Foreign Affairs Foreign Affairs

Russia Seeks a Better Cyber Security Relationship with the U.S.

Russia has recently expressed interest in getting the Russia-U.S. cyber security cooperation back on track.   Once in late September 2020 and again in October 2020, Vladimir Putin indicated that he has reached out to Washington for re-engagement on a hot-button issue that many experts consider a leading national security concern.  The timing of these overtures is of note given Russia’s involvement in various election meddling activities in the 2016 U.S. presidential election, and its suspected involvement in various disinformation campaigns that have been transpiring for at least a year prior to the current election cycle.  Notably, Russia has routinely denied these allegations.

Putin’s proposal was not addressed to the President but to the United States government writ large, given the potential change in Administrations.  According to Russian media outlet sources, Putin would like to jointly develop a comprehensive program that features “practical measures” to help reset engagement with the two cyber powers.  Key components of the proposal include:

  • The establishment of regular full-scale bilateral inter-agency dialogue on key issues of high-level international information security.
  • The maintenance of continuous communication between both countries’ stakeholder agencies via nuclear risk reduction centers, computer incident response teams, and senior officials overseeing international information security issues.
  • The joint development of a bilateral agreement on the prevention of incidents in the information space (similar to a joint agreement on the Prevention of Incidents on and Over the  High Seas agreed to by the United States and the then Soviet Union in 1972).
  • Agreement on a way to establish guarantees of non-interference in each other’s internal affairs to include use and exploitation of information and communication technologies.

As of this writing, the United States has not responded to the offer.

This is not the first time that two of the world’s most sophisticated cyber powers have tried to find a common way forward in the information and communications technology arena.  The two governments first made gains in 2013, when they gained consensus in identifying key confidence-building measures designed to increase transparency and reduce the potential for misunderstanding over incidents that could negatively impact relations between Moscow and Washington.  Ultimately this progress proved temporary, halting after Russia’s activities in Ukraine in 2014 and the United States’ subsequent imposition of sanctions.  Two years later, the governments agreed to resume discussions, with Moscow soliciting Washington support in combating Internet-related crime.  In 2018, Russian press suggested that Moscow made overtures to Washington for cooperation on preventing sabotage targeting critical infrastructure entities in the two countries during a summit in Helsinki, Finland, even though no formal joint statement was made.

The concept of governments coming to accord concerning activities in cyberspace is not new.  Several countries have engaged in cyber agreements that mark out areas of mutual concern.  For example, the Budapest Convention of Cyber Crime was the global community’s first attempt to create an international treaty that addressed Internet and computer crime.  Also, China has engaged in several “no-hack” pacts with governments, a theme that carried over to the G20.  In 2019, 27 countries signed a joint agreement advocating that states should follow international law when it comes to responsible state behavior in cyberspace.  These undertakings suggest that the appetite for coming to consensus exists even if there has been little headway in actually achieving it. 

Therefore, it makes practical sense that Russia and the United States reach common ground on how to address the volume, intensity, and impact of malicious cyber-enabled activities.  On the surface, this should not be difficult, as Moscow and Washington have been able to accomplish just that with respect to nuclear (New START), chemical, and biological weapons (CWC), in addition to the aforementioned On or Above the High Seas treaty.  The level of distrust exhibited by both Russia and the United States when it comes to malicious cyber activity is analogous to these other national security issues.  The potential for misunderstanding incidents surrounding nuclear arms, bio/chemical weapons, and maritime/aerial movements can quickly escalate tensions and ultimately lead to kinetic conflict.  When it comes to cyberspace where state actors operate with benefit of near-anonymity, use non-state actor proxies, or potentially hire cyber mercenaries, the potential for misunderstanding intent is very high.  Lack of any established procedures or special channels to immediately reach out to counterparts prior to the execution of needless retaliatory strikes only increases the risk of escalation.  Formal treaties, such as those outlined above, can offer a blueprint on how similar measures can be applied to cyber/information security as well.  However, whether they can be as successful in the digital domain remains to be seen.

Under the current geopolitical climate, the United States. is very unlikely to come to a cyber agreement with Russia, largely because it simply does not trust Russia to adhere to any agreed upon stipulations.  Unlike China whose offensive cyber activities have primarily supported intellectual property theft, Russia’s have largely focused on intelligence gathering, disruptive attacks, and influence operations, information-enabled activities that support national level strategies and objectives.  This means that as long as decision-makers in Moscow deem them “necessary,” they will continue to engage in questionable activity regardless of any agreement.  An agreement permitting this type behavior invariably favors Russia which bears a reputation for being unreliable when it comes to international partnerships with other governments.

However, Russia’s repeated offer of engagement puts the United States in a tenuous light, particularly as the U.S. is also viewed as an aggressive cyber actor accused of perpetrating or supporting hostile cyber operations.  Washington needs to publicly respond to Moscow and provide its own counter proposal that highlights key positions that reflect those of international law.  Several governments including the U.S. have expressed their positions on this approach, providing Washington a base from which to influence what components need to be included in any agreement between the two cyber powers.  This in turn puts the proverbial ball back into Moscow’s court, forcing it to explain why international law cannot be applied to the cyber problem, a tough sell to a global community searching for stability in the digital domain.  Not only does the United States regain the upper hand in this tete-a-tete, it demonstrates its commitment to following international law and being a leader driving the establishment of norms of responsible state behavior in cyberspace.