Russia’s negative image as a “cyber aggressor” makes it more difficult for it to suggest arguments on the peaceful use of information technology to the Americans. The search for a common denominator is complicated by the fact that Moscow and Washington have completely different interpretations of interference, writes Valdai Club expert Pavel Sharikov.
Issues of cyber and information security have long become a priority in policies of both Russia and the United States. Although these issues obviously have a domestic dimension, international cooperation on countering cyber-threats is no less important. With time, it is becoming increasingly clear that national approaches to resolving cybersecurity issues differ and that they are exerting a mounting influence on foreign policy.
The role of Russian-US relations in global information security
The international community unreservedly recognises the urgency of cybersecurity. These issues are discussed at all international venues including the UN and regional organisations. That said, Russian-US relations play a special role in international security. Twenty years ago, it was Russia that launched a discussion on a package of global information security issues at the UN. Having the most powerful information and technology potential at the time, the US systematically rejected Russia’s initiatives. Today, US rhetoric has undergone a big change. In 2020, US Secretary of State Michael Pompeo declared that Russia’s “cyber activities demonstrate a complete disregard for public safety and international stability.”
Relations with the US on this issue have two dimensions: the global dimension that is linked with working out the norms of responsible behaviour of states in cyberspace and a bilateral dimension. The latter was aimed at building trust, but this area of cooperation was curtailed together with many others after events of 2014. A Russian-US dialogue on cybersecurity is in some ways similar to nuclear arms control, but there are many nuances in this respect.
Many experts and decision makers in Moscow and Washington express concern over the current state of bilateral relations in cybersecurity, especially since, in theory, an incident in this area could lead to an undesirable military escalation. Of course, the US and Russian positions on cybersecurity are probably very different; thus, consensus between Moscow and Washington on this issue could be a real breakthrough in ensuring global information security.
Moscow’s position is explained in detail not only in official documents but also in domestic research papers, including articles in MSU, MGIMO and IMEMO, and the International Affairs journal, to name a few. It would be necessary to clarify what American priorities are in order to conduct a productive dialogue with the US.
US military strategy on cybersecurity
Not long ago, the concept of “persistent engagement” evoked a broad discussion. This term does not translate exactly into Russian. “Persistent” means “continuous,” “permanent.” It is used in the same sense as the term “Advanced Persistent Threat” that translates in Russian as a “targeted” or “purposeful” attack or an “advanced sustained threat.” US official military-political publications used these terms to describe the activities of various hacker groups that threaten national security in this area. They mean that such groups present a permanent threat because they do not let up on their attacks. The word “engagement” describes the character of involvement in the conflict. “Rules of engagement” specify the rules of using arms” or “the rules of conducting combat.” So, “persistent engagement” could be explained to Russian audiences as “permanent unfriendly influence.”
This concept is studied in detail in many US publications. Judging by the open information on cybersecurity strategy, it implies a long-term information campaign conducted by the enemies of the US, including primarily China, North Korea, Iran and Russia. However, it does not go beyond the threshold of an armed conflict.
It follows from this meaning that the US views cyberattacks as forms of aggression that do not inflict heavy damage and do not pose a military threat. Hence, they do not require a military response. At the same time, they assume that a cyberattack can be powerful enough to be perceived as an act of armed aggression. This threshold is likely only defined in a classified section of the strategy along with any potential response measures that can be taken as part of the nation’s right to self defence. Military-cyber technology would probably be used in the process, but conventional arms could be employed as well. There is very little information on US offensive potential in this respect. A package of issues on defining offence and defence in cyberspace arises.
Considering the number of accusations against Moscow related to cyberattacks, the threshold of “war” has not been crossed and the right to self-defence has not been used. Alternatives for countering a Russian cyber threat are being discussed at various levels and by different US departments. Thus, investigative bodies have submitted indictments in court that show that the US is seeking a legal solution to the problem rather than seeking to use force.
Importantly, in the event of an armed conflict as a result of the further deterioration of Russian-US relations, the instruments of cyber aggression are most likely to be used in parallel with armed forces. Therefore, the efforts to prevent a cyber-aggression are unlikely to avert a conventional conflict.
The rhetoric linked with mutual accusations on interference in elections and internal affairs is a source for special concern. Indicatively, in both Russia and the US, these accusations are linked with information campaigns and cyberattacks. They have a powerful negative impact on bilateral ties and have no clear prospects for settlement.
Although Russia accused the US of interference long before 2016, this issue needs to be discussed in any agenda on cyber security. Russia’s negative image as a “cyber aggressor” makes it more difficult for it to suggest arguments on the peaceful use of information technology to the Americans. The search for a common denominator is complicated by the fact that Moscow and Washington have completely different interpretations of interference.
Russia promotes the adoption of international standards that prohibit cyber weapons to deprive their owners of the legal basis for using the right to self-defence in case of cyberattack. The US don’t believe that Russia is not developing its own military potential. Numerous accusations of cyberattacks against Russia are linked with the performance of Russian military departments, including the GRU.
Military cyber capabilities: Analogies with nuclear deterrence
To a certain extent, the Russian position is an attempt to use the concept of “mutually assured destruction (MAD)” in cyberspace, that is, a zero-sum game as regards any cyberattack – military or otherwise.
Many analysts have studied the issue of whether the concept of nuclear deterrence can be applied to cyberspace. Most believe that information deterrence is ineffective or altogether impossible.
First, nuclear deterrence is aimed at preventing any nuclear attack whereas cyberattacks take place regularly. By some estimates, millions are made every day.
Second, to deter a threat, the enemy must be convinced that in case of an aggression it will face powerful retaliation. In case of nuclear deterrence there are verification measures and tests confirming the potential of such retaliation. Meanwhile, a demonstration of cyber weapon capability would instantly deprive its owner of any advantage.
Third, there is the problem of attribution. A nuclear strike could only be made by Soviet/Russian military forces against American ones and vice versa. An unauthorised nuclear attack is highly unlikely. At the same time, cyberattacks could easily be mounted by third parties, not just under orders of military-political leadership, but state proxies, non-state actors and others.
Finally, it is not clear how to ensure parity, which is also a foundation in Russian-US nuclear deterrence.
Nevertheless, in a dialogue with the US on cybersecurity, it would be possible to use bilateral arms control agreements, especially since this practice is already being partially used.
First, there is the threshold of war. If Russia recognises cyber weapons as a class, it would become possible to discuss cybersecurity in the context of arms control issues. The key problem that will have to be resolved is to formulate the difference between military and non-military cyberattacks, as well forms of response to both.
Second, considering that it is impossible to achieve parity in offensive cyber potential and verification, perhaps it would be possible to use the logic of the ABM Treaty and concentrate on defence issues. In this case, it might be possible to reach, at least as a declaration, an agreement on what targets cannot be hit. The creation of artificial vulnerability in cyberspace, which could come down to a mutual, reasonable reduction in the secrecy of military cyber potential and a strategy for its use could parallel the “limited ABM” approach. To accept a commitment to renounce offensive actions in cyberspace it is necessary to define the difference between offence and defence. It makes sense to partially publish doctrines and strategies on using cybersecurity by analogy with publications on nuclear strategies.
Prevention of incidents. Regretfully, the absence of a constructive dialogue between Moscow and Washington increases the risk of incidents that could provoke the escalation of tensions. In the 1960s, after the Cuban crisis, the USSR and the US adopted confidence-building measures that reduced the risk of nuclear incidents. Thus, they established a hotline between the White House and the Kremlin. In 2013, a similar hotline was established for information exchange on cybersecurity issues.
It is very important to develop dialogue with the US with due account of its domestic political balance of forces. Following the election, it is quite possible that the Democratic Party will enhance its position in Congress and probably also in the White House. Therefore, the position on cybersecurity may also see change. In the past four years, the development of offensive cyber capabilities has been a priority for the Republican Party on cybersecurity.
Assistant Secretary of State for International Security and Nonproliferation Christopher Ford noted: “Accordingly, the United States has long rejected efforts to impose traditional arms control measures on offensive cyber capabilities. Such a stance is especially important given the degree to which Russian and PRC campaigns to promote ‘arms control’ in cyberspace have focused less on actual measures to reduce the risk of conflict involving technical cyber operations than they have focused on efforts merely to co-opt arms control rhetoric in support of campaigns by those authoritarian regimes to legitimise oppressive controls over the political content of Internet.” It is clear from this statement that Russia and the US have very different priorities on cyber and information security issues. He refuses to discuss offensive cyber capabilities but at the same time admits that a “sufficiently significant non-nuclear strategic attack,” a term used in US nuclear doctrine, includes the instruments of cyber-aggression.
The Democrats pay a lot of attention to the guarantees of information confidentiality, net neutrality and protection of the electoral infrastructure. If the Democrats win, there is reason to expect less interest in the issues of Russian interference and the development of offensive military cyber capabilities. In this case, an opportunity for a productive dialogue is more likely.
Apparently, as long as cyberattacks are in the grey zone of international law, the incidents capable of triggering an escalation remain highly probable. Obviously, to increase predictability and reduce tensions it is important to search for common ground. Probably, common rules on using military cyber capabilities can be negotiated in the context of arms control.