U.S.-Russian Cyber Stability Needs ‘Drunken Party’ Approach: Limits, Deterrence and Communication
(Russia Matters – russiamatters.org – Joseph S. Nye – Oct. 6, 2021)
Joseph S. Nye is a professor at Harvard and author of “Do Morals Matter? Presidents and Foreign Policy from FDR to Trump.”
Thus, even though a cyber treaty would be unverifiable, it may still be possible to set limits on certain types of behavior and to negotiate rough rules of the road by combining deterrence and norms and appealing to the self-interest of the states involved. For example, during the Cold War, informal norms that took shape between Washington and Moscow governed the treatment of each other’s spies, with expulsion rather than execution as the norm. Moreover, in 1972 the U.S. and the Soviet Union negotiated a preventing-incidents-at-sea agreement to limit naval behavior that might lead to escalation. The U.S. and Russia might negotiate limits to their behavior regarding the extent and type (not the existence) of their cyber espionage. Or they might agree to set limits on their interventions in each other’s domestic political processes. While precise treaty language is unlikely, the two sides could make unilateral statements about areas of self-restraint and establish a consultative process to contain conflict. Ideological differences would make a detailed agreement difficult, but even greater ideological differences did not prevent agreements to avoid escalation during the Cold War. Prudence can sometimes be more important than ideology.
At their Geneva summit in June 2021, President Joe Biden handed his Russian counterpart, Vladimir Putin, a list of 16 areas of critical infrastructure—including energy, healthcare, IT, financial services, chemicals and communications—that “should be off limits to attack, period.” Biden disclosed that he asked Putin how he would feel if Russian pipelines were taken out by ransomware, and in a subsequent press conference said, “I pointed out to him that we have significant cyber capability and he knows it. He does not know exactly what it is, but it is significant. And if in fact they violate these basic norms, we will respond with cyber. He knows.” But the 16 areas are very broad (and available on government websites) and the absence of strong replies to attacks originating in Russia suggests that the Biden administration has not established deterrence.
Some critics worried that specifying what needed to be protected might have implied that other areas were fair game. Besides, red lines must be enforced to be effective. But the focus of the warnings should be on the amount of damage done, not on precise lines or methods. An analogy is telling the hosts of a drunken party that if the noise gets too loud, you will call the police. The objective is not the impossible one of stopping the music, but the more practical one of lowering the volume to a more tolerable level.
When Russia or others cross such a line we will have to respond with targeted retaliation. This could involve public sanctions, but also cyber actions against politically connected actors, such as freezing bank accounts or releasing embarrassing information about oligarchs. The recent sanctioning of a cryptocurrency exchange based in Russia is a case in point. More generally, CYBERCOM’s practice of “defending forward” and “persistent engagement” can also be useful here, although it would best be accompanied by a process of quiet communication. This can be done in formal working groups, but can also be handled in intelligence channels.
Non-state actors often act as state proxies to varying degrees, but U.S.-Russian rules of the road could require their identification and limitation. Ransomware is a case in point. Here the U.S. and Russia might cooperate by treating criminals as a third party and forgo their use as proxies. In addition, as Dmitri Alperovitch has argued, we can use our offensive as well as regulatory capabilities to disrupt criminal ransomware networks and payments as we did with the ISIS terrorist network in 2015. And because the rules of the road will never be perfect, they must be accompanied by a consultative process that establishes a framework for warning and negotiation. Such a process, together with implementation of stronger deterrent threats, is unlikely to fully stop interference, but if it reduces the level, it could enhance stability in cyberspace.
Article also appeared at russiamatters.org/analysis/us-russian-cyber-stability-needs-drunken-party-approach-limits-deterrence-and, with different images, bearing the notice: “© Russia Matters 2018 … This project has been made possible with support from Carnegie Corporation of New York.”