WASHINGTON — President-elect Joseph R. Biden Jr. accused President Trump on Tuesday of “irrational downplaying” of the widespread hack of the federal government and American industries, saying that the current administration was denying him intelligence and warning Russia that he would not allow the intrusion to “go unanswered” after he takes office.
“This assault happened on Donald Trump’s watch when he wasn’t watching,” Mr. Biden said at a news conference in Delaware. “It is still his responsibility as president to defend American interests for the next four weeks, but rest assured that even if he does not take it seriously, I will.”
The direct critique was a remarkable departure from tradition, in which incoming presidents are careful about not second-guessing the actions of the incumbent. But Mr. Trump’s refusal to recognize Mr. Biden’s election victory, and his effort to subvert the results, has clearly poisoned elements of the transition process.
In recent days, Mr. Biden’s aides have come to realize that the scope of the cyberattack — which landed the Russians inside the email system used by top Treasury officials and gave them access to the networks of the Energy, Commerce and Homeland Security Departments and dozens of American companies — could pose a threat in the first days of the new administration.
Mr. Biden indirectly acknowledged as much when asked about his statement that he could not ensure that government systems could be trusted when he takes office.
“Of course I can’t,” he said. “I don’t know what the state of them is. They’re clearly not safe right now.”
Privately, members of his staff have said that while they received briefings on the subject, they had been minimal. And the shutdown of recent cooperation between the transition team and the Defense Department has encompassed the National Security Agency and the United States Cyber Command, the quasi-civilian and military sides of the nation’s foreign offensive and defensive operations.
“There’s still so much we don’t know, including the full scale of the breach or the extent of the damage it has caused,” Mr. Biden said. He was alluding to the quiet internal warnings that Russia may have been able to place so-called back doors in government systems and, in the worst case, manipulate data or sabotage systems.
“It was carried out by using sophisticated cybertools, and the attacker succeeded in catching the federal government off guard and unprepared,” Mr. Biden said.
Unlike Mr. Trump, the president-elect left no doubt that he believed Russia was responsible, noting that both Secretary of State Mike Pompeo and Attorney General William P. Barr had said as much publicly, even if Mr. Trump would not. And Mr. Biden said once there was a formal determination of responsibility, a task that could take intelligence agencies weeks, “we will respond, and probably respond in kind.”
The Presidential Transition
That vow is likely to prove easier to issue from the stage in Delaware than it will be to execute from the Situation Room. Mr. Biden’s first encounter with President Vladimir V. Putin of Russia will be on another topic: The two men will have 16 days to negotiate an extension of up to five years of New Start, the nuclear arms control treaty that expires in early February.
That will force Mr. Biden to strike a deal to prevent one threat — a nuclear arms race — while simultaneously threatening retaliation on another.
Moreover, while the United States is awash in digital targets, Russia is a far less connected society, making an “in kind” response more difficult.
And it is hardly a state secret that the United States already spies on Russian systems and has turned off computers at the Internet Research Agency, the Kremlin-backed disinformation group that was involved in election interference in 2016. The New York Times reported last year that the United States had implanted malware into Russia’s electric power grid as a warning to Moscow after the discovery that Russia had done the same to the American grid.
“Of course the U.S. intelligence community does these every day and twice on Sundays,” said Dmitri Alperovitch, the chairman of the think tank Silverado Policy Accelerator and the former chief technology officer of the cybersecurity firm CrowdStrike, where he specialized in Russian cyberoperations.
“We have all used supply chain attacks, and we can’t say it’s OK for us and not for others.” he said on “Deep State Radio,” a podcast.
In fact, the Russians often cite such operations to argue that American outrage over espionage and even more extensive cyberattacks is manufactured.
Mr. Biden said that the United States should be “getting together with our allies to try to set up an international system that will constitute appropriate behavior in cyberspace” and “hold any other country liable for breaking out of those basic rules.”
Those efforts are hardly new. President Barack Obama tried a basic agreement with President Xi Jinping of China late in his term, after the Chinese were caught removing 22.5 million security clearance files from the Office of Personnel Management, another hacking that went largely undetected for a year. The accord quickly fell apart after Mr. Obama left office.
A parallel effort inside the United Nations also quickly frayed. While another one is expected to issue a report in 2021, Russia and China have hijacked much of the debate to focus on limiting dissent on the internet and pressing for the “true identity” of everyone online, which would make it easier for them to detect dissidents.
But the more immediate problem for Mr. Biden may be finding and securing vulnerable elements of the software supply chain that Russia exploited when it bored into network management software made by SolarWinds, an Austin, Texas company, and corrupted its updates with malware. That is one of several ways Russia is believed to have entered such an array of agencies and corporations.
During the investigation into the Russian hacking, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released a report based on a two-year, still unfinished review of the risks to the United States of a supply chain attack.
The report concluded that supply chain risks “could have far-reaching and potentially devastating impacts,” an understatement as the government feverishly digs through its systems for evidence of Russian compromise.
Nicole Perlroth contributed reporting from Palo Alto, Calif.