Article by Special Presidential Representative for international cooperation in information security Andrei Krutskikh
Article by Andrei Krutskikh, Ambassador at Large of the Russian Federation, Special Presidential Representative for international cooperation in information security, published in the Kommersant business daily on March 27, 2019
Against the backdrop of the habitual – even ritual – anti-Russia propaganda, some voices of reason have been heard lately among American experts. Of particular interest in this regard is the recent article by the Daily Beast titled "This Hotline Could Keep the U.S. and Russia from Cyberwar". No doubt, for the professionals who have closely followed the development of the situation this publication will hardly be an eye-opener. What is important is that the article openly admits that the absence of a depoliticized expert dialogue between Russia and the U.S. on international information security is not only a road to nowhere but also a dangerous course fraught with further misunderstanding and a risk of a large-scale conflict.
Those are not emotional conclusions, but rather plain facts cited by American security officials who have formerly worked or still work at the administration, overseeing the issues of cyber security, i.e. by those who know the situation on the ground and, by virtue of their occupation, are bound to be utterly pragmatic.
If security officials and the expert community in the U.S. actually share this opinion, this is the case when it is hard to argue with the colleagues, even though they are "on the other side of the fence".
Six years ago, in 2013, we managed to reach agreement on establishing a direct line of communication between Russia and the U.S. in the event of cyber incidents. Basically, the system was modelled on a similar mechanism that had been in place during the Cold War for dealing with traditional military incidents and enables a prompt information exchange at all levels from institutional to political.
Since its establishment, the communication channel has been used, and more than once. In fact, during the Obama administration, we maintained a vibrant dialogue on cyber issues both at the routine technical level and in the format of full-fledged consultations. Physical meetings of experts enabling them to engage in direct discussions on emerging issues were held. Even a special high-level bilateral working group was established under the Russian-American Presidential Commission.
As for the operation of the “hotlines”, the most vivid example is the address of the American side during the U.S. presidential campaign in autumn 2016, in which the U.S. expressed concerns over the intrusion into its electronic infrastructure. Our response was prompt as usual, and an exchange of the relevant technical information took place. Our National coordination center for computer incidents, which is in charge of the line, as early as last December, announced its readiness to reveal the content of the correspondence to general public, subject to consent of the American side. We sent the relevant proposal to Washington through diplomatic channels early this year. The response was in the negative.
The Russian Foreign Ministry's spokesperson offered an exhaustive explanation on the issue at her briefing last week. For my part, I can only add to this that our proposal to publish the above-mentioned correspondence was an unprecedented step, an example of true transparency, which our partners tend to invoke so often. Russia has nothing to fear – nor do we have anything to conceal. We are ready to open the correspondence for examination by the general public both in Russia and the U.S., the mass media, and experts, so that they could draw their own conclusions on what really happened. But at the moment, we cannot publish this data because of the refusal of the American side. The pretext for the refusal was the so-called "sensitivity" of the data. It is highly unlikely, however, that any information that is more "sensitive" for the U.S. than for Russia could be found there. Frankly speaking, this approach rather shows that they unsure of their position, since it would be much harder to disseminate information accusing Russia of "having a hand" in cyber intrusions if true facts were made public.
However this is not the end of this absurd story. We decided to directly address the US audience about the Moscow view on the situation around the “hotlines” and proposed a number of the leading US mass media to publish this article. We told them: we just give you “direct speech” and you comment on it in any way you like. If you don’t like our proposals, if you don’t believe us - put it on paper and let the readers judge.
First, these media showed the interest in the matter, asked us for the details, claimed that they were ready to publish the article. However, then they apparently got a stop light and refused, giving no explanation. They got cold feet maybe.
This is a matter of emotion while we want to be pragmatic. I once again agree with our U.S. colleagues (Michael Daniel, Chris Painter and Luke Dembosky), whose opinions were referred to in the article, that it is not enough just to set up emergency hotlines. For them to work effectively there should be a dialogue between those who maintain their day-to-day operation as well as a broader conversation on issues related to international information security.
Officials in Washington often say that, allegedly, there is "not enough trust" for this. The question is why would there be any trust if you keep avoiding any discussion on the matter? We have repeatedly proposed to hold bilateral consultations, but all our proposals have been rejected. At times things get absurd, as a year ago in Geneva, when the U.S. canceled a bilateral meeting two hours before it was supposed to begin, even though the delegations were already there. One might think that talking face to face seems so appalling to our partners that they would rather transmit their grievances through the media.
However, this issue is beyond routine politics, mutual poking or any subjective factors. Today, just as 50 years ago, we talk about preventing a cyberincident from escalating into a full-scale military conflict between Russia and the United States. If the established emergency “hotlines” bolstered with dialogue between experts stall for political reasons, we will face the risk of another Cuban Missile Crisis, only this time it will be triggered by information and communication technologies, not warheads, and events will unfold in a matter of minutes, leaving little time for both sides to make their decisions. It sounds like a science-fiction film, but actually it has long been our reality.
I want to believe that the U.S. recognizes this as well as Russia does. At least, the opinions expressed by the U.S. experts provide us with reasons for hope.
We also seek the same openness, democracy and constructive dialogue as we cooperate with the U.S. on cyber issues at multilateral fora. This year, two dedicated negotiating mechanisms are expected to be established to deal with international information security: the Open-ended Working Group (OEWG), which all the UN Member States can join, and the Group of Governmental Experts (GGE). It is interesting to note that even though the first one is being established on Russia's initiative, and the other, de jure, on America's; in fact, both groups were first proposed and sponsored by Russia, while Western countries were sceptical about the UN track and took every opportunity to criticise it. Nonetheless, the reality is that the UN will now have two groups working in parallel, and it is essential that we define today the principles of their interaction.
We do not believe that getting into "gladiator fights" on international information security is the right option to pursue at the UN. Russia, just like any other state, is interested in ensuring that these groups work in a complementary, non-adversarial, constructive and cooperative manner.
Out of common sense we suggest that it would be best to “share the burden”. According to this plan the OEWG is to focus on major political tasks concerning the majority of the international community: the rules of responsible behavior of states in the information space, confidence-building measures in this field, assistance to developing states and the future format for the negotiations on this matter (a standing committee of the UN General Assembly or Security Council, or some other option).
As for the GGE, it could in its turn address, as a matter of priority, an equally important, yet more specialized issue of applicability of the existing norms of international law to the information space.
Harmonization of efforts is the second pivotal principle of coexistence of the two groups. Their discussions should be non-politicized and pragmatic, and there should be complementarity rather than competition between their outcomes. The mandate of both the OEWG and the GGE demonstrate that the groups are to address an enormous set of issues, which can only be achieved with constructive engagement of all participants.
I would like to stress that back in November 2018, we offered such plan - a kind of programme of joint actions - to the United States. We suggested, as we had done many times before, that we should meet and discuss these matters. As before, we have not received any reply. There is not much time left before both groups set to work. We can only hope that our partners' common sense prevails and they will take advantage of this window of opportunity before it closes. We stand ready to engage in the dialogue.