Most key elements of the deal, which could be final in several weeks, are settled, said U.S. officials familiar with the talks.
The secure channel would be a milestone in the effort to ensure that misperceptions in cyberspace — where it is difficult to know who is behind a digital attack or even whether a computer disruption is the result of deliberate action — do not escalate to full hostilities, say U.S. officials and experts from both countries.
The talks reflect the increasing importance of cyber-activities as points of potential conflict between nations. The Obama administration has warned with growing urgency in recent months that a cyberattack could undermine systems that provide water, power or other critical services to Americans.
The agreement would be the first between the United States and another country seeking to lessen the danger of conflict in cyberspace, and it would include other measures to improve communication and transparency. It would be, officials and experts note, an initial step toward making cyberspace more stable.
“Both the U.S. and Russia are committed to tackling common cybersecurity threats while at the same time reducing the chances [that] a misunderstood incident could negatively affect our relationship,” White House spokeswoman Caitlin Hayden said.
Said Russian Embassy spokesman Yevgeniy Khorishko: “We feel that these confidence-building measures are important to preventing conflicts.”
The pact would be a positive development, in contrast to a generally downbeat U.S. assessment of Russian actions in cyberspace. An intelligence agency report last fall singled out Russia and China as aggressive perpetrators of cyber-espionage against economic targets. Russian organized-crime groups have been active for years in the cyber-theft of consumers’ credit card information and other data.
The agreement would not address those issues, or political differences in the extent to which governments can or should control speech on the Internet. At a conference in Germany this week, Russia pressed its campaign for a binding United Nations treaty on “information security” that would endorse the concept of a governmental role in controlling expression online. The United States opposes that effort.
Talks between the United States and the Chinese over cybersecurity are proceeding at a slower pace, officials say. American officials say the Chinese have not agreed with the U.S. position that the law of armed conflict, which requires the use of proportional force and the minimization of harm against civilians, applies to cyberspace.
The Russians accept that position, easing potential conflict on that point. Experts also note that the Russians and the Americans have had decades of experience negotiating nuclear and other strategic matters.
With computer terminals at the State Department and the Russian Ministry of Defense that are staffed 24 hours a day, the Nuclear Risk Reduction Center allows electronic messages to be quickly translated and directed to key officials. Each government, for instance, could alert the other before it test-fired an intercontinental ballistic missile so that the launch would not be mistaken as the first salvo in a nuclear war.
The nuclear center supports more than a dozen bilateral and multilateral treaties and agreements with up to 50 countries and in six languages. The treaties also deal with troop movements and major military exercises.
In the case of a cyber-incident, the channel of communication could be activated if either side detects what appears to be hostile activity from the other’s territory, officials said.
The channel would be used only if the malicious cyber-activity is of “such substantial concern that it could be perceived as threatening national security,” said an administration official who described the emerging agreement on the condition of anonymity because the talks are not final. “So this is not to be used every day.”
The Russians requested a phone-based hotline between the Kremlin and the White House exclusively for cyber-incidents, the official said. That would be distinct from the nuclear hotline.
Though often depicted in popular culture as red telephone, the nuclear hotline started as a Teletype machine and was later replaced by a computerized system, a defense official said. The hotline, used for crisis communications between heads of state, is not part of the Nuclear Risk Reduction Center.
The pending agreement has grown out of high-level cybersecurity talks in Moscow in February 2011 and a follow-up last June in Washington to establish confidence-building measures to prevent cyber-conflict.
Vice President Biden said in November that talks between the United States and Russia were intended to “build cooperation and to set up lines of communication in the event of an alarming incident.”
The negotiators agreed on two other measures, including an exchange of position papers, which has been completed. The United States gave the Russians the Pentagon’s strategy for cyberspace before it was published last July. In December, the Russians delivered a Ministry of Defense paper on the “information space” that affirmed that the law of armed conflict applies in cyberspace, although the Russians have said more rules may be needed.
The other measure would set up an ongoing exchange of basic, unclassified data on malicious cyber-activity between the Department of Homeland Security’s U.S. Computer Emergency Readiness Team and its counterpart in Russia.
“It’s a very good approach in bilateral relations to decrease tensions,” said Andrey Kulpin, an adviser on international cooperation at the Institute of Information Security Issues at Lomonosov Moscow State University. If either side sees what appears to be a cyberattack from the other, he said,“we have a direct line to discuss that and to have a clear vision that this is not from Russia or the United States.”