10 October 2021

US-Russian Cyber Stability Needs ‘Drunken Party’ Approach: Limits, Deterrence and Communication

Joseph S. Nye

For two decades, Russia has proposed a cyber treaty at the U.N., and the U.S. has resisted it as unverifiable, in part on the grounds that there is often no difference between a cyber weapon and a harmless program except the unknowable intent of the user. Instead, experts from 15-25 countries have been gathering at the U.N. since 2004 to sketch cyber norms that can enhance stability. But shortly after Russia signed off on the 2015 U.N. Group of Governmental Experts report, which recommended refraining from attacks on “critical infrastructure,” Moscow seemed to violate the spirit of the document by allegedly launching cyberattacks on Ukraine’s electricity grid (a charge Russia has denied).

With mistrust high between the U.S. and Russia, it is not clear that normative agreements can really enhance cyber stability, especially without enforcement and deterrence. But there is a positive interaction to keep in mind: Norms can enhance deterrence. All too often international relations are modeled as a game of prisoner’s dilemma where each side has overwhelming incentives to cheat in a particular instance. But as political scientists have shown in computer tournaments with repeated games of prisoner’s dilemma, tit-for-tat reciprocity turns out to be the best strategy for players in the long run. Moreover, in the tacit bargaining that is involved, norms are useful points of salience. As Thomas Schelling has pointed out, in tacit negotiation, the parties may search for common points visible to both sides even if they are not explicitly articulated. And some norms—like not interfering with the “public core” of the internet, proposed by the non-governmental Global Commission on Stability in Cyberspace (of which I was a member)—are in the interest of all countries.

Thus, even though a cyber treaty would be unverifiable, it may still be possible to set limits on certain types of behavior and to negotiate rough rules of the road by combining deterrence and norms and appealing to the self-interest of the states involved. For example, during the Cold War, informal norms that took shape between Washington and Moscow governed the treatment of each other’s spies, with expulsion rather than execution as the norm. Moreover, in 1972 the U.S. and the Soviet Union negotiated a preventing-incidents-at-sea agreement to limit naval behavior that might lead to escalation. The U.S. and Russia might negotiate limits to their behavior regarding the extent and type (not the existence) of their cyber espionage. Or they might agree to set limits on their interventions in each other’s domestic political processes. While precise treaty language is unlikely, the two sides could make unilateral statements about areas of self-restraint and establish a consultative process to contain conflict. Ideological differences would make a detailed agreement difficult, but even greater ideological differences did not prevent agreements to avoid escalation during the Cold War. Prudence can sometimes be more important than ideology.

At their Geneva summit in June 2021, President Joe Biden handed his Russian counterpart, Vladimir Putin, a list of 16 areas of critical infrastructure—including energy, healthcare, IT, financial services, chemicals and communications—that “should be off limits to attack, period.” Biden disclosed that he asked Putin how he would feel if Russian pipelines were taken out by ransomware, and in a subsequent press conference said, “I pointed out to him that we have significant cyber capability and he knows it. He does not know exactly what it is, but it is significant. And if in fact they violate these basic norms, we will respond with cyber. He knows.” But the 16 areas are very broad (and available on government websites) and the absence of strong replies to attacks originating in Russia suggests that the Biden administration has not established deterrence.

Some critics worried that specifying what needed to be protected might have implied that other areas were fair game. Besides, red lines must be enforced to be effective. But the focus of the warnings should be on the amount of damage done, not on precise lines or methods. An analogy is telling the hosts of a drunken party that if the noise gets too loud, you will call the police. The objective is not the impossible one of stopping the music, but the more practical one of lowering the volume to a more tolerable level.

When Russia or others cross such a line, we will have to respond with targeted retaliation. This could involve public sanctions, but also cyber actions against politically connected actors, such as freezing bank accounts or releasing embarrassing information about oligarchs. The recent sanctioning of a cryptocurrency exchange based in Russia is a case in point. More generally, CYBERCOM’s practice of “defending forward” and “persistent engagement” can also be useful here, although it would best be accompanied by a process of quiet communication. This can be done in formal working groups, but can also be handled in intelligence channels.

Non-state actors often act as state proxies to varying degrees, but U.S.-Russian rules of the road could require their identification and limitation. Ransomware is a case in point. Here the U.S. and Russia might cooperate by treating criminals as a third party and forgoing their use as proxies. In addition, as Dmitri Alperovitch has argued, we can use our offensive as well as regulatory capabilities to disrupt criminal ransomware networks and payments as we did with the ISIS terrorist network in 2015. And because the rules of the road will never be perfect, they must be accompanied by a consultative process that establishes a framework for warning and negotiation. Such a process, together with implementation of stronger deterrent threats, is unlikely to fully stop interference, but if it reduces the level, it could enhance stability in cyberspace.
