In October, the U.S. and Russia did what many thought was unthinkable: They jointly signed a cyber norms agreement. Submitted to the U.N. General Assembly, the three-page document outlined, for the first time, some general cyber principles on which the countries nominally agree.
The power of real diplomacy is not to be lost here—the Trump administration took a hammer to State Department expertise and ripped the rug out from under highly dedicated cyber diplomats who previously led these dialogues with Moscow. Bringing this engagement back is a significant accomplishment of the Biden White House. All that said, however, many ideological gaps persist in the U.S.-Russia relationship, including on technology. It’s these points of divergence—in some cases, a radically different worldview—that will greatly shape how much cyber understanding and cooperation the states can pursue going forward.
Dated Oct. 8, the recently published U.N. submission was co-signed by the United States and Russia, plus 53 other countries. Some signatories are authoritarian countries, such as Eritrea (and obviously Russia), although many longstanding supporters of a more state-controlled internet, like China and Iran, did not put their names on the draft resolution.
Its content doesn’t read as earth-shattering; in line with decades of such U.N. proposals, the agreement focused on general principles, as captured in its lengthy title: “Developments in the field of information and telecommunications in the context of international security, and advancing responsible State behavior in the use of information and communications technologies.” Nonetheless, it’s a big deal. For decades (going back to a Russian document in 1998), the U.S. and Russia have firmly opposed each other’s U.N. cyber proposals. When a Russian resolution was successfully passed in December 2019, a former White House official and cyber negotiator described it to me as an “embarrassing and stunning defeat,” for it cemented an advance against global, open internet values. Reaching consensus even on the October document’s admittedly anodyne language—that all states should “promote the use of information and communications technologies for peaceful purposes”; that states should work to prevent conflict with those technologies; that uses of such technologies could undermine international stability and security—is an achievement.
Russia and the U.S. aren’t far apart on cybersecurity just because they view each other as adversaries or at least antagonists—it’s also because they have fundamentally different views here, down to the language they use. In the U.S., officials talk in the language of cybersecurity, a term generally used in the West in reference to the confidentiality, integrity, and availability (the so-called CIA triad) of systems, networks, and data. This word is also relatively synonymous with the term information security, hence phrases like information security conferences or information security professionals. Underpinning this verbiage is a conceptual distinction between data (1s and 0s that computers process) and information (content people can process). For example, when practitioners talk about filtering internet traffic for cybersecurity threats, they are referring to code and malware; those conversations typically exclude filtering for content, like with disinformation.
Moscow’s view is quite different. Information security is a bedrock concept in Russian cyber and internet policy (and, indeed, modern information strategy), but it’s used much more broadly. It encompasses what American policymakers would dub cybersecurity, like network defenses and encryption, but it also includes ideas of general political, social, and cultural stability in the information sphere. Effectively, information security includes everything from building up Russia’s cyber defenses to spreading Kremlin-manufactured disinformation to surveilling citizens’ internet activity to protect the Putin regime. Even in English, cyber or cyberspace is not a concept in Russian doctrine, and is generally only used by Russian officials in reference to Western thinking.
These differences matter when Washington and Moscow sit down at the negotiating table. While Russian officials understand that the United States uses the term cyber, Russian thinking does not seriously recognize the distinction between information and data. U.S. policy that pushes for less online censorship alongside more control of cybercriminal activity thus doesn’t neatly fit this worldview. Relatedly, the U.S. government rightfully will not recognize the Russian government’s definitions of cybercrime, where anything that violates the “information security” of the Putin regime—such as disseminating news that reflects poorly on the state—is considered an illegal offense. This has even been a problem in ongoing U.S.-Russia cyber negotiations. U.S. efforts to get Moscow to crack down on ransomware gangs in Russia have been met with classic what-about-ism tactics that falsely equate U.S. and Russian law. Of course Russia will extradite cybercriminals to the U.S., Putin told a state news agency in June—so long as the U.S. extradites “cybercriminals” in the U.S. to Russia. Moscow effectively said the same in a U.N. cyber treaty introduced that same month. Given the Kremlin believes the U.S. government is interfering in Russian elections through U.S. media and internet platforms, it’s not hard to imagine Moscow accusing any number of U.S. journalists or social media executives of criminal behavior.
The friction doesn’t stop at terminology. Russia’s cyber ecosystem is composed of a complex web of state actors, individuals acting independently from the state, and many in the gray area in between—offensive cyber and information groups that are state-backed, state-directed, state-encouraged, or state-ignored. If Putin wanted to crack down on a particular cybercriminal gang, he absolutely could. Yet, contrary to popular Western perception, Putin does not control literally everything in Russia, and many cybercriminals do as they please so long as they attack foreign targets and don’t undermine the Kremlin’s objectives.
The state also depends on a web of criminal proxies and front organizations to spy on and launch other cyber and information operations against foreign targets. For instance, the Russian Federal Security Service (FSB) has been known to recruit cybercriminals to run operations by discovering them via online forums and criminal investigations into their activities. While the U.S. can pressure the Putin regime to do more against ransomware gangs, it must focus narrowly on particular kinds of operations against particular U.S. targets; handing Russian officials a list of dozens of sectors “off-limits” for all kinds of cyber operations risks going nowhere at all.
Putin also genuinely believes that Silicon Valley platforms are tools of Western subversion—and that the U.S. and other democracies are constantly interfering in Russia’s domestic political sphere and electoral processes by the nature of the global, open internet. Where democracies looked at the Arab Spring and imagined technology’s inherently democratizing force, the Kremlin saw American meddling and the internet’s threat to regime security. When Apple and Google wouldn’t delete opposition candidate Alexey Navalny’s app in September—which they ultimately did, after the Kremlin sent armed men to Google’s Moscow office and threatened company representatives on the ground—the Russian government cried U.S. election interference.
Russia’s 2016 Information Security Doctrine itself says: “Intelligence services of certain States are increasingly using information and psychological tools with a view to destabilizing the internal political and social situation in various regions across the world, undermining sovereignty and violating the territorial integrity of other States. Religious, ethnic, human rights organizations and other organizations, as well as separate groups of people, are involved in these activities and information technologies are extensively used towards this end.” American diplomats will be hard-pressed to get anywhere on election interference and internet repression issues without recognizing this ideological view—one in which the Russian government views all online mobilization as the work of enemy powers and cracks down on speech, assembly, and online activity in response.
All told, cybersecurity practitioners, policy wonks, and scholars constantly debate whether cyber norms that dictate “acceptable” behavior matter, and if so, how much. In this case, it’s easy to find phrases in the U.N. document that Moscow clearly doesn’t actually endorse, like “the importance of respect for human rights and fundamental freedoms in the use of information and communications technologies.” Other issues plague the U.S.-Russia cyber relationship, too, such as continued Russian disinformation and election interference operations. There’s also the question of whether U.S. Cyber Command, a military organization, should be going after a Russian cybercriminal group, especially one the White House says is likely not Kremlin-directed, even as it may enjoy the state’s tacit approval.
The Biden administration and its cyber negotiators have made a real achievement in getting agreement on this United Nations proposal, and that feat should be recognized. Yet when dealing with a government that has such an all-encompassing and conspiratorial view of information, the internet, and regime security, the U.S. will have a better chance at successful cyber negotiations by narrowing its discussions to focus on specific behaviors and specific targets—and specific costs for going after them.