Paper

US-Russian Contention in Cyberspace

| June 2021

Are Rules of the Road Necessary or Possible?

Read the full version on Russia Matters:

Download the PDF version:


Introduction

By Natasha Yefimova-Trilling and Simon Saradzhyan

In recent years, as news of U.S.-Russian tensions in the cyber domain has dominated headlines, some strategic thinkers have pointed to the need for a bilateral cyber “rules of the road” agreement. American political scientist Joseph Nye, a former head of the U.S. National Intelligence Council, wrote in 2019 that, even “if traditional arms-control treaties are unworkable” in cyberspace, “it may still be possible to set limits on certain types of civilian targets, and to negotiate rough rules of the road that minimize conflict.” Robert G. Papp, a former director of the CIA’s Center for Cyber Intelligence, has likewise argued that “even a cyber treaty of limited duration with Russia would be a significant step forward.” On the Russian side, President Vladimir Putin himself has called for “a bilateral intergovernmental agreement on preventing incidents in the information space,” comparing it to the Soviet-American Agreement on the Prevention of Incidents on and Over the High Seas. Amid joint Russian-U.S. efforts, the Working Group on the Future of U.S.-Russia Relations recommended several elements of an agreement in 2016, among them that Russia and the U.S. agree “on the types of information that are to be shared in the event of a cyberattack” (akin to responses to a bio-weapons attack) and prohibit both “automatic retaliation in cases of cyberattacks” and “attacks on elements of another nation’s core internet infrastructure.” Most recently, in June 2021, a group of  U.S., Russian and European foreign-policy officials and experts called for “cyber nuclear ‘rules of the road.’”

Hearing some of these calls, we at Russia Matters and the U.S.-Russia Initiative to Prevent Nuclear Terrorism were moved to probe them further: Is a cyber rules-of-the-road agreement feasible? If so, what form could it take? If not, what are some next-best alternatives? We proceeded to formulate research questions (see Appendix 2) and seek out authors who could separately explore the American and the Russian perspectives on the cyber-treaty idea. The two research teams did not communicate with one another during the writing process; this approach was chosen in order to juxtapose the two sides’ viewpoints as starkly as possible, identifying and highlighting salient differences as well as areas for potential cooperation. While the authors are all affiliated with different institutions, they have written this paper in their personal capacity, representing the views of neither their organizations nor their governments.

Below we outline points on which the authors agree, disagree or cover ground that their counterparts did not. The overarching question imparting urgency to this exploration is: Can U.S.-Russian contention in cyberspace cause the two nuclear superpowers to stumble into war? In considering this question we were constantly reminded of recent comments by a prominent U.S. arms control expert: At least as dangerous as the risk of an actual cyberattack, he observed, is cyber operations’ “blurring of the line between peace and war.” Or, as Nye wrote, “in the cyber realm, the difference between a weapon and a non-weapon may come down to a single line of code, or simply the intent of a computer program’s user.”

Points on which the Russian and U.S. authors agree:

  • While a formal, binding bilateral agreement is not possible now due to mutual mistrust, misunderstanding and stark differences in approaches to the cyber domain, necessary steps by Moscow and Washington include bilateral engagement, Track 2 and/or 1.5 dialogues and well thought-out confidence-building measures.
  • The U.S. and Russia should strive toward a much better understanding of one another’s red lines (i.e., what actions would trigger retaliation, especially kinetic retaliation) and cyber-mission priorities, intents, capabilities and organization.
  • The U.S. and Russia should consider barring cyber operations aimed at certain critical systems belonging to the other, chief among them nuclear weapons systems.
  • Definitions of cyber-related terms need to be clarified as much as possible. (Currently, ambiguity can be problematic even within a single language, much less across languages; the term “cyberattack,” for example, is widely used in English-language news media and everyday speech to mean any sort of breach of cyber systems, while the U.S. military defines a “cyberspace attack” more narrowly.)
  • The distinction between cyber defense and cyber offense can be elusive.
  • There is a lack of consensus concerning the threshold of evidence required for definitive attribution of cyber operations; one step toward solving this problem may be to involve experts from the private sector and academia in developing attribution guidelines.
  • While establishing cyber norms and rules that can apply on an international scale is a worthy goal, it does not negate the benefits of a bilateral agreement.
  • Both the U.S. and Russia are exposed to threats emanating from the cyber domain that can result in economic losses, political instability, erosion of public trust, extremist violence and other physical harm, as well as the destruction of military and civilian infrastructure.
  • Both the U.S. and Russia view misinformation and disinformation disseminated by cyber means as highly problematic.
  • The Russian government tries to maintain greater control over domestic cyberspace than does the U.S., primarily to ensure political stability.
  • At some point the U.S. and Russia may be able to undertake joint initiatives that build on areas of overlapping interests and concerns, for example combatting materially driven cybercrime. (NB: The U.S. authors are more skeptical about such efforts than the Russian author.)
  • If ever a cyber rules-of-the-road agreement is signed, the U.S. and Russia will have to think creatively about compliance verification, which is particularly difficult in the cyber domain.

Points on which the Russian and U.S. authors disagree:

  • While the Russian author believes that a risk of cyber-related escalation to kinetic conflict between Russia and the U.S. does exist (for instance, in the event of a cyber breach of the other side’s weapons systems), the U.S. authors are hesitant to affirm the likelihood of such escalation as there have not yet been significant real-world examples of it and, more generally, the risks are still underexplored. (At least one study has concluded that great-power cyber competition in the 21st century does not “create new escalation risks.”) Instead, the U.S. authors consider the greater risk to come from unintended, or intended, destruction or catastrophic damage resulting from malware.
  • While the Russian author believes the U.S. should “be more open to dialogue without preconditions,” the American authors call for “codified procedures for negotiations,” with a “clearly defined timeline and set list of topics,” as one of the conditions for moving toward a bilateral cyber agreement. Moreover, the U.S. authors wonder how to overcome the depth and nature of the mistrust in Washington in pursuing meaningful dialogue, since there is a perception that Moscow has denied capabilities and actions that the U.S. considers to be well established.
  • While the U.S. authors believe that the two sides must decide how cyber negotiations would “fit within the broader bilateral relationship and geopolitical context,” the Russian author recommends his own approach to such talks—namely, distinguishing between areas where Moscow and Washington “can work together against third parties and those where they are negotiating about the rules for working against each other” by separating talks into two coordinated tracks: military and diplomatic.
  • The authors likewise have differing assessments of cyber-related progress on the diplomatic front: While the Russian author describes “impressive successes” in bringing the U.S. and Russian positions on cybersecurity closer together at the U.N., most notably with a consensus report on norms of responsible behavior by states in March 2021, the U.S. authors note that Russia has used multilateral institutions, including two U.N. groups on cybersecurity, “to advance its own conceptualization of cyber norms, sometimes undermining Western influence.”
  • Finally, as noted above, the U.S. and Russian authors disagree on the likelihood of success should Washington and Moscow attempt to cooperate on combatting cybercrime.

Points on which the respective authors cover ground that their counterparts do not:

  • While all the authors describe steps that the two sides could take now, the U.S. authors devote considerable attention to five prerequisites they consider necessary for the start of future talks on bilateral cyber rules of the road: codified procedural norms (as noted above), the appropriate rank of participants on both sides, clear attribution standards, a mutual understanding of proportional retaliatory actions and “costly signaling.”
  • The Russian author believes that Moscow must agree to discuss cyber-related topics in a military context. (Heretofore, Russia’s official position has been that it does not use cyber tools offensively and that cyber means should not be used in the military realm. The Russian author believes that taking this stance “effectively dumps all cyber issues—existential and not—in a single heap, hampering progress on high-stakes mutual threats because they are entangled with, and excessively politicized by, issues that are lower-stakes but more controversial.”)
  • The Russian author likewise believes the U.S. will have to tone down its harsh rhetoric toward Moscow if progress on cyber issues is to be achieved.
  • The U.S. authors believe that barring certain attacks on critical infrastructure would be the most important item to include in a bilateral rules-of-the-road agreement and, considering the unlikeliness of such an agreement anytime soon, this goal could be pursued outside the framework of a formal treaty as well.
  • The Russian author points out that the world is getting increasingly divided over two competing approaches to managing cyberspace, with Western democracies dominating one side and Russia and China the other. By tallying several key indices for countries cosponsoring competing cyber-related resolutions proposed by Russia and the U.S. at the United Nations in 2018 and 2020, he demonstrates that the countries on Russia’s side are “much less technologically advanced and politically less integrated into the digital world” than those on the U.S. side: “There seems to be a clear borderline between the nations that pursue strong government control similar to Russia’s ‘sovereign internet’ or China’s ‘Great Firewall’ and those that promote freedom of speech and a more democratic internet.”
  • If the goal of concluding a U.S.-Russian cyber treaty were to become more realistic, the U.S. authors conclude that buy-in from the U.S. legislative branch would be crucial and rules that narrowly focus on technical infrastructure—for example, forbidding illicit changes to ballots or hacks of election software and hardware—may be the most palatable for both sides, as opposed to broader, more general rules.
  • The U.S. authors believe that key concerns for the U.S. government in the cyber domain include stopping foreign interference and disinformation intended to undermine American democracy, protecting critical infrastructure, preventing or guarding against reckless malware and safeguarding confidential communications, and that some of the related threats emanate “directly from Russia.” One of Moscow’s chief interests, in the U.S. authors’ view, is “weaponizing cyber capabilities to sow discord and embarrass Western powers it views as undermining its sovereignty (principally the United States).”
  • The Russian author does not speculate on national interests per se but does describe major cyber-related disagreements between Russia and the U.S. in at least three major areas: the role of government in overseeing cyberspace; the militarization of cyberspace and the related applicability of existing international law; and the idea of legally binding treaties versus non-binding guidelines for how information and communication technologies should be used.

 

Table of Contents:

Introduction    1

Prospects for US-Russia Cyber Rules of the Road: An American Perspective    7

Why a US-Russia Cyber Agreement Is Needed but Currently Not Possible     10
Conditions Necessary for Negotiating a Successful Agreement     13
Structure of a US-Russia Cyber Agreement    17
Should the US and Russia Pursue Confidence-Building Measures and, if So, Which Ones?    27
Conclusion: Long Road Ahead    31

Prospects for US-Russia Cyber Rules of the Road: A Russian Perspective    33
Cyber Bones of Contention in US-Russian Relations    37
Russia’s Approach to Internet and Information Regulation: 
A Digital Iron Curtain?    41
Russian Threat Perception Vis-à-Vis US Cyber Priorities    45
Potential Basis for Cooperation    48
Conclusions and Recommendations     63

Conclusion: In Search of Understanding    65

Appendix 1     67
Appendix 2     69


Read the full version on Russia Matters:

For more information on this publication: Belfer Communications Office
For Academic Citation: Zabierek, Lauren, Christie Lawrence, Miles Neumann and Pavel Sharikov. “US-Russian Contention in Cyberspace.” Edited by Simon Saradzhyan. Paper, June 2021.

Editor