President Joe Biden told U.S. intelligence officials on Tuesday that he thinks a cyber breach could lead to a “shooting war” with a major global power.
“I think it’s more likely we’re going to end up—if we end up in a war, a real shooting war, with a major power—it’s going to be as a consequence of a cyber breach of great consequence,” Biden said during a visit to the Office of the Direct of National Intelligence, according to a recording of his visit.
Biden did not clarify how the U.S. measures a breach “of great consequence,” but his remarks come after a series of Russian ransomware attacks and other cyberattacks have hit U.S. government and private sector entities. The American public has become intimately familiar with how ransomware attacks, especially those against a pipeline operator and meat supplier in recent months, can cause disruptions in Americans’ day-to-day lives.
“We’ve seen how cyberthreats including ransomware attacks increasingly are able to cause damage and disruption in the real world,” Biden told the approximately 120 ODNI staff in attendance.
The U.S. has long taken actions to retaliate against cyberattacks that have pummeled U.S. entities in recent years. It has sanctioned individuals it says are linked with attacks, indicted some, and called out different foreign government entities, such as China’s counterintelligence agency, the Ministry of State Security, for its involvement in cyberattacks. Cyber Command has worked to disrupt Russian government-linked hackers that sought to intervene in U.S. elections in recent years by sending them direct messages and interrupting their internet access.
And while Biden has said in recent months that he wouldn’t rule out a retaliatory cyberattack in response to one targeting U.S. entities, his remarks raised the specter that the U.S., or another adversary, might escalate its responses to cyberattacks in the future.
Sen. Angus King (I-ME), a member of the Senate Intelligence Committee, echoed Biden’s concerns in comments to The Daily Beast.
“I think what it means is he understands that a cyberattack can be easily as destructive if not more so than a dropping of a missile or a bomb and that… it could be a very serious breach of international law and the law of war, depending upon the nature of the attack,” King, a co-chair of the congressionally mandated Cyberspace Solarium Commission, told The Daily Beast. “I don’t think there’s any question that if there is a future shooting war it will start with cyber. That will be not necessarily the triggering event, but it will be what the adversary does to initially try to blind… us or whoever the war is between. That’ll be the first step of any shooting war in the future will be cyber.”
Rep. Jim Langevin (D-RI), co-chair of the Congressional Cybersecurity Caucus, told The Daily Beast the president’s analysis is spot-on and warned that a breach could lead to armed conflict.
“The president is right, and anyone who doesn’t think that a cyber breach could lead to armed conflict is living in an alternate reality,” Langevin, who serves on the House Armed Services Committee and the House Committee on Homeland Security, told The Daily Beast. “In just the last five years, Russian and Chinese state hackers have caused billions of dollars in damage to our economy, and as we speak they are probing our critical infrastructure.”
It’s not the first time the U.S. government has raised the prospect that a kinetic response could come following a cyberattack. The Obama and Trump administrations both acknowledged that the U.S. reserves the right to respond to cyberattacks with the military.
Biden’s remarks hinting at possible escalation come after his administration has repeatedly but unsuccessfully demanded that the Kremlin step up to the plate and help tamp down on hackers within its borders targeting U.S. entities.
Biden could very well be signaling to foreign adversaries like Russian President Vladimir Putin that the administration is prepared to take things up a notch in case of any future cyberattacks against the U.S., Larry Pfeiffer, a former senior CIA and NSA official, told The Daily Beast.
“President Biden is expressing two things, I believe. One, he is putting Russia and China and others on notice that we are not bound to limit our response to a cyber attack to solely the cyber domain,” Pfeiffer, now the director of the Hayden Center, said. “He is also expressing concern about what could happen with a cyberattack gone wrong—one that creates an unexpected cascade of consequences that go well beyond the intended effects.”
If a cyberattack led to fatalities or other extremely destructive outcomes, the U.S. could escalate things beyond just retaliating in cyberspace, Matt Tait, a former analyst at the U.K. signals intelligence agency GCHQ, tells The Daily Beast.
That said, “the public should not assume cyber incidents generally are an automatic precursor to an armed conflict, or that this is a meaningful change of posture by the U.S.,” Tait added.
According to the Cyberspace Solarium Commission, adversaries’ influence operations and intellectual property theft might not warrant a “major” response, but they could warrant responses including cyber and non-cyber capabilities.
Cyber-operations have bled over into the physical realm in recent years. The Pentagon launched a drone strike in 2015 to kill Junaid Hussain, who ran the Islamic State’s hacking arm and encouraged violence against U.S. officials. In 2019 Israel’s military announced it had launched airstrikes targeting a building it said housed Hamas soldiers preparing to launch a cyberattack. It was the first time a government announced it was responding to a cyberattack or cyber behavior with a kinetic response, or warfare that can include lethal force.
If an adversary launched a cyberattack that destroyed critical infrastructure in the U.S., the government would likely respond with more than just a cyberattack, Paul Rosenzweig, former deputy assistant secretary for policy at the Department of Homeland Security, told The Daily Beast.
“To take but one extreme example, I have no doubt that if a Russian military unit used a cyber method to destroy the Hoover Dam, we would see that act as no different than had they used a missile,” said Rosenzweig, now a resident senior fellow on cybersecurity and emerging threats at R Street Institute. “The challenge, as it always has been, is in drawing a line where the physical harm becomes so great that America considers itself justified in entering into an armed conflict.”
Biden, of course, warned Putin earlier this year that he should consider critical infrastructure off limits, and that the U.S. would take “any necessary action” to defend critical infrastructure in the U.S. At the time, Biden did not specify what those responses might look like.
Several hacking incidents have already crossed the rubicon that could lead to an escalation of conflict, warns Joe Slowik, who previously ran the Incident Response team at Los Alamos National Laboratory. Russia’s cyberattacks on Ukrainian power companies and its electrical grid infrastructure, for instance, would likely warrant a more forceful response from the federal government should that happen in the U.S., Slowik told The Daily Beast.
“I think this makes explicit that which has long been assumed in the US perspective on cyber events: we’ll tolerate a number of things [such as] espionage, ransomware… but some items are unacceptable and would result in a disproportionate response,” Slowik, now threat detection lead at the network-monitoring firm Gigamon, told The Daily Beast.
U.S. intelligence officials have previously assessed Russian hacking and efforts to turn out the lights in Ukraine could serve as a testing ground for future hacking operations targeting other countries, including in the U.S.
Escalating cyberattacks to boots on the ground or other kinetic responses, however, could be a slippery slope sacrificing American lives, especially as Russia and China continue to conduct brazen cyber-operations targeting U.S. entities, warns Ben Johnson, a former NSA hacker.
“With Russia and China continuing to be aggressive, the White House does not have an easy job,” Johnson, the co-founder of Obsidian Security, told The Daily Beast. “Our leadership and federal agencies need to continue pushing forward on strategic planning and capabilities development, and be careful in the responses we use to try to limit escalation before lives are lost.”
Rep. Elissa Slotkin (D-MI) told The Daily Beast she thinks the U.S. ought to create a clear policy on what is acceptable and not acceptable behavior from adversaries in cyberspace and what these kinds of responses might look like.
“Folks who have been looking at cyber threats for a long time have known for many, many years that the future of warfare is one that intertwines new technology like cyber and [artificial intelligence] and hypersonics and directed energy and conflict in space with more traditional conventional military engagement,” Slotkin, a former CIA analyst now serving on the House Armed Service’s Subcommittee on Intelligence, Emerging Threats and Capabilities, told The Daily Beast in a phone call. “No one wants that, but I think he’s absolutely right in talking about that more openly.”