Last month's Colonial Pipeline hack shows the urgency of US-Russia cybersecurity negotiations.
As he started his European tour this week, which culminates in a summit in Geneva with Vladimir Putin, President Joe Biden said he wants a stable, predictable relationship with Russia. Moscow has been echoing that sentiment. Although each side has a different understanding of what those qualifiers mean and expectations for the meeting are very low, the hacks on SolarWinds and Colonial Pipeline demonstrate that cyberspace is the most glaring threat to stability and predictability.
In early spring of 1985, when Ronald Reagan and Soviet leader Mikhail Gorbachev had their first meeting in that Swiss city, expectations were also low. The Soviet downing of a Korean commercial airliner in 1983 and Reagan’s not-off-mic comment in 1984 about outlawing and bombing the USSR clearly indicated just how tense relations were.
The upcoming Biden-Putin summit provides an opportunity to begin discussing a framework for an Internet version of the most significant U.S.-Russian cooperation to date: the product of work done at the Geneva and, later, Reykjavik summits: The Intermediate Range Nuclear Forces (INF) treaty signed by Reagan and Gorbachev in 1987.
Reagan adopted the Russian phrase “Trust but Verify” and developed respect for a Soviet leader whose ideology he loathed. Gorbachev vanquished internal foes to ensure successful treaty implementation. The result was thought to be impossible: military intelligence officers inspected the opposing countries’ missile storage and launch facilities. Another thirty inspectors from each side took up residence at the gate of their former enemy’s most secret rocket-motor manufacturing facility.
The idea of on-site inspection had been discussed for years, but no one believed both sides could push the boundaries of sovereignty and counter-intelligence concerns to make it work. But INF did work. All 2,693 short and intermediate range nuclear missiles were destroyed and mutual trust established. The treaty ushered in two decades of bilateral cooperation, including the Cooperative Threat Reduction program, which secured and eliminated strategic and chemical weapons across the former Soviet Union.
Critics, no doubt, will regard applying the arms control approach to cyber security as naïve, impractical, and even dangerous. But it’s worth remembering that big problems require bold solutions. And the incentive is clear: hackers threaten governments, the private sector and individuals, electric grids, transportation and energy facilities, defense installations and intellectual property. A tit-for-tat response to an attack may well escalate into armed conflict.
A cyber treaty is certain to be based on little trust, with lots to verify. Technological challenges, however, can be overcome. Both sides have extensive experience in monitoring public communications. From Solzhenitsyn’s days in a “sharashka” (scientific labor camp) developing decoding technology for Stalin, to the now ubiquitous SORM (an abbreviation for “network eavesdropping”) boxes attached by security services to the equipment of every telco and internet provider in the country, Russian officials know who is doing what to whom.
American systems are more poetically nicknamed: PRISM, MYSTIC, Carnivore, Boundless Informant. Government agencies conduct packet sniffing and people snooping—at home to benefit local law enforcement and abroad to spy on friends and enemies, counter ISIS and track monsters like Bin Laden.
What if each side allows the other to install such systems on the global Internet Exchange Points (IXPs) on their territory and let loose the algorithms and other tools necessary to identify botnets, hackers and disinformation campaigns?
A monitoring center staffed by experts from both countries could be established with anomalies and threats displayed in real time. The UN could supply neutral inspectors and arbitrate disputes. The treaty should provide protocols for deterring and punishing bad actors.
As with INF, the devil will be in the details. Thousands of IXPs will have to be monitored. Though many Russians and Americans understand that their digital privacy has already been compromised, meta-anonymity could be maintained to protect individuals.
A cyber treaty could also help both countries combat drug trafficking, terrorism and child pornography.
The advantages of a don’t trust, do verify “cyber-INF” seem clear. But do our leaders have the political will to go forward? Without in any way minimizing the obstacles, we believe there are reasons for cautious optimism. In 2015, Russia and China agreed not to conduct cyberattacks against each other that would “disturb public order” or “interfere with the internal affairs of the state.” In September 2020, President Putin proposed a cyber agreement with the United States. President Biden seems cautiously open to seeking out commonalities, without, of course, the unrequited bromance his predecessor had with Putin.
There’s no time to lose. A digital iron curtain is descending. Russia continues to turn the screws on internet freedom and is examining ways to isolate itself from the WWW, while pressing foreign content providers to submit to local rules about appropriate content and come on shore with their customer data – or face fines, restrictions and eventual blocking.
Should our leaders find the courage to create a monitorable digital peace, perhaps they’ll be willing to turn their attention to the other urgent problems of the 21st century – climate change, terrorism, inequality, pandemics and unchecked artificial intelligence.
The aphorism Robert Kennedy “borrowed” from George Bernard Shaw seems appropriate for addressing the prospects of a substantive cyber treaty. “Some men see things as they are and ask, ‘Why?’ I dream things that never were and ask, ’Why not?’"