US-Russia cybersecurity talks: right script, wrong actors?
Should the US and Russia hold talks on cybersecurity? In July of 2017, a lot of Americans shouted “No!” when US Secretary of State Rex Tillerson said that the two countries were contemplating working together “to better understand how to deal with these cyber threats.” I can understand why people are voicing objections to this idea, but it is not, in my opinion, an inherently bad idea. Indeed, I would argue it’s a case of good idea, bad timing—and/or actors.
Consider these two propositions:
A. President Trump and President Putin should, bilaterally and globally, seek ways to deter cybercrime and reduce cyberconflict
B. The US and Russia should, bilaterally and globally, seek ways to deter cybercrime and reduce cyberconflict.
Like a lot of my fellow Americans, I would argue that proposition A is a very disquieting prospect. Why? Because, during its first year in office, the Trump administration has shown little understanding of how diplomatic negotiation works (not to mention the fact that Trump himself has openly disparaged many of the people whose expertise and cooperation would be required in order to protect US interests during such negotiations).
On the other hand, proposition B not only strikes me as a good idea, but it also has an aura of historical inevitability. I believe that the US and Russia, and every other country, must work together to deter cybercrime and reduce cyberconflict. That is the right script, and that is the path that the world will take, if not now, then at some point in the future. But Trump and Putin are the wrong actors for this script; both lack the levels of credibility and legitimacy required to make meaningful progress.
As you might imagine, when I say to people “international cooperation and global treaties are the only way to make a serious dent in cybercrime and cyberconflict,” the response is often “Good luck with that” or “Ain’t gonna happen” or even less eloquent words to the same effect. But history tells me I am right, even if doesn’t tell me how old I will be when that eventually proves to be true.
Consider the 27 treaties listed on the website of the Arms Control Association. They all started with someone putting forward objectives that were openly disparaged or dismissed as unattainable. I freely admit that some of those objectives took a long time to attain and some of those treaties are not working as well as they need to. But I don’t think anyone believes the world would be a better place without these treaties. (Of course, I could be wrong, so tweet me @zcobb if you think arms control treaties have been a waste of time and effort).
To be clear, I am not equating nuclear and chemical weapons with cyber-weapons. The horrific effects of nuclear and chemical weapons are categorically different from the effects thus far seen from malicious code. But weaponized code has the potential to cause massive, country-wide disruption, and be an enabler of, or catalyst for, even greater impacts. If you think I am exaggerating, may I respectfully suggest you read the 2018 Chatham House report titled: Cybersecurity of Nuclear Weapons Systems: Threats, Vulnerabilities and Consequence.
While agreements to restrict the use of weapons technology always start out as a long shot, so to speak, there are always grounds for hope. My confidence in this assertion is based on my own experience. I grew up in England, which came within range of Soviet nuclear strike capability well before the continental US.
In November 1957, an article by the British writer J. B. Priestley titled “Britain and the Nuclear Bombs” made the case for unilateral nuclear disarmament. Priestley wrote: “now that Britain has told the world she has the H-bomb she should announce as early as possible that she has done with it, that she proposes to reject, in all circumstances, nuclear warfare.”
Despite many voices declaiming “Good luck with that” the article helped inspire concerned individuals to start the Campaign for Nuclear Disarmament (CND) to advocate for “unilateral nuclear disarmament by the United Kingdom, international nuclear disarmament and tighter international arms regulation through agreements such as the Nuclear Non-Proliferation Treaty.” (Wikipedia)
In less than six months, CND had joined with another pacifist group in a “ban the bomb” march. This was not a leisurely walk in the park protest, this was a serious, four-day, 52 mile march from London to the Atomic Weapons Research Establishment at Aldermaston. This became an annual protest joined by tens of thousands of people carrying the peace sign, a symbol that was created for the CND movement. (In 1961, my mother took me with her to join 150,000 other people for a day’s worth of marching.)
How much did the CND and the Aldermaston March influence public policy on nuclear weapons? I don’t know. What I do know is that after the Cuban missile crisis in 1962, political and diplomatic efforts to constrain the spread and development of nuclear weapons accelerated. In 1963, a treaty known as the Partial Test Ban Treaty (PTBT) was signed by the US, the Soviet Union, and the UK (the full name is the Treaty Banning Nuclear Weapon Tests in the Atmosphere, in Outer Space and Under Water).
While the PTBT was not a comprehensive treaty and it only banned testing, not development or production, international agreements have progressed dramatically since then. Yes, there are still nuclear and chemical weapons out there; but there is an established international regime for limiting, monitoring, and constraining their development and deployment.
Personally, I am glad that the early proponents of a treaty-based response to those weapons were not discouraged by people who were — quite understandably at the time — skeptical that any progress could ever be made.
After three decades spent researching the security of digital systems, it seems clear to me that what is required to address the problems of international cybercrime, cyberconflict, and government deployment of weaponized code, is international negotiation, even between governments and countries that have profoundly different politics. Remember, the capitalist imperialists of the US negotiated with the godless communists of the Soviet Union to reach numerous weaponry-related agreements, even before the Cold War ended.
I do recognize that there is a practical problem with this approach right now: the current US administration would appear to lack the diplomatic chops for this type of negotiation (or chopped those who had them?). There are several possible reasons for this. The administration may be headed by someone who does not understand diplomacy and is in denial about the Russian cyberattack on US elections in 2016.
Update, February 13, 2018: “We cannot confront this threat, which is a serious one, with a whole-of-government response when the leader of the government continues to deny that it exists” — Senator Angus King (I-Maine).
Update, February 17, 2018: “”We would love to have a cyber dialogue when Russia is sincere about curtailing its sophisticated form of espionage” — National Security Adviser H.R. McMaster.
In the hopes that there are some folks within the current administration who would like to participate in the inevitable diplomatic initiative to negotiate cyber treaties, I have provided — in my role as an eternal optimist — a handy starter list of reading materials.
- Arms Control Association list of treaties and agreements:
https://www.armscontrol.org/treaties - GCSC: the Global Commission Stability in Cyberspace:
https://cyberstability.org/ - “Can the Helsinki Process of the 1970s be a Source of Inspiration to Enhance Stability in Cyberspace?” GCSC Thought Piece Prepared by Wolfgang Kleinwächter:
https://cyberstability.org/research/thought-piece-towards-a-holistic-approach-for-internet-related-public-policy-making/ - Towards a Cyber-Security Treaty
https://www.justsecurity.org/32268/cyber-security-treaty/ - NATO CCD COE’s INCYDER (International Cyber Developments Review) lists legal and policy documents adopted by international organisations active in cyber security
https://ccdcoe.org/incyder.html - The need for a Digital Geneva Convention:
https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/ - Microsoft President Urges Nuclear-Like Limits On Cyberweapons:
http://www.npr.org/sections/alltechconsidered/2017/05/16/528555400/microsofts-president-reflects-on-cyberattack-helping-pirates-and-the-nsa - Research around government use of malware:
https://www.welivesecurity.com/2014/08/01/malware-called-malicious-reason-risks-weaponizing-code/ - “The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack”
https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/ - “WannaCry and the Challenge of International Cooperation in Cyberspace”:
https://thewire.in/148177/wannacry-and-the-challenge-of-international-cooperation-in-cyberspace/ - Why a global cybersecurity Geneva convention is not going to happen https://www.cyberscoop.com/microsoft-cyber-geneva-contention-dave-aitel-vulnerabilities/
- What the Digital Geneva Conventions mean for the future of humanitarian action
http://www.unhcr.org/innovation/digital-geneva-conventions-mean-future-humanitarian-action/ - “After WannaCrypt, Putin backs Microsoft warnings on government-made exploits”:
https://www.gcio.asia/gcio/security/after-wannacrypt-putin-backs-microsoft-warnings-on-government-made-exploits/ - “Why do we need ‘accidental heroes’ to deal with global cyber-attacks”:
https://www.theguardian.com/commentisfree/2017/may/20/cyber-attack-ransomware-microsoft-tech-giants-are-only-winners - “Microsoft’s radical idea for dishing out cyberblame”:
https://nakedsecurity.sophos.com/2017/06/13/microsofts-radical-idea-for-dishing-out-cyberblame/ - The only way to stop another WannaCry is with regulations https://www.engadget.com/2017/07/08/cybersecurity-regulations-wannacry/
- Report by UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security
http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174 - International code of conduct for information security
http://www.un.org/ga/search/view_doc.asp?symbol=A/69/723
Originally published at scobbs.blogspot.com on July 9, 2017.
