Taming the cyber wild west
24 Jun 2021|

During the Cold War, summit meetings between the United States and the Soviet Union were often dominated by agreements to set limits on nuclear weapons and the systems built to deliver them. The US and Russia still discuss these topics, but at their recent meeting in Geneva, US President Joe Biden and Russian President Vladimir Putin focused in no small part on how to regulate behaviour in a different realm: cyberspace. The stakes are every bit as high.

It’s not hard to see why. Cyberspace and the internet are central to the workings of modern economies, societies, political systems, militaries and just about everything else, which makes digital infrastructure a tempting target for those seeking to cause extraordinary disruption and damage at minimal cost.

Moreover, states and non-state actors can carry out cyberattacks with a high degree of deniability, which adds to the temptation to develop and use these capabilities. We know when and from where a missile is launched, but it can take a long time to discover that a cyberattack has occurred and figuring out who’s responsible can take even longer. Such a slow and uncertain attribution process can render the threat of retaliation, which is at the heart of deterrence, beyond reach.

What put this issue squarely on the agenda of the Biden–Putin meeting is that Russia has grown increasingly aggressive in cyberspace, whether by creating false accounts on social media to influence American politics or by gaining access to critical infrastructure, such as power plants. Reinforcing the issue’s salience is the reality that Russia is not alone: China reportedly gained access in 2015 to 22 million US government personnel files—which included information that could have helped it determine who was or is working for the US intelligence community.

Likewise, in 2014, North Korea attacked Sony (and compromised all sorts of private communications) in an effort to block distribution of a satirical film that depicted the assassination of the country’s leader. This all adds up to a latter-day Wild West, with many armed people operating in a space governed by few laws or sheriffs to enforce them.

Traditionally, the US has favoured a largely unstructured internet—‘open, interoperable, secure, and reliable’, according to a policy set a decade ago—in order to promote the free flow of ideas and information. But US enthusiasm for such an internet is waning as foes exploit this openness to undermine its democracy and steal intellectual property important to the functioning and comparative advantage of its economy.

The question—easier to pose than to answer—is where to draw lines and how to get others to accept them. For one thing, the US is not without its contradictions, as it, too, carries out espionage in cyberspace (think of it as the modern equivalent of steaming open envelopes to read someone else’s mail) and reportedly, along with Israel, installed malware to sabotage Iran’s nuclear weapons program. So, any ban on activities in cyberspace would presumably be partial.

One promising idea would be to follow up on what Biden and Putin discussed, namely, to ban the targeting of critical infrastructure, including but not limited to dams, oil and gas production facilities, electrical grids, healthcare facilities, nuclear power plants and nuclear weapons command and control systems, airports, and major factories. Cyber capability can become a weapon of mass destruction when such important sites are compromised.

Even with such an agreement, verifying compliance could prove impossible, so the US would also want to introduce a degree of deterrence to ensure that parties to such a pledge honour it. Deterrence could involve the declared willingness to carry out symmetrical responses: if you target or attack our critical infrastructure, we will do the same to yours. Deterrence could also be asymmetrical: if you target or attack our facilities, we will sanction you or target your interests elsewhere.

Any such agreement would also need to be buttressed by unilateral action, given the stakes and the reality that other agreements (such as China’s 2015 pledge not to steal intellectual property) have been violated. For example, the US would want to take steps to reduce the vulnerability of its high-value systems.

It would also be necessary to declare or negotiate that claims of ignorance or denials of government involvement in aggressive cyber activity, such as when Putin said his government had nothing to do with Russian ransomware attacks, will not be accepted. The analogy here is to terrorism: in the wake of the 9/11 attacks, the US made clear that it would not distinguish between terrorist groups or governments that provided them support or sanctuary. Russia would therefore be held accountable for the actions of groups acting from its territory. Insisting on accountability should increase Russia’s incentive to rein in such behaviour.

Over time, a US–Russia pact could serve as a model that could be joined by China, Europe and others. If it were extended to China, prohibitions on the theft of intellectual property (and penalties for violating the ban) could be added. None of this adds up to disarmament, but it is the cyber equivalent of arms control, which is as good a place to start as any.