Imagine a bully who’s pounding your head against a wall. When you complain that it hurts and threaten to punch back, he offers to sign an international agreement against bullying. Meanwhile, he keeps pounding your head.
That’s a shorthand summary of the peculiar situation that has developed in UN discussions about regulating cyberspace. The Russians are aggressively hacking US and European political parties and infrastructure, according to US intelligence reports. At the same time, they are pushing for international regulation of cyberspace -- on their own terms.
Russian plans to offer new UN cyber regulation pacts were floated last month by Anatoly Smirnov, a top computer scientist at Moscow State Institute of International Relations, in an interview with Nezavisimaya Gazeta. He said Russia would soon introduce a cyber “code of conduct,” and a pathway to a new cybercrime convention to replace one signed in Budapest in 2001.
It’s noteworthy that another faculty member of Smirnov’s university is Andrey Krutskikh, the top Kremlin adviser on cyber issues. At a private conference in Moscow in February 2016, Krutskikh said menacingly, “I’m warning you: We are at the verge of having ‘something’ in the information arena, which will allow us to talk to the Americans as equals.”
Russia’s tone on cyber matters, at once defiant and defensive, reflects Moscow’s claim that America shot first in the internet wars and Russia is struggling to respond. For example, before quoting Smirnov, Nezavisimaya Gazeta cited a Wall Street Journal report that the Trump administration had decided to “loosen rules of engagement for US cyberattacks.”
Russia is conducting a quiet lobbying campaign for its UN package. On Aug. 3, through the UN Office on Drugs and Crime, Russia invited an alliance of developing nations known as the Group of 77 (it’s actually 134 countries now) to Vienna from Sept. 11-12 to discuss “preventing and combating cybercrime.” A European official said Russia has offered to pay airfares.
The first Russian UN resolution appears to be drawn largely from a Chinese-drafted “code of conduct” approved in 2015 by Russia, China and the other four members of the Shanghai Cooperation Organization. It features high-minded language about “the need to protect the internet ... from threats and vulnerabilities.” But it allows countries to muzzle information at home and restrict dissent.
The US has negotiated intermittently with Russia and the UN on cyber issues, trying to build norms of behavior and confidence-building measures without compromising internet freedom. The main forum since 2004 has been the UN’s so-called Group of Governmental Experts. Over the years, it has applied the rules of war to cyber conflict, extended international law to cyberspace, and pledged that nations will protect “critical infrastructure” from cyberattack.
Yet after endorsing the 2015 GGE report that supposedly protected infrastructure, Russia this year allegedly conducted cyberattacks against American and European nuclear power plants and water and electric systems, according to the Department of Homeland Security.
American suspicion that Russia and China were playing a double game on cyber led the State Department in June 2017 to criticize nations that “seem to want to walk back progress made in previous GGE reports.” The “Experts” dialogue has withered over the past year, and the Russians are now seeking UN General Assembly backing for their code of conduct.
Russia’s cybercrime initiative is a second leg of the effort to steer cyber-regulation Moscow’s way. Russia was the only major European country that didn’t sign the 2001 Budapest Convention, partly because it allowed foreign law-enforcement officials to directly query internet service providers. Since then, Russia has campaigned to replace Budapest with a Moscow-friendly alternative.
Russia has tailored its new cybercrime convention to fit its authoritarian needs. As I wrote last October, it includes 72 articles that experts say would allow countries to censor internal debate, without adding significant new measures to curb malicious cybercriminals. Rather than pitching this new convention directly, Russia may offer a blander UN proposal to study an update to Budapest, as a first wedge.
“We think we should have a continuing conversation at the UN about responsible state behavior in cyberspace,” including a resumption of the GGE expert talks, says a senior administration official. It’s been clear for years that the US doesn’t want an arms-control approach that would mandate unverifiable and potentially counterproductive rules.
President Vladimir Putin touted his plan for a “working group” with America on cybersecurity at the Helsinki summit in July. President Trump has signaled enthusiasm in the past, but this time wiser heads apparently prevailed. Even this administration understands that, for now, allying with Moscow to combat cybercrime would be like hiring a burglar to protect the family jewels.
David Ignatius can be reached via Twitter: @IgnatiusPost. -- Ed.
(Washington Post Writers Group)