The recent ransomware attacks on the U.S. gas and meat industries have sparked renewed conversations about the possibility of an international cyber agreement that would set the ground rules for what is and isn’t permissible, and spell out sanctions for violators.
In the latest sign of the U.S.-Russia cyber tensions, the National Security Agency and other government security branches issued a joint advisory Thursday on how Russia’s military intelligence has been trying to break into government and private computer networks for the past two years.
The statement did not cite specific hacks, though it provided pages of technical details, noting, for example, that the attackers often sought to go through Microsoft’s cloud services to reach an intended target.
The timing of the U.S. government advisory was also seen as noteworthy. It came just two weeks after President Biden held a summit with Russian leader Vladimir Putin in Geneva, warning the Russian leader the U.S. would respond to future hacks, especially those directed at “critical infrastructure.”
As shown by the attack on Colonial Pipeline that shut down a major East Coast oil distribution network, the U.S. and other countries have a compelling interest in containing such a threat, says Glenn Altschuler, a professor of American Studies at Cornell University.
“We’re talking about the possibility of taking out power grids, water systems, hospital services.
Altschuler thinks such an agreement — at least a bilateral version of it between the U.S. and Russia — could be loosely modeled on Cold War arms agreements.
Such discussions have been kicking around for years, but many cyber experts remain deeply skeptical that such an agreement could be reached, let alone enforced.
The first big challenge would be simply getting everyone to agree to the rules. Russia, China, Iran and North Korea have all been blamed for significant hacks against the U.S., and analysts say those countries see cyber strikes as cheap, effective and easy to deny.
It’s not even clear if such countries would be willing to actually agree to terms, because cyber attacks for them are “really useful in their geopolitical positioning,” April Falcon Doss, a former National Security Agency official who now heads a technology program at Georgetown’s law school.
Compared to the arms agreements between the U.S. and Soviet Union, a cyber treaty would be extremely difficult to monitor and enforce. That’s because the production, development and stockpiling of nuclear, biological and chemical weapons is fundamentally different from the ephemeral nature of cyber weapons, says Doss.
“If the question is whether or not a signatory to a nuclear arms control treaty is building up their nuclear stockpile, there will almost certainly be some evidence, factory production, storage of nuclear weapons,” she says. “There will be satellite imagery or there will be on the ground reports.”
Tests of nuclear weapons or ballistic missiles, such as those carried out by North Korea in recent years, are also relatively simple to monitor compared to the challenge of keeping an eye on the dark corners of the Internet to track down new cyber weapons, Doss says.
“Detecting their development is much harder because you don’t have big stockpiles of missiles sitting around and there’s nothing that’s visible in that sense,” she says.
Thomas Graham, a U.S.-Russia expert at the Council on Foreign Relations, says any analogy to a Cold War-style arms agreement would be tenuous.
“We’re dealing with computer code. So this is radically different from some nuclear weapons,” he tells NPR.
Cyber treaties have been tried
The Budapest Convention on Cybercrime, currently the only binding international agreement governing cyber crimes and hacking, dates to the early 2000s. It aims to increase cooperation, harmonize national laws dealing with hacking and improve techniques for investigating cyber crimes. While Washington has signed on, Moscow, Beijing, Pyongyang and Tehran have not.
In 2015, when Barack Obama was president, the U.S. and China reached a cyber agreement declaring that neither side would “conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage.”
The Trump administration criticized the deal, which has been widely seen as ineffective.
Priscilla Moriuchi, a former National Security Agency official, calls the U.S.-China deal “a great experiment” that “failed for a number of reasons.”
While at the NSA, Moriuchi’s job was to monitor Chinese compliance. She said her view is that “the Chinese government never really complied with the agreement.”
Cyber spying is a separate category
Meanwhile, it’s important to distinguish between electronic snooping and other types of cyber activity, such as the theft of intellectual property, and attacks that cause physical damage, like shutting down an electrical grid.
“[Cyber] spying is unlikely to go away,” Doss says. “No nation is going to want to give up that ability.”
So, where does that leave things? Is there a way to limit the damage done by hacking without a formal treaty?
At the recent summit in Geneva between Biden and Putin, the U.S. leader presented Putin with a list of 16 areas of critical infrastructure — from energy to water — that the U.S. considers off limits.
“[If] in fact they violate these basic norms, we will respond,” Biden said.
U.S. officials say Putin has used cyber for his own political purposes and has shown little interest in curbing Russia-based ransomware attacks that prove disruptive to the West. Still, the Russian leader said after the summit that the two sides could “begin consultations” over cybersecurity issues.
A set of such norms would be more obtainable that any sort of formal treaty, Moriuchi says.
She says the only way to establish that kind of norm is outlining clear red lines — and imposing consequences if lines are crossed.