Cyber détente and the Biden-Putin Summit: What this means for cyber relations between the USA and Russia
The relations between the USA and Russia have been fraught with tension for the better part of the last century, carrying into recent years through a new area of contention – cyberspace. Spanning from the famous Moonlight Maze hack of American government agencies in 1996, to the latest SolarWinds and Colonial Pipeline attacks, the two countries’ cyber relations have been steadily worsening.
US President Joe Biden and Russian President Vladimir Putin met in Geneva on 16 June, for what is touted to be a milestone in the relations between the two countries.
Monthly barometer of Cyber Detente
Every month, on the 16th, the day Biden & Putin met in Geneva in June 2021, we release a barometer indicating cyber detente developments for the previous month. You can see the evolution in cyber detente right here:
Issue #1 – 16th July 2021
It has been one month since Biden and Putin met at a much anticipated bilateral summit in Geneva, resulting in cyber detente between Russia and the USA. On the occasion of the first monthiversary of the summit, we bring an update on the state of cyber detente to your inbox. We plan to continue updating you on the topic once a month, symbolically on the 16th day of each month.
Issue #2 – 16th August 2021
Cyber detente continued with ups and downs after our first issue and even the dog days of summer didn’t slow down either administration: Russia submitted its draft convention on cybercrime, the Strategic Stability Dialogue kicked off in Geneva, and expert bilateral consultations continued.
Issue #3 – 16th September 2021
Our latest issue focuses on what Russia is doing to crack down on ransomware attackers (spoiler: not much), the most recent sanctions that the USA levied against Russia, and the accusations of US interference in Russian parliamentary elections.
Issue #4 – 16th October 2021
In the fourth edition of the Monthly Cyber Barometer, we cover the slow progress on cybercrime, continue our last edition’s coverage of the alleged US interference in Russian elections, and note the high-level politics at the UN and in the Indo-Pacific. This issue contains quite a few developments, but most of them can be filed under ‘to be continued...’
Issue #5 – 16th November 2021
Putting aside whether there was a ‘discernible decrease’ in Russian-originated cyberattacks on US targets, the cyber detente between the USA and Russia held its ground this month. The bilateral expert dialogue was highly praised, a new Biden-Putin summit may be in the works, and both countries submitted a joint draft resolution on cybersecurity at the UN!
To anyone who is based in the USA, we wish you a happy critical infrastructure security and resilience month! If you're reading us in Geneva, consider joining us for our Security Tour of the Genevan digital policy landscape.
Issue #6 – 16th December 2021
We’ll be taking a bit of a detour from our usual form today. The showstopper of the month was definitely Biden-Putin’s virtual meeting. And because it’s been 6 months since the beginning of the cyber detente which started with the Biden-Putin Geneva summit, we’ll also take a look back at the developments in US-Russian cyber relations - both the positives and the negatives.
Also happening this December is the UN Open-ended working group (OEWG) on security of and in the use of information and communications technologies 2021–2025. Both Russia and the USA are attending discussions. Make sure you bookmark our OEWG page for timely updates and a summary of OEWG discussions, out early next week.
Issue #7 – 16th January 2022
The new year started at a fast pace as the Ukraine crisis dominated US-Russian relations. We will see in the coming weeks and months if the last six months’ clear progress of the USA and Russia’s cyber detente continues, halts or is even reversed by the impact of the Ukraine crisis.
What is the future of bilateral cyber relations after the summit in Geneva?
There are good reasons to be optimistic. Cyber détente, most famously used during the Cold War to describe a period of relaxing tensions between the Soviet Union and the West, is a possible outcome.
We asked Mr Chris Painter, former Coordinator for Cyber Issues at the US State Department, and Ms Elena Chernenko, Special correspondent at the Kommersant daily newspaper in Moscow, to comment on the tensions, agenda, positions and expectations, and prospects of the meeting. They both agree that the time is ripe for this dialogue, but that expectations should be modest, while possibly leading to détente in the longer term. Watch both interviews below.
We also discussed the future of cyber detente, monitored around the prosecution of (some) cybercriminals and groups, the dynamism of the bilateral expert dialogue and overall cooperation, and the impact of a cyber detente on other global policy processes. We were joined by Ambassador Asoke Mukerji, Former Permanent Representative of India to the UN in New York; Mr Chris Painter, former coordinator for cyber issues of the US State Department; Mr Oleg Shakirov, Consultant at PIR Center and Senior Expert at the Center for Advanced Governance; and Dr Stephanie Borg Psaila, Director of Digital Policy, DiploFoundation. Watch the recording of the discussion below.
Head of Geneva Internet Platform (GIP) Dr Jovan Kurbalija gave three reasons for cyber optimism, and discussed the future of cyber détente in his op-eds.
The level of cooperation on a multilateral level is one of the most promising aspects. In September 2020, Russia showed goodwill by proposing measures that would help both countries restore cooperation in international information security. In recent months, the US administration also softened its rhetoric towards Russia. The two countries are now collaborating on the JBS cyberattack.
In spring 2021, both countries endorsed the UN Open-Ended Working Group (OEWG) report and the UN Group of Governmental Experts (GGE) report, both feats in multilateralism in their own right.
There are several other major multilateral cyber agreements which both countries endorsed, including final reports by the UN GGE and OEWG, and the Organization for Security and Co-operation in Europe (OSCE) agreements on confidence building measures.
What was on the two presidents’ agenda at the Biden-Putin summit?
The summit between US President Joe Biden and Russian President Vladimir Putin came almost three years after the Putin–Trump summit took place in Helsinki.
US President Biden said prior to the meeting that Russia’s cyber aggression would be a big part of the conversation. The USA has blamed the Russian government for its attempts in 2016 to undermine the US presidential election, and its involvement in the SolarWinds attack. It has also indicated that Russian groups were to blame for the Microsoft cyberattack, Colonial Pipeline ransomware attack, the USAID cyberattack, and the JBS cyberattack. Even if Russia is not the mastermind, the USA believes that the Russian government is responsible – and has the ability – to bring the recent spate of cyberattacks against the USA to a halt.
The visualisation below highlights the most significant cyber incidents between Russia and the USA, including cyberattacks the USA has publicly attributed to Russian government actors. We have also noted the instances in which the USA wasn’t the primary target of the cyberattacks, but has either been affected by them, or has nonetheless publicly attributed them to Russia.
The number of attacks has risen in the 21st century, particularly since 2010. With 2021 being the first year of Biden’s administration, and already having witnessed four major cyber incidents on US soil, the president’s inclusion of cybersecurity on the summit’s agenda is not a surprise.
The 2021 summit’s main breakthrough in the field of cybersecurity was the announced start of expert consultation on cybersecurity. As Biden remarked, the plan is to ‘task experts’ in both countries ‘to work on specific understandings about what’s off limits, and the follow up on specific cases’ that originated from Russia or the USA.
Biden proposed that ‘certain critical infrastructure should be off limits to attack, period, by cyber or any other means,’ and presented his Russian counterpart with a list of 16 US entities which are designated as critical infrastructure, such as energy and water systems.
There is also a possibility that cybersecurity issues will be on the agenda of the newly announced bilateral Strategic Stability Dialogue, a ‘mechanism that will lead to control of new, sophisticated weapons that are coming unseen now, that reduce the time of response, that raise the prospects of accidental war.’ However, that remained unclear after the summit.
Watch the two presidents give their remarks to the press below.
The evolution of USA-Russia cyber relations over the years
In 2013, the USA and Russia engaged in dialogue to reduce the dangers of cyberthreats. The agreement envisaged establishing a direct ‘cyber hotline’ between the White House and the Kremlin, an operational link between their computer emergency readiness teams (CERTs), and a bilateral working group to extend cooperation related to national security concerns. However, cooperation was frozen in 2014 due to the situation in Ukraine.
Meetings between US and Russian cybersecurity officials in Geneva in April 2016 focused on the work of the UN GGE and the OSCE confidence-building measures.
At the Helsinki summit in 2018, Trump and Putin raised the idea of a US-Russia joint Cybersecurity Task Force again, but it didn't take off, possibly because of Russia’s suspected interference in the US Presidential elections.
In September 2020, the Russian president invited the USA to restore cooperation on international information security, including:
- Resuming regular bilateral high-level dialogue
- Maintaining communication through Nuclear Risk Reduction Centres, CERTs, and high-level officials
- Brokering a bilateral agreement on preventing incidents in the information space which could look like the ‘Agreement on the Prevention of Incidents On and Over the High Seas between the USSR and USA’
- Mutually guaranteeing non-intervention into the internal affairs of one another, including electoral processes
- Global agreement on a political commitment of states on ‘no-first-strike with ICTs against each other’.
However, no response came from the White House.
Which national cybersecurity measures did the USA introduce in recent years?
The Biden administration has taken steps to update the US National Cyber Strategy by issuing the Interim National Security Guidance in March 2021. The document states that the USA is in a situation where ‘the alliances, institutions, agreements, and norms underwriting the international order the United States helped to establish are being tested’, and the architecture of international cooperation needs to be done ‘together with allies and partners’, in contrast to previous cyber strategies. The USA also voiced its ambition to resume leadership roles in multilateral organisations.
Another action of the US administration this year was to issue the Executive Order on Improving the Nation's Cybersecurity, a direct response to cyberattacks. This executive order overhauls US national and federal cybersecurity defence by:
- Elevating the Cybersecurity and Infrastructure Security Agency (CISA) to become the federal cybersecurity authority
- Developing standards and guidelines for supply chain security
- Mandating building modernised digital infrastructure based on zero trust principles
- Operationalising data in cyberdefense
- Implementing a new collaboration model for the public–private sector to facilitate information-sharing and reduce risks
The Biden administration has now elevated investigations of ransomware attacks to a similar priority as terrorist attacks within the US Department of Justice (DOJ).
Which national cybersecurity measures did Russia introduce recently?
The Doctrine of Information Security of the Russian Federation from 2016, and the Strategy for the Development of the Information Society in the Russian Federation for 2017–2030 showed the Russian vision that warfare includes a tailored blend of armed attacks and non-military measures. The cyber aspect is just one part of a multidomain effort used to shape and influence the political course of a dispute.
Going back to the Biden–Putin summit in Geneva, it is also worth noting that Russia and Iran signed an agreement on cybersecurity cooperation in January 2021 to coordinate their activities. This presumably includes intelligence sharing on US cyber activities, posing challenges to the US cybersecurity strategy.
Additionally, Russia has now updated its national security strategy to address new threats, which foresees the use of ‘forceful methods’, stating that Russia could take ‘symmetric and asymmetric measures to thwart or avert unfriendly actions that threaten the sovereignty and territorial integrity of the Russian Federation’.
How do the US’ and Russia’s positions on cybersecurity issues compare?
The text below summarises the positions of the USA and Russia, based on UN discussions. More details continue further down.
- Are the 2010, 2013 and 2015 GGE reports and the corresponding UN resolutions binding, and do they serve as a basis for the OEWG outcomes?
US position: Yes.
Russian position: No, GGE and OEWG are separate processes
- How should the institutional dialogue proceed?
US position: In the Programme of Action (PoA)
Russian position: In the new OEWG 2021-2025
- What is the role of the UN?
US position: OEWG should have a clear mandate for discussions
Russian position: Discussions should be held under UN auspices in general
- Does existing international law apply to cyberspace?
US position: Yes, there is a need to acknowledge the full breadth of relevant international law including international humanitarian law, human rights law, customary international law on the responsibilities of states for internationally wrongful acts.
Russian position: Yes, but international law needs adapting appropriately to the realities of cyber civilisation.
- Does international humanitarian law apply to cyberspace?
US position: Yes; reaffirmation of its applicability does not invite future conflict, but rather, reminds states of the great responsibility to respect and protect civilians in the event of armed conflict.
Russian position: Only in armed conflict.
- Does international humanitarian law apply to peace-time regimes?
US position: No specific statement.
Russian position: No, international humanitarian law and Art. 51 of the UN Charter do not apply in peacetime; the majority of states do not yet recognize cyberattacks as armed attacks.
- Does human rights law apply to cyberspace?
US position: Yes, there is a 'need to acknowledge the full breadth of relevant international law including international humanitarian law, human rights law, customary international law on the responsibilities of states for internationally wrongful acts.'
Russian position: Outside the scope of GGE/OEWG.
- How do other non-binding norms apply?
US position: Non-binding norms are not ready for codification.
Russian position: No statement.
- Is there a need for a new legally binding instrument (treaty) on cyberspace?
US position: No. 'The United States does not believe a new international legal instrument is necessary. We also don't believe that pursuing such an instrument is the best way to address the immediate threats. [...] And we also align ourselves with the Republic of Korea's view that new legally binding obligations are unrealistic given the pace of technological development [...] we cannot support any language calling for new legally binding obligations. It's a controversial proposal. It is certainly not one that has any support in the US ever. Indeed that, for us, is a showstopper.'
Russian position: Yes. 'We proceed from the assumption that these practical aspects should be regulated by a specialized universal international legal instrument that would envisage criteria for how the existing norms of international law apply to the use of ICTs and would directly indicate the need for developing new norms. Time is ripe for such steps in regulating the use of ICTs under the current de facto “legal vacuum”.'
- How can attribution be defined?
US position: Law of state responsibility provides the standards for attributing acts, including cyber acts to states. 'States are legally responsible for activities undertaken through putatively private actors, who act on the state’s instructions or under its direction or control. If a State exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the State assumes responsibility for the act, just as if official agents of the State itself had committed it. These rules are designed to ensure that States cannot hide behind putatively private actors to engage in conduct that is internationally wrongful. (…) I also want to note that, despite the suggestion by some States to the contrary, there is no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action. There may, of course, be political pressure to do so, and States may choose to reveal such evidence to convince other States to join them in condemnation, for example. But that is a policy choice—it is not compelled by international law.'
Russian position: Through international mechanisms. 'We should avoid including in the text the concept of so-called political “attribution” of cyber attacks. We would like to underline that both the 2015 GGE report and the initial set of international rules, norms and principles of responsible States’ behaviour in information space approved by the UNGA resolution 73/27 in 2018 by the overwhelming majority of States, include a common provision that clearly indicates the need to support any accusations against States with appropriate technical evidence; all accusations must be substantiated.'
'While States must meet their international obligations regarding internationally wrongful acts attributable to them, the mere indication that an ICT-related misconduct originates from the certain territory cannot be sufficient in itself to attribute the activity to that State. Accusations of organising and implementing wrongful acts brought against States, if not substantiated with internationally acceptable evidence, may increase misunderstanding, increase tensions, and potentially lead to responses contrary to the international law.'
- Is there a right to self-defense and what constitutes self-defense?
US position: Yes. Retorsion/countermeasures. 'The customary international law doctrine of countermeasures permits a State that is the victim of an internationally wrongful act of another State to take otherwise unlawful measures against the responsible State in order to cause that State to comply with its international obligations, for example, the obligation to cease its internationally wrongful act. Therefore, as a threshold matter, the availability of countermeasures to address malicious cyber activity requires a prior internationally wrongful act that is attributable to another State. As with all countermeasures, this puts the responding State in the position of potentially being held responsible for violating international law if it turns out that there wasn’t actually an internationally wrongful act that triggered the right to take countermeasures, or if the responding State made an inaccurate attribution determination. That is one reason why countermeasures should not be engaged in lightly. Additionally, under the law of countermeasures, measures undertaken in response to an internationally wrongful act performed in or through cyberspace that is attributable to a State must be directed only at the State responsible for the wrongful act and must meet the principles of necessity and proportionality, including the requirements that a countermeasure must be designed to cause the State to comply with its international obligations—for example, the obligation to cease its internationally wrongful act—and must cease as soon as the offending State begins complying with the obligations in question.
The doctrine of countermeasures also generally requires the injured State to call upon the responsible State to comply with its international obligations before a countermeasure may be taken—in other words, the doctrine generally requires what I will call a “prior demand.” The sufficiency of a prior demand should be evaluated on a case-by-case basis in light of the particular circumstances of the situation at hand and the purpose of the requirement, which is to give the responsible State notice of the injured State’s claim and an opportunity to respond. I also should note that countermeasures taken in response to internationally wrongful cyber activities attributable to a State generally may take the form of cyber-based countermeasures or non-cyber-based countermeasures. That is a decision typically within the discretion of the responding State and will depend on the circumstances.'
Russian position: No. Russia questions the application of Art. 51 of the UN Charter to cyberspace. 'But no one would interpret a cyber attack as an armed attack. So therefore, legally speaking, Article 51 of the U.N. charter is not applicable if a bank is being robbed. If there is meddling in other people's election campaigns. Hospitals are being affected and disrupted, as was the case.'
- What is a cyber attack and can it qualify as an armed attack?
US position: An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information. (source: NIST)
Russian position: 'The majority of States do not yet recognize cyber attacks as an armed attack.' 'But no one would interpret a cyber attack as an armed attack.'
- What constitutes sovereignty in cyberspace?
US position: States conducting activities in cyberspace must take into account the sovereignty of other states, including outside the context of armed conflict. The physical infrastructure that supports the internet and cyber activities is generally located in sovereign territory and subject to the jurisdiction of the territorial state. Because of the interconnected, interoperable nature of cyberspace, operations targeting networked information infrastructures in one country may create effects in another country. Whenever a state contemplates conducting activities in cyberspace, the sovereignty of other states needs to be considered.
Russian position: No specific statement.
- Is there an obligation to respect the sovereignty of other states?
US position: In certain circumstances, one State’s non-consensual cyber operation in another State’s territory could violate international law, even if it falls below the threshold of a use of force. This is a challenging area of the law that raises difficult questions. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions. Precisely when a non-consensual cyber operation violates the sovereignty of another State is a question lawyers within the U.S. government continue to study carefully, and it is one that ultimately will be resolved through the practice and opinio juris of States.
Russian position: No specific statement.
- What constitutes an obligation not to intervene into the internal affairs of other states?
US position: As an initial matter, remote cyber operations involving computers or other networked devices located on another state’s territory do not constitute a per se violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another state’s territory have no effects or de minimis effects. […] In certain circumstances, one state’s non-consensual cyber operation in another state’s territory could violate international law, even if it falls below the threshold of a use of force.
Russian position: No specific statement.
- Are specific confidence building measures (CBMs) recommendations necessary?
US position: Yes. 'The 2015 GGE report offers a prioritized set of cyber CBMs including key recommendations to develop points of contact, consultation mechanisms and transparency measures. To be useful, however, these recommendations must be implemented at minimum on a bilateral basis and preferably on a multilateral and eventually an international basis.'
Russian position: No.
- Should regional capacity building initiatives be involved in cybersecurity capacity building?
US position: Yes. Build up capacity on regional and international levels
Russian position: No. 'The central role of the UN in ensuring International Information System is not eroded by delegating excessive authority in this field to the regional bodies and organizations. The role of multi-stakeholder model is imposed, with special emphasis laid on the contribution of the private sector, business and academia to ensuring responsible States’ behavior in information space. At the same time, the draft ignores such issues as lack of regulation of the private sector activities in the field of ICTs, as well as the emerging challenge of monopolization of this market as one of the main threats to the development of peaceful and competitive ICT-sphere.'
Through the course of discussions within the UN GGE and OEWG processes, it is clear that in most cases, the positions of the USA and Russia lie on opposite sides of the spectrum.
The applicability of international law to cyberspace
Within the OEWG discussions on the applicability of international law, the USA reiterated that international law applies to cyberspace, including the UN Charter, international humanitarian law, human rights law, and customary international law on the responsibilities of states for internationally wrongful acts.
While Russia agrees with the USA that international law applies to cyberspace, it also argues that it needs to be adapted. Russia has refrained from discussing international human rights law and international humanitarian law, claiming that these issues are outside of the scope of discussions within the UN GGE and OEWG processes.
The need for a new legally-binding instrument to regulate cyberspace?
Russia argues that cyberspace needs to be regulated by a specialised universal international legal instrument that would envisage criteria for how the existing norms of international law apply to the use of information and communication technologies (ICTs), and would directly indicate the need for developing new norms.
The USA, on the other hand, does not believe that pursuing such an instrument is the best way to address immediate threats given the pace of technological development.
Cyberattacks and the UN Charter
According to Russia, a cyberattack does not amount to an armed attack under Art. 51 of the UN Charter and therefore cannot trigger the right to self-defense. This is in contrast to the position of the USA which believes in the doctrine of countermeasures and retorsion.
How should cyberattacks be attributed?
On the attribution of cyberattacks, the USA sees the divulging of evidence as a policy choice on the national level, while Russia is calling for an international mechanism for attribution and demands that attribution be substantiated with internationally acceptable evidence.
Additionally, while the USA was vocal about the principles of state sovereignty in cyberspace, obligations to respect sovereignty, and non-intervention, Russia did not articulate its views about these issues within the UN forums.