CGI Asks: Time for a U.S.-Russia Cybersecurity Pact?

January 17, 2016

In each installment of “CGI Asks,” a selection of experts respond to a question on the latest developments related to Russia and Eurasia.

In the wake of alleged Russian involvement in hacking the Democratic National Committee, we asked experts whether a U.S.-Russia cybersecurity agreement — similar to a Russia-China cyber pact reached in 2015 — could help deter future attacks. 


Tyson Barker, Senior Research Fellow,  Brandenburg Institute for Society and Security (Germany)


TysonRaw nerves following the DNC hack and intelligence community reports would make a U.S.-Russia cyber agreement tough. Congress, public opinion and even some within Trump’s administration will not allow anything less than a hard-nosed deal rooted in three key principles: flexibility, verification and clearly-framed costs for violation.

For an agreement to matter, Russia’s dalliances with plausible deniability in cyber – be it active measures to influence elections, cyber crime, or critical infrastructure infiltration – must be addressed. The administration must pressure Russia to join the Budapest Convention on Cybercrime as a condition of any agreement in order to begin to “drain the swamp” of cyber crime syndicates that attack U.S. interests from Russian soil. And it should require Russia to enforce the Council of Europe’s Convention 108 on treatment of personal data in order to better protect its people online.

The Internet is global, so a future agreement must be global too.

U.S. enforcement officials must remain vigilant regarding Russian compliance with any deal. Russia’s track record here is mixed. Its occupation of Crimea and aggression in Eastern Ukraine demonstrated a wanton disregard for the Budapest Memorandum and the Helsinki Final Act.  Its compliance with the INF Treaty and other arms agreements have also been called into question, particularly by Congressional Republicans. Congress will be hawks on compliance. The U.S. would need muscular verification tools for a deal to be accepted domestically.

A splashy agreement without fangs might not be worth the paper its written on. There would need to be a clearly delineated understanding of the consequences should aspects of the agreement be violated. These could range from sanctions and visa bans to access to U.S. financial markets and SWIFT, and ultimately to cyber and kinetic measures.

Should the Trump administration be more ambitious, the U.S. could pursue a broader cyber agreement addressing hack and leaks, attacks on critical infrastructure, corrupting big data, weaponizing the internet of things and artificial intelligence (AI). But for this type of arrangement to work, the U.S. and Russia are necessary but not sufficient players. Great powers like China, the EU and India, as well as the multi-stakeholder community of corporations, civil society, hackers and other non-state actors, would also need to be represented. Ultimately, the Internet is global. Future rules of the road to protect U.S. civilian and military assets online must be global too.

Tyson Barker served as Senior Advisor to the Assistant Secretary of State for European and Eurasian Affairs at the State Department in 2014 and 2015.

Pavel Sharikov, Director of the Center for Applied Research, Institute for U.S. and Canadian Studies (Russian Academy of Science)

PavelThe current crisis in U.S.-Russia relations takes place in unprecedented conditions. While a military conflict between Russia and the United States is highly unlikely,  both countries have begun to use other instruments of power — namely, information-related tools — to influence each other politically. Meanwhile, the alleged attempts of Russian intelligence to hack American democracy have become the substitute for ideological conflict in the new Cold War 2.0.

The most debated episode of recent U.S.-Russian confrontation is the hacking of the DNC during the U.S. presidential campaign. Although the U.S. intelligence report commissioned by the Obama administration didn’t provide concrete evidence that the Kremlin ordered the attack, it uncovered some critical problems that urgently need to be addressed.

First, the problem of attribution of cyberattacks: if a non-state actor executed the hacking, then U.S. sanctions against Russian officials fail to punish the real offender. Second, the inability of the international system to address cybercrimes: there is no international mechanism that provides the possibility to investigate, prosecute, prevent or punish individuals such as those who hacked the DNC server. Third, there is the problem of a proper retaliation: the response to a cyberattack would have to be asymmetric, and must remain within the cyber realm. The use of non-cyber tools could lead to further escalation, which may turn out to be very harmful.

The United States and Russia could start with an agreement not to target each other’s critical infrastructure.

All political disagreements aside, the leaders of Russia and the United States should recognize that the use of information tools against each other destabilizes a fragile equilibrium. The research community in Russia and in the United States should consider why the 2013 U.S.-Russia agreement to cooperate on information and communications technology (ICT) security did not prevent the recent hacking. If that agreement failed to provide a system for cooperation on cyber threats, then what might be another way of countering cyber threats? If cyber issues are going to be part of the Trump administration’s agenda, it would be safe to start with an agreement not to target each other’s critical infrastructure objects.

Pavel Sharikov is the author of Information Deterrence: Transformation of the Strategic Stability Paradigm (Russian International Affairs Council).

The Center on Global Interests provides an open forum for discussion. The views represented here are solely those of the author(s).