On December 12, the New York Times reported that the U.S. and Russian governments are talking about cyber security. In a significant change from the Bush administration's position on this issue, the Obama team has agreed to shift the context of cyber security negotiations from an economic and criminal law focus to more of an arms control focus. According to the New York Times article, "the United States agreed to discuss cyberwarfare and cybersecurity with representatives of the United Nations committee on disarmament and international security. The United States had previously insisted on addressing those matters in the committee on economic issues."
With a major exposure to telecommunications and computer technology both in its economy and with its military operations, the U.S. has a notable vulnerability to cyber attack and thus a great interest in cyber security. If some form of international cooperation can provide a low-cost path to greater cyber security for the U.S., it makes sense to explore this option. On this level, talks with Russia could make sense.
But it is important to be careful. According to the New York Times article, the Russian negotiating position emphasizes an international ban on offensive cyber weapons. The Russian position also seeks to protect Russia's sovereignty regarding criminal investigations of cyber activity in its territory. For its part, the U.S. seems to seek greater international cooperation on investigating and defending against cyber crimes.
The thousands of daily cyber attacks on U.S. military and infrastructure systems come from all over the world but with a substantial portion either originating or routed through Russian and Chinese sources. Naturally the Russian and Chinese governments disclaim any responsibility for these attacks. An international arms control-type treaty banning offensive cyber weapons would include only nation-states as signatories. Such a treaty wouldn't seem to help the U.S. with its current cyber defense problems. But it would take away the U.S. government's ability to use a declared offensive capability as a deterrent or as a war-fighting tool in a future campaign.
What covert relationship, if any, do the Russian and Chinese cyber attackers have with their governments? Are these cyber warriors just computer hobbyists acting alone? Or are they clandestine cut-outs implementing government policy? Would a structure of clandestine cut-outs be a way for nation-states to sign up for the international ban on offensive cyber weapons and simultaneously circumvent the ban through the use of non-state proxies? For legal and cultural reasons, the U.S. government would seem to have a more difficult time executing such a duplicitous policy, with an asymmetrical disadvantage the result.
The U.S. emphasis on international criminal cooperation gets at the key issue from the U.S. perspective, namely, will governments be held responsible for the cyber activity that originates from inside their borders? Computers located in Russia, China, and elsewhere bombard U.S. systems. U.S. officials complain to their foreign counterparts and receive a shrug in response. Is this unwillingness to take responsibility due to the governments' technical inability to stop the attacks? Or is it an element of their national security strategies?
It is good that the U.S. and Russia are talking about cyber defense (when will the Chinese government show up?). But it seems as if the two sides have very different interests. That should hardly be a surprise.