Call Me, Maybe: New US-Russia Cybersecurity Initiatives
Posted: June 21, 2013
At the G-8 meeting in Northern Ireland, the United States and Russia made efforts to improve bilateral relations. These efforts include new initiatives on cybersecurity that, according to the White House, mean the US and Russia “now are leading the way in extending traditional transparency and confidence-building measures to reduce the mutual danger we face from cyber threats.” These initiatives involve:
1. Deeper engagement through senior-level dialogue. Through the existing US-Russia Presidential Bilateral Commission, the two countries are establishing a new working group tasked with assessing emerging threats to information and communication technologies (ICTs) and proposing joint responses to such threats.
2. ICT confidence-building measures. The US and Russia agreed to implement new confidence-building measures (CBMs) “designed to increase transparency and reduce the possibility that a misunderstood cyber incident could create instability or a crisis in our bilateral relationship.” The CBMs seek to strengthen US-Russian relations in cyberspace, expand a shared understanding of cyber threats that appear to originate in each other’s territories, and prevent escalation of cybersecurity incidents. The CBMs adopted are:
– Links and information exchanges between the US and Russian computer emergency readiness teams (CERTs) to increase information sharing between the two countries on “technical information about malware or other malicious threats” in order to facilitate “proactive mitigation of threats.”
– Exchange of cybersecurity notifications that will permit communications and “formal inquiries about cybersecurity incidents of national concern.” Such information exchanges and inquiries will flow through the existing Nuclear Risk Reduction Center, established in 1987 between the US and the former USSR, in order to facilitate reduction of “misperception and escalation from ICT security incidents.”
– Direct cyber hotline between the White House and the Kremlin to provide a secure means to “manage a crisis situation arising from an ICT security incident.” The direct cyber hotline will be integrated into the existing Direct Secure Communication System the two countries maintain.
The White House also indicated that, in order to “create predictability and understanding in the political military environment, both the U.S. and Russian militaries have shared unclassified ICT strategies and other relevant studies with one another. These kinds of exchanges are important to ensuring that as we develop defense policy in this dynamic domain, we do so with a full understanding of one another’s perspectives.”
These steps by the US and Russia are important for cybersecurity because the two countries are applying approaches used in arms control contexts (e.g., CBMs and “hotline” communications) to cybersecurity challenges. This strategy dovetails with needs emphasized in cybersecurity policy: the need for better “situational awareness” and transparency through increased information exchange, and the need for stronger, more effective cooperation among key countries through functional collaboration at the technical level and political interactions among high-level officials.
Although these measures are based on long-standing arms control strategies, their application to cybersecurity will develop its own features given the differences between addressing cyber threats and, say, preventing nuclear war. In arms control contexts, CBMs have, at best, a mixed record, so we should not expect “iCBMs” to be a panacea for cybersecurity problems experienced nationally or internationally. The US-Russian initiatives do not restrain, for example, cyber espionage or development of more powerful military cyber capabilities, nor do they resolve disagreements the US and Russia have over broader cyberspace issues, such as Internet governance and “Internet freedom.” But the US-Russia initiatives provide a test case for understanding whether legacy strategies from arms control, such as CBMs and hotlines, can contribute to stabilizing geo-cyber politics.