Alex Grigsby is the assistant director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.
Earlier this month, Russian business daily Kommersant reported that the Kremlin proposed to cooperate with the United States to prevent "cyberattacks on critical infrastructure," and wanted to include language to that effect in a communiqué issued at the end of the Helsinki Summit.
Although the communiqué was never issued, it is at least the third time in two years that Russia has requested some form of cooperation with the United States on cyber issues. Last year at the G20 in Germany, Vladimir Putin proposed the creation of U.S.-Russia cyber working group, which President Trump famously called an "impenetrable Cyber Security unit." In December, BuzzFeed reported that Russia's deputy foreign minister had proposed an agreement whereby both countries would agree to not interfere in each others' domestic politics. U.S. officials rebuffed that offer.
So why has the United States rejected Russia's offers at collaboration? Three reasons come to mind.
First, U.S. officials are understandably skeptical of the sincerity of Moscow's overtures while it continues its reckless cyber operations against the United States. In the last twenty-four months, Russia compromised and doxed the Democratic Party, launched a chaotic ransomware attack, tried to infiltrate U.S. electrical utilities with tools similar to those used to cause blackouts in Ukraine in 2015 and 2016, owned over 500,000 consumer-grade routers, sustained an active measures campaign on social media, and compromised voter databases in at least two states. From Washington’s perspective, these actions go way beyond traditional peacetime intelligence gathering. Collecting intelligence about political parties' views on policy issues or the technology a utility uses is generally kosher among spies. Active measures against those parties and trying to find a utility's off switch is not.
Russia would respond that all of the above could have been avoided if the United States simply agreed to its proposals of non-interference in each others' internal affairs and cooperated to reduce threats against critical infrastructure. That raises the second reason for Washington's rejection of the Kremlin's proposals: Russia and the United States often talk past each other on cyber issues. As I wrote last year, both "fundamentally disagree on the nature of cyber conflict," which hampers their ability to agree to shared norms. A norm to not use cyber means to interfere in each others' domestic politics is not viable because it would be dependent on factors beyond the U.S. government's control. If the Kremlin already believes that the Panama Papers was a CIA plot to undermine Russia or that the White House has the ability to fire journalists, it is sure to blame the U.S. government for any future New York Times, Wall Street Journal, Washington Post, or similar investigation uncovering corruption or malfeasance in Putin's inner circle.
Third, the Kremlin's emphasis on getting President Trump's endorsement of a cyber agreement poses a particular optics problem for the United States. Any cyber agreement that he makes with his Russian counterpart would automatically be greeted with skepticism in light of Russia's 2016 election interference and the Mueller investigation. The proposed cyber working group in 2017 was quickly discarded after the idea was made public and Trump's subsequent tweet drew condemnation, ridicule, and derision. Nevertheless, Russia keeps aiming for a leaders' level agreement, hoping it can bypass an intransigent "deep state" in the United States bent on styming efforts at rapprochement, when quieter talks between working-level diplomats might yield greater success.
The United States and Russia recognize that despite their significant differences, they have to talk to each other to avoid uncontrolled escalation in cyberspace. That's why even after the 2014 Russian invasion of Ukraine, the United States kept meeting with Russian cyber experts despite having cut cooperation elsewhere. And the Kremlin reportedly used a dedicated hotline on cyber issues to raise concerns about malicious cyber activity emanating from the United States against the 2014 Sochi Olympics.
The most promising opportunity for U.S.-Russia cyber cooperation will come this fall at the United Nations. Russia will propose a resolution seeking the General Assembly's endorsement of a code of conduct for state activity in cyberspace. The text of the resolution has not been made public, but it is likely to be a combination of existing cyber norms the GGE agreed to in 2013 and 2015 and previous iterations of another code of conduct members of the Shanghai Cooperation Organization (SCO) proposed in 2011 and 2015. The inclusion of the SCO language will make the United States and like-minded countries balk given its negative human rights implications. Nevertheless, the proposed Russian resolution could probably be salvaged through negotiation that strips it of the SCO code's worst elements, keeps the consensus GGE language, and mandates the creation of a new GGE to pick up where the last one fell apart.
That outcome is far from an ideal scenario for either country. Russia and China have been drivers of the SCO's cyber work, and will want to see some form of UN endorsement of its efforts. The United States is unlikely to be enthused at the prospect of another GGE process when it would rather spend its time enforcing existing cyber norms instead of talking about creating new ones. Despite these misgivings, it is one of the few options that keeps Moscow and Washington at the bargaining table.