Cyberattacks: Biden's red line to Putin; at what cost

DID President Joe Biden just issue a red line to Russian leader Vladimir Putin? When Biden described the warning, he presented to Putin on cyberattacks, it certainly sounded like one. This is both surprising and potentially problematic, but could also spur much-needed progress in the development of norms and doctrine in cyberspace.

Biden called his handing to Putin a list of 16 untouchable infrastructure entities a "proposition." But it was an odd proposition indeed, as it came with the promise of serious consequences if such sites were hacked.

After Wednesday's summit, in response to a question about the penalties that such an attack would incur, Biden stated: "I pointed out to him that we have significant cyber capability. And he knows it. He doesn't know exactly what it is, but it's significant. And if, in fact, they violate these basic norms, we will respond with cyber. He knows."

Biden also revealed that he asked Putin how he would feel if Russian pipelines got taken out by ransomware. It could have been a casual question, but Putin likely took it as a warning, particularly given that such pipelines are the lifeblood of Russia's economy, with oil and gas making up roughly a third of the country's gross domestic product.

The implicit red line was surprising, for two reasons. First, although widely discussed, the utility of red lines in the world of cyber has generally not been seen as a good idea. In September 2016, when Biden was vice president, General Kevin McLaughlin, the deputy head of US Cyber Command, explained to the Intelligence and National Security Summit that the US had decided against drawing "red lines" in cyberspace: "Ambiguity, not locking yourself in, is the way that our government prefers to do this."

Of course, much has changed in the realm of technology since then, but the value of maintaining the freedom to respond to cyberattacks however the US sees fit continues to be valuable.

Second, for Biden and many administration senior officials, the debacle over President Barack Obama's red line regarding the Bashar al-Assad regime in Syria is surely seared in their minds. At a press conference on August 20, 2012, Obama told journalists: "We have been very clear to the Assad regime that a red line for us is we start seeing a whole bunch of chemical weapons moving around or being utilised. That would change my calculus."

While at first the statement seemed to have a deterrent effect, by the end of the year the administration had detected signs of chemical-weapons use. The following August, a large-scale chemical attack in the Damascus suburbs led to the deaths of more than a thousand Syrians. What followed was a foreign affairs fiasco, with the administration talking about punitive strikes, only to have the president subsequently back down once he determined there was no support in Congress for military action.

Obama's failure to defend his own red line was noticed by allies and adversaries around the world, knocking America's credibility in defending norms it claimed to live by.

An implicit red line to Putin carries all of the potential complications that Obama's threat to Assad turned out to have. It limits the administration's flexibility in responding to cyberattacks, and carries the possibility that a failure to do so will harm American credibility at a time when Biden is rightly keen to show US resolve to Putin and the rest of the world, especially China.

Moreover, by specifying what entities need to be protected, the implication may be that other sites are fair game.

Finally, determining that the Russian State — as opposed to the sort of cybercriminals who apparently launched the attack on America's Colonial Pipeline — was responsible for any offensive operation will likely be considerably harder than attributing chemical weapons use to the Assad regime. Biden acknowledged in his press conference that there was a meaningful distinction between the Russian government and these nonstate actors. In reference to the recent ransomware attacks, he said of the Putin regime, "I don't think they planned it, in this case."

One can only hope that Biden made it very clear to Putin that he will be held responsible for any cyberattack against America — and that the US government has confidently assessed that Putin has the ability to fully control these groups should he want to.