On June 16, President Biden met with the press following the summit with Russian President Vladimir Putin that included discussions focused on cybersecurity. Biden in his remarks specifically noted that he provided Putin with “a list … [of] 16 specific entities; 16 defined as critical infrastructure under U.S. policy, from the energy sector to our water systems” that are “off limits to attack.” Additionally, Biden and Putin agreed that the U.S. and Russia would initiate a series of expert consultations to move toward more tangible outcomes related to cybersecurity.
But U.S.-Russia cyber consultations should start more narrowly. Specifically, a potential pathway for making more meaningful progress on a bilateral basis is to focus on sector-specific agreements. The financial services sector is an area where the U.S. and Russia have some shared interests, which could serve as a springboard for more fruitful cooperation on other issues. In particular, the experts should build on existing state practice around cyber operations against the financial sector to achieve explicit agreement to refrain from cyber operations that risk destabilizing the international financial system.
What Counts as Critical Infrastructure or a Cyberattack?
Biden’s statement to Putin that 16 U.S. critical infrastructure sectors should be off limits to cyberattacks raises two unanswered questions: What counts as critical infrastructure, and what counts as an attack?
Definitions of critical infrastructure are wide ranging and ambiguous, diluting the meaning of the term. The 16 critical infrastructure sectors Biden conveyed as being off limits to cyberattacks are broadly defined in Executive Order 13636. The Obama administration issued the order in 2013 and also created a subcategory—Section 9 entities—for those deemed particularly important for public health, national security or economic security. The specific entities that fall under a Section 9 designation have not been made public.
However, critical infrastructure, even as defined in the executive order, is sometimes determined circumstantially or post hoc. The U.S. election infrastructure, for instance, was not designated as critical infrastructure until January 2017—after the 2016 Russian election interference—when it was defined as being a subsector under the “government facilities” sector, one of the executive order’s 16 critical infrastructure sectors. Absent clear criteria for inclusion versus exclusion from a critical infrastructure (or, especially, Section 9) designation, the term itself inevitably comes to mean everything and, thus, little from a deterrence and norms perspective. Therefore, an implicit warning to Putin to refrain from attacking 16 ambiguously defined sectors likely does little to clarify the U.S. position on what constitutes appropriate behavior in cyberspace.
Moreover, the U.S. government has been inconsistent in how it describes adversary activity in cyberspace, and why and when certain actions rise to the level of a cyberattack. One recent example is the SolarWinds hack. SolarWinds generated heated and unresolved debate among experts and policymakers about how to categorize the incident and whether it was a cyberattack (despite the absence of disruptive or destructive effects), cyber espionage or something else. The Biden administration seems to have settled on describing SolarWinds as a different and unacceptable form of espionage, given its scale, scope, targeting of the private sector, and potential for disruptive effects. Despite the prolific and diverse set of activities that take place in cyberspace, important questions remain unanswered. For instance, cyber espionage is generally accepted as a regrettable but necessary part of statecraft, but is there a threshold at which certain forms of cyber espionage become unacceptable? Are all forms of cyberattack equal? Is there a difference between acceptable behavior in peacetime versus on a battlefield?
Some observers might argue that there is nothing wrong with this ambiguity. A clearer definition of what is off limits might invite aggression against areas outside of that scope, a stronger red line could encourage transgressions that take place just below it, and distilling what is off limits could take offensive options off the table for the United States as well.
While there is sometimes value in strategic ambiguity, the empirical record in cyberspace suggests that, so far, it hasn’t paid clear dividends for the United States. Ambiguity has not deterred malicious cyber behavior that falls below a use-of-force threshold, and few if any sectors of the U.S. economy have been spared. Moreover, absent powerful players like the United States accepting some restraint on their activities, there is little hope for developing meaningful international norms of behavior in cyberspace. Particularly when it comes to cyberattacks against the financial sector, an important part of U.S. critical infrastructure, the United States has far more to lose than it stands to gain from attacking adversary financial institutions.
Approaching Norms From a Sector-by-Sector Perspective
U.S.-Russia expert consultations should more clearly outline the issues and topics to be discussed. One way to do so is to take a sector-specific approach. Some sectors have unique attributes and challenges that are not easily generalizable, and there are some sectors in which even adversaries have overlapping interests. Focusing dialogue around issues where there are greater prospects for cooperation could lay the groundwork for making progress in areas where there is less obvious overlap.
Sector-specific approaches are becoming more common. Within the United States, for instance, the U.S. Cyberspace Solarium Commission’s March 2020 report explicitly calls for the U.S. government to take a “sector-by-sector approach to norms implementation.” At an international level, both the March 2021 final report of the United Nations Open-Ended Working Group (UN OEWG) and the May 2021 final report of the United Nations Group of Governmental Experts (UN GGE) refer to specific sectors of critical infrastructure. The coronavirus pandemic provides one recent example of a sector-specific approach. The pandemic served as a focal point for sector-specific norms to gain traction in the UN GGE report, in terms of reinforcing both the centrality of information and communications technologies in general during the pandemic and the importance of protecting the health care and medical sector against malicious cyber activities.
Financial Services as a Test Case for Sector-Specific Norms
One fruitful starting point for expert consultations is to focus on garnering agreement about acceptable cyber behavior affecting the financial sector. The financial sector is inherently international. For instance, the U.S. energy and water sectors are largely owned and operated by American companies within the physical boundaries of the United States. The U.S. financial sector, by contrast, has operations around the world and therefore has global interests, is regulated by a variety of domestic and international bodies, and is highly sensitive to actions that take place in other parts of the international system.
Moreover, both the United States and Russia share a fundamental interest in the stability of the global financial system. This is distinct from what Biden described as the “mutual self-interest” between the United States and Russia to avoid cyberattacks against, for example, their respective energy sectors. The implicit threat of symmetrical retaliation (like Biden’s comment to Putin about a hypothetical ransomware attack against Russian oil fields) does create a common cause to avoid that negative outcome. However, that is categorically different from a shared interest that stems from the interdependence that is inherent in some global critical infrastructures, like financial services. Both the U.S. and Russian financial sectors (and, in turn, their respective economies) depend on the effective and reliable functioning of the overall international financial system—where the United States, importantly, is a preponderant actor.
That said, this interdependence has also been leveraged by both parties to their respective advantage (though this should not be construed as equating the two countries’ approaches). For instance, the Russian government permits criminal organizations to carry out cyber-enabled financial crimes and other cyberattacks, such as ransomware, which pose threats to the global and U.S. financial sectors. And the U.S. government has used its position within the global financial system to impose costs against Russia, particularly through economic sanctions. Yet, it is precisely Russia’s dependence on U.S. financial markets and institutions, which the United States leverages for its own foreign policy goals, that creates this mutual—even if precarious—shared interest in global financial stability.
In the context of this overlapping interest, some norms have already emerged. As described in the Carnegie Endowment for International Peace’s November 2020 report on protecting the financial system from cyber threats, states have generally avoided using offensive cyber capabilities to target the integrity of financial data. The exceptions to the emergent norm prove the rule. Across the known cyber incidents involving financial institutions tracked by Carnegie, there have been only a handful of cyberattacks affecting data integrity, which were perpetrated by North Korea—the one state that has perhaps the smallest stake in global financial stability. This does not mean that the financial sector has been immune to malicious cyber activity. On the contrary, the sector faces growing threats from disruptive attacks, ransomware attacks and cyber theft.
U.S. and Russian representatives should focus the efforts of expert consultations on financial-sector-specific norm development by taking advantage of the emergent state practice in cyberspace regarding the financial sector; recent consensus through the UN GGE and OEWG processes about critical infrastructure and financial services; and, for now, the basic interest the U.S. and Russia share in the stability and integrity of the global financial system.
A significant, tangible objective of these consultations would be to move from an implicit norm grounded in state practice toward an explicit agreement by both sides to refrain from cyberattacks affecting the integrity of the financial system. For instance, an immediate unilateral measure that the Biden administration could take to clarify the U.S. position on this issue would be to clearly reject recent suggestions that the U.S. should respond to the latest Russia-linked ransomware attack by wiping out the bank accounts of Russian oligarchs.
A bilateral agreement on cyberattacks against financial integrity would be an important first step that could help build confidence to make progress on other, more challenging areas that affect the financial sector, such as collaboration around reining in cyber-enabled financial crime. Yet, even for this issue, there are opportunities to make progress if expert consultations begin with a more narrowly defined policy problem. For example, rather than tackling the threat of ransomware targeting critical infrastructure in general—which a Putin spokesperson recently stated could be on the agenda—initial consultations should home in on ransomware attacks against the financial sector. In this more circumscribed context, clarifying a state’s obligations to address ransomware perpetrated by criminal organizations that operate within its borders, particularly how states might share information to enable responses to and prosecution of cyber criminals, would reflect significant progress. These efforts could also serve as a springboard for addressing challenges in other critical infrastructure sectors.