What’s off-limits to cyberattacks? The U.S. – Russia Summit in Geneva in context
It is cyberpeace and not cyber capabilities that should drive what is off-limits, according to the CyperPeace Institute
Meeting in person in Geneva on 16 June, President Biden and President Putin had cybersecurity top of the agenda. Alongside commitments to restore diplomatic relations, it was a summit to set red lines for cyberspace. Recent ransomware attacks against essential services in the United States, from healthcare to oil supplies, have disrupted critical functions, affecting thousands of citizens. The issue is global. The numbers are indeed staggering worldwide, as are the diverse groups of victims hit by criminals and the new levels of vulnerability of critical infrastructure.
The U.S. countering of ransomware targeting critical infrastructure has recently been coupled with an international commitment to investigate and prosecute malicious cyber activity and address State harbouring of cyber criminals. Coming out of the Summit, President Biden indicated that all 16 critical infrastructure sectors protected in the U.S. should be off-limits, including chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, transportation systems, water and waste systems. With the increased frequency of disruptions against various sectors, the question of the cumulative impact of these attacks at societal level is important. In a recent NATO statement, following the Brussels meeting attended by President Biden, with regard to the challenge of cyber threats it is stated that the ‘Allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack’.
Russia has been in the spotlight for allowing criminal groups to operate with impunity and using their infrastructure for state-related interests. The G7 Communique from 13 June said that Russia needed to “identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cyber crimes”. President Putin denied Russian responsibility for recent attacks and pointed to the U.S. as “the biggest offender”. At the Geneva summit, President Biden reinforced that cyber capabilities can be used in retaliation should no action be taken to stop such attacks. That is bad news for cyberpeace, as both trends, of harbouring criminals and of retaliation, undermine the stability of cyberspace.
Ensuring that cybersecurity was high on the agenda of the Presidents is a welcome step towards addressing the recent tensions, but it is cyberpeace, laws and norms and not cyber capabilities that should drive what is off-limits. Protecting human security, dignity and equity is as imperative in the digital world as it is in the offline world. Choosing Geneva as the venue for the Presidential discussion was a stark reminder that the long-standing achievements for international peace are building blocks for extending protections in cyberspace. International law and norms, as discussed in the recent United Nations OEWG and GGE reports, apply to cyber operations and need to guide responses to harmful activities against critical infrastructure. All States, including Russia and the U.S., must commit to norms of responsible behaviour.
A global commitment to de-escalation of dangerous tensions in cyberspace depends on agreeing on the red lines. To clarify their stances for cyber activities, the Russian and American Presidents agreed to set up a working group to develop specific understandings for cyberspace and follow-up on specific cases. Extending the strategic dialogue to cyber challenges is a first key step to ensuring cyberpeace and predictable relations in cyberspace.
For the very first time, the United Nations Security Council also has on its agenda the threats posed by emerging technology to international peace and security and the question of cyber stability, at the initiative of Estonia. The Council will hold a high-level event on cybersecurity on 29 June. As permanent members of the Security Council, the U.S. and Russia can lead by example in opening a new chapter towards achieving cyberpeace.