US-Russia Cyber-Security Unit: Future Reality or Pipe Dream
Section 1. Introduction
On 9 July 2017, the President of the United States, Donald Trump, published the following tweet: “Putin & I discussed forming an impenetrable Cyber-security unit so that election hacking, & many other negative things, will be guarded.” One day later, President Trump published a tweet which poured cold water over the enthusiastic idea about an “impenetrable Cyber-security Unit.” More specifically, the tweet stated: “The fact that President Putin and I discussed a cyber-security unit doesn’t mean I think it can happen. It can’t-but a ceasefire can, & did!”
Trump’s tweet about the creation of a U.S.-Russia cyber-security unit raises an interesting question. Why does a president who would like to diminish U.S. support for the United Nations, abandon the U.S. commitments under the Paris Climate Change accord, and cut U.S. development assistance consider the establishment of a cyber partnership with Russia? The answer can be found in the words of Daniel Hamilton, who states that Trump “has demonstrated a highly improvisational and situational approach that could inject a risky unpredictability into relations with friends and foes alike.”
The creation of such a U.S.-Russia cyber-security unit would become a precedent in the current diplomatic relationships between the two world powers and bring a significant change in the global cyber warfare landscape. In this article, we discuss the benefits (Section 2) and the risks (Section 3) of a U.S.-Russia cyber-security unit. Next, we examine two main problems hindering the establishment of such a unit, namely, lack of oversight (Section 4) and differences in legal concepts (Section 5). At the end of the article, a conclusion is drawn (Section 6).
Section 2. Benefits
Despite its controversy, the U.S.-Russia cyber-security unit may allow both parties to exchange intelligence regarding cyber threats, thus significantly decreasing the current cyber risks. Such intelligence may include, for instance, intelligence from the deep and dark Web, open source intelligence (OSINT), human intelligence (HUMINT), and social media intelligence (SOCMINT). The exchanged information can allow the U.S. and Russia to identify and eliminate current cyber threats.
While the exchange of cyber-security intelligence, in general, may harm the national interests of the sharing parties, the exchange of certain types of cyber-security intelligence is seen to be harmless. For example, both parties may benefit without significant risks from making publicly available cyber threat information allowing the global community to avoid ransomware attacks or malicious initiatives targeting the healthcare sector.
Section 3. Risks
The main risk associated with the U.S.-Russia cyber-security partnership is that one of the parties may use the collected information against the other. In this regard, Adam Schiff, the vice chairman of the U.S. House Intelligence Committee, stated that such a partnership “would be akin to inviting the North Koreans to participate in a commission on non-proliferation — it tacitly adopts the fiction that the Russians are a constructive partner on the subject instead of the worst actor on the world stage.”
While it is unlikely that the U.S. and Russia would directly violate a potential cyber partnership agreement, either party may hide its hacking activities by outsourcing them to third parties operating outside of the government (also known as “cyber proxies”). Such outsourcing activities may be permitted by a so-called gentlemen’s agreement between the state and hacking organizations. The agreement may serve as an umbrella under which hacking organizations will operate undisturbed by the government. Alex McGeorge, the director of a company specializing in nation-state cyber threats, argues that the Russian intelligence agency has already concluded a gentlemen’s agreement with the hacking community, which can be described as follows: “Do whatever you want, so long as it doesn’t hurt Russia.”
An example of such a gentlemen’s agreement is the treatment of the FBI’s most wanted cybercriminal, Evgeniy Mikhailovich Bogachev, who lives openly in a large apartment near the shore in the Russian resort town Anapa. The New York Times reported that Mr. Bogachev owns a yacht and enjoys sailing despite the fact that the FBI offers a reward of up to USD 3 million for information leading to his arrest and/or conviction. The malicious program GameOver Zeus, which was created by a hacker group including Mr. Bogachev, caused financial losses amounting to more than $100 million about a decade ago. The same group is believed to have engaged in a ransomware attack against a U.S. police station. The attackers succeeded in persuading the police officers to pay a ransom to retrieve their data.
Although some cybersecurity threat intelligence experts, such as Paulo Shakarian, the CEO of the security firm CYR3CON, suspect that a U.S.-Russia cyber-security partnership would benefit Russia disproportionately because Russia may act in a malicious way, it should be noted that the U.S. National Security Agency (NSA) is also often criticized for unreasonably harming the interests of the U.S. and the global community. For instance, the NSA invested significant human and financial resources in secretly developing the exploit EternalBlue. The exploit was leaked by the hacking group Shadow Brokers. Later, EternalBlue was used by criminals to create the unprecedented ransomware WanaCrypt0r 2.0, which harmed more than 230,000 computers in 150 countries.
Section 4. Lack of oversight
Every bilateral intelligence collaboration requires each party to find a balance between two opposing interests, namely, keeping and sharing intelligence. As Warren Tucker, the former director of the New Zealand Security Intelligence Service, states: “Given the inherently secretive character of secret intelligence, there is immediately a tension between the need to maintain the secret, on the one hand, and sharing the secret – or operating in a more open and collaborative manner – on the other.”
The only way to ensure the fairness of intelligence collaboration is to allow each party to oversee the intelligence gathering activities of the other party. This can ensure that the intelligence is: (i) not collected by using torture or other unlawful methods; (ii) reliable; (iii) not modified by the collecting party; and (iv) collected in accordance with the agreement providing for bilateral intelligence collaboration. Furthermore, oversight mechanisms increase the efficiency of intelligence collaborations. According to Geoffrey Weller (professor of International Studies at the University of Northern British Columbia), such mechanisms increase “staff morale, client satisfaction, and general efficiency. In addition, greater oversight has probably improved the image of the agencies with the public and improved their effectiveness and relevance, and thereby their image, within the government itself.”
Given the political tension between the U.S. and Russia caused by (i) the different views on the Russian military intervention in Syria, (ii) the crisis in Ukraine, and (iii) Russia’s annexation of Crimea, it is highly unlikely that either party will allow the other party to oversee intelligence gathering activities. U.S. President Donald Trump admitted that US relations with Russia “may be at an all-time low.”
Section 5. Differences in legal concepts
For a U.S.-Russia cyber-security partnership to work, the parties should clearly define essential concepts related to cyber-warfare, such as “cyber threats,” “cyber-crime,” and “cyber-security intelligence.” The harmonization of terms, treatments, and penalties may be a challenge since the two countries perceive cyber threats in different ways. In Russia, hacking offenses are regarded as minor infractions. Computer hacking was legal until 1997, when Russia adopted its new Criminal Code. Under the Criminal Code, unauthorized access to information stored on computing devices is punished with (i) a deprivation of liberty for a term of up to two years, (ii) a fine of 200-500 minimum wages, and (iii) corrective labor for a term of six to twelve months. In comparison, according to a U.S. governmental website, U.S. penalties for computer hacking range “from a class B misdemeanor (punishable by up to six months in prison, a fine of up to $1,000, or both) to a class B felony (punishable by up to 20 years in prison, a fine of up to $15,000, or both).”
The U.S. and Russia can overcome the differences in their legal concepts by using precise definitions in the future cyber-security partnership agreement. However, the negotiation of such definitions can be problematic due to the negotiating parties’ different approaches towards cyber-security. More specifically, Russia perceives information which may threaten the state as a critical security concern. To illustrate, “Section III. Major Information Threats” of the Information Security Doctrine of the Russian Federation, published on 5 December 2016, states: “there is a trend among foreign media to publish an increasing number of materials containing biased assessments of State policy of the Russian Federation.” In contrast, the U.S. defends the principle of uncontrolled exchange of digital information, which can be limited only on the basis of legal grounds. By immunizing some types of websites from responsibility/liability for content posted on them by third parties, Section 230 of the Communications Decency Act transforms the U.S. into a bastion of free speech. It is worth mentioning that even court judgments declaring the existence of defamation cannot oblige such websites to remove content published by third parties.
Section 6. Conclusion
At present, the discussion about the U.S.-Russia cybersecurity unit is approached rather one-sidedly. Russia is depicted as a partner who cannot be trusted and, therefore, the creation of the U.S.-Russia cyber-security unit was declared to be a disadvantageous idea. However, looking from a broader perspective, both benefits and risks can be identified in relation to the creation of such a unit.
While a U.S.-Russia cyber-security unit may never be formed, the idea behind it has some merit. More particularly, the two countries can establish a cyber-security unit which will make publicly available cyber threat intelligence that can benefit the global community. Thus, the U.S. and Russia will help each other reduce the impact of global cyber threats, such as WanaCrypt0r 2.0, which affected both U.S. and Russian organizations, including FedEx Corporation (a U.S. delivery services company), the Ministry of Internal Affairs of the Russian Federation, and Russian Railways.
However, such a unit can indeed pose substantial national security risks. The prospective partners need to overcome at least two challenges, namely, creating a system for overseeing the partnership and agreeing on common legal concepts.
- Kasimov, S., ‘Трамп готовит союз с Россией’, SV Pressa, 21 December 2016. Available at http://svpressa.ru/politic/article/163021.
- Borger, J., Luhn, A., ‘Donald Trump says US relations with Russia “may be at all-time low”’, The Guardian, 13 April 2017. Available at https://www.theguardian.com/us-news/2017/apr/12/us-russia-relations-tillerson-moscow-press-conference.
- Chinn, D., Walters, R., ‘Why US-Russia Cyber Cooperation Is So Problematic’, Daily Signal, 21 March 2017. Available at http://dailysignal.com/2017/03/21/why-us-russia-cyber-cooperation-is-so-problematic.
- Dimov, D., Juzenaite, R., ‘The Most Hacker-Active Countries – Part 2’, InfoSec Institute, 11 August 2015. Available at https://resources.infosecinstitute.com/the-most-hacker-active-countries-part-ii.
- ‘Doctrine of Information Security of the Russian Federation’, The Ministry of Foreign Affairs of the Russian Federation, 5 December 2016. Available at http://www.mid.ru/en/foreign_policy/official_documents/-/asset_publisher/CptICkB6BZ29/content/id/2563163.
- Giles, K., ‘Russia’s Public Stance on Cyberspace Issues’, NATO CCD COE Publications, 2012. Available at https://ccdcoe.org/publications/2012proceedings/2_1_Giles_RussiasPublicStanceOnCyberInformationWarfare.pdf.
- Hamilton, D., S., ‘Trump’s Jacksonian Foreign Policy and its Implications for European Security’, Swedish Institute of International Affairs, 2017. Available at https://www.ui.se/globalassets/butiken/ui-brief/2017/hamilton-ui–brief.-05-23.pdf.
- King, L., ‘Trump’s plan to create a cybersecurity partnership with Putin draws ridicule from within his own party’, Los Angeles Times, 9 July 2017. Available at http://www.latimes.com/politics/la-na-pol-trump-russia-20170709-story.html.
- Kravets, D., ‘Wait, what? Trump proposed a joint “cyber-security unit” with Russia’, Ars Technica, 10 July 2017. Available at https://arstechnica.com/tech-policy/2017/07/wait-what-trump-proposed-a-joint-cyber-security-unit-with-russia.
- McGruddy, J., ‘Multilateral Intelligence Collaboration and International Oversight’, Journal of Strategic Security, Number 5 Volume 6, No. 3, Fall 2013. Available at http://scholarcommons.usf.edu/cgi/viewcontent.cgi?article=1317&context=jss.
- Merica, D., ‘Trump won’t refute Putin, floats joint cybersecurity team’, CNN, 10 July 2017. Available at http://edition.cnn.com/2017/07/09/politics/trump-russia-putin-cyber-security/index.html.
- Reinhart, C., ‘Penalties for computer hacking’, Connecticut General Assembly, 28 June 2013. Available at https://www.cga.ct.gov/2012/rpt/2012-R-0254.htm.
- Schwirtz, M., Goldstein, J., ‘Russian Espionage Piggybacks on a Cybercriminal’s Hacking’, The New York Times, 12 March 2017. Available at https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html.
- Sheth, S., ‘This implicates us in their propaganda: The US just made a striking concession to the Kremlin’, Business Insider, 9 July 2017. Available at http://uk.businessinsider.com/trump-putin-meeting-experts-cybersecurity-election-hacking-2017-7?r=US&IR=T.
- Sottek, T.C., ‘Some questions about the impenetrable Trump / Putin “Cyber-security unit”’, The Verge, 9 July 2017. Available at https://www.theverge.com/2017/7/9/15944002/trump-putin-impenetrable-cyber.
- ‘The Latest: Trump backs off cybersecurity unit with Russia’, SF Gate, 10 July 2017. Available at http://www.sfgate.com/news/politics/article/The-Latest-Tillerson-says-US-expected-Putin-s-11275710.php.
- Volff, J., ‘Exactly How Stupid of an Idea Is a U.S.-Russia Cybersecurity Unit?’, Slate, 10 July 2017. Available at http://www.slate.com/articles/technology/future_tense/2017/07/why_a_u_s_russia_cybersecurity_unit_is_such_a_stupid_idea.html.
- Zuckerman, J., ‘Beyond the Border: U.S. and Canada Expand Partnership in Trade and Security’, The Heritage Foundation, 17 June 2013. Available at http://www.heritage.org/global-politics/report/beyond-the-border-us-and-canada-expand-partnership-trade-and-security.
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.