WASHINGTON — The Biden administration is preparing sanctions and other measures to punish Moscow for actions that go beyond the sprawling SolarWinds cyber espionage campaign to include a range of malign cyber activity and the near-fatal poisoning of a Russian opposition leader, said US officials familiar with the matter.
The administration is casting the SolarWinds operation, which hacked government agencies and private companies, as “indiscriminate” and potentially “disruptive.” That would allow officials to claim the Russian hacking was not equivalent to the kind of espionage the United States also conducts, and to sanction those responsible for the operation.
Officials also are developing defensive measures designed to make it harder for Russia and other sophisticated adversaries to compromise federal and private-sector networks, said the officials, several of whom spoke on condition of anonymity because of the matter’s sensitivity.
Part of the administration’s response, too, will be an attribution statement stronger than the one the intelligence community released in January saying that Moscow “likely” was behind the SolarWinds operation. A White House official said last week that the Russian campaign hit nine US government agencies and about 100 private companies.
But the aim of the various measures, officials said, is to convey a broader message that the Kremlin for years has used cyber tools to carry out an array of actions hostile to the interests of the United States and its allies: interfering in elections, targeting coronavirus vaccine research, and creating a permissive atmosphere for criminal hackers who, among other things, have run ransomware botnets that have disrupted American public health facilities.
In a speech to the Munich security conference last week, President Biden said that “addressing . . . Russian recklessness and hacking into computer networks in the United States and across Europe and the world has become critical to protecting our collective security.”
National security adviser Jake Sullivan said Sunday that the response, expected in coming weeks, “will include a mix of tools seen and unseen, and it will not simply be sanctions.” The bottom line, he told CBS’s “Face the Nation,” is that “we will ensure that Russia understands where the United States draws the line on this kind of activity.”
The administration is also working on an executive order that will improve the Department of Homeland Security’s ability to ensure the resilience of government networks. Part of that is deploying a new technology, a senior administration official said, that gives federal defenders at the department’s Cybersecurity and Infrastructure Security Agency “visibility” into networks that was missing in the SolarWinds hacks.
“You can’t defend against something you can’t see,” the official said in an interview.
The punishment for the cyber hacks is intended to be part of broader measures aimed at holding Moscow accountable for other actions, such as its use of a banned chemical weapon against anti-corruption activist Alexei Navalny.
Politico on Monday reported on the administration’s plan to impose sanctions for the poisoning and jailing of Navalny, in coordination with European allies.
The government in January characterized SolarWinds as “an intelligence-gathering effort.” Espionage is an activity the United States and virtually every other country conducts against its adversaries — and even allies. But senior Biden administration officials have said they view the Russian activity as more than just classic espionage.
Last week, Anne Neuberger, deputy national security adviser for cyber and emerging technology, said at a news briefing that “when there is a compromise of this scope and scale, both across government and across the US technology sector . . . it’s more than a single incident of espionage. It’s fundamentally of concern for the ability for this to become disruptive” — damaging computers or undermining their operation.
What’s notable about these breaches is they were enabled by the Russians hacking software used in the victims’ networks — what is known as a “supply chain” attack.
For instance, some of the victims had downloaded poisoned software updates from the Texas company SolarWinds, which was the Russians’ initial steppingstone into their computers. About 18,000 entities worldwide received the updates. But only a fraction were compromised. The Russians designed the operation so they could choose which targets to victimize. Those they chose to ignore received a “kill switch,” dismantling the malware.
Some US officials argue privately that that feature — the selective targeting and disabling of the malware — made the campaign “discriminate,” and not as alarming as an attack that compromised every person whose computer downloaded the poisoned update.
But the senior administration official viewed it differently. “We’re seeing that this kind of broad, indiscriminate compromise, and the access that it enabled the hackers to have, crosses a line of concern to us because it can be turned to be disruptive so quickly,” the official said. “So, at its centrality, it is destabilizing.”