Should the U.S and Russia agree on a set of cyber rules and is doing so even possible? The answer according to a recent U.S.-Russian exploratory paper we published, is yes, but not yet. The answer according to Elena Chernenko, head of Russian daily Kommersant’s international news desk, and Joe Nye, Professor Emeritus at Harvard University, as provided during a July 20 event at The Center for the National Interest was also affirmative, with both speakers pointing to U.S.-Soviet Incidents at Sea Agreement of 1972 as a model for a bilateral cyber deal.

In their remarks at the event Chernenko and Nye both cautioned against aiming for anything as grand as a cyber treaty. Nye noted that Russia has been proposing such a treaty for the past 20 years at the United Nations, but said that in his view, this is simply unrealistic because it would be unverifiable. He also noted that a U.S.-Russian cyber agreement, even if reached, could be derailed by adverse developments in other spheres of the bilateral relationship. He went on to suggest that while it is possible that the sides would be able to reach an agreement in the cyber domain that would remain effective for a little while, the risk is it could then become increasingly ignored, particularly if bilateral relations continue to deteriorate, as was the case with the 1972 agreement. Chernenko concurred with Nye’s proposition that Moscow and Washington should aim for an agreement rather than a treaty that would need to be ratified.

Nye added that with or without an agreement, the United States should continue to focus on deterrence with respect to Russia and to other state and non-state actors. He invoked a noisy party analogy when describing how that deterrence would work.

The two speakers also noted differences in the level of priority that the United States and Russia have assigned to the cyber component of their relationship: Nye argued that cyber ranks higher in the U.S. government’s view, than in the Russian government’s, while Chernenko noted that this component is “not very central” to Russia’s view of the bilateral relationship. Rather, the Russian side views cybersecurity as one of the many components of maintaining strategic stability in the U.S.-Russian dyad. High-level U.S.-Russian dialogue on strategic stability is to resume on July 28, per an agreement reached by Biden and Putin at their June 2021 summit, and the Russian side can be expected to continue pushing for the adoption of a proposition that nuclear command and control should be off limits when it comes to cyber targeting, according to Chernenko. The summit also saw the two leaders agree to launch cyber consultations while Biden also urged Putin to agree that 16 sectors of the U.S. cyber infrastructure should be off limits, but Nye wondered whether this proposition should be more nuanced. “When you declare 16 types of infrastructure off limits, then does it mean the rest are on limits?” he asked, indicating that things can happen beyond the scope of these 16 areas that should be taken very seriously. If you engage in espionage on such a scale that it seems you are preparing a battlefield—as seems to have been the case with the SolarWinds hack—then perhaps that should be off limits too, he noted. It’s one thing to engage in espionage, but if it reaches the level of the SolarWinds hack, that requires a response, he said.   

In addition to offering their thoughts on interaction between U.S. and Russian state actors in the cyber domain, the two speakers took questions on actions of non-state criminal actors. Chernenko insisted that the Russian government is interested in cooperating with U.S. authorities in fighting cybercrime, per Putin’s repeated statements on the issue while Nye noted that in the U.S. view, the Russian authorities continue to control groups of cyber criminals which they use as proxies in the cyber domain.

The two speakers were also asked whether they see any evidence of Russian-Chinese cooperation on cyber-attacks and both answered in the negative. A general Russian-Chinese alliance of convenience certainly exists in cyber, but there has not been coordination of cyberattacks by Russia and China, Nye said. Chernenko said she would not expect coordination of cyberattacks by Russia and China. Moreover, one month ago the Russian government published a great deal of technical information about a massive cyberattack on Russian infrastructure with the use of targeted phishing and a U.S. company (Sentinel Labs) deduced from that information that it was possible that the Chinese were behind that attack, Chernenko said. When asked to comment on that assessment the Russian government would neither confirm nor deny, which indicates that the Russian government may have divulged that information to let the Chinese know that the Russians know about their cyber espionage in Russia, she said.

Both Chernenko and Nye were reasonably upbeat about the short-term prospects of U.S.-Russian cyber relations. Chernenko said she had grown cautiously optimistic about these prospects after June’s Biden-Putin summit. Perhaps reports that Russian cyber ransom group REvil—which targeted U.S. assets—has gone offline could be a sign that the Russian side is trying to make the party less noisy, per Nye’s analogy, she said. Nye said he generally agreed with Chernenko’s forecast, but wanted to “hedge [his] bets a bit.” If something goes wrong in the general US-Russian relationship, that could derail their interactions in the cyber domain, he said.

Photo by kalhh, shared via Pixabay through a Creative Commons license.