Small Wars Journal

The U.S. and Russia talk about cyber-security. Be careful

On December 12, the New York Times reported that the U.S. and Russian governments are talking about cyber security. In a significant change from the Bush administration's position on this issue, the Obama team has agreed to shift the context of cyber security negotiations from an economic and criminal law focus to more of an arms control focus. According to the New York Times article, "the United States agreed to discuss cyberwarfare and cybersecurity with representatives of the United Nations committee on disarmament and international security. The United States had previously insisted on addressing those matters in the committee on economic issues."

With a major exposure to telecommunications and computer technology both in its economy and with its military operations, the U.S. has a notable vulnerability to cyber attack and thus a great interest in cyber security. If some form of international cooperation can provide a low-cost path to greater cyber security for the U.S., it makes sense to explore this option. On this level, talks with Russia could make sense.

But it is important to be careful. According to the New York Times article, the Russian negotiating position emphasizes an international ban on offensive cyber weapons. The Russian position also seeks to protect Russia's sovereignty regarding criminal investigations of cyber activity in its territory. For its part, the U.S. seems to seek greater international cooperation on investigating and defending against cyber crimes.

The thousands of daily cyber attacks on U.S. military and infrastructure systems come from all over the world but with a substantial portion either originating or routed through Russian and Chinese sources. Naturally the Russian and Chinese governments disclaim any responsibility for these attacks. An international arms control-type treaty banning offensive cyber weapons would include only nation-states as signatories. Such a treaty wouldn't seem to help the U.S. with its current cyber defense problems. But it would take away the U.S. government's ability to use a declared offensive capability as a deterrent or as a war-fighting tool in a future campaign.

What covert relationship, if any, do the Russian and Chinese cyber attackers have with their governments? Are these cyber warriors just computer hobbyists acting alone? Or are they clandestine cut-outs implementing government policy? Would a structure of clandestine cut-outs be a way for nation-states to sign up for the international ban on offensive cyber weapons and simultaneously circumvent the ban through the use of non-state proxies? For legal and cultural reasons, the U.S. government would seem to have a more difficult time executing such a duplicitous policy, with an asymmetrical disadvantage the result.

The U.S. emphasis on international criminal cooperation gets at the key issue from the U.S. perspective, namely, will governments be held responsible for the cyber activity that originates from inside their borders? Computers located in Russia, China, and elsewhere bombard U.S. systems. U.S. officials complain to their foreign counterparts and receive a shrug in response. Is this unwillingness to take responsibility due to the governments' technical inability to stop the attacks? Or is it an element of their national security strategies?

It is good that the U.S. and Russia are talking about cyber defense (when will the Chinese government show up?). But it seems as if the two sides have very different interests. That should hardly be a surprise.


Chuck Chappell

Tue, 12/15/2009 - 9:20am

I take it Mr. Haddock's queries about government involvement in Chinese and Russian cyberattacks are rhetorical. The FSB's connection to the "Russian Business Network" and other "private sector" cybercrime/cyberwar networks and loose associations are well known. This gives their cyberwar efforts a "plausibly deniable" swarming efficacy our tightly constrained cyberwarriors cannot match under a democratic, rule-of-law system, so of course the Russians want to ensure we do not devote the assets to a centralized cyber attack capability that they then cannot hope to match, and hence lose their advantage. But, of course, whatever the Russians can do well, the Chinese will do better...


Mon, 12/14/2009 - 8:30pm

Cyberwar should be no different to any other form of war, operational environment or weapon system. The US should be building an offensive cyber capability and that is the one thing that nations like Russia and China, and organisations like AG, really fear. At the moment there is no glbal policeman in cyberspace and nor do they want one.

Just as a nation must be in some part responsible for a physical attack launched from its borders, so it should be responsible for other forms of attack. This keep an element of self-interest in restraining those of its citizens who might be tempted - with or without tacit government sanction. That some of these governments do sanction these attacks is pretty much a given: noting Chain's strangehold hold on the internet in China, it beggars belief that hackers can simply bypass those controls and do what they want - unless it suits the Chinese government.

Rock on, 1st Brigade Cyber Team....!