According to officials familiar with the discussions, those options included variations of steps that President Barack Obama considered and rejected after hacking state election systems in 2016. They used cyber tools to reveal or freeze assets secretly owned by President Vladimir V. Putin of Russia, exposing his ties to oligarchs or taking technological steps to break Russian censorship to help dissidents communicate with the Russian people at a time of political protest.
At a news conference in the White House on Tuesday, Jen Psaki, the press secretary, said a US response would come in "weeks, not months." But first, the United States will have to make a final statement that one of the Russian intelligence services was responsible.
"There's not much tension at the moment about what we're talking about," said Mr. Smith, adding that while Microsoft had not identified the intruders, it saw nothing to contradict US intelligence's preliminary finding that Russia was "probably" to blame.
Mr. Biden will then have to overcome another problem: differentiating what the Russians did from the kind of espionage the United States does, including against its allies. Officials are already preparing the grounds for that argument. Last week, Mr. Biden's intrusion "recklessly" because it affected more than 18,000 companies, mostly in the United States. In private, US officials are already testing an argument that Russia should be punished for "arbitrary" hacking, while the United States uses similar tools only for targeted purposes. It is unclear whether this argument will prove convincing to others to join steps to make Russia pay.
Mr. Biden's forthcoming actions are likely to include executive orders to improve the resilience of government agencies and businesses to attacks and proposals for mandatory disclosure of hackings. Many of the companies that lost data to the Russians have not admitted it, either out of embarrassment or because there is no legal obligation to disclose even a major breach.
But the subtext of much of the testimony was that the Russian intelligence agencies may have laced US networks with "back door" access. And that possibility – just the fear of it – could limit the kind of punishment Mr. Biden imposes. Although he pledged to impose "significant charges" during the presidential transition, previous pledges to hold Russia accountable did not create enough deterrent to worry them about punishment if they were caught doing the most sophisticated supply chain hacking in history.
"The reality is that they will come back, and they will be an ever-present violation," said Kevin Mandia, the CEO of FireEye, the cybersecurity company that first discovered the breach after the Russians stole its tools to fight. hackers. Mr. Mandia, a former Air Force intelligence officer, noted that "since the front door was locked," the hackers took advantage of known but poorly remedied vulnerabilities. In this case, they got into the network management software update system from the SolarWinds company. When users of the SolarWinds Orion software downloaded the updated versions of the code, the Russians were in.