Senate Intelligence Committee Chairman Mark Warner said espionage campaigns like the SolarWinds hack merit discussion with Russian President Vladimir Putin.
Sen. Mark Warner, D-Va., wants the U.S. and allied nations to take espionage campaigns like SolarWinds into account when imposing consequences for cyberattacks but the White House is actively avoiding the issue as it focuses on reducing the threat of ransomware.
“I think that we need to also have a very strong message on cybersecurity, the direct Russian government hacking like we saw in the case of SolarWinds,” Warner said during a virtual event with the Washington Post Monday. The chairman of the Senate Intelligence Committee was responding to a question about what President Joe Biden should be looking to deliver in advance of a meeting with Russian President Vladimir Putin Wednesday.
But the White House would rather not mix a discussion of SolarWinds, which U.S. government agencies have attributed to the Russian Foreign Intelligence Service and believes was an intelligence-gathering mission, with its efforts to hold ransomware criminals accountable. As it currently stands, traditional espionage is fair game and the U.S. also engages in such activity.
“We're not looking for conflict,” Biden told reporters about the upcoming meeting, according to a readout the White House released Sunday. “We are looking to resolve those actions which we think are inconsistent with international norms.”
And National Security Advisor Jake Sullivan went further, distinguishing SolarWinds from the sort of ransomware attacks on Colonial Pipeline and meat processor JBS, according to another Sunday release.
“We do see a difference between SolarWinds, on the one hand, and ransomware attacks on the other hand,” Sullivan told reporters. “Ultimately, we don't judge Russia—the Russian government—was responsible for the ransomware attacks, but we have said it is Russia's sovereign obligation to deal with it, and we have communicated that to them. And that is a continuing dialogue between our countries.”
Biden himself, like Warner and Sen. Angus King, I-Maine, have noted that while ransomware groups like Darkside—which acknowledged responsibility for the Colonial Pipeline hack—are not officially connected to the Russian government, they nonetheless operate within Russia’s jurisdiction.
The president told reporters it was “potentially a good sign and progress” that Putin said he would be willing to turn cyber criminals over to the U.S. if the U.S. agreed to do the same. He stressed the meeting would be about finding ways to work together in a stable relationship. Sullivan later said this would be easy since the U.S. already works to hold cyber criminals to account.
Warner agreed that stability is important, but he told the Post U.S. and allied democracies should connect the wide-reaching SolarWinds hack to efforts to hold nation-states accountable for malicious cyber activity that occurs within their borders.
“SolarWinds was a case where the Russians got into 18,000 companies,” he said, referencing customers that installed a trojanized update from the company. U.S. officials said hackers went on to compromise nine federal agencies and over a hundred private companies.
“Luckily they only decided to exfiltrate out information in a sense, classic espionage, but nothing would have stopped them if they'd gotten into those 18,000 companies, and instead said, 'let's go ahead and shut all those companies down' the way that cyber criminal groups did in terms of Colonial Pipeline and the meatpacking plant and some of the other areas,” he said. “They could have brought our economy to a grinding halt.”
Warner said domestically, there should be a law to mandate companies report cyber incidents to the federal government. He’s working on legislation to that effect and during the event, he called for a debate about whether victims should pay in ransomware attacks.
“We also need some international set of standards so that ... we say to the Russians, whether it's coming from the Russian spy services, or a group of cyber criminals, ‘if you are attacking critical infrastructure in America, or for that matter in the West, where they shut down the Irish health care system a few weeks back, there will be consequences,” he said.