectors Off-limits to Hacking
President Joe Biden said he gave Russian President Vladimir Putin a list of 16 critical infrastructure sectors, from energy to water, that should not be the subject of malicious cyber activity during a meeting between the two men in Geneva on Wednesday.
The two heads of state also agreed to task cybersecurity experts from each government “to work on specific understandings about what’s off-limits and to follow up on specific [cyber incidents] that originate in either of our countries,” Biden said at press conference after a roughly three-hour meeting with Putin.
“I talked about the proposition that certain critical infrastructure should be off-limits to attack, period, by cyber or any other means,” Biden said. A White House official said Biden was referring to 16 critical infrastructure sectors designated by the U.S. government. In addition to energy and water, that list includes election systems, health care and the financial sector.
The bilateral meeting came weeks after two disruptive ransomware attacks on Colonial Pipeline, which supplies some 45% of fuel consumed on the East Coast, and meat processor JBS, which accounts for an estimated one-fifth of U.S. beef production. The FBI has blamed separate Russian-speaking cybercriminal groups for the hacks.
Biden on Wednesday reiterated that he believed the Russian government had a responsibility to curb the activity. He said he asked Putin how he would feel if ransomware disrupted a pipeline servicing Russian oil fields.
“A principle is one thing; it has to be backed up by practice,” Biden said. “Responsible countries need to take action against criminals who conduct ransomware activities on their territory.”
Asked what the penalty would be for Russian cyber-operations against critical infrastructure, Biden suggested that the U.S. would respond in cyberspace.
“I pointed out to [Putin] that we have significant cyber capability, and he knows it,” Biden said. “He doesn’t know exactly what it is, but it’s significant. And if in fact they violate these basic norms, we will respond [in cyberspace]. He knows.”
For his part, Putin said the two sides would “begin consultations” over cybersecurity issues, while saying that Russia has also been the victim of cyberattacks. Both Putin and Biden described the meeting as professional and even-tempered.
Biden said it remains to be seen whether the cybersecurity dialogue with Russia will lead to changes in Moscow’s behavior. “We’ll find out whether we have a cybersecurity arrangement that begins to bring some order,” Biden said.
The U.S. and Russia had previously agreed at the United Nations that certain critical infrastructure should not be attacked, but the new discussions in Geneva “take it to a new level of bilateral specificity,” said Christopher Painter, who was the top cyber diplomat at the State Department from 2011 to 2017. “Of course, presenting a list is one thing, the important thing is responding to violations and accountability when they occur.”
Still, there’s a low bar for improvement in U.S.-Russia cyber cooperation.
After the Colonial Pipeline incident, in which 5,500 miles of U.S. pipeline shut down for days, the Justice Department didn’t bother asking its Russian counterparts for help because Moscow’s history of harboring cybercriminals essentially makes it a waste of time, a senior department official said.
The meeting between Biden and Putin “generated some progress on risk reduction [the strategic stability talks], bilateral relations [returning ambassadors after Putin pushed them out], and perhaps some discussions of cyber aggression red lines,” Daniel Fried, the former U.S. ambassador to Poland, told CyberScoop. “But Biden also made clear that the U.S. will not tolerate Putin’s aggression against the U.S. or our friends and allies.”
As Biden and Putin were meeting, the U.S. Justice Department announced that a federal jury had convicted Russian national Oleg Koshkin for his alleged role in facilitating the use of a notorious hacking tool that cybercriminals have used to infect computers with ransomware. It’s part of an ongoing U.S. effort to crack down on operators of ransomware, many of whom are based in Eastern Europe and Russia, and make it harder for them to rebuild their services.
Perhaps more so than any previous U.S. presidential trip, cybersecurity has featured prominently during Biden’s first trip abroad as commander-in-chief.
The U.S. and other members of NATO on Monday slammed Russia for “turning a blind eye to cyber criminals operating from its territory.” A day earlier, the G7 called on Russia to “hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.”