“This assault happened on Donald Trump’s watch when he wasn’t watching,’’ Biden said at a news conference in Delaware. “It is still his responsibility as president to defend American interests for the next four weeks, but rest assured that even if he does not take it seriously, I will.”

The direct critique was a remarkable departure from the usual one-president-at-a-time tradition, in which incoming presidents are careful about not second-guessing the actions of the incumbent. But Trump’s refusal to recognise Biden’s Electoral College victory, and his effort to subvert the results, has clearly poisoned elements of the transition process.

In recent days Biden’s aides have come to realise that the scope of the intrusion — which landed the Russians inside the email system used by top Treasury officials, and won them access to the networks of the Energy, Commerce and Homeland Security departments and dozens of American companies — could pose a threat in the opening days of the new administration.

Biden acknowledged as much, indirectly, when asked about his statement that he could not ensure government systems could be trusted when he take office.

“Of course I can’t,’’ he said. “I don’t know what the state of them is. They’re clearly not safe right now.”

Privately, members of his staff have said that while they have received briefings on the subject, they have been bare-bones. And the shutdown of recent cooperation between the transition team and the Defence Department has encompassed the National Security Agency and US Cyber Command — the quasi-civilian and military sides of the nation’s foreign offensive and defensive operations.

“There’s still so much we don’t know including the full scale of the breach or the extent of the damage it has caused,’’ Biden said. He was alluding to the quiet internal warnings that Russia may have been able to place “back doors” in government systems and, in the worst case, manipulate data or sabotage systems.

“It was carried out by using sophisticated cybertools, and the attacker succeeded in catching the federal government off guard and unprepared,” Biden said.

Unlike Trump, he left no doubt he believed that Russia was responsible, noting that both Secretary of State Mike Pompeo and Attorney General William Barr have said as much publicly, even if Trump would not. And he said once there was a formal determination of responsibility, a task that could take intelligence agencies weeks, “we will respond and probably respond in kind.”

That vow is likely to prove easier to issue from the Wilmington stage than it will be to execute from the Situation Room. Biden’s first encounter with President Vladimir Putin of Russia will be on another topic: The two men will have 16 days to negotiate an extension of up to five years of New START, the nuclear arms control treaty that expires in early February.

That will force Biden to be striking a deal to prevent one threat — a nuclear arms race — while simultaneously threatening retaliation on a newer type of threat.

Moreover, while the United States is awash in digital targets, Russia is a far less connected society, making an “in kind” response more difficult.

And it is hardly a state secret that the United States already spies on Russian systems, and has turned off computers at the Internet Research Agency, the Kremlin-backed disinformation group that was involved in the 2016 election interference. Last year, The New York Times reported that the US had also implanted malware into Russia’s electric power grid — as a warning to Moscow after the discovery that Russia had put malware in the US grid.

“Of course the US intelligence community does these every day and twice on Sundays,’’ Dmitry Alperovitch, the chairman of Silverado Policy Accelerator, a think tank, and the former chief technology officer of the cybersecurity firm CrowdStrike, where he specialised in Russian cyberoperations.

Speaking on Deep State Radio, a podcast, he said, “we have all used supply chain attacks, and we can’t say it’s OK for us and not for others.”

In fact, the Russians often cite such US operations to argue that American outrage over espionage and even more extensive cyberattacks is manufactured.

Biden said that the United States should be “getting together with our allies to try to set up an international system that will constitute appropriate behaviour in cyberspace” and “hold any other country liable for breaking out of those basic rules.”

Such efforts are hardly new. President Barack Obama tried a basic agreement with President Xi Jinping of China late in his term, after the Chinese were caught removing 22.5 million security clearance files from the Office of Personnel Management, another hack that went largely undetected for a year. The accord quickly fell apart after Obama left office.

A parallel effort inside the United Nations also quickly frayed. While another one is expected to issue a report in 2021, much of the debate has been hijacked by Russia and China to focus on limiting dissent on the internet and pressing for the “true identity” of everyone online — which would make it easier for them to sniff out dissidents.

But the more immediate problem for Biden may be finding, and securing, vulnerable elements of the software supply chain that Russia exploited when it bored into network management software made by SolarWinds, an Austin, Texas firm, and corrupted its updates with malware. That is one of several ways Russia is believed to have entered such an array of agencies and corporations.

Amid the investigation into the Russian hack, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released a report based on a two-year, still-unfinished review of the risks to the United States of a supply chain attack.

The report concluded that supply chain risks “could have far-reaching and potentially devastating impacts,” a bit of an understatement as the government feverishly digs through its systems for evidence of Russian compromise.

c.2020 The New York Times