Will Biden’s red lines change Russia’s behaviour in cyberspace?

When US President Joe Biden and Russian President Vladimir Putin held their first summit in Geneva last month, cyber weapons played a larger role on the agenda than the nuclear kind. Clearly the world has changed since the Cold War, but what, if anything, did Biden accomplish?

For more than two decades, Russia has proposed a United Nations cyber treaty. But the United States regarded such a pact as unverifiable. Unlike nuclear weapons, the difference between a cyber weapon and other computer code can depend simply on the programmer’s intent.

Instead of a treaty, Russia, the US and 13 other states agreed to voluntary norms, outlined by UN-sponsored groups of governmental experts, prohibiting attacks on each other’s civilian infrastructure and barring states from knowingly allowing wrongful acts to be staged from their territory. Although these norms were reaffirmed at the UN this past spring, sceptics note that shortly after it agreed to a 2015 report, Russia attacked Ukraine’s power grid and interfered in the 2016 US presidential election.

Unlike the US, which established a Cyber Command (USCYBERCOM) in 2010, Russia has never formally admitted to having offensive cyber capabilities. Both countries penetrate each other’s networks to gather intelligence, but it is sometimes difficult to draw a line between espionage and preparing the battlefield. That is why the US complained earlier this year about the Russian attack on the American firm SolarWinds, which is said to have infected at least nine major government agencies and more than a hundred significant corporations.

Even if formal arms control treaties are unworkable, it may still be possible to set limits on certain types of civilian targets and to negotiate rough rules of the road. For example, despite deep ideological differences, in 1972 the US and the Soviet Union negotiated an ‘incidents at sea’ agreement to limit naval behaviour that might lead to dangerous escalation.

Espionage isn’t against international law, and an agreement to ban it wouldn’t be credible. Nonetheless, the US and Russia might negotiate limits to their behaviour regarding the extent (not the existence) of their cyber spying. Or they might agree to set limits on their intervention in each other’s domestic political processes. Even if there’s no agreement on precise definitions, they could exchange unilateral statements about areas of self-restraint and establish a regular consultative process to contain conflict.

This seems to have been the approach explored by Biden in Geneva. According to press accounts, he handed Putin a list of 16 areas of critical infrastructure—including energy, health, information technology, financial services, chemicals and communications—that he said ‘should be off limits to attack, period’.

In one sense, this wasn’t new. The list of what Americans regard as critical infrastructure has long been posted on the website of the US Cybersecurity and Infrastructure Security Agency. But it’s different when one head of state hands a list to another.

After the meeting, Biden disclosed that he had asked Putin how he would feel if Russian pipelines were taken out by ransomware, as the US Colonial Pipeline was in May by criminals operating from Russia. That would be very costly for Russia’s economy, which depends heavily on pipelines to export its natural gas. The Americans didn’t attribute the ransomware attack on Colonial to the Russian government, but US experts have noted that criminal gangs in Russia seem to operate with impunity so long as they don’t attack Russian targets.

In his press conference after the summit, Biden said: ‘I pointed out to him that we have significant cyber capability. And he knows it. He doesn’t know exactly what it is, but it’s significant. And if, in fact, they violate these basic norms, we will respond with cyber. He knows.’ In other words, Biden was implying a deterrent threat if Russia continued to violate the voluntary norms prohibiting attacks on civilian infrastructure and use of its territory for harmful purposes. Putin is smart, and he certainly heard the message, but whether Russian behaviour will improve depends on Biden’s credibility.

Drawing red lines can be tricky. Some critics worry that by specifying what needed to be protected, Biden might have implied that other areas were fair game. Moreover, red lines must be enforced to be effective. The critics argue that the focus of the warning should have been on the amount of damage done, not where or how it is done.

By analogy, you don’t tell a party host to turn off all their music; you warn them that if the noise becomes intolerably loud, you will call the police. How Putin interprets Biden’s message remains to be seen in the months to come, but the two presidents did agree to establish a cyber working group that could try to define the limits of ‘tolerable’.

The US will need to state unilaterally the norms that it pledges to stand by. When Russia crosses such a line, America will have to be prepared with targeted retaliation, such as emptying the bank accounts of some privileged oligarchs, releasing embarrassing information or disrupting Russian networks. USCYBERCOM’s strategy of forward defence and persistent engagement can be useful for deterrence, but it must be accompanied by a process of quiet communication.

Criminal groups often act as state proxies in varying degrees, and the US will have to make clear that acting as a haven for cybercriminals will lead to retaliation. And because the rules of the road will never be perfect, they must be accompanied by a regular consultative process that establishes a framework for warning and negotiation. Whether Biden succeeded in launching such a process in Geneva, or whether Russian and American cyber relations will remain their bad normal, may well become clearer in the coming months.