Why Joe Biden Should Start a Cybersecurity Dialogue With Russia

February 18, 2021 Topic: Cyber Security Region: Europe Blog Brand: The Buzz Tags: RussiaNATOCybersecuritySolarWindsJoe BidenVladimir Putin

Why Joe Biden Should Start a Cybersecurity Dialogue With Russia

High-level political dialogue might identify the slim common ground to curb cyber-hostilities, with quid-pro-quos not necessarily confined to the cybersphere.

 

The United States and Russia have corralled themselves into an adversarial relationship for the foreseeable future, with cyber-space as one of its major battlegrounds. The unprecedented scale of the recent SolarWinds cyber breach, attributed to Russian intelligence services, raised a debate whether the failure was due to a flawed U.S. strategy that needs a revision, or just a problem of execution. President Joe Biden promised to elevate the status of cyber within government and to launch an urgent initiative to improve capability, readiness, and resilience in cyberspace, as well as to act firmly against Russian actions. Incorporating a high-level U.S.-Russian cyber dialogue in the administration’s nascent approach towards Moscow could have considerable benefits and poses very limited risks.

Cybersecurity was on the U.S.-Russian political agenda until the end of the Obama administration. Its high-point was the establishment of “cyber-hotline,” which was used before the 2016 elections to warn Moscow against interfering. During the Trump administration, Russian attempts to initiate dialogue had floundered, as the United States was highly skeptical about Russian motives. Instead, the United States continued “imposing costs”: sanctioning and “naming and shaming.”

 

The U.S. Cyber Command had adopted a proactive approach towards Russia, including taking responsibility for offensive cyber operations and contemplating to retaliate for Russian influence operations in a similar way. Bilateral talks with Russia on cyber were considered “toxic” because they were seen as potentially turning a blind eye to or even legitimizing Moscow’s aggressive actions. Vladimir Putin’s September 25 call for a “cyber reset,” less than two months before the U.S. elections fell on deaf ears and was considered by Washington to be a cynical ploy.

The potential value of dialogue was overshadowed by deep animosity, lack of confidence, and opposing views of cybersecurity. The United States views Russia as a revisionist-revanchist power that seeks to re-establish itself and its sphere of influence. Russia, on the other hand, sees the United States as a reckless actor that must be deterred from its destructive unilateral behavior. Both accuse each other of illegal interference in each other’s internal affairs.

When it comes to cyber, the two sides simply view the realm differently and have even established competing forums on cyber at the United Nations General Assembly. Russia seeks to regulate cyberspace as a part of “international information security space,” including limitations on the freedom of ideas, while the United States understands this position as a basic challenge to the ideal of Western liberal democracy. The United States sees Russia in general, and Putin in particular, as a rogue and so it is reluctant to engage in comprehensive discussions with Moscow other than to point out the latter’s wrongdoings.

Russia is not a declining power, but a formidable rival with multifaceted capabilities to confront the West and absorb pressures, as Ambassador Michael McFaul explained in a recent article. Better and more coordinated cyber defense and pressuring Moscow might not be enough for the Biden administration to prevent escalation from spiraling out of control in cyberspace.

The silver lining in the gloomy future of bilateral relations is the willingness of both parties to recognize the importance of arms control, as is evident from the swift and unconditioned extension of the New START treaty. President Donald Trump was frequently suspected of being “too friendly” with Putin and did not believe in arms-control. The Russians were frustrated when he left the Intermediate-Range Nuclear Forces (INF) and Open Skies Treaties and tried to pressure them on START extension. President Biden can act freely in a dialogue with Moscow, without a fear that he will compromise U.S. national interests, as everybody expects him to be harsh on Kremlin.

McFaul’s formula for containing Russia allows for “selective engagement,” including an “attempt to reach an agreement on which assets can and cannot be legitimately targeted” in cyberspace. We agree that both sides would be well-served to consider their respective cybersecurity interests and develop a framework to discuss, deescalate, and even possibly agree on guidelines on the subject.

There are authoritative voices, both in Moscow and in Washington claiming that the dialogue is a complete waste of time. Yet in our opinion, there is a critical need and opportunity to move beyond the current impasse. This is rooted in several reasons. First, the changing attitude towards social media in the United States (and Europe) and the willingness to regulate it, offer a stark departure from previously held beliefs about the sanctity of freedom of speech, while recognizing the threat of disinformation.

Second, the threat of tremendous collateral damage is growing. When Russian affiliated cyberattack NotPetya was released in Ukraine, it had a devastating effect well beyond its intended targets, including shipping, pharmaceutical companies, and hospitals, evaluated at billions of dollars lost. 18,000 entities affected by the SolarWinds attack imply that the scale of potential damage could have been much wider, had it been used to destroy computer systems and not only spy on them.

Third, past experience shows that there is a potential for strategic dialogue and partial understanding about lowering the scope and intensity of cyber and intelligence ops. Russian expert Maxim Suchkov even proposed recently that Russia’s strategic logic in employing cyber operations in the United States is to bring the Americans to the negotiating table. The United States and China had come to terms on the matter during the Obama presidency, and it led to a significant drop in Chinese cyber activity in the United States for some time. The change in the atmosphere during Trump’s presidency negated the potential positive effect of those agreements. Although Russia and China have vastly different economic relations with the United States, it is not impossible to arrive at a similar outcome.

Fourth, there is a demand for better deconfliction mechanisms in an era of competition and adversity. The importance of online activities during the pandemic has grown exponentially at a time when the United States and Russia are willing to compete more forcefully, while other players (China, North Korea, Iran) with significant capabilities of their own are also engaging in cyber operations that can have significant effects (such as the WannaCry worm that devastated Britain’s National Health Services). The turbulent situation and the potential for miscalculation make it far more important to have open lines of communication between Russia and the United States, involving technical experts.

And finally, it is still possible to agree on basic rules of the game and to prevent unwanted escalation even between bitter enemies. If Israel and Hamas can reach common ground on various issues and mostly avoid escalation, even returning to a quasi-dialogue after periods of intense confrontation, then surely the United States and Russia can reap benefits from engagement.

How can we assure that such a dialogue will not be futile, like the U.S.-Russian confrontation on this exact subject in the UN? Many like to quote Winston Churchill, that “Russia is a riddle wrapped in a mystery inside an enigma,” neglecting the fact that he went on to say that, “but perhaps there is a key. That key is Russian national interest.” Russia weaponizes cyber to promote its wider interests and offset its weaknesses, and not only for the sake of cyber-space domination in and of itself. High-level political dialogue might identify the slim common ground to curb cyber-hostilities, with quid-pro-quos not necessarily confined to the cybersphere—as was achieved with some success regarding the Chinese during Obama’s tenure.

We are not so naïve as to propose a dialogue as the main course of action with the Russians, but it could expand the toolbox of the new administration. Therefore, we think that such a channel should be incorporated in a wider framework of strategic dialogue. The U.S. side should have an interdepartmental team, led by upper political level officials which include both professionals with deep understanding in cyber and military affairs and specialists on Russia.

The idea that engaging Russia on cyber may provide legitimacy to its behavior should be replaced with the understanding that dialogue is the best way to address and convey concerns without compromising on your values and interests, while creating the opportunity to arrive at mutually beneficial arrangements. McFaul thinks that the “Biden team loses nothing by offering to talk.” In the worst-case scenario, after talks, the United States will have a better understanding of Russian positions on the subject and deny Moscow the rhetorical allegation that Washington refused to talk. The same ideas were also expressed by Rose Gottemoeller, the U.S. chief negotiator of the New START treaty, who stated that “Nuclear arms control treaty negotiations cannot be done on a drive-by basis. You need sustained effort over a long period of time, and a dedicated delegation that stays in place to keep it up.” If agreements in the cyber realm are to be realized, then applying the same logic should be considered.

Daniel Rakov is a retired Lt. Col. from the Israel Defense Forces (IDF) and currently an expert on Russian policy in the Middle East at the Institute for National Security Studies (INSS) in Tel Aviv.