GENEVA — For 70 years, meetings between American presidents and Soviet or Russian leaders were dominated by one looming threat: the vast nuclear arsenals that the two nations started amassing in the 1940s, as instruments of intimidation and, if deterrence failed, mutual annihilation.
Now, as President Biden prepares to meet with President Vladimir V. Putin here in Geneva on Wednesday, for the first time cyberweapons are being elevated to the top of the agenda.
The shift has been brewing for a decade, as Russia and the United States, the two most skilled adversaries in the cyberarena, have each turned to a growing arsenal of techniques in what has become a daily, low-level conflict. But at summit meetings, that sort of jousting was usually treated as a sideshow to the main superpower competition.
No more. The rising tempo and sophistication of recent attacks on American infrastructure — from gasoline pipelines running up the East Coast, to plants providing a quarter of America’s beef, to the operations of hospitals and the internet itself — has revealed a set of vulnerabilities no president can ignore.
For Mr. Biden, nuclear weapons still matter, and his aides say the two men will spend a good amount of time debating “strategic stability,” shorthand for containing nuclear escalation. But the more immediate task, Mr. Biden told his allies at a Group of 7 summit meeting in Cornwall, England, last week and a NATO meeting in Brussels, is to convince Mr. Putin he will pay a high price for playing the master of digital disruption.
It will not be easy. If a decade of intensifying cyberconflict has taught anything, it is that the traditional tools of deterrence have largely failed.
And while Mr. Putin loves to boast about his huge investments in new, nuclear torpedoes and hypersonic weapons, he also knows he cannot use them. His arsenal of cyberweapons, in contrast, is put to work every day.
Mr. Biden has made clear that he intends to give Mr. Putin a choice: Cease the attacks, and crack down on the cybercriminals operating from Russian territory, or face a rising set of economic costs and what Mr. Biden calls a set of moves by the United States to “respond in kind.” But on Sunday, while still at the Group of 7 summit in Cornwall, he acknowledged that Mr. Putin may well ignore him.
“There’s no guarantee you can change a person’s behavior or the behavior of his country,” Mr. Biden said. “Autocrats have enormous power, and they don’t have to answer to a public.”
Deterrence is a problem that many of Mr. Biden’s top national security aides have been thinking about for years, drawing on their experience on the front lines of cyberconflict at the National Security Agency, the Justice Department and the financial sector. They are the first to say that arms control treaties, the main tool employed in the nuclear age, are not well adapted to the cyberrealm. There are just too many players — nations, criminal groups, terrorist organizations — and no way to do the equivalent of counting warheads and missiles.
But their hope is to get Mr. Putin to begin discussing targets that should be off the table in peacetime. The list includes electric grids, election systems, water and energy pipelines, nuclear power plants and — most delicate of all — nuclear weapons command-and-control systems.
On paper, that would seem to be relatively easy. After all, an expert group of the United Nations, with representatives of all the major powers, has repeatedly agreed to some basic limits.
In reality, it is proving agonizingly difficult — far more so than the first attempt at nuclear arms control that President Eisenhower broached with Nikita S. Khrushchev in Geneva 66 years ago, just before the Cold War spun into a terrifying arms race and, seven years later, nuclear confrontation in Cuba.
President Ronald Reagan said “we need to ‘trust, but verify,’” noted Eric Rosenbach, the former head of cyber policy at the Pentagon, who helped navigate the early days of cyberconflict with Russia, China and Iran when Mr. Biden was vice president. “When it comes to the Russians and cyber, you definitely cannot trust or verify,” he said.
“The Russians have repeatedly violated the terms of any agreements on cyber at the United Nations, and are now systematically trying to tie up the United States” in a morass of international legal issues “while hitting our critical infrastructure,” Mr. Rosenbach said.
Mr. Putin refuses to acknowledge that Russia uses these weapons at all, suggesting that the accusations are part of a giant, American-led disinformation campaign.
“We have been accused of all kinds of things,’’ Mr. Putin told NBC News over the weekend. “Election interference, cyberattacks and so on and so forth. And not once, not once, not one time, did they bother to produce any kind of evidence or proof. Just unfounded accusations.”
In fact, evidence has been produced, though it is far harder to show, much less explain, than the photographs of Soviet missiles in Cuba that President John F. Kennedy displayed on television at a critical moment in the 1962 Cuban Missile Crisis.
But Mr. Putin is right about one thing. The ease with which he can deny any knowledge of cyberoperations — something the United States has done as well, even after mounting major attacks on Iran and North Korea — demonstrates why the deterrents that kept an uneasy nuclear peace in the Cold War won’t work with digital threats.
In the nuclear age, America knew where every Soviet weapon was located and who had the authority to fire them. In the cyberage, there is no way to count the threats or even figure out who has their finger on the keyboard — the modern-day “button.” A general? Hackers working for the SVR, the premier Russian intelligence agency? Other hackers, freelancing for a ransomware “service provider” like DarkSide, which was responsible for the attack on the company that ran the Colonial Pipeline? Teenagers?
In the nuclear age, it was abundantly clear what would happen to a country that unleashed its weapons on the United States. In the cyberage it is anything but clear.
When Sony Entertainment’s studios were attacked by North Korea, in response to a movie that mocked Kim Jong-un, 70 percent of the company’s computers were destroyed. The head of the National Security Agency at the time, Adm. Michael Rogers, said later he had been sure the assault would bring a major American response.
It did not.
During the Obama administration, a successful Russian effort to break into the unclassified email systems of the White House, the State Department and the Joint Chiefs of Staff was never publicly attributed to Moscow — even though everyone, including then-Vice President Biden, knew what the intelligence indicated.
The muted response to the Russian effort to influence the 2016 election came only after the results were in. Mr. Obama’s reaction was comparatively mild: the expulsion of Russian diplomats and the closing of some diplomatic compounds. It was, in the words of one senior official at the time, “the perfect 19th century response to a 21st century problem.’’
Then came Mr. Trump’s time in office, in which he repeated, approvingly, Mr. Putin’s improbable denials of election interference. America lost four years in which it could have been trying to set some global standards, what Brad Smith, the president of Microsoft, calls a “cyber Geneva Convention.”
While the United States Cyber Command stepped up its fight, sending the digital equivalent of a brushback pitch to a Russian intelligence agency and knocking a major ransomware group offline during the 2018 midterm elections, the Russian assaults have continued. What worries the Biden national security team is not the volume of the attacks, but their sophistication.
The SolarWinds attack was not just another hack: Roughly 1,000 hackers at the SVR, according to an estimate by Microsoft, were involved in a complex effort that got the Russians into the supply chain of software funneled into government agencies, Fortune 500 companies and think tanks. Worse yet, the attack was mounted from inside the United States — from Amazon servers — because the Russians knew that American intelligence agencies are forbidden to operate on U.S. soil.
Mr. Biden said he wanted a “proportional response,” and settled on more economic sanctions — hinting there may be other “unseen” actions — but it is far from clear those left an impression. “The issue of state-sponsored cyberattacks of that scope and scale remains a matter of grave concern to the United States,” Jake Sullivan, the president’s national security adviser, said aboard Air Force One on the way to Europe last week. The issue, he said, is “not over.”
The SolarWinds hack was followed by an astounding surge in ransomware attacks, the headline-grabbing extortion schemes in which criminal hacker groups lock up a company or hospital’s data, then demand millions in Bitcoin to unlock it. Mr. Biden has accused Russia of harboring those groups.
Mr. Rosenbach, the former Pentagon cyber policy chief, said that ransomware gives Mr. Biden an opening. “Rather than focus on naïvely abstract ‘rules of the road,’ Biden should press Putin hard on concrete actions, such as halting the scourge of ransomware attacks against U.S. critical infrastructure,” he said.
“Putin has plausible deniability,” he said, “and the threat of additional sanctions is likely enough to convince Putin to take quiet action against” the groups responsible for the attacks.
That would be a start, if a small one.
If the history of nuclear arms control applies again — and it may not — expectations should be low. It is far too late to hope for the elimination of cyberweapons, any more than one could hope to eliminate guns. Analysts say the best one can hope for might be a first attempt at a digital “Geneva Convention” limiting the use of cyberweapons against civilians. And the perfect place to try may be in Geneva itself.
But that is almost certainly further than Mr. Putin is willing to go. With his economy overly dependent on fossil fuels, and his population showing signs of restiveness, his sole remaining superpower is the disruption of his democratic rivals.