Among these, cyber threat is the most advanced, complicated and ungoverned in the realm of interstate relations in view of technological advancement, lawlessness of cyberspace and widening scope of the arena (Rias Shad, 2018). Globalisation, a permanent and growing phenomenon today, allows the diffusion of new means of communication (NICT), making the Internet a prominent universal space accessible to all – or almost all. However, this space goes beyond national physical borders, but also beyond traditional legal borders, making its application difficult and with few precedents.
This new, elusive and uncontrollable domain therefore requires an articulation between the micro and macro levels of governance, and accentuates their respective dependence on digital and cyber security. The latter becomes all the more important as the fear of foreign interference in electoral processes grows, as well as the fear that a country’s sensitive data will be hacked and revealed to the public. For instance, Cambridge Analytica, a UK-based political consultancy, stole personal data of up to 87 million Facebook users to influence the 2016 U.S. Presidential elections and Brexit campaign (Riley, Frier & Baker, 2018). The scope of cyber threat increases as cyberspace remains largely unregulated and commissioning of cyber-crime is simple as well as inexpensive. Above all, cyber threats are incentivized by the technical challenge of identification of the responsible which can be concealed through the use of several networks (Rias Shad, ibid). Today, it is clear that a solution, if it exists, will involve international cooperation if the problem involves one or more states. This issue has recently come to the fore by invading relations between Russia and the United States, building up tensions that could well escalate into a new kind of conflict.
US cyber security against Russia is not a recent issue, as cyber has been a tool developed by the intelligence services of both countries for decades. The track record of so-called independent hacker groups from Russia on U.S. soil is extensive. The latest is the one acknowledged by the REvil group on 2 July: the takeover of the VSA remote management and control software of the company Kaseya (Fekih, 2021). One million systems have been infected by this attack according to the group, the virus infiltrating through an update on the system of Kayesa. A classic ransomware format, the hacker group is demanding $70 million to be able to give back access to data to their owners whose systems are out of order. The numbers vary depending on the version of Kayesa or REvil, but this could be the largest software attack in history. It is so severe that even schools in New Zealand have been affected, and up to 17 different countries could be affected. Joe Biden then “ordered the use of all resources” of the government to investigate the attack (ibid). Joe Biden once again called on Vladimir Putin in a telephone conversation on Friday 9 July to take action against “ransomware” attacks carried out from Russia, failing which the United States would have to take “the necessary measures” to defend itself (Le Monde, 2021). The American president, who had already raised his voice on this subject during his meeting with his Russian counterpart in June in Geneva, is under new pressure following the attack on the Kayesa company. This article will then analyse the challenges of cybersecurity in interstate relations before turning to a more specific Russo-American case study.
Cyber Threat in Interstate Relations
Cyberspace has become a prominent social phenomenon of the 21stcentury given its ubiquitous nature and ever-increasing role in all spheres of human life. Internet connects about half of the world’s population and, according to estimates, the number of devices connected to “Internet of Things” will increase from 15 billion in 2016 to 20 billion in 2020 (Nye, 2016). Governments and major organizations are building a “Cyber Westphalia” of bordered national jurisdictions, forming in pieces across nations. Furthermore, the world has entered into the era of ‘cybered conflict’ among states and non-state organizations (Demchak, 2016). According to Nazli Choucri, cyber space consists of physical infrastructures, logical constructs, blocks information content, and actors and users (Choucri, 2012). By extension, cyber politics refers to the process of human interactions in virtual space which determines who gets what, when, and how (ibid). The new space opened up by digital technology also gives states access to new military opportunities. Indeed, states can exploit cyberspace for propaganda, espionage, information operations, and strategic attacks on critical infrastructure. It appears, in other words, as a new field of action for states, just like air, land and sea. The most common cyber activity among the states is espionage for political, security and economic purposes. In the military arena, cyberspace would potentially prove a game changer as it is redefining the traditional concepts of strategic stability, strategic forces, deterrence, etc., not least among major powers (Riaz Shad, ibid).
One of the most serious forms this issue could take would be cyber attacks on computers between states involved in a conflictual relationship, which could be described as cyber war. Cyber war refers to “hostile actions in cyberspace that have effects that amplify or are equivalent to major kinetic violence” (Valeriano & Maness, 2014). Cyber war can also include non-state actors, be they individuals or more or less terrorist or activist groups. But here, it is extremely difficult to estimate the degree of independence of these actors in relation to the interest that their actions may generate for one side or the other. In many cases, Russian hacker groups claiming to be independent have more or less tenuous links to Putin’s government, but evidence is either lacking or remains hidden. But cyber war between states is most likely to occur in the context of rivalry, i.e. a “long-standing conflict with a persistent enemy” (Riaz Shad, ibid). This notion helps to contextualize the cyber war or conflict in the history of diplomatic, military, and socio-cultural interactions between states (ibid).
Following what we have just said, how it is organised a deterrence in cyberspace? Joseph Nye identifies four factors of cyber deterrence: retaliatory threat, denial by defense, fear of entanglement, and norms (Nye, ibid). First, it is technically difficult to identify the attacker and, given the horizontal distribution of cyber capabilities, the attack may come from unknown or unexpected sources. State can obviously undertake diplomatic, economic, military and even nuclear measures to dissuade enemies from launching cyber-attacks against them. But the problem is to know where or from whom the attack comes precisely. If the attack comes from an isolated group in a foreign country, deterrence quickly becomes impossible or futile. More importantly, the widespread belief that a state possesses offensive cyber capability and that it can use this capability against an enemy contributes directly and effectively to cyber deterrence (Nye, ibid). Denial as an instrument of deterrence relies on building cyber defences, although a foolproof cyber security is not possible. However, resilience discourages cyber-attacks as they do not serve the purpose despite spending time and resources (Riaz Shad, ibid). Entanglement must be understood through the interdependence and interconnectedness of states in cyber space. This complex landscape of interdependencies makes any state-to-state attack difficult, as the cost to the victim may be indirectly shared by the aggressor. Norms as an instrument of deterrence work by undermining the reputation and soft power of the attacker. Its effectiveness lies in naming and shaming of the violator (ibid). A state may either have more offensive or defensive capabilities: security officials and experts across the world believe that the US, Israel, Russia, China, and the UK possess offensive cyber capabilities and therefore, categorize them as the cyber superpowers (Blitz, 2013). Regarding defensive capabilities, a study conducted by Security and Defense Agenda, a Brussels-based think tank, has ranked Finland, Israel, Sweden, the US and the UK in descending order as the leading countries in terms of cyber defense (Miks, 2012).
However, cyber warfare remains hypothetical at present, but still poses a growing threat to interstate relations. While states have well-defined international rules and norms to govern their relations in the physical space, they do not yet have well-established rules of the game to regulate relations in cyberspace. In addition, as the “Internet of Things” is growing, the economic and political interests of using cyberspace somewhat overshadow the purely military use. A number of countries are believed to possess cyber-warfare capabilities while others, like Iran and North Korea, are pursuing the same. This gives substance to legitimate concerns about the malicious use of these new technologies in a context of tension, which can also lead to an accentuation of open conflicts through anonymous attacks.
US-Russia cyber security stakes
Former Director of National Intelligence James Clapper stated in 2015 that Russia was one of the top cyber threats that the United States faced today (Taylor, 2015). This is an allusion to their increased abilities and increased disdain towards the United State. The NATO and European Union have clarified their positions about Russia’s aggressive actions. We see from the Warsaw summit communiqués 5th article that the NATO’s vision about the cyber and hybrid war is the same as the military activity or terrorism (at least in the written or stated form) “The Alliance faces a range of security challenges and threats that originate both from the east and from the south; from state and non-state actors; from military forces and from terrorist, cyber, or hybrid attacks” (NATO, 2016). Despite this clear stance, there have been numerous attacks on member states since the 2016 summit.
In 2017, security researchers sounded the alarm about Russian hackers infiltrating and probing United States power companies; there was even evidence that the actors had direct access to an American utility’s control systems (Jamieson, 2018). On March 7 2017, WikiLeaks published a data trove containing 8,761 documents allegedly stolen from the CIA that contained extensive documentation of alleged spying operations and hacking tools (Wired, 2017). More recently, we all remember the attack on the Colonial Pipeline which occurred on 7 May 2021 when the Colonial Pipeline, a US oil pipeline system that originates in Houston, Texas and transports fuel oil primarily to the south eastern US, suffered a ransomware cyber attack that forced the computerised equipment managing the pipeline to shut down. The attack prompted US lawmakers to call for stronger protections for critical US energy infrastructure against hacking, and President Joe Biden declared a state of emergency two days later. The U.S. in its national cyber defense strategy sends the message that it will no longer just defend itself when it is the target of the cyber attacks. It says that “all instruments of national power are available,” including military force, “both kinetic and cyber,” and calls for imposing, “swift, costly, and transparent consequences when malicious actors harm the United States or our partners” (NCSUSA, 2018).
According to Western official sources, circumstantial evidence regarding cyber-attacks against Estonia, Lithuania, Georgia and Kyrgyzstan during 2007-2009 unveiled Russian state-level involvement (Windrem, 2016). Moreover, they assert that following the 2014 Ukraine crisis, Moscow-backed cyber-operators have targeted not only Ukraine but also the US and European nations, including Germany, France and the Netherlands (ibid). While the US is mostly involved in manipulating information through clandestine means, Russia extends cyber-operations to “information warfare,” a term coined and used by Moscow in the context of cyber-attacks (Bohacek, 2016). The Russian “information warfare” comprises three objectives: collection of sensitive information through cyber operations, information propaganda to manipulate public opinion, and exploitation of information to undermine government authorities (ibid). According to Thomas Rid, political cyber-attacks can take place in three forms: sabotage, espionage and subversion (Rid, 2011). Sabotage aims to “weaken or destroy an economic or military system” in order to either complement a physical attack on the target country or prevent it from gaining an undesired advantage (Trueba de Buen, 2016). Cyber espionage involves access to computer networks to gain confidential information owned by a government or an organization. Subversion refers to defacement or DDoS (Distributed Denial of Service) attacks on official websites or media sources to undermine a particular authority. According to NATO’s former Supreme Allied Commander General Philip Breedlove, Russia has developed “the most amazing information warfare, “Blitzkrieg”, we have ever seen in the history of information warfare” (Buchanan & Sulmeyer, 2016). The US and Russia have been engaged in diplomacy on cyber security since 1998, but without a substantial outcome. The two sides signed a cyber-security agreement in June 2013 to establish communications and coordination links between concerned security agencies for addressing cyber threats to critical infrastructure. These developments impeded further progress on the agreement, although it remained in place and was reviewed by cyber security officials from the two countries in April 2016 (Riaz Shad, 2018). US-Russia cyber tensions, termed by some as “Cold War 2.0”, aggravated in the wake of a wide-ranging influence operation, attributed to Russia-backed hackers, against Democratic Party officials during the 2016US presidential election campaign (Ellyatt, 2016). Confidential material was collected through cyber intrusion into the computer networks of Democratic National Congress (DNC) and email accounts of its personnel in 2015-16. The impact of the leaks on swinging election in favour of Donald Trump remains inconclusive, particularly in view of other notable circumstantial factors such as Hillary Clinton’s email controversy linked with a private server and Trump’s populist appeal. US response to Russian meddling was shy and relatively small comparing to the seriousness of the attack. Obama’s initial response to Russian meddling comprised of three steps: further investigation into Moscow’s role and intent, to address vulnerabilities in the electoral system, and bipartisan congressional support for a statement against Russia (Miller, 2017).
Although concrete steps have also been taken by the state to strengthen cyber security (the legislation has been amended and the law defining US response to cyber attacks), there still are pressing issues. Despite the fact that the United States government has taken multiple steps to reinforce its cyber security, quotation from “National Cyber Security”: “The number of cyber attacks on the US is increasing daily” (Mikiashvili, 2019). US and Russia differ over three important dimensions of the cyber security, cybercrime, espionage and military. The US is majorly interested in controlling cybercrime, but Russia along with China emphasizes a comprehensive cyber security arrangement involving all dimensions (Riaz Shad, ibid). Richard Clarke, former US advisor on national security matters, and Robert K. Knake proposed an international treaty that bans cyber-attacks against civilian targets, while cyber-attacks against military targets and cyber espionage do not fall in its scope. It wants to maintain the supremacy it enjoys in “cyber war against military targets” and electronic spying but advocates an international treaty against cyber-attacks on civilian infrastructures, which have increasingly been digitalized in the US. This gulf between the two countries regarding cyberspace is an indication of the difficulty the two powers have in communicating in this area. US-Russia recent cyber tensions are a consequence of Moscow’s perceived involvement in non-lethal cyber operations against the US. Western security community believes that Russia has increasingly been involved in cyber operations against the US and European countries since the 2014 Ukraine crisis. Though both the US and Russia use cyberspace for espionage, the latter goes beyond. US-Russia cyber tensions are actually a reflection of deeper issues in their cyber relations. The US and Russia have been holding dialogue on cyber security for long, but they have failed to develop mutually-agreed cyber norms. Russian cyber intrusions across the Western world are being increasingly seen as part of modern military strategy, not just aimed at information warfare. Finally, because international rules regarding inter-state cyber relations as well as US-Russia bilateral cyber security agreement yet remain a remote possibility, cyber relations between the two countries are likely to remain complicated and strained (Riaz Shad, ibid).
At their summit in Switzerland, the two leaders had discussed the problem and agreed to continue the dialogue, with meetings between Russian and American cyber security experts. Joe Biden also threatened his counterpart with retaliation if red lines were crossed. Vladimir Putin had insisted that most cyber attacks in the world came from American space (Le Monde ibid). It is therefore essential that the dialogue between the two leaders be restored in a sustainable manner. They must agree on a new kind of non-aggression agreement in the cyber domain. It is imperative that these discussions lead to the pacification of Russian and American cyber space. It seems clear that international regulations need to evolve, including clarifying international humanitarian law. Can a cyber attack be considered an aggression, an attack on national integrity? And thus justify a military response in self-defence? The answer is undoubtedly no, but this aspect needs to be clarified, if not to motivate warlike actions by countries using this flaw as a pretext. In other words, tensions around cyber between the two countries need to be reduced, as this could spill over into a real conflict involving human lives.
Bibliography
Blitz, J. 2013 September 9. “UK becomes first state to admit to offensive cyber-attack capability,” Financial Times.
Bohacek, P. 2016 September 19. “Russia-US cyber tensions show the true threat of cyberwar,” Global Risk Insights. Available at: http://globalriskinsights.com/2016/09/russia-us-cyber-true-threat-cyberwar
Brandon Valeriano, B. & Maness, R. C. 2014. “Cyberwar andRivalry: The Dynamics of Cyber Conflict between Antagonists, 2001-2011,” Journal of Peace Research51 : 4.
Buchanan, B. & Sulmeyer, M. 2016. “Russia and Cyber Operations: Challenges and Opportunities for the next US Administration,” Carnegie Endowment for International Peace, Task Force White Paper, 2.
Choucri, N. 2012. Cyber politics in International Relations. Massachusetts: The MIT Press.
Clarke, R. & Knake, R. K. 2010. Cyber War: The Next Threat to National Security and What to Do About It, New York: Harper-Collins Publishers, 242.
Demchak, C. C. 2016. Uncivil and Post-Western Cyber Westphalia: Changing interstate power relations of the cybered age. The Cyber Defense Review, vol. 1, No. 1 (SPRING 2016), pp. 49-74.
Ellyatt, H. 2016 October 10. “‘Black Friday’ in US-Russia relations could unleash ‘cyber-skirmishes’ and more,” CNBC.
Fekih, S. 2021 July 6. Cyberattaque VSA : REvil réclame 70 millions de dollars de rançon à Kaseya. L’Usine Digitale. Available at : https://www.usine-digitale.fr/article/cyberattaque-vsa-revil-reclame-70-millions-de-dollars-de-rancon-a-kaseya.N1119079
Jamieson, K. H. 2018. Cyberwar: How Russian Hackers and Trolls Helped Elect a President What We Don’t, Can’t, and Do Know. Oxford University Press.
Le Monde. 2021 July 10. Joe Biden appelle Vladimir Poutine à agir contre les cyberattaques venues de Russie. Le Monde, International. Available at : https://www.lemonde.fr/international/article/2021/07/10/biden-appelle-poutine-a-agir-contre-les-cyberattaques-venues-de-russie_6087779_3210.html
Mikiashvili, S. 2019. U.S.-RUSSIA RELATIONS IN THE SPHERE OF CYBERSECURITY. International Black Sea University.
Miks, J. 2012 February 2. “Israel, China and Cyber Security,” The Diplomat.
Miller, G. 2017 June 23. Ellen Nakashima and Adam Entous, “Obama’s Secret Struggle to Punish Russia for Putin’s Election Assault,” The Washington Post.
National Cyber Strategy of the United States of America 2018.
North Atlantic Treaty Organization (NATO). 2016 July 8-9. Warsaw summit communique Issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Warsaw 8-9July 2016.
Nye, J. S. 2016. “Deterrence and Dissuasion in Cyberspace,” International Security41, 44.
Riaz Shad, M. 2018. Cyber Threat in Interstate Relations: Case of US-Russia Cyber Tensions. Policy Perspectives, Vol. 15, No. 2 (2018), pp. 41-55.
Rid, T. 2011. “Cyber War Will Not Take Place,” Journal of Strategic Studies35: 5.
Riley, M., Frier, S. & Baker, S. 2018 April 11. “Understanding the Facebook-Cambridge Analytica Story: Quick Take,” The Washington Post.
Taylor, G. 2015 February 26. “James Clapper, Intel Chief: Cyber Ranks Highest on Worldwide Threats to U.S.,” The Washington Times. Available at: http://www.washingtontimes.com/news/2015/feb/26/james-clapper-intel-chief-cy-ber-ranks-highest-worl/
Trueba de Buen, A. 2016. “The Role of Cyberspace in Interstate Tensions and Conflicts” MA diss., Leiden University.
Windrem, R. 2016 December 18. “Timeline: TenYears of Russian Cyber Attacks on Other Nations,” NBC News. Available at: http://www.nbcnews.com/storyline/hacking-in-america/timeline-ten-years-russian-cyber-attacks-other-nations-n697111
Wired. 2017. The Biggest Cybersecurity Disasters of 2017 So Far. URL: https://www.wired.com/story/2017-biggest-hacks-so-far/
By Mahmoud Refaat: The European Institute for International Law and International Relations.
