According to officials familiar with the discussions, these options include variants of steps that President Barack Obama considered and rejected after hacking the state electoral systems in 2016. These included using cyber tools to expose or freeze assets secretly held by President Vladimir V. Putin of Russia, exposing his links to oligarchs, or technological measures to break Russian censorship and help dissidents in a moment of political protest to communicate with the Russian people.
Speaking at a press conference at the White House Tuesday, Jen Psaki, the press secretary, said an American response would come in “weeks, not months”. But first, the United States must make a definitive statement that one of the Russian intelligence agencies was responsible.
“There’s not much tension right now about what we’re talking about,” said Mr Smith, who added that while Microsoft had not identified the intruders but saw nothing in line with American intelligence’s preliminary finding that Russia was “probably” the culprit be.
Mr Biden then has another problem to overcome: distinguish what the Russians have done from the kind of espionage the United States is doing, including against its allies. Officials are already preparing the reasons for this argument. Last week, Mr Biden described the malware’s intrusion as “reckless” as it hit more than 18,000 companies, mostly in the US. In private, American officials are already testing an argument that Russia should be punished for “indiscriminate” hacking, while the US only uses similar tools for targeted purposes. It is unclear whether the argument will prove convincing to others to join in steps to make Russia pay.
Mr Biden’s upcoming actions are likely to include instructions from the executive branch to improve the resilience of government agencies and corporations to attack, as well as proposals on mandatory disclosure of hacking. Many of the companies that lost data to the Russians did not admit it, either out of embarrassment or because there is no legal requirement to disclose even a serious breach.
The subtext of much of the testimony, however, was that Russian intelligence services may have provided American networks with “back door” access. And that possibility – just the fear of it – could limit the type of punishment Mr. Biden imposes. While he pledged to impose “significant costs” during the presidential change, previous promises to hold Russia accountable did not create enough deterrence to worry them about the penalty for embroiling in the most sophisticated hacking in the supply chain in history.
“The reality is that they will come back and be a ubiquitous crime,” said Kevin Mandia, the executive director of FireEye, the cybersecurity firm that first found the intrusion after the Russians stole its tools for the hackers. Mr. Mandia, a former Air Force intelligence officer, noted that the hackers had been addressing known but little-addressed security holes “since locking the front door”. In this case they got into the network management software update system made by a company called SolarWinds. When users of the SolarWinds Orion software downloaded the updated versions of the code, the Russians were there.