One particular outcome of the Russia–U.S. summit was that bilateral consultations on information security were announced to be launched. While this is not a new issue for Russia and the United States, it has never been a top priority at a bilateral summit. It is emblematic that another negotiation track launched by Vladimir Putin and Joe Biden focuses on strategic stability, which has been the traditional pocket of cooperation between the two countries for decades. The decision to start a cyber dialogue reflects the increased importance of the digital dimension of national security, while serving as a reminder of how difficult it is to forge agreements in this area. While Moscow and Washington have garnered rich experience in nuclear arms talks, they are yet to find workable solutions to cyberspace issues.
At the meeting, a lot of emphasis was put on protection against cyberthreats, which came as no surprise to anyone who had followed the parties’ statements immediately before the summit and their bilateral relations in recent years. U.S. officials and businesses have been accusing Russia of organizing cyberattacks ever since the scandal surrounding the interference in the U.S. 2016 presidential elections. These accusations have served as pretexts for expelling diplomats, imposing sanctions, and probably using America’s cyber capabilities against Russian organizations (one such attack was confirmed by none other than Donald Trump). The U.S. leadership considers Russia one of America’s main adversaries in cyberspace, which was enshrined in strategic documents adopted during Trump’s presidency. However, this perception will most likely subsist under the current administration.
By the time of the summit, both Russia and the United States had formulated specific proposals on cooperation in cyberspace. Russia’s main proposals had been expounded on in Vladimir Putin’s September statement. The document outlines the programme of restoring cooperation to include four points: resuming inter-agency dialogue; maintaining communication channels on ICT-related matters (instruments established back in 2013); drafting an agreement on preventing incidents in cyberspace; and exchanging guarantees of non-interference in domestic affairs. Finally, the document contained another proposal addressed to all states: to make a political commitment of no-first-strike with the use of ICTs against each other.
The United States put two items on the summit’s agenda. First, Biden called upon Russia to be more active in combating cybercrime. Second, the President proposed that the sides agree that critical infrastructure should not be a target for cyberattacks.
Diplomats and representatives of government agencies from both sides will take part in consultations, where they will determine which topics from the wide range of issues are most promising to ensure the security of Russia and the United States. The interests of both parties will need to be carefully balanced here. This will require compromises and—in the case of the United States—explaining why such concessions are needed to those who believe that there is no point trying to negotiate with Russia.
The parties are not launching this process from scratch, since they have a long history of negotiations on cyber issues. This is crucial to the success of the consultations.
In addition to the bilateral track, Russia and the United States have worked together on ICT issues within the multilateral framework of the United Nations. Since the 2000s, the countries—in working in a number of successive Groups of Governmental Experts (GGEs) and the Open-Ended Working Group (the OEWG)—have succeeded in devising norms of responsible state behaviour in cyberspace, reaching the general understanding on the applicability of international law to this area, and setting up cooperation mechanisms that countries could use to strengthen national and international security. Even though the relations between the two countries may be at a low ebb, U.S. and Russian diplomats were actively engaged in adopting two important cybersecurity reports this spring: one in March under the auspices of the OEWG (which comprises all UN members) with another in May under the auspices of the GGE (which is made up of experts from 25 nations). The latter contains a range of applied recommendations that could be useful for U.S.–Russia consultations as well.
In spite of this experience, Russia and the United States have failed to resolve the serious cybercrime issues. This is hardly surprising, as the technical features of the digital environment distinguish it from the physical world, and customary instruments for resolving disputes are not easily applicable here.
However, inter-state rivalry, including in cyberspace, is rooted in political motives, which means that solutions can also be found within the political dimension. Moreover, should Russian and U.S. law enforcement agencies succeed in setting up working relations, the issue of combating cybercrime could, to some degree, be depoliticized. In that sense, the decision to launch consultations on information security is an important achievement that allows Moscow and Washington start looking for ways to arrive at more stable relations together.
One particular outcome of the Russia–U.S. summit was that bilateral consultations on information security were announced to be launched. While this is not a new issue for Russia and the United States, it has never been a top priority at a bilateral summit. It is emblematic that another negotiation track launched by Vladimir Putin and Joe Biden focuses on strategic stability, which has been the traditional pocket of cooperation between the two countries for decades. The decision to start a cyber dialogue reflects the increased importance of the digital dimension of national security, while serving as a reminder of how difficult it is to forge agreements in this area. While Moscow and Washington have garnered rich experience in nuclear arms talks, they are yet to find workable solutions to cyberspace issues.
Cyber Espionage and Extortionists
At the meeting, a lot of emphasis was put on protection against cyberthreats, which came as no surprise to anyone who had followed the parties’ statements immediately before the summit and their bilateral relations in recent years. U.S. officials and businesses have been accusing Russia of organizing cyberattacks ever since the scandal surrounding the interference in the U.S. 2016 presidential elections. These accusations have served as pretexts for expelling diplomats, imposing sanctions, and probably using America’s cyber capabilities against Russian organizations (one such attack was confirmed by none other than Donald Trump). The U.S. leadership considers Russia one of America’s main adversaries in cyberspace, which was enshrined in strategic documents adopted during Trump’s presidency. However, this perception will most likely subsist under the current administration.
The first cyber crisis happened before Joe Biden’s inauguration. In December 2020, the cybersecurity company FireEye discovered that SolarWinds, a software package used by thousands of customers, including U.S. government agencies, had been hacked. The attack, which many believed had been carried out by Russia, was a big story in the media for weeks. Biden was eventually forced to make a statement about the attack, where he promised to make cybersecurity a top priority, ensuring that the people or governments behind the attacks would face a forceful response. In April, the United States officially accused the Russian intelligence agency of the SolarWinds attack and imposed new sanctions against the country.
However, a month prior to the summit, another incident—the ransomware attack on Colonial Pipeline, the operator of the America’s largest fuel pipeline—highlighted the relevance of cyber threats for the United States. While the hackers failed to disable the infrastructure, they still infected the corporate information systems with a virus that forced the company to suspend the pipeline’s operations for six days. This provoked panic purchases of fuel on the East Coast of the United States, with prices surpassing anything that had been seen in recent years. The U.S. government accused the “ransomware as a service” hacking group DarkSide, which rents its ransomware out to partners. DarkSide hackers have alleged ties with Russia or other Eastern European countries, though Joe Biden and high-ranking members of his administration stressed that they did not consider Russia to be involved in the incident. The President said that he was planning to discuss with Putin certain standards for actions that countries could take against cybercriminals behind such ransomware attacks.
The Dangers of Attribution
Russia has an entirely different view of the information security as a dossier in the U.S.–Russia relations. The Russian authorities have consistently denied the accusations put forward by the United States and its allies, citing a lack of evidence and the fact that Russia has no reason to carry out such attacks. The West considers public attribution of cyberattacks (i.e. identifying the guilty party) a tool for deterring such actions, a practice that Russia criticizes, since the (if not deliberately false, then insufficiently substantiated) attribution of responsibility can be used as a pretext for hostile retaliatory steps: imposing sanctions, conducting cyber operations or even a military response. These concerns are based on the fact that the NATO members have recognized cyberspace as a theatre of operations as they declared in 2014 that a cyberattack could serve as a reason to invoke Article 5 of the North Atlantic Treaty.
Although Russia condemns public cyberattack attribution, Russian officials sometimes make statements indicating that they see the United States as a source of cyber threats. For instance, in August 2020, Oleg Khramov, Deputy Secretary of the Security Council of the Russian Federation, noted, “[Our] analysis of reports by leading foreign and Russian companies working in information security indicates that the largest number of computer attacks are carried out using the information infrastructure located in the United States”, with Vladimir Putin having made a similar assessment at the post-summit press conference. In September 2020, Andrei Krutskikh, Special Representative of the President of the Russian Federation for International Cooperation in Information Security, said that the DDoS attacks on the infrastructure of the Central Electoral Commission and other government agencies carried out during voting on the amendments to the Russian constitution came from the United States, the United Kingdom, Ukraine and a number of CIS states.
Russia believes that information security issues must be handled jointly and that unilateral actions that could have dangerous implications should be avoided. However, the U.S.–Russia dialogue on the subject has been frozen over the last five years. When the Trump administration came to power, Russian diplomats proposed launching U.S.–Russia consultations on information security. The U.S. and Russian Presidents discussed such possible cooperation at the G20 meeting in July 2017. However, these attempts proved unsuccessful owing, among other things, to the fact that Russia and cyberattacks were a sensitive issue for Trump throughout his presidency as well as a source of constant criticism by his political opponents.
In September 2020, Vladimir Putin proposed a comprehensive programme for restoring U.S.–Russia cooperation in information security. With the presidential campaign underway, the United States negatively responded to these proposals, but Russia’s suggestion was clearly addressed to the new administration as well. Sergey Lavrov said that Russia confirmed its proposed information security programme following Joe Biden’s inauguration and expected to receive some response in Geneva.
Points for Discussion
By the time of the summit, both Russia and the United States had formulated specific proposals on cooperation in cyberspace. Russia’s main proposals had been expounded on in Vladimir Putin’s September statement. The document outlines the programme of restoring cooperation to include four points: resuming inter-agency dialogue; maintaining communication channels on ICT-related matters (instruments established back in 2013); drafting an agreement on preventing incidents in cyberspace; and exchanging guarantees of non-interference in domestic affairs. Finally, the document contained another proposal addressed to all states: to make a political commitment of no-first-strike with the use of ICTs against each other. At the post-summit press conference, Vladimir Putin also noted that while Russia had responded to American inquiries concerning cyberattacks against U.S. facilities, the United States had not responded to a single one of Russia’s 80 inquiries made over the course of the past 18 months.
The United States put two items on the summit’s agenda. First, Biden called upon Russia to be more active in combating cybercrime—in particular, with groups using ransomware (along with the Colonial Pipeline, hospitals and city authorities have faced this problem during the past two years as late May saw an attack against the large meat producer JBS). Second, the President proposed that the sides agree that critical infrastructure should not be a target for cyberattacks. At the press conference, he said that he had given Russia a list of 16 critical infrastructure sectors. Curiously, this list was approved in the United States back in 2013 and includes industrial enterprises, the financial sector, emergency services, government facilities (including the electoral infrastructure) and other important areas. The U.S. definition of critical infrastructure largely overlaps with those areas Russia lists in its law “On the Security of the Critical Information Infrastructure of the Russian Federation” (Federal Law 187-FZ).
At his press conference, Joe Biden emphasized that the United States had major cyberspace capabilities and was willing to use them should Russia interfere with the operations of U.S. critical infrastructure. Some consider the question that Biden asked Putin about how he would feel if Russian pipelines got taken out by ransomware as such a warning. The United States is thus signalling that it is set to engage in deterrence in cyberspace. Russia has an equivocal attitude to such an approach. In 2018, Andrei Krutskikh said the model of deterrence does not apply in cyberspace. However, in 2019, he stated, “Those who come to us (cyber)sword in hand will die by the sword.” The deterrence concept is enshrined in Russia’s official documents: the 2014 Military Doctrine names reducing the risk of using the ICT for military and political purposes as one of the principal deterrence objectives; and the 2016 Information Security Doctrine considers deterrence as a key area in ensuring information security.
Prospects for Consultations
Diplomats and representatives of government agencies from both sides will take part in consultations, where they will determine which topics from the wide range of issues are most promising to ensure the security of Russia and the United States. The interests of both parties will need to be carefully balanced here. This will require compromises and—in the case of the United States—explaining why such concessions are needed to those who believe that there is no point trying to negotiate with Russia.
The parties are not starting this process from scratch as they have a long history of negotiations on cyber issues. This is crucial to the success of the consultations. Meetings on this subject began over two decades ago. The first known example is the visit of a U.S. military delegation to Moscow in 1996. Talks were most active in the early 2010s and resulted in Vladimir Putin and Barack Obama adopting a set of arrangements on cyber issues in June 2013 that saw special communication channels established (according to a statement made by Putin in September 2020, these should be maintained in working order) and a working group set up on issues of threats to use information and communication technologies (ICTs) and on the ICTs in the context of international security that is to meet on a regular basis. The 2013 agreements became known as the world’s first bilateral set of confidence-building measures in cyberspace.
In 2014, the ICT working group was frozen amid the Ukrainian crisis—along with the work of the bilateral Presidential Commission. The next (and last) bilateral meeting between U.S. and Russian delegations was in Geneva in April 2016, where they discussed, among other things, the 2013 agreements. At that meeting, as Andrei Krutskikh said, they discussed the idea of preventing cyberspace incidents. The next meeting was to be held in February 2018, but the U.S. delegation told the Russian side at the last moment that the meeting had been rescheduled (effectively cancelled).
In addition to the bilateral track, Russia and the United States have worked together on ICT issues within the multilateral framework of the United Nations. Since the 2000s, the countries—in working in a number of successive Groups of Governmental Experts (GGEs) and the Open-Ended Working Group (the OEWG)—have succeeded in devising norms of responsible state behaviour in cyberspace, reaching the general understanding on the applicability of international law to this area, and setting up cooperation mechanisms that countries could use to strengthen national and international security. Even though the relations between the two countries may be at a low ebb, U.S. and Russian diplomats were actively engaged in adopting two important cybersecurity reports this spring: one in March under the auspices of the OEWG (which comprises all UN members) with another in May under the auspices of the GGE (which is made up of experts from 25 nations). The latter contains a range of applied recommendations that could be useful for U.S.–Russia consultations as well.
In spite of this experience, Russia and the United States have failed to resolve the serious cybercrime issues. This is hardly surprising, as the technical features of the digital environment distinguish it from the physical world, and customary instruments for resolving disputes are not easily applicable here.
However, inter-state rivalry, including in cyberspace, is rooted in political motives, which means that solutions can also be found within the political dimension. Moreover, should Russian and U.S. law enforcement agencies succeed in setting up working relations, the issue of combating cybercrime could, to some degree, be depoliticized. In that sense, the decision to launch consultations on information security is an important achievement that allows Moscow and Washington start looking for ways to arrive at more stable relations together.