President Joe Biden is a famously nice guy. Maybe he should stop being nice, just for a while.
His administration is reportedly close to punishing Russia for a series of glaring transgressions and abuses, including the epic SolarWinds Corp. computer hack that has left governments and businesses worldwide exposed to a mammoth data breach. As Bloomberg News reported Wednesday, the White House may soon announce economic sanctions against individuals close to Russian President Vladimir Putin and expel Russian diplomats from the U.S. There also may be "private talks with Russia laying out further actions the U.S. would be prepared to take."
I don't know. When you haven't taken any action, telling the people who have been picking your pocket that there are further actions you would be prepared to take if they don't change their ways doesn't seem threatening.
And the clock is ticking. The SolarWinds hack burst into view in December, but by then it had been running undetected for months. In late February, amid congressional inquiries into the intrusion, National Security Advisor Jake Sullivan said the Biden administration would soon deploy a "mix of tools seen and unseen" against Russia that went well beyond economic sanctions. Those actions were said to be just weeks away. In March, White House Press Secretary Jen Psaki said a "mix of actions seen and unseen" were on the way.
Now it's April, and Biden still hasn't acted. What's more, he has yet to appoint a national cyber director, the person with the authority to coordinate speedy responses to cyberattacks. Congress created the position late last year through defense legislation that overcame a veto from former President Donald Trump. The expectation was that Biden's White House, which has prioritized cybersecurity, would fill the role quickly. But bureaucratic squabbles have left it empty.
The scale and methods involved in the SolarWinds hack were frightening and unusual. Approximately 1,000 Russian operatives orchestrated the attack, penetrating at least 100 companies around the globe, as well as nine U.S. agencies. The Russians found their way onto those servers by targeting SolarWinds, an Austin, Texas-based company that provides network and information-technology software. Tech heavyweights such as Microsoft and Amazon.com were ensnared in the hack, and the federal government and business leaders still don't fully understand how Russia pulled it off.
China has also been fighting hard on the digital battlefield. In March, Microsoft disclosed that it was caught up in a sprawling hack engineered by China that began Jan. 3 but was uncovered only recently. Small businesses and schools were among the victims. The Wall Street Journal reported Thursday that China made use of reams of personal information it had stolen in earlier hacks to feed into the bigger attack.
The national security stakes in all this are tremendous. For a harrowing account of how far behind the U.S. has fallen in the digital arms race, read "This Is How They Tell Me the World Ends," by Nicole Perlroth, a reporter with the New York Times — a book based on seven years of interviews with hundreds of people engaged in the cyber-arms industry and digital warfare. Perlroth's chilling account explains how the U.S. lost its early lead in information warfare after legions of the digital sleuths it trained went overseas to teach everyone else what they knew.
At a minimum, the U.S. needs to prepare for protracted, dog-eat-dog cyberwarfare that, at best, may involve containment. It's unlikely that any government will ever win this war, particularly with two superpowers (the U.S. and China) and a trio of dangerous rogue states (Russia, Iran and North Korea) all engaged in the same kind of subterfuge.
Perhaps realpolitik explains why Biden is slow-walking his cyberattack response. He may be letting it ride in order to secure Russian cooperation in bringing Iran back into a nuclear arms agreement. He may be giving Russia and China a chance to cooperate because the U.S. cannot fully stem the sophisticated attacks.
Or, Biden may prefer a diplomatic solution. But that road is no longer promising. That's not to say it would be appropriate for him to respond by, say, shutting down part of Moscow's power grid or upending other networks its citizens rely on. Such an escalation would only invite a heightened response. On the other hand, there's precedence for destroying computer networks that Russian intelligence relies on.
However this plays out, Biden needs to do better than promise but not deliver actions seen and unseen.
Timothy L. O'Brien is a senior columnist for Bloomberg Opinion.