Imagine a bully who’s pounding your head against a wall. When you complain that it hurts and threaten to punch back, he offers to sign an international agreement against bullying. Meanwhile, he keeps pounding your head.
That’s a shorthand summary of the peculiar situation that has developed in the United Nations’ discussions about regulating cyberspace. The Russians are aggressively hacking U.S. and European political parties and infrastructure, according to U.S. intelligence reports. At the same time, they are pushing for international regulation of cyberspace — on their own terms.
Russian plans to offer new U.N. cyber-regulation pacts were floated last month by Anatoly Smirnov, a top computer scientist at the Moscow State Institute of International Relations, in an interview with Nezavisimaya Gazeta. He said Russia would soon introduce a cyber “code of conduct” and a pathway to a new cybercrime convention to replace one signed in Budapest in 2001.
It’s noteworthy that another faculty member of Smirnov’s university is Andrey Krutskikh, the top Kremlin adviser on cyber issues. At a private conference in Moscow in February 2016, Krutskikh said menacingly, “I’m warning you: We are at the verge of having ‘something’ in the information arena, which will allow us to talk to the Americans as equals.”
Russia’s tone on cyber matters, at once defiant and defensive, reflects Moscow’s claim that America shot first in the Internet wars and Russia is struggling to respond. For example, before quoting Smirnov, Nezavisimaya Gazeta cited a Wall Street Journal report that the Trump administration had decided to “loosen rules of engagement for U.S. cyberattacks.”
Russia is conducting a quiet lobbying campaign for its U.N. package. On Aug. 3, through the U.N. Office on Drugs and Crime, Russia invited an alliance of developing nations known as the Group of 77 (it’s actually 134 countries now) to Vienna on Sept. 11 and 12 to discuss “preventing and combatting cybercrime.” A European official said Russia has offered to pay airfares.
The first Russian U.N. resolution appears to be drawn largely from a Chinese-drafted “code of conduct” approved in 2015 by Russia, China and the other four members of the Shanghai Cooperation Organization. It features high-minded language about “the need to protect the Internet . . . from threats and vulnerabilities.” But it allows countries to muzzle information at home and restrict dissent.
The United States has negotiated intermittently with Russia and the United Nations on cyber issues, trying to build norms of behavior and confidence-building measures without compromising Internet freedom. The main forum since 2004 has been the United Nations’ Group of Governmental Experts (GGE). Over the years, it has applied the rules of war to cyber conflict, extended international law to cyberspace, and pledged that nations will protect “critical infrastructure” from cyberattack.
Yet after endorsing the 2015 GGE report that supposedly protected infrastructure, Russia this year allegedly conducted cyberattacks against U.S. and European nuclear power plants and water and electrical systems, according to the Department of Homeland Security.
American suspicion that Russia and China were playing a double game on cyber conflict led the State Department in June 2017 to criticize nations that “seem to want to walk back progress made in previous GGE reports.” The “Experts” dialogue has withered over the past year, and the Russians are now seeking U.N. General Assembly backing for their code of conduct.
Russia’s cybercrime initiative is a second leg of the effort to steer cyber-regulation Moscow’s way. Russia was the only major European country that didn’t sign the 2001 Budapest Convention, partly because it allowed foreign law enforcement officials to directly query Internet service providers. Since then, Russia has campaigned to replace Budapest with a Moscow-friendly alternative.
Russia has tailored its new cybercrime convention to fit its authoritarian needs. As I wrote last October, it includes 72 articles that experts say would allow countries to censor internal debate, without adding significant new measures to curb malicious cybercriminals. Rather than pitching this new convention directly, Russia may offer a blander U.N. proposal to study an update to Budapest, as a first wedge.
“We think we should have a continuing conversation at the U.N. about responsible state behavior in cyberspace,” including a resumption of the GGE expert talks, says a senior administration official. It’s been clear for years that the United States doesn’t want an arms-control approach that would mandate unverifiable and potentially counterproductive rules.
President Vladimir Putin touted his plan for a “working group” with the United States on cybersecurity at the Helsinki summit in July. President Trump has signaled enthusiasm in the past, but this time wiser heads apparently prevailed. Even this administration understands that, for now, allying with Moscow to combat cybercrime would be like hiring a burglar to protect the family jewels.