The rapid development of Internet technology has generated, and will continue to generate, unforeseen threats and opportunities. From unprecedented interconnectedness on social media to attacks on critical infrastructure, the implications of Internet technology deserve attention on the global stage.
Cybersecurity has emerged at the forefront of diplomacy worldwide but remains underdeveloped as states look for workable “rules of the road” that can be agreed upon. This is especially true in the United States and Russia, where the US accuses Russia of allowing hackers to attack infrastructure and businesses and to interfere in US elections. Russia, meanwhile, holds that most cyberattacks on its institutions and businesses come from the US and accuses the US of interfering in the Russian 2021 parliamentary elections.
It is critical for the US and Russia to seriously consider cybersecurity cooperation. This paper will discuss the evolving framework for this, examining cybersecurity issues in the appropriate context of each country, exploring the recent history and failures of cybersecurity cooperation, and offering potential avenues for cybersecurity cooperation in the future.
Cybersecurity in Context
Cybersecurity is an ambiguous term whose contested interpretation highlights the complexity of establishing a US-Russia framework of cybersecurity cooperation. The US Cybersecurity and Infrastructure Security Agency defines cybersecurity as, “The art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.” This definition aligns with the US perspective of cyberspace as a domain for the free exchange of information.
The Russian term for cybersecurity is most aptly translated into English as “information security.” In Russia, “cybersecurity” is largely thought of as a US concept. The Doctrine of Information Security of the Russian Federation defines information security as, “The state of protection of the individual, society and the State against internal and external information threats, allowing to ensure the constitutional human and civil rights and freedoms, the decent quality and standard of living for citizens, the sovereignty, the territorial integrity and sustainable socio-economic development of the Russian Federation, as well as defense and security of the State.” This definition aligns with the Russian perspective of cyberspace as a domain of information flow that warrants heavy state regulation. These different views on cybersecurity have changed over time, alongside the cybersecurity doctrine and technological development of each country.
While US cybersecurity doctrine gradually transitioned from a central focus on information security to a central focus on network and application security, Russian doctrine gradually increased its focus on information security.
The evolution of related warfare doctrine in the US and Russia can further elucidate these concepts. Early on, US cybersecurity doctrine focused on the detection and mitigation of information-gathering cyberattacks against the US and US-based systems. Beginning in 2003, the US cyber doctrine entered a modern militarization phase, acknowledging that cyber warfare, like kinetic attacks, can cause damage to strategic capabilities and critical infrastructure. The culmination of this phase likely occurred in 2010, during the alleged joint US-Israeli cyberattack known as Stuxnet on Iranian nuclear facilities.
By 2012, US cyber warfare doctrine was beginning to take a strategic-diplomatic approach. Policy, international regulations, Internet governance, and agreements all began to play a significant role in the cyber environment. However, at the same time, US-Russia relations were beginning to deteriorate with the US Magnitsky Act and Russia’s adoption ban, resulting in an environment unconducive to cyber cooperation.
Russia’s concept of information warfare has also evolved considerably over the past two decades. Russia’s leadership gradually shifted from a view that armed violence is the baseline of warfare, to a broadened baseline that included non-military and non-kinetic measures.
Starting in the early 2000s, the Color Revolutions and Arab Spring presaged a future where non-military measures and information communication technology (ICT) could be used to invoke and support regime-threatening protests. Thus, the 2014 Russian Military Doctrine characterizes modern military conflict as, “the integrated use of military force, political, economic, informational, and other non-military measures implemented with the widespread use of the protest potential of the population and special operational forces.”
Additionally, the emergence of the Internet as a global forum triggered the Russian government’s fear of cognitive threats in the information sphere. Russia has often pointed out that the Internet and social media are dominated by US-based companies, providing the US a strategic advantage in information capabilities. Russia has expressed concern about outside informational influence on the Russian population and decision-makers, and the effects of that influence on social values and stability. Such concerns are rarely and poorly understood in the US.
The two different perspectives of the US and Russia, resulting from different starting points and histories, have been one of the main causes of the unsuccessful history of cybersecurity cooperation between the two countries.
History of US-Russia Cybersecurity Cooperation
An initiative by the EastWest Institute in 2011 and 2014 sought to establish basic definitions around three key cluster areas of cybersecurity terminology. However, this initiative was unsuccessful. The agreed definitions did not actually match in translation and left a false impression that consensus had been achieved, when in fact the two sides remained as far apart as ever. Additionally, definitions outlined in the initiative were not reflected in official US and Russian doctrine.
The most promising bilateral cybersecurity cooperation between the US and Russia happened in 2013, when the two engaged in dialogue to assess emerging information communication technology (ICT) threats and to propose a joint measure to address them.
Key agreements were made, largely using existing infrastructure. To facilitate the regular exchange of information on cybersecurity risks to critical systems, like malware, the countries arranged for links between computer emergency response teams. To reduce the chance of national security threats like nuclear crises stemming from ICT security incidents, the two countries agreed to an exchange of notifications through the Nuclear Risk Reduction Centers. Finally, the two countries authorized a direct secure voice communication line between the White House and the Kremlin.
This bilateral cooperation appears to have been mostly aligned with the US perspective on cybersecurity, focusing on networks and applications rather than information. However, the agreements and cooperation were frozen in 2014 amid increasing tensions over Ukraine.
President Putin offered the US an opportunity to restore bilateral cybersecurity cooperation in a September 2020 official statement. This was at a time when cyber accusations against Russia were building and Russia’s Duma elections were still upcoming. Russia had expressed concern that interference was being directed against its elections.
Putin’s offer had four points, most of which would have restored the cooperation agreed upon in 2014. First, to restore a regular full-scale bilateral interagency dialogue on key issues of cybersecurity. Second, to maintain communication channels through the Nuclear Risk Reduction Centers, Computer Emergency Readiness Teams, and high-level officials. Third, to jointly develop and conclude a bilateral intergovernmental agreement on cyber incident prevention. Fourth, to exchange guarantees of non-intervention into internal affairs, including electoral processes, by means of ICTs and high-tech methods. He called on the US to greenlight Russian-American expert dialogue on cybersecurity without constraints from current political disagreements between the two countries. These suggestions also seem to align more closely with the US perspective on cybersecurity and showed genuine effort on Russia’s part.
The White House did not respond to the offer.
UN-Centered Multilateral Efforts
Efforts within the United Nations to establish an international cyber code of conduct are the primary example of multilateral US-Russia cyber cooperation. However, they have been largely ineffective and are unlikely to produce outcomes desirable for both countries.
In 2015, the United Nations’ First Committee Group of Governmental Experts (GGE) convened to discuss international security in the context of ICTs and negotiate rules for state behavior in cyberspace. The group consisted of 25 selected member states, including the US and Russia. Its two major achievements are outlining the global cybersecurity agenda and introducing the principle that international law applies to cyberspace. Before the GGE completed work in early 2021, it managed to come up with a list of voluntary norms. Experts point out that Russia likely regards such norms as a stepping stone towards treaty negotiations, while other countries like the US view voluntary norms as an enabler of malevolent ambitions in cyberspace.
Russia would also prefer to see the norms be enforceable, as demonstrated by its push for a new global cybercrime treaty from the UN in 2019. The push supports Russia’s goal of replacing the Budapest Convention (the only legally binding international treaty on cybercrime, which Russia has not signed) with a new treaty that allows for increased state regulation of the Internet, which is in line with Russia’s vision – and may actually be in line with US developments to potentially regulate Facebook and other social media.
Russia received Chinese support, but the treaty effort was shot down by the US and its allies because the vague language used raised a number of human rights and procedural concerns, including the treaty’s potential to allow the targeting of free speech.
The Open-Ended Working Group (OEWG) was established by the UN in 2018 in parallel with the GGE to include all interested UN member states, rather than a select 25. Its task is to continue the development of international-cyberspace rules, norms, and principles that began with the GGE. The OEWG will continue work until 2025 but is similarly limited by opposing US and Russian views on the international governance of cyberspace.
The 2021 Biden-Putin Summit included cyber conversations that are a step in the right direction, but nonetheless flawed.
Prior to the meeting, President Biden announced that “Russia’s cyber aggression” would be a big part of the conversation. The US has blamed the Russian government for several recent cyber incidents like the SolarWinds attack, the Colonial Pipeline ransomware, the USAID cyberattack and the JBS cyberattack. Even if the Russian government did not mastermind these incidents, the US has stated that the Russian government is responsible and has the ability to stop them.
The US has not explained how Russian surveillance through its SORM monitoring system and security agencies’ activities should be able to stop these when crimes occurring from US-based servers cannot be contained with US PRISM monitoring and security agency activity. Russia has mostly responded to the accusations with exasperation.
Inviting Russia to the table while maintaining that Russia is untrustworthy and aggressive towards a benevolent US may be in alignment with US thought on current cybersecurity issues. However, it is unlikely to yield productive results. The plan coming out of the summit is to task experts in both countries to work on a list of off-limits targets and follow up on specific cyber cases originating from each country.
This may prove to be at least a significant olive branch on cybersecurity cooperation between Biden and Putin. Building on this, here are several avenues that can bolster the framework of cooperation and prevent its deterioration or complete failure as has happened in the past.
Potential Frameworks for US-Russia Cybersecurity Cooperation
First, both countries still need to start with the basics. The development of officially agreed upon terms and definitions on major cybersecurity principles will be a crucial first step to building a cooperative framework. For maximum effectiveness, this should be done by official government experts, who convene to agree upon key terms and ensure the proper translation of the terms in both languages. For this purpose, it would be useful to include linguistic experts.
A leading Russian perspective on cybersecurity cooperation suggests that further bilateral dialogue should be broken into two tracks, military and diplomatic, to allow for agreements despite major differences on key cybersecurity principles.
The military track should focus on establishing red lines whose crossing would warrant a kinetic response and set ground rules for cyber activities on nuclear facilities. This is likely to be successful despite military cyber policy obstacles because both countries have an inherent interest in preventing escalation caused by misinterpretation or misunderstanding.
The diplomatic track should focus on reaching greater transparency and stability in cyberspace. One proposed method to accomplish this is to focus on areas of mutual concern such as cybercrime or online terrorist recruitment. The US and Russia could work toward increased information sharing and unified responses in these areas. However, there is a high probability that the US will be unable and unwilling to trust Russia on issues of cybercrime in light of recent US statements on the topic. Additionally, cooperation on terrorism is likely to be thwarted by US concerns that Russia may use vague terrorism definitions to allow freedom of speech to be targeted.
An alternative method for the diplomatic track involves more nuanced negotiations between the US and Russia that provide each country with substantial benefit even if only one side remains within the cyber domain. For example, President Biden could persuade President Putin to increase the Russian government’s mitigation of cyberattacks on US infrastructure from Russian cybercriminals by granting sanctions relief or increased collaboration on economic agreements.
While there may be many arguments against such an agreement, if followed through, this would be an essential step towards building trust between the two countries and paving the path for formal bilateral cybersecurity agreements that serve the interests of both countries, which is the ultimate goal of a cybersecurity cooperation framework.
Conclusion: A Possible Future on US-Russia Cybersecurity Cooperation
In light of recent damaging events in the cyber domain, pursuing cybersecurity agreements or at least trust building is in the interest of both the US and Russia.
To achieve this, differences in the US and Russian perspectives, as developed through the evolution of each country’s cyber warfare doctrine, must be worked through. Multilateral efforts at establishing a code of conduct in cyberspace have been unsuccessful and highlight the future obstacles to US-Russia cybersecurity cooperation, namely issues of Internet governance and human rights. However, the recent conversations on cybersecurity at the 2021 Biden-Putin summit prove the potential and mutual desire for increased cybersecurity cooperation.
The most effective way to build off those conversations would be for the US and Russia to engage in an initiative to agree upon key cybersecurity terms and definitions as well as to engage in bilateral dialogue following the two distinct tracks outlined above.