Cybersecurity and Deterrence

On Cooperating with Bad Actors in Cyberspace

By Herb Lin
Monday, July 17, 2017, 10:30 AM

In a July 11 posting, Paul Rosenzweig argued that cyber cooperation with bad actors is always a bad idea, specifically referring to the President’s incomprehensible idea to form with Russia “an impenetrable Cyber Security unit [with Russia] so that election hacking, & many other negative things, will be guarded.”

Regarding this particular proposal, I share Senator Lindsey Graham’s sentiment that “this idea was pretty close to the dumbest idea he had ever heard” and so count me in Paul's camp—the “impenetrable Cyber Security unit” for election hacking makes no sense at all.  But I don’t agree that it’s always a bad idea to cooperate with bad actors. 

For me, it depends on the particulars of the subject of cooperation. If it were always a bad idea to cooperate with bad actors, we would never reach agreements with adversaries. There would be no agreements on the laws of armed conflict, for example. No arms control agreements. No law of the sea.  So a more important question is, “What are the subjects, if any, on which cyber cooperation is not a bad idea?” 

Here are two possibilities.

  1. Vocabulary and concepts for cyber conflict. Regardless of whether we like Russia’s behavior in cyberspace, we do have to talk to them about it, if only to tell them the actions we want them to stop doing.  We also want to make statements to Russia about our own policies in cyberspace, and we want them to understand what we are saying.  Thus, it is helpful for both sides to come to terms on a language to communicate with each other, or at least to understand what each side means when they say “X.” As an example, we and Russia may not understand “deterrence” the same way, and yet the term “deterrence” plays a central and prominent role in U.S. policy documents.  As an example, the EastWest Institute of the United States and the Information Security Institute of Russia released in 2011 a joint Russian-American report to define critical terms for cyber and information security; this report sought to find agreed definitions for certain terms.  I would have preferred more elaboration on the report’s agreed definitions, but the report is a good example of possible cooperation on cyber issues that could be taken by Russian and the United States at governmental levels.  Another similar but more modest goal would be for each side to explicate its understanding of certain terms.
  2. Approaches to dealing with catalytic cyber conflict.  Catalytic conflict occurs when a third party tries to provoke two other parties (for example, the United States and Russia) into conflict.  In cyberspace, such action would entail attacking the United States and planting forensic information that points to Russian government involvement and contemporaneously attacking Russia and planting forensic information that points to U.S. government involvement.  If such an event were to occur, time would be of the essence and it would be helpful for the United States and Russia to have worked out with each other in advance procedures for communicating with each other and what kinds of information would be needed to bring clarity to the situation.  (Each side would also have had to work out for itself how, if at all, it could share such information under such circumstances.) 

What these topics have in common is that they are driven by self-interest, and do not presume moral equivalence between the two sides. That is, the United States has a self-interest in understanding what Russia means when it says X, and Russia has a self-interest in understanding what the United States mean when it says Y. Neither Russia nor the United States has an interest in being goaded into conflict by a third party. This shared self-interest is what differentiates cooperation on such issues from issues such as preserving the integrity of elections, a subject on which Russia has no interest, at least as far as the United States is concerned.

Could meetings with Russia on such topics compromise the U.S. cybersecurity posture?  If the U.S. team had members that believed in good Russian intentions, that Russia’s actions regarding the November 2016 U.S. election were benign, or that Russia had U.S. interests at heart, then such meetings could indeed compromise U.S. security.  But one would hope that all members of the U.S team would put American interests first and participate in such discussions with a clear-eyed view of who is on the other side of the table.