Russia’s cyber-meddling in the 2016 U.S. presidential election has been accompanied by what U.S. and European experts describe as a worrisome Kremlin campaign to rewrite the rules for global cyberspace.
A draft of a Russian proposal for a new “United Nations Convention on Cooperation in Combating Information Crimes” was recently shown to me by a security expert who obtained a copy. The 54-page document includes 72 proposed articles, covering collection of Internet traffic by authorities, “codes of conduct” for cyberspace and “joint investigation” of malicious activity. The language sounds bureaucratic and harmless, but experts say that if adopted, it would allow Russia to squeeze cyberspace even more.
The Kremlin’s proposed convention would enhance the ability of Russia and other authoritarian nations to control communication within their countries, and to gain access to communications in other countries, according to several leading U.S. cyber experts. They described the latest draft as part of Moscow’s push over the past decade to shape the legal architecture of what Russian strategists like to call the “information space.”
The proposal was floated by the Kremlin early this year, and outlined in an April 4 article in Kommersant. The Moscow daily reported that the Russian Foreign Ministry had described the convention as an “innovative” and “universal” attempt to replace the 2001 Budapest Convention, which has been signed by the United States and 55 other countries but rejected by Russia. Kommersant said “Russian authorities saw a threat to the sovereignty of the country” in the Budapest pact.
Russia’s bid to rewrite global rules through the United Nations was matched by a personal pitch on cyber-cooperation in July from President Vladimir Putin to President Trump at the Group of 20 summit in Hamburg. Putin “vehemently denied” to Trump that Russia had interfered in the U.S. election, Trump said in a tweet. Trump then floated a mystifying proposal: “Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded and safe.”
Trump’s suggestion that America join Russia in cyberdefense provoked an uproar in the United States. One Twitter commentator wrote: “This is like the FBI asking the Mafia to form an anti-crime unit together.”
The White House quickly backtracked after Trump’s tweet. Homeland security adviser Tom Bossert told reporters on July 14: “I don’t believe that the U.S. and Russia have come to that point yet in cyberspace. And until we do, we wouldn’t have the conversation about partnership.”
Many U.S. cyber experts share Bossert’s view that although any formal treaty or partnership with Moscow now is unwise, quiet confidence-building discussions might be useful. Those could include military-to-military or technical contacts to explore how to avoid catastrophic cyber-events that might cripple strategic systems or pose systemic risk.
U.S. and Russian officials had maintained such a dialogue to explore norms for the Internet, but so far it has been a dead end. The Russians were led by Andrey Krutskikh, a foreign ministry official who is Putin’s cyber adviser; and on the U.S. side, by Christopher Painter, who was White House cyber chief under President Barack Obama and then cyber coordinator at the State Department, a post he left this year.
These contacts are sensible, but they have withered as U.S.-Russia relations have deteriorated. A high-level working group stopped meeting after Russia invaded Ukraine in 2014. A U.N.-sponsored Group of Governmental Experts on Information Security broke up in June after failing to reach consensus on measures for improving information security. Putin’s bilateral proposal at Hamburg quickly disappeared after Trump’s premature endorsement.
The Russians, meanwhile, continue their campaign to regulate cyberspace on their terms, by mobilizing allies to support their alternative to the Budapest convention; Moscow’s biggest complaint is that the Budapest framework, in Article 32 (b), allows the owners of data to control its use, rather than governments. Moscow wants state control of information.
Russia got some global support for its effort at a September gathering in Xiamen, China, of the so-called BRICS countries: Brazil, Russia, India, China and South Africa. In their formal declaration, the countries “recognize the need for a universal regulatory binding instrument on combatting the criminal use of ICTs [information and communications technologies] under the UN auspices.” The countries “acknowledge the initiative” of Russia in seeking such a binding pact.
If the events of the past year have taught us anything, it’s that Russia views information as a decisive political weapon and wants to control this potential battle space. The global regulatory side of this contest gets little attention, but it could help determine whether open information flows survive in the age of the autocrats.
Read more here: