The White House’s plan to avoid a cyber arms race between the U.S. and Russia will include the introduction of some basic shared norms to define what is and isn’t appropriate. But an absence of trust appears to be derailing those efforts, experts say.
Amid escalating fears of a vulnerable and digitally dependent presidential election, President Barack Obama traveled to Hangzhou, China, over the weekend for the G20 Summit. At an event attended by the world’s most powerful leaders, Obama engaged in a private, closed door meeting with his Russian counterpart, Vladimir Putin — as many believe the parties responsible for a series of recent cyber attacks against U.S. targets reside within his jurisdiction.
Policy experts said these negotiations likely centered on the potential drafting of behaviors that would help guide what’s allowed and restricted with regard to future military operations conducted in cyberspace.
“The fundamental problem is that there are no internationally recognized norms of behavior amongst states for action in cyberspace and these will generally only develop when there is a sufficient quorum of powerful states that see it as in their interest to do so,” Ewan Lawson, a senior research fellow for military influence at the Royal United Services Institute, told Cyberscoop.
In Lawson’s opinion, this past weekend’s G20 did not meet that bar.
Last year, the U.S. and China found common ground in a cyber agreement, drawing a well-recognized red line at economic espionage between the two countries. Evidence has since suggested that this diplomatic measure was successful in curbing some malicious behavior. It remains unclear, however, whether Russia would be willing to engage in any similar agreement.
“The Russians have been angling for a treaty on cyber weapons for years, and there’s a lot of skepticism that such a treaty could be verifiable,” said Herbert Lin, senior research scholar for cyber policy and security at Stanford University and a member of the White House’s Commission on Enhancing National Cybersecurity.
“We would worry about Russian cheating on this one a lot, and we would be right to do so,” Lin added.
Obama took the podium shortly after his meeting with Putin to broadly address the discussion, explaining that a lack of trust between the two nations stands over any and all bilateral agreements.
“We have had problems with cyber intrusions from Russia in the past, from other countries in the past. We’re moving into a new era here where a number of countries have significant capacities and frankly, we have more capacity than anybody both offensively and defensively,” Obama said, “our goal in the cyber arena … is not to duplicate a cycle of escalation that we saw in other arms races in the past, but rather to institute some norms.”
A set stage
Days before the international summit, Putin set the stage for his eventual conversation with Obama during a Bloomberg news interview. The Russian president answered several questions, ranging from Russia’s alleged involvement in a data breach at the Democratic National Committee to challenges evident in accurate attribution for cyber attacks.
“Listen, does it even matter who hacked this data? The important thing is the content that was given to the public,” Putin, referencing the DNC hack, told Bloomberg’s John Micklethwait. “It is an extremely difficult thing to check if not an impossible thing to check. At any rate, we do not do this at the state level.”
Though the denial is unsurprising, the Russian leader’s use of language — dependent on the translation — is interesting, said Lawson and Center for International Strategic Studies’ James Lewis, a cybersecurity policy expert.
“Maybe inadvertently, [Putin] says that the important thing was that the information was given to the public. He wants to point back to the DNC material, not who did it,” said Lewis, “his disdain for the U.S and for Clinton is what comes through the remarks. The intent is to manipulate.”
To carefully include the “on a state level” clause, Lawson noted from Putin’s remarks, gives Russia some level of plausible deniability given some actions may not have been directed by state structures but instead by groups otherwise affiliated with the regime.
“It is possible that some of this activity is more akin to privateering in an earlier era with non-state groups being given tools and a broad mandate to disrupt,” Lawson said.
Until now, the White House has chosen not to publicly attribute the DNC hack, or any other recent intrusion, back to Russia. An ongoing FBI investigation continues on the matter.