Those options, according to officials familiar with the discussions, include variants of steps that President Barack Obama considered and rejected after the 2016 hacking of state election systems. They included using cybertools to reveal or freeze assets secretly held by President Vladimir V. Putin of Russia, exposure of his links to oligarchs or technological moves to break through Russian censorship to help dissidents communicate to the Russian people at a moment of political protest.
At a news briefing at the White House on Tuesday, Jen Psaki, the press secretary, said that an American response would come in “weeks, not months.” But first the United States will have to make a definitive declaration that one of Russia’s intelligence agencies was responsible.
“There is not a lot of suspense at this moment about what we are talking about,” said Mr. Smith, who added that while Microsoft had not identified the intruders, it saw nothing to contradict the tentative finding of American intelligence that Russia was “likely” to be the culprit.
Mr. Biden will then have to surmount another problem: Differentiating what the Russians did from the kind of espionage the United States does, including against its allies. Officials are already preparing the grounds for that argument. Last week, Mr. Biden called the intrusion of the malware “reckless” because it affected more than 18,000 companies, mostly in the United States. In private, American officials are already testing an argument that Russia needs to be punished for “indiscriminate” hacking, while the United States uses similar tools for only targeted purposes. It is unclear that argument will prove convincing to others to join in steps to make Russia pay.
Mr. Biden’s coming actions appear likely to include executive orders on improving the resiliency of government agencies and companies to attacks and proposals for mandatory disclosure of hackings. Many of the companies that lost data to the Russians have not admitted to it, either out of embarrassment or because there is no legal requirement to disclose even a major breach.
But the subtext of much of the testimony was that Russia’s intelligence services might have laced American networks with “backdoor” access. And that possibility — just the fear of it — could constrain the kind of punishment that Mr. Biden metes out. While he promised during the presidential transition to impose “substantial costs,” previous promises to hold Russia accountable did not create enough of a deterrent to concern them about the penalty if they were caught in the most sophisticated supply-chain hacking in history.
“The reality is that they are going to come back, and they are going to be an ever-present offense,” said Kevin Mandia, the chief executive of FireEye, the cybersecurity company that first found the intrusion after Russians stole its tools for fighting hackers. Mr. Mandia, a former Air Force intelligence officer, noted that “since the front door was locked,” the hackers turned to known but little-addressed vulnerabilities. In this case, they got into the update system of network management software made by a company called SolarWinds. When users of the SolarWinds Orion software downloaded the updated versions of the code, the Russians were in.
