Which leads to the greatest challenge of all: attribution. If indeed the distinction between the private and public sector is blurred in the cyber arena, it follows that tying a particular cyber activity to a state actor instead of a private sector actor is a challenge. With few modern exceptions, it has not been hard to attribute military maneuvers to states: no one had to worry that the tank squadron might be beneficially owned and controlled by a group of patriotic teenagers coordinating the attack from their parent’s basement. The solution to attribution lies, if anywhere, in a comprehensive treaty supported by a form of joint operations where deconfliction is managed in real-time and longer-term remedies are conceptualized and codified, likely, perhaps in technical ways specific to the cyber domain, such as for example effects-based restrictions.
There is a path forward to a cybersecurity treaty between the United States and Russia. Pitfalls and foggy patches abound, but with a “going-in view” set of first principles that are fair and realistic, with an honest broker third party to assist, prepared with applicable treaty precedence, and with a short list of achievable near-term outcome, a deal has every opportunity to succeed.
And we should want a deal to succeed. As the United States moves to re-establish and re-engage on the world’s stage, Russia should loom large on its agenda. The country post-Putin will be fraught with risk. We need practical opportunities to deepen our connections with and positively influence the Russia of the future. A cybersecurity treaty is one such opportunity.
Tom Robertson is the CEO of Continental Currency Exchange, Canada’s oldest and largest bureau de change, and the founding partner of IDF, a strategic risk consultancy. His work on cybersecurity has been published by the Canadian Global Affairs Institute, the Canadian Broadcasting Corporation, and First Monday.