Much of the debate around espionage campaigns like SolarWinds and ransomware lands at this conclusion: the United States needs to develop some kind of understanding with Russia about a country's rights and obligations in cyberspace. That's often presented in terms of Russia not caring or the United States not bringing out a big enough stick to induce negotiations.
But what if there was a diplomatic agreement to be had? Harvard's Belfer Center on Friday published a unique paper where U.S. and Russian researchers separately explained their nation's perspective on a potential negotiation, what both sides actually want, and what would benefit both sides. That paper featured Lauren Zabierek, director of the Belfer Center's cybersecurity program, Christie Lawrence and Miles Neumann representing America and Pavel Sharikov of the Russian Academy of Sciences' Institute for U.S. and Canadian Studies representing Russia.
SC spoke to Zabierek about some of the less discussed factors that prevent an agreement between the United States and Russia.
The paper is conducted in a really interesting format where the U.S. and Russian perspectives were written and researched seperately, providing a more complete look at how differing world views emerge. How did this come about?
So the thinking behind the project actually stemmed from something called the Elbe Group, which is a dialogue between retired senior military and intelligence officials on the Russian side and the US side. That's been in existence for about 10 years, and it's typically been focused on issues like nuclear security and things like that. They decided that they were going to focus on cybersecurity for the October 2019 meeting. I was actually able to participate in that — I was the first woman to participate in the dialogues, the discussions themselves, which was pretty wild. Coming out of that meeting, a project at Belfer called the Russia Matters project approached me at the cyber project and asked "Hey, what if we did a paper exploring if should there be rules of the road in cyber with Russia?" Coming out of that meeting, it was clear that there were some areas where there was some convergence but it was still clear that we're still very, very far apart.
How so?
Maybe this is a little bit of naïveté, but I don't think I realized that Russia has never admitted or acknowledged that they have any sort of offensive cyber capabilities. Every time we accuse them of meddling in our elections, or of the Solar Winds breach, and they say "No, no, it wasn't us." My first thought would be, "Well, of course, they're going to say that because it was their intelligence arm." But the difference is the United States is very overt in their military cyber capabilities. We were overt when Cyber Command was elevated, we have cyber doctrine out, we talk publicly about CyberCom a lot. But they don't do that. They don't admit, or acknowledge, any sort of offensive cyber capability. And that, to me, was really interesting. Because, if you're trying to work with a nation that doesn't acknowledge that, then how do you get into a dialogue?
Of course, you have just the different views on the internet and how it should be approached, which then I think gets into the whole discussion on cybercrime. They see the internet as something they should have more state control over, and this is what Pavel writes in his piece – control over the narrative and control over dissidents. The United States and the West are very concerned about that from a human rights perspective. Whereas from our perspective, when we talk about cybercrime, we're talking about ransomware and material-driven cybercrime. So again, there's just this chasm there that we have to bridge, and part of that is constructing a definition, agreeing to the definition, and trying to go from there. I just think this paper demonstrates how far apart we really are in a lot of those areas.
Pavel, the Russian author was really concerned about kinetic escalation. We think the more pressing concern right now is reckless malware targeting critical infrastructure, and spreading. We are both subject and vulnerable to these attacks emanating out of different areas. And so that creates a compelling need on both sides for us to want to enter into some sort of agreement that at least focuses on these very, very specific things for our collective safety.
Obviously, this has been an ongoing concern we've never been able to see eye-to-eye on. So, what gets in the way of reaching a bilateral agreement between the United States and Russia?
Well, especially on our side, as our paper suggests, there's a lot of fatigue around Russia right now, especially after everything that has happened. But really the key difference is between a country that overtly talks about their cyber capabilities through the military and a country that doesn't. Again, how do you even start that dialogue? So, there's a lot of steps between now and any sort of potential agreement. And chief among them are going to be aligning interests, creating some sort of signal that we're both serious about this, and also, you know, taking a look internally and ensuring that the message isn't politicized and is really just focused on protecting our country and our national security.
When people talk about developing norms in cyberspace, there's often a question of whether we start by making an agreement and then enforcing the agreement, or enforcing red lines to establish the rules. Is this going to be a situation where we enforce before we agree?
I think that it goes to the crux of one of the issues as well. I think when you go into a bilateral agreement, you're talking about mutual enforcement and also mutual verification, which, as we know, in cyber is very hard. It's not like you just walk into a facility and count weapons, right? And so then you get into the whole question of attribution.
I'm calling for an international standards body, not a body to do attribution internationally, but something to actually develop common standards by which organizations can then adhere to when they're doing their attribution.
From a business perspective — for a company who sees what has happened at Colonial Pipeline or JBS, realizes they will continue to be a target of espionage and ransomware, but also know they don't have any voice in the geopolitics — what's the best outcome they can hope for?
Ideally, there would be a way that you could say, hey, this operation is ongoing, it's got hallmarks of this actor that we've seen before, and eventually, the Russian government would say, got it, we'll shut it down. It's not only a level of communication, it's also an infrastructure in place to have that communication. It's people that know each other to have communication, it's the acceptance of the basic attribution, and then it's the trust that it's going to be shut down.