
Biden proposes critical infrastructure safe zones for hacking

The U.S. wants Russia to agree to make critical infrastructure targets off limits to hacking, but some infosec experts are skeptical such an agreement can be enforced.

The Biden administration is pushing the idea of "off-limits" agreements to prevent governments from targeting critical infrastructure with cyber attacks, even as the White House opened the door for offensive hacking against nation-state adversaries such as Russia.

Speaking at a summit last week, President Joe Biden said he proposed a deal with Russian President Vladimir Putin that would see the two nations agree to a set of 16 different business sectors where attacks would not take place on either side.

The comments come as Russia's government stands accused of either sponsoring or carrying out attacks against critical U.S. infrastructure. Most notably, Russia was accused of perpetrating the supply chain attack at SolarWinds that resulted in thousands of U.S. companies being put at risk of network breaches, thanks to backdoored IT management software.

The deal, presumably, would see the two nations protect healthcare, utilities and other critical infrastructure from cyber attacks that would have the ability to create public safety threats. It is not known how seriously Putin was considering the proposal.

"I talked about the proposition that certain critical infrastructure should be off limits to attack -- period -- by cyber or any other means," Biden said during a press conference last week.

"I gave them a list, if I'm not mistaken -- I don't have it in front of me -- [of] 16 specific entities; 16 defined as 'critical infrastructure' under U.S. policy, from the energy sector to our water systems."

Later in a press conference, Biden took a stronger tone against Putin, perhaps even leaving the door open for the U.S. to retaliate with its own hacking operations against Russia.

"I pointed out to him that we have significant cyber capability. And he knows it," Biden said. "He doesn't know exactly what it is, but it's significant. And if, in fact, they violate these basic norms, we will respond with cyber."

Even if Russia does not dismiss the idea of "off-limits" areas, actually getting the Kremlin to adhere to a critical infrastructure truce is unlikely to happen, according to some infosec experts. Dan Tentler, co-founder of cybersecurity vendor Phobos Group, noted that Putin's regime can simply disguise the source of the attacks it and its sponsored groups carry out.

"The thing folks in security say time and time again is that 'attribution is hard.' If some IP [address] in India or Pakistan starts attacking a host in the U.S., is that 'India' doing the attack, or is that just a machine being run by a Russian attacker?" Tentler said. "How can we tell? There's so much ambiguity with regards to attribution that it's trivial for Russia to say, 'Oh, sure, we'll play ball,' then proxy all their attacks through Canada or the U.K."

Fellow Phobos Group co-founder Ali-Reza Anghaie said that, on top of having to deal with proxy groups and contracted hackers, the U.S. government would also have to keep watch over a massive set of networks and systems just to be sure Russia wasn't breaking its end of the bargain.

"Governments can agree on anything and use proxy actors to 'officially' maintain decorum. It's often posturing. The privateer markets aren't without their government clientele," Anghaie pointed out.

"Further, most large networks and, certainly, government networks have massive technical debt, such that they couldn't even accurately identify what is what. Under their conditions, 'off limits' is also dubious."
