Status: Open

New US Approaches to Risk Reduction in Cyberspace and Russia’s Place in It

December 18, 2021

Sergey Sebekin , Ilya Storchilov

The Valdai Discussion Club

 December 18, 2020.

It looks as if Washington’s activities are based on the unproductive premise of doing anything other than what Russia suggests. This approach will maintain the division for years without any hope for rapprochement in cyberspace or on the entire range of cooperation issues on the international agenda, Sergei Sebekin and Ilya Storchilov write.

On October 20, 2020, the US Department of State published a very interesting paper titled International Security in Cyberspace: New Models for Reducing Risk, by US Assistant Secretary of State for International Security and Nonproliferation Christopher A. Ford. Dr Ford articulated Washington’s views on combating threats in cyberspace based on promoting the norms of responsible state behaviour and deterrence-focused cyberspace security policy. Moreover, the main focus in the paper is on cybersecurity interaction with Russia.

It is notable that the paper has reaffirmed the emergence of a new era of great power competition. 

The return of long-term, strategic competition among nations was first highlighted in the National Security Strategy of the United States of America, published in December 2017, which said that “after being dismissed as a phenomenon of an earlier century, great power competition returned,” This concept was reaffirmed in the National Defence Strategy in January 2018, which claims, among other things, that “interstate strategic competition, not terrorism, is now the primary concern in US national security.” However, these two documents only mentioned great power competition in a general context, whereas the focus shifted to strategic competition in cyberspace in the Department of Defence Cyber Strategy and the National Cyber Strategy (both published in September 2018). The next step towards proclaiming cyberspace an area of long-term, strategic competition between great powers was made in a report of the US Cyberspace Solarium Commission published on March 11, 2020.

However, the October 2020 paper is especially interesting because the idea of the return of great power competition is seasoned with strong anti-Russia rhetoric. According to the paper, Russia is not just one of the main US adversaries, but also a revisionist state. In addition, Dr Ford uses terms with regard to the Kremlin that are unworthy of an official document like “barbarism,” “ugly tyranny,” and an authoritarian and dictatorial regime.  In particular, Moscow is accused of cyberattacks against critical infrastructure around the world, including in the United States, the use of cyber tools to influence US elections, disinformation, “egregious cyber behaviour,” as well as preparing for nothing less than “all-out warfare in the cyber domain.” 

Since numerous adversaries, including China, Iran and North Korea, are producing long-term, strategic cyber threats against the United States, the paper pointed out the possibility “that a future cyber attack could constitute a use of force or armed attack.”  Even though this is only a distant possibility, Washington has already issued a number of explosive warnings.

It is alarming that Dr Ford writes, citing the US Nuclear Posture Review of February 2018, that the United States does not rule out even the possible use of nuclear weapons in response to a cyber attack that constitutes a “significant non-nuclear strategic attack.”

This formula was first used in the 2018 Nuclear Posture Review, and it is this component of Dr Ford’s paper that has provoked the derision and criticism of American experts, who wrote immediately that the NPR clearly stipulated the possibility of using nuclear weapons in response to cyber attacks. Members of the Trump administration refuted the allegation, saying that the NPR does not stipulate that at all. “The idea that we would resort to a nuclear attack based on cyber is actually not supported by the document,” Vice Chairman of the Joint Chiefs of Staff Air Force Gen. Paul Selva pointed out. “That’s just fundamentally not true.”

The situation has changed dramatically since then. If the NPR did not directly define a cyber attack as a “significant non-nuclear strategic attack,” the 2020 State Department’s paper says clearly that nuclear weapons could be used in response to a cyber attack. This shift is extremely important. The NPR only mentioned significant non-nuclear strategic attacks in a general context, while experts assumed that such attacks could include cyber attacks. Now an official document on cybersecurity mentions the possible use of nuclear weapons in response to cyber attacks.

In our opinion, such statements are reckless, hazardous and can further destabilise the rapidly deteriorating international situation. The world has not accumulated any empirical experience when it comes to the potentially destructive effects of cyber attacks, and so the use of nuclear weapons in response to cyber attacks is absolutely out of line. However, the admission of this possibility in an official US document is extremely alarming.

We mentioned that the State Department’s paper formulates two methods for reducing cybersecurity threats: promoting the norms of responsible state behaviour and deterrence-focused cyberspace security policy. In other words, working together with Russia to ensure information security and promote standards for responsible state behaviour in cyberspace is not a choice for Washington. The White House is only ready to cooperate with “like-minded states” in ensuring cybersecurity. The approach has been indicated to lay the groundwork for identifying those behind a cyber threat since the ability to “find and punish” has not yet been fully developed.

Dr Ford accuses Moscow of reneging on its prior commitment to the principle of the applicability of international humanitarian law (IHL) to cyber operations in armed conflict, a consensus agreement which was reached within the framework of the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security in 2013 and reaffirmed in 2015. The worst part is that, according to the paper, such Russian logic would seem also to justify “indiscriminate massacres of civilians during armed conflict if it is ‘too hard’ to distinguish between civilians and combatants.”  The allegation that the Kremlin refuses to accept some principles so as to be able to freely massacre civilians is absurd and ungrounded. What massacres does Dr Ford have in mind? Russia has not undertaken any cyber attack to massacre anyone. The implication that Russia is systematically massacring non-combatants is pure allegation that is not based on any evidence.

Furthermore, while declaring the promotion of the norms of responsible state behaviour at the UN and emphasising US efforts towards this at the UN Group of Governmental Experts (GGE) on Developments in the Field of Information and Telecommunications in the Context of International Security in 2013 and 2015, the paper does not even mention Russia’s contribution to promoting universal norms of behaviour in the information space at the GGE. Washington has probably forgotten that it was Russia who added the issue of information security to the UN agenda in 1998, when it submitted a draft resolution on developments in the field of information and telecommunications in the context of international security at a meeting of the First Committee of the UN General Assembly. An impression is being created that the United States alone is promoting norms of responsible state behaviour and that Russia is not contributing in any way.

On September 25, 2020, that is, before the US paper on International Security in Cyberspace was published, President Vladimir Putin proposed a comprehensive programme of measures for restoring Russia-US cooperation in the field of international information security, which includes positive and applicable proposals. However, Washington rejected that offer in a somewhat provocative way, as “nothing more than dishonest rhetoric and cynical and cheap propaganda.”

Speaking about resetting Russian-US relations in this field, Dr Ford pointed out that the agreement to establish a communications channel for addressing cyberspace problems, including response groups for accidents at critical facilities, which Barack Obama and Vladimir Putin signed in 2013, “did not represent a fully adequate answer.” From his point of view, it did not reflect the entire range of problems and conditions at the time of its signing. As we are all aware, Russian-US communications in the field of international information security (IIS) were suspended after allegations of Russia’s “annexation” of Crimea and interference in the 2016 US presidential election. We believe that Washington’s negative response to President Putin’s proposal made in September 2020 is aimed at gradually destroying the entire system of bilateral agreements and encouraging China to join negotiations on the IIS and arms control.

The West is promoting the implementation of the 2001 Budapest Convention on Cybercrime, which the Council of Europe has approved. However, Moscow does not support this because it rejects the right of the parties to the convention, as set out in Article 32 (b), to access stored computer data located in another party for the purpose of preventing malicious activity. According to the paper we are discussing, “28 states joined in a Joint Statement on Advancing Responsible State Behaviour in Cyberspace” in 2019, and that 20 individual states – and the European Union as a whole – also joined in condemning Russia’s “disruptive cyber attack” against Georgia in 2019. 

Overall, the Western countries support the US position in this matter and hardly ever express dissenting views in the field of the IIS. A case in point is their attitude to China’s 5G technology, which allegedly contains loopholes for spying and collecting personal user data. Not surprisingly, they propose creating their own equipment.

No negotiations are planned with North Korea and Iran to prevent potential interference in the United States’ internal affairs. At the same time, Russia has expressed a willingness to negotiate with anyone on IIS issues. Russian diplomats have managed to rally a common opinion at the regional level, but they are so far unable to convince their Western colleagues of Russia’s unselfish intentions on the global stage. Moscow is only collaborating with its traditional partners, the number of which is gradually increasing through interagency consultations on IIS matters.

In light of the above, Dr Ford draws the conclusion that deterrence-focused cyberspace security policy is preferable in relations with such adversaries as Russia. The author writes in the Deterrence section that initially “the United States seemed almost to hope that the mere example of its good-faith engagement with malicious cyber actors such as Russia and the PRC might be enough to persuade them to rein in their bad behaviour.”  The author also cites the 2017 National Security Strategy, which included a passage according to which US policies “based on the assumption that engagement with rivals and their inclusion in international institutions and global commerce would turn them into benign actors and trustworthy partners turned out to be false.”

This is why the United States tries to deter Russia rather than negotiate with it.

As part of these efforts, the United States is planning to launch an international Cyber Deterrence Initiative to build a coalition of states and develop tailored strategies against cyber aggression. The idea is based on the use of “attribution diplomacy” in cyberspace. It is assumed that close international interaction can be used to identify malicious cyber actors with a high degree of certainty. There is no use arguing against this. But if the White House thinks this, why does it reject Russian initiatives? Why does it increase its demands on Chinese companies and designers without providing any evidence to substantiate the accusations against them? 

A careful analysis of the paper has failed to reveal the role private business is expected to play in creating a safe cyberspace. Given the cross-border nature of cyberspace, businesses are playing a major role in the digital domain. States are crucial actors, of course, but the activities of transnational corporations and tech lobbies must not be overlooked either. Non-state actors can definitely influence international affairs through their activities in cyberspace, using proxy servers for malicious purposes. However, Washington is only promoting the idea of a Cyber Deterrence Initiative as a coalition of states. It is notable that the United States is mostly relying on a narrow group of like-minded states when it comes to using diplomatic methods for promoting its international information security ideas at the UN Group of Governmental Experts.

It looks as if Washington’s activities are based on the unproductive premise of doing anything other than what we suggest. This approach will maintain the division for years without any hope for rapprochement in cyberspace or on the entire range of cooperation issues on the international agenda. In other words, the US Security Department’s paper reflects the customary US attitude towards Russia in the field of cybersecurity. No evidence is provided for the allegations made against Russia. Washington only points the finger at the Kremlin, claiming that it is the cause of all destructive developments in cyberspace. Bringing ungrounded accusations is simple and easy; Washington refuses to discuss problems or conduct joint investigations into global matters. An initiative on cooperation in cyberspace has been promoted by Russian leaders, which is evidence of a growing need to rebuild mutual trust. Unfortunately, the United States is only orchestrating new provocations at this point.

Imprint:

The Valdai Discussion Club. URL: https://valdaiclub.com/a/highlights/new-us-approaches-to-risk-reduction-in-cyberspace-/?sphrase_id=1278045