A pact on cyber aggression is lacking in the current roster of U.S.-Russia bilateral agreements, despite having been proposed by Russia in various forms almost yearly since 2008. Russia’s overtures have been declined by both Republican and Democratic administrations for a combination of myopic domestic political reasons and more thoughtful and legitimate strategic national interest reasons.
Now, though, as we approach the end of the Putin era with no succession plan in sight, and as we clean up the halls of governments and boardrooms of corporations following yet another devastating Russian cyberattack (SolarWinds), and, most importantly, as we embark on a new U.S. administration, the time is right to negotiate a cybersecurity agreement. Strategically, such a deal would fit snugly as an early building block within the broader rapprochement begun with the signing of the “New START” treaty extension in February.
Moreover, there is every possibility that a cybersecurity treaty will lead to meaningful and positive practical outcomes, the most obvious of which are decreases in transnational cybercrime, decreases in state-sponsored cyberattacks against the private sector, and the fostering of a semblance of state-level governance over the cyber domain. And, while that latter point will sound libertarian alarm bells, it should be readily acknowledged that codifying rudimentary cyber behavioral norms is a concept whose time has arrived, with the social media conglomerates currently deciding whether the former U.S. president should once again be allowed a voice on their platforms.
Putting Principles First
Treaties are frameworks for future cooperation leading to mutual benefit. They need not serve as comprehensive resolutions of grievances or disagreements. It should be expected that any cyber deal, particularly a version 1.0, will leave large swaths of governance issues unresolved. This “going-in” view is critical, lest the past two decades of mutual cyber aggression and domain complexity overwhelm the effort.
Second, given the exponential rate at which cyber technology evolves, a cyber treaty’s ability to measure and monitor activity will by necessity be limited to specific and often quite narrow domain characteristics. This is an important distinction from standard treaties like conventional arms, where measurement and monitoring are foundational and permissibility is codified down to muzzle size, which is reasonable given that it takes years if not decades to meaningfully evolve capabilities. Achieving aggression-checking in this fashion in the cyber domain, by defining operating parameters on offensive capabilities, for example, is impractical if not impossible.
Third, and as a consequence of these challenges, early versions of an agreement should favor process over substance. In Canada, where treaty negotiations between governments and First Nations are a mainstay of the political process, success has been elusive, but where it has been found it has largely flowed from process work, and in particular from introspective efforts to build a view of “the other” into the fabric of negotiations. Such work in this instance might consist of building state-level domain oversight into treaty protocols in recognition of its importance to Russia and a curbing of influence activities that are affronts to the United States but taken as normative by Russia.
First Steps Towards an Agreement
In the early years of Russia’s cyber truce overtures towards the United States, circa 2008-2012, much was on offer and little was held back. Russia was playing a weak hand well, as it is often believed to do, parlaying concessions for breathing room in the wake of the standing up of dedicated cyber arms of the U.S. national security apparatus and tactical shows of strength like Stuxnet.
Importantly, Russia’s more recent offers signal less of a willingness to limit its capabilities, likely a result of its tremendous success in advancing those capabilities over the past decade. Moreover, there is an implied view that in the high arc of cyber evolution, the United States is becoming ever more reliant on its interwoven cyber networks, making it increasingly more vulnerable to cyberattack than its peers. Arguably, therefore, the longer the United States waits to strike a cyber truce with Russia, the greater Russia’s comparative advantage becomes. In short, the United States is, and will remain, asymmetrically vulnerable in the cyber arena.
As such, the United States should anchor its approach to an agreement on a topic of mutual benefit and one of particular appeal to Russia: the state-level cyber domain oversight issue mentioned above. Recognition of a meaningful state role in cyber has always loomed large on Russia’s agenda, and while in the United States such a view runs counter to the nation’s libertarian cultural fabric, the new administration has an opportunity to build on a growing public distrust in the ability of the private sector to effectively regulate the cyber domain. Importantly, this public sentiment was not the majority view in the United States even a year ago; it grew from the internal social unrest and political divisiveness of the last few years and culminated in the public’s horror at the siege of the American capital by insurrectionists on January 6, 2021.
Alongside domain oversight, both parties would benefit from a third-party arbiter to help guide the conversation, affording separation and a blame-shouldering venue as disagreements arise. The United Nations (UN) is well suited for the task and indeed has often served as an effective broker in this regard. Moreover, Russia has a history of sponsoring cyber resolutions at the General Assembly, and three of those resolutions, in 2010, 2013, and 2015, led to consensus amongst member states.
The parties should next look for precedent upon which to structure an agreement, and here the UN again provides good fodder. The 1958 Geneva Convention on the High Seas, a foundational treaty in delineating state responsibility amongst a litany of contradictory national laws and historical norms, and the subsequent 1972 U.S.-Soviet Incident at Sea Agreement, which established de-escalation and deconfliction procedures for international shipping, would be good starting points for cyber negotiators. In fact, Russia’s latest cyber truce overture, in September 2020, references the de-escalation provisions of the 1972 agreement as one of four themes around which to base a first cyber treaty. (Two of the other three, formalized dialogue and regular operational-level communications, both also flow logically from the 1972 agreement, while the third, guarantees of non-intervention into internal affairs, seems ready-made for U.S. acceptance.)
Finally, as treaty conversations progress there is likely to be a flurry of ideation and cooperation that will need to be codified into policies, procedures, protocols, working instructions, and the like. This activity will serve to introduce more nuanced and difficult topics, such as surveillance acceptability and offensive operations boundaries. Adequately capturing this momentum will be crucial to the long-term intent of peaceful coexistence, and as such both sides might benefit from the establishment of a permanent joint operations organization.
Overcoming Key Challenges: Public Perception, Attack Vectors, and the Problem of Attribution
Perhaps the greatest challenge facing U.S. dealmakers is one of optics, given Russia has facilitated, encouraged, and itself conducted attacks unabated against U.S. national and private sector interests, most notoriously during the run-up to the 2016 federal election. Seen in this light, a treaty is an affront to the public and policymakers alike; it diminishes the former’s perception of American geopolitical dominance while the latter doubts Russia would abide.
The public will not be easily convinced of the truth that for every Russian-sponsored or facilitated cyberattack against the United States, equivalent U.S.-sponsored or facilitated attacks occur against Russian interests or those of other U.S. adversaries. Often more so. Indeed, there is much evidence to suggest that the United States, through its near monopolization of transnational communications channels and the vast power of institutions like the National Security Agency, conducts cyber intelligence collection efforts, influence operations, and cyberattacks of far greater scale and frequency than those conducted by Russia.
The second group, policymakers, likely need only be reminded that the arc of cyber evolution points towards a growing comparative disadvantage for the United States towards Russia and other adversaries who do not have and are not likely to have the same intertwining of domestic and national cyber networks and systems. In short, whether Russia will abide by the terms or not, it is in the United States’ best interest to seek agreement and cooperation where it can. It is the best way for the United States to curb devastating Russian-sponsored attacks and aggressive cyber operations.
Another substantial challenge, and one Simon Van Hoeve and I discussed at length in “Offensive Shifts, Offensive Policies: Cybersecurity Trends in the Government-Private Sector Relationship,” is the difficulty of bifurcating national and private sector capabilities and responsibilities in the cyber domain. While there are not many scenarios in conventional arms treaties where such a blurring would occur—which is to say one would be hard-pressed to think, for example, of tank squadrons as being private sector assets outside the realm of state control—in the cyber domain the problem is real: cyber weapons of devastating capability are relatively easy to conceptualize, require little to no raw material and a minimum of readily available finished goods to produce, and are cheap to operate.