The U.S. and Russia announced the completion of a joint cybersecurity agreement, two years in the making, intended to promote international peace and security and improve cyber relations between the two countries. The agreement, however, amounts to little more than a piece of paper, as such policies will scarcely improve U.S. cybersecurity.
In a joint statement, the White House outlined confidence-building measures that would increase transparency and improve relations between the two countries. In addition to creating a cyber “hotline” to facilitate communication and “reduce the risk of misperception,” the agreement announced the formation of a bilateral working group. The group will focus on the threat from cyber-attacks to international security, consider emerging threats, and will act to coordinate a collaborative response.
Although sharing some basic information on cybersecurity threats is beneficial, a cybersecurity working group and other cooperative activities promise more than they can deliver. For example, instead of getting Russia to work with the U.S., President Obama’s appeasement-based “reset with Russia” has failed to resolve disagreements over Syria’s civil war and Iran’s nuclear program. Furthermore, Russia actively engages in Internet censorship, and aggressively shuts down websites the Russian government believes are “harmful.” The implementation of a cyber-working group provides Russia with access to U.S. cyber defense plans, while ignoring and legitimizing Russia’s bad cyber behavior.
After all, in 2007 Russia was accused of launching a cyberwar on its neighbor Estonia, with whom Russia was having a diplomatic dispute. A similar situation occurred before the 2008 Russian invasion of Georgia, when the Georgian government became the victim of an organized cyber-attack. Experts are unclear as to whether the Russian government orchestrated the attacks, or merely assisted and allowed them to occur. The attacks may have originated from the Russian Business Network, a cyber-crime syndicate. The network is reportedly responsible for facilitating hacking operations against the U.S. and stealing billions of dollars through cyber scams and phishing operations.
Cyber theft has reached epic proportions in recent years. According to a recently released IP Commission Report, the American economy loses approximately $300 billion to intellectual property theft each year. The sheer scale of cyber-attacks on American companies, and the corresponding loss of vital information, has raised the issue to a critical national security concern. Moreover, Russia has a record of being unwilling to pursue cyber-crime and property-theft violations that originate within its borders. Particularly, due to the lack of rule of law and criminal business connections to government, no legal action is taken against organizations such as the Russian Business Network for cyber security violations.
International cyber-engagement by the U.S. government is critical to a successful cybersecurity strategy, and together with allied nations, the U.S. should seek to deter bad cyber actors by raising the cost of malicious cyber behavior. Instead of naively cooperating with these actors, such as Russia, the U.S. should internationally name and shame the offenders. Additionally, the U.S. should create diplomatic and legal penalties for those companies and foreign officials who use stolen information or intellectual property.
The U.S. must not engage in military or national security cooperation, such as the cybersecurity working group, with a country that would use such collaboration to further their attacks against the U.S. Instead, the Administration and Congress should implement a responsible and effective international cybersecurity policy that defends U.S. national security and actively confronts countries that harm U.S. companies and interests.
Elizabeth Simson is currently a member of the Young Leaders Program at The Heritage Foundation. For more information on interning at Heritage, please click here.