Idaho Sen Jim Rischthe committee’s top Republican, said only that “there have been such conversations.” He said he wanted to keep negotiations on cybersecurity aspects of the sanctions package private.
Menendez and Risch have been hard at work in recent weeks hammering out a sanctions package. Menendez described it Tuesday as “the mother of all sanctions” during a virtual Washington Post Live event, with the proposed package laying out a crippling set of consequences for Russian aggression against Ukraine that would target top Russian officials and the broader economy.
The package is meant to serve as a compromise between diverging approaches of sanctioning Russia before or after an invasion, with Republicans pushing for sanctions to be imposed ahead of time, and Democrats supporting taking action following Russian troops crossing the Ukrainian border. But cyberattacks are an area where many agree that early action is needed.
Sen. Richard Blumenthal (D-Conn.) also argued for sanctions for any recent cyberattacks by Russia against Ukraine. Last month, hackers defaced and disabled about 70 Ukrainian government websites — an attack Ukraine has blamed on Russia. US officials have not formally attributed the attack to anyone
“I have strongly and consistently said we should be imposing sanctions beginning right now, in fact yesterday, because Putin understands only the force of economic or military action,” Blumenthal said. “This sanctions bill is more than a message. It’s really an instrument of persuasion.”
President Joe Biden has said the US would retaliate with its own cyberattacks if Russia launches a major cyber strike in Ukraine, but has not publicly committed to levying sanctions for cyberattacks. Sanctions could be seen as equally damaging to Russia as they stood to cripple the economy and isolate Russia from international trade.
The US has previously imposed sanctions on Russia for attacks against American targets, such as the sprawling SolarWinds espionage operation discovered in late 2020, in which Russian hackers compromised computer systems of at least a dozen federal agencies and 100 private companies. The Justice Department has also indicted several alleged Russian hackers in recent years.
Biden has not taken a formal stance on slapping sanctions on Russia specifically for cyberattacks inside Ukraine, but has supported taking strong measures against Moscow, including shutting down the Nord Stream 2 gas pipeline in the event of an invasion.
It’s unclear how serious a cyberattack would have to be to trigger sanctions or counterstrikes under the scenarios the senators are contemplating. The attacks on Ukrainian websites are minor compared with some possible assaults. In 2015, Russian hackers shut down part of Ukraine’s power grid, leaving around a quarter of a million people without power. Another attack in 2017 disabled networks of thousands of organizations in the public and private sectors.
“This is one of those areas where it would be great if there was this complete black-white distinction, but there is cyber activity on a regular basis from Russia to Ukraine,” said Senate Intelligence Chair Mark Warner (D-Va.). “It’s something we have to sort through.”
Senators are considering economic sanctions that would target Russian banks and make it difficult for Russians to participate in the global economy, along with providing lethal weapons to Ukraine as part of a broader aid package. They have not said which of these would be on the table in response to a cyberattack.
“We need to share whatever we possibly can in terms of helping them to prepare and defend, and I think we need to keep all options on the table for our response to a cyberattack,” Senate Intelligence member Angus King (I-Maine) said in an interview.
Lawmakers are also pushing to include more aid to Ukraine to help it prevent or respond to cyberattacks. Senate Foreign Relations member Rob Portman (R-Ohio), who led a bipartisan delegation to Ukraine in January, said he was working with Murphy to include “millions” in funding for cyber aid to Ukraine in the wider sanctions deal.
Menendez confirmed that cyber assistance is “also under consideration.”
But there are limits to how much such aid can help in the fast-moving crisis.
“It would have taken years to build up defenses that would have made their critical infrastructure less vulnerable to the kind of attacks that the Russians are probably planning,” said Senate Intelligence ranking member Marco Rubio (R-fla.).
Rubio emphasized the need for quick action when a cyberattack occurs.
“There should be consequences for cyberattacks regardless of whether it’s linked to an invasion,” he said.
The US has already provided $38 million in aid to Ukraine for cybersecurity following numerous hacks linked to Russia over the past decade. European Union and NATO nations have stepped in to assist as well.
But Ukrainian President Volodymyr Zelenskyy told last month’s congressional delegation that more cybersecurity assistance was his “No. 1” request, according to Rep. Mark Green (R-Tenn.), who led the Republican members of the delegation.
“He did not state specifically what he wanted, but it was the first thing on his list,” Green said last week.