Vulnerabilities in America’s critical infrastructure are forcing the federal government to rethink its response to cyberattacks, a top cybersecurity adviser to President Biden acknowledged Wednesday.
Anne Neuberger, deputy national security adviser for cyber and emerging technology, told an Aspen Institute security forum that the federal government knows there are “gaps in security across our critical infrastructure” when responding to hostile cyber activity such as hacks and ransomware attacks.
She emphasized that the gaps represented one factor and not a limitation on the menu of options the federal government examines when considering how to answer a cyberattacker.
“The most effective way to address ransomware and other disruptive cyber activity coming from within a country’s borders is within that country’s leadership — shaping their expectations and shaping their calculations,” said Ms. Neuberger told the forum. “And I think you’ve seen the president doing that in a very thoughtful way across his personal engagements, the engagements he has built across our country’s inter-agencies and also in that approach both from national resilience, engaging allies and partners and making clear that other options will be considered as well.”
Mr. Biden’s critics have urged more forceful retaliatory attacks on cyberattackers, but Ms. Neuberger said the administration is focused on keeping the nation safe in cyberspace and thinking of the “long game.”
She said the government intends to accomplish its cyberspace goals through developing international norms, deterrence by denial to domestic systems, and ensuring the government can defend itself.
Mr. Biden has repeatedly warned Russian President Vladimir Putin this summer that there would be consequences for cyberattacks on critical infrastructure and disruptive actions in cyberspace, which U.S. officials have said originated from inside Russia.
Even some of Mr. Biden’s Democratic allies in Congress have grown frustrated with the Biden administration’s cyber strategy and approach to critical infrastructure attacks. Last week, Sen. Sheldon Whitehouse, Rhode Island Democrat, chastised the federal government over what he said was its failure to get key players to take cybersecurity seriously and confront what he called the lack of “real standards” for security.
In June, Mr. Whitehouse and Sen. Steve Daines, Montana Republican, proposed a bill directing the Department of Homeland Security to study the benefits and risks of authorizing private entities to take offensive cyber actions.
While the federal government debates the right response to attacks on critical infrastructure, Ms. Neuberger indicated that she thought Mr. Biden’s message that critical infrastructure was off-limits had been heard by potential adversaries.
She pointed to reported comments of BlackMatter, a new cybercriminal group and potential successor to ransomware gangs that have hit critical infrastructure. According to the cyber intelligence company Recorded Future, BlackMatter has pledged not to target certain industries, including critical infrastructure.
“We think we’re seeing a commitment and we will look to see the actions that follow up on that commitment,” said Ms. Neuberger of BlackMatter.