Pierre Morcos
The first test of the cyber redlines set by President Biden in his summit with President Putin arrived on July 2, when a Russia-based hacking group known as REvil employed a ransomware attack—the largest ever—against Miami-based software company Kaseya, affecting the operations of up to 2,000 companies globally. At their June summit in Geneva, President Biden pressured President Putin to rein in Russian criminal hacking groups following a spate of similar attacks against Colonial Pipeline and meat processor JBS (REvil also claimed responsibility for the JBS attack). The two leaders agreed to resume bilateral talks on cyber issues, and according to the White House, U.S. officials have already started expert-level talks with Russian counterparts.
The Biden administration has faced criticism for engaging the Kremlin in a cyber dialogue even as Russia fails to implement cyber agreements it has already signed on to under the auspices of the UN Group of Governmental Experts. However, lessons from a recent Franco-Russian dialogue on cyber issues suggest that bilateral engagement can help the United States fulfill useful goals, short of halting Russia-based cyberattacks.
A Brief History of (Failed) U.S.-Russia Cyber Diplomacy
The idea for a bilateral U.S.-Russia cyber dialogue is not a new one. In 2013, U.S. president Barack Obama and Russian president Vladimir Putin announced the formation of a working group on information and communications technology to deepen senior-level engagement on cyber issues and to develop concrete measures to address common threats. This effort resulted in the establishment of a hotline for the two sides to talk to each other in the event of a cybersecurity crisis, although in reality it was never used. However, in response to Russia’s annexation of Crimea in 2014, the bilateral dialogue was suspended, along with other modes of cooperation under the auspices of the Bilateral Presidential Commission.
U.S. and Russian officials reengaged in Geneva in April 2016 following a devastating December 2015 cyberattack against Ukraine’s power grid. U.S. officials privately attributed the attack to Russia and observers deemed it a first-of-its-kind attack on a civilian power grid. The goal of the meeting was to review the 2013 U.S.-Russia confidence-building measures. Once again, the talks were derailed: Russia’s efforts to interfere in the 2016 U.S. presidential election, which included an effort to dox Democratic National Committee servers, made engagement on cyber issues impossible. Over the next two years, a series of diplomatic outreaches from Russia were rebuffed by the United States after deciding that Russia had no intention to engage seriously on the matter.
The French Experience
In a bid for increased transparency and predictability with Russia following Russian interference in the 2017 French presidential elections, in 2018, France initiated several channels of dialogue with Moscow on cyber issues. For President Emmanuel Macron, cyber talks were one part of a larger endeavor to engage Russia politically when, in 2019, Macron announced a strategic bilateral dialogue with Russia to work toward an “agenda of trust and security.” This effort has also included bilateral consultations on strategic stability and regional and international crises, as well as specific discussions on Syria, Libya, or Iran.
After President Macron’s visit to Saint Petersburg in May 2018, both countries agreed to establish a confidential “ deconfliction line ” to discuss cyber incidents at the level of their national security chiefs (Russia’s security council secretary Nikolai Patrushev and France’s secretary general for defense and national security Claire Landais, then replaced by Stéphane Bouillon in 2020). Even though little is known publicly about this channel, Nikolai Patrushev reportedly met with his French counterpart in July 2018, September 2019, and February 2021 to discuss cybersecurity. France and Russia have also held broader diplomatic consultations on cyber since 2019 through an interagency dialogue led by their ambassadors for digital affairs (Andrei Krutskikh and Henri Verdier, respectively). These consultations took place for the first time in Moscow in November 2019 and then in September 2020. The meetings gathered officials from the ministries of foreign affairs, justice, defense, and home affairs, as well as the French national cybersecurity agency.
In engaging Russia on cyber issues, France has pursued multiple objectives outlined in its 2018 strategic review of cyber defense. First, France sees bilateral dialogue as a venue to address “the most destabilizing and dangerous actions” coming from Moscow. Like the United States, France sought to establish a deconfliction line to confidentially convey its concerns about cyberattacks originating in Russia, avoid misunderstanding, clarify redlines, and manage escalation in the event of a crisis. Second, sustained diplomatic contact on cyber issues provides an opportunity to better understand Russian cyber doctrine and to identify the relevant stakeholders in Moscow responsible for dealing with this complex issue. Finally, France has engaged with Russia on norms of responsible behavior in cyberspace. During the first session of the interagency dialogue, the French delegation notably presented the Paris Call for trust and security in cyberspace, touched upon the negotiations on cybersecurity at the United Nations (which ended in May), and explored areas of cooperation for the fight against cyber crime and the use of the internet for terrorist purposes.
However, France is under no illusion that dialogue with Russia is likely to meaningfully alter Russian destabilizing and aggressive behavior in cyberspace. As such, France has paired engagement with a more forceful approach to exposing Russian cyberattacks and imposing diplomatic costs on Moscow. Though at the national level France has not yet publicly attributed a cyberattack to Russia, Paris has gradually beefed up its cyber posture toward Moscow. While prioritizing confidential interactions with Moscow on these incidents to avoid any form of escalation, France has nonetheless attributed cyber operations to notoriously Russian-backed hacking groups. French officials blamed Turla for an attack targeting the French Ministry of Defense in January 2019 and Sandworm for a cyber campaign exploiting a French monitoring software called Centreon in February 2021. France has also played a leading role in the European Union’s adoption of a sanctions regime against perpetrators of cyberattacks. The first EU sanctions adopted against Russia and China in July 2020 included a travel ban and asset freezes on members of Russia’s military intelligence directorate. The European Union imposed other sanctions in October 2020 against Russian officials over a cyberattack targeting Germany’s Bundestag.
What Are the Lessons for the Biden Administration?
Although Franco-Russian talks on cybersecurity are recent, France’s experience offers lessons for the U.S. administration as it contemplates yet another cyber dialogue with Russia.
First, communication must be carefully controlled. For the Kremlin, high-level meetings with France were part substance and part public relations, offering an important opportunity to signal Russia’s status as an indispensable actor on the international scene and to seek to showcase a form of respectability. Moscow will seek to formalize—to the extent possible—any format of consultation and will attempt to control and leverage any public communication around the dialogue to its advantage. France resisted Russian attempts to formalize the cyber talks through an intergovernmental agreement, refrained from publicly acknowledging the Franco-Russian cyber deconfliction line, and insisted on codrafting the dialogue’s communiqué (as was the case in 2019 ; no communiqué was released after the last session in 2020 because of the growing tensions with Moscow following the poisoning of Alexei Navalny).
Second, cyber talks must bring all relevant stakeholders to the table. The Russian ministry of foreign affairs is the appropriate interlocutor for engaging Moscow on the diplomatic efforts to regulate cyberspace, notably at the United Nations. However, when it comes to discussing Russia’s offensive cyber actions or exploring potential cooperation on cyber crime, cyber talks with Moscow should necessarily include officials openly identified as being from the Russian Ministries of Defense, Internal Affairs (in particular the Federal Security Service), or Justice. Talks should also include representatives from the Russian Federation Security Council, which plays an overarching role in this field. France was therefore careful to conduct its diplomatic dialogue with Moscow in a large interagency format. Likewise, its deconfliction line was set directly at the level of the head of the Russian Federation Security Council.
Third, expectations should be kept realistic. Setting the bar too high in a cyber dialogue with Russia is a recipe for failure. At this stage, Russia has few incentives to make serious concessions given the anonymous nature of cyberattacks. Any cyber dialogue with Moscow should have well-tailored objectives. In the case of France, the cyber talks with Russia did not aim to fundamentally change Russia’s behavior but to better understand its strategy, convey France’s concerns, and explore potential areas of cooperation. Consultations with Moscow are by no means a blank check to Russia. They should go hand in hand with a comprehensive strategy aiming to protect against cyberattacks coming from Russia and clearly communicating redlines and expectations for responsible behavior.
Fourth, allies should be informed to the maximum extent possible. Even though cyber consultations with Moscow are necessarily confidential given the sensitive nature of the matter, a minimum transparency toward NATO allies is paramount to preserve the transatlantic cohesion on this issue. Such transparency could also prove helpful for European allies that also have cybersecurity consultations with Russia, as is the case for Germany. France, for instance, briefed its EU partners and NATO allies after each session of its diplomatic dialogue with Moscow.
A Bumpy Road Ahead
Of course, Washington will have its own challenges to overcome that are specific to the U.S.‑Russia context.
For one, the political sensitivity of the issue is significantly higher in the United States than in France. The U.S. national security community viewed the SolarWinds attack orchestrated by Russian intelligence as so broadly scoped as to be almost “ indiscriminate.” Taken together with a recent spate of ransomware attacks targeting critical U.S. infrastructure (conducted by criminal networks inside Russia, but for which Moscow bears some responsibility), the political risks of engaging with Moscow on cyber are significant for the United States. Further complicating engagement is a widely shared belief that cyberattacks of Russian origin will only continue. This is in part because Russia at first perceived its cyber capabilities defensively—as a response to perceived U.S. interference in Russian internal affairs—and now sees it as an immense opportunity to damage its main opponent. Against this backdrop of mutual suspicion, a bilateral cyber dialogue is on fragile footing and could easily be derailed by now-ongoing political turbulence in the relationship.
Second, a U.S.-Russia cyber dialogue must be deconflicted from a parallel U.S-Russia strategic stability dialogue that will include a cyber dimension. While cyber should certainly be on the table at a strategic stability dialogue—for example, the two sides should agree not to use cyber weapons against nuclear command and control centers—strategic stability should not feature prominently in a separate cyber dialogue with Russia. This is because there is greater political buy-in for a strategic stability dialogue and an imperative to insulate and prioritize these talks; by contrast, a cyber dialogue with Russia is more prone to collapse. Strategic stability talks must not be derailed by the political fallout of a failed cyber dialogue.
Country-specific differences notwithstanding, the lesson the United States can learn from France is that a dialogue with Russia on cyber issues can fulfill goals short of halting Russian cyber misconduct. Such a discrete and frank dialogue provides an important forum to be more specific about standards of attribution and redlines, to identify and build relationships with the relevant officials overseeing cyber in Russia, and to manage cyberspace escalation in the event of a crisis.
No comments:
Post a Comment