Sunday, July 09, 2017

US-Russia cybersecurity talks: right script, wrong actors?

Should the US and Russia hold talks on cybersecurity? A lot of people are shouting "No!" and I think I understand why, but in my opinion that's the wrong answer, albeit for the right reasons. Just consider these two propositions:

A. The US and Russia should, bilaterally and globally, seek ways to deter cybercrime and reduce cyberconflict.

B. President Trump and President Putin should, bilaterally and globally, seek ways to deter cybercrime and reduce cyber-conflict.

I would argue that A is not only a good idea but has an aura of historical inevitability, while B is a very disquieting prospect. Why? Because I don't think the Trump administration understands how diplomatic negotiation works, not to mention the fact that Trump himself has openly disparaged many of the very people whose expertise and cooperation are needed to protect US interests during such negotiations.

In other words, I believe the US and Russia, and every other country, must work together to deter cybercrime and reduce cyber-conflict. That is the right script. That is the direction the world will take, if not now, then at some point in the future. But Trump and Putin are the wrong actors for this script; both lack the levels of credibility and legitimacy required to make meaningful progress.

"Good luck with that"

Of course, I am accustomed to hearing "Good luck with that" and "Ain't gonna happen" when I say to people "international cooperation and global treaties are the only way to make a serious dent in cybercrime and cyberconflict." But history tells me I am right, even if it doesn't tell me how old I will be when that eventually proves to be true.

Consider the 27 treaties listed on the website of the Arms Control Association. They all started with someone putting forward objectives to which a lot of people said "good luck with that." And they all took a long time to realize their objectives. Some are still unattained. But I don't think anyone believes the world would be a better place without these treaties (I could be wrong, so tweet me @zcobb if you disagree).

To be clear, I am not equating nuclear and chemical weapons with cyber-weapons. The horrific effects of nuclear and chemical weapons are categorically different from the effects we have seen so far from malicious code. But weaponized code has the potential to cause massive, country-wide disruption, and be an enabler of, or catalyst for, even greater impacts.

While agreements to restrict the use of weapons technology always start out as a long shot, so to speak, there are always grounds for hope. My confidence in this assertion is based on my own experience. I was just a young boy when, in November 1957, an article by the British writer J. B. Priestley titled "Britain and the Nuclear Bombs" made the case for unilateral nuclear disarmament.

Priestley wrote: "now that Britain has told the world she has the H-bomb she should announce as early as possible that she has done with it, that she proposes to reject, in all circumstances, nuclear warfare."

[Image: Bertrand Russell leads anti-nuclear march in London, Feb 1961]

Despite many voices declaiming "Good luck with that" the article helped inspire concerned individuals to start the Campaign for Nuclear Disarmament (CND): "an organization that advocates unilateral nuclear disarmament by the United Kingdom, international nuclear disarmament and tighter international arms regulation through agreements such as the Nuclear Non-Proliferation Treaty." (Wikipedia)

In less than six months, CND had joined with another pacifist group in a "ban the bomb" march. This was not an afternoon walk-in-the-park protest; this was a serious, four-day, 52-mile march from London to the Atomic Weapons Research Establishment at Aldermaston. This became an annual protest joined by tens of thousands of people carrying the peace sign, a symbol that was created for the CND movement (in 1961, my mum and I joined about 150,000 other people for a day's worth of marching).

Why bother?

Did the CND and the Aldermaston March make a difference? I don't know. I do know that after the Cuban missile crisis in 1962, political and diplomatic efforts to constrain the spread and development of nuclear weapons accelerated. In 1963, a treaty was signed by the US, the Soviet Union, and the UK (known as the Partial Test Ban Treaty (PTBT); its full name is the Treaty Banning Nuclear Weapon Tests in the Atmosphere, in Outer Space and Under Water).

Sure, the PTBT was not a comprehensive treaty and it only banned testing, not development or production; but international agreements have progressed dramatically since then. Sure, there are still nuclear and chemical weapons out there; but there is an established international regime for limiting, monitoring, and constraining their development and deployment. Personally, I am glad that the early proponents of a treaty-based response to those weapons were not discouraged by people who were - quite understandably at the time - skeptical that any progress could ever be made.

Today, it seems clear to me that addressing the problems of international cybercrime, cyberconflict, and government deployment of weaponized code requires international negotiation, even between governments who have profoundly different politics. After all, the capitalist imperialists of the US negotiated with the godless communists of the Soviet Union to reach numerous weaponry-related agreements, even before the Cold War ended.

The problem right now is that the US administration currently lacks the diplomatic chops for this type of negotiation, precisely because it is headed by someone who does not understand diplomacy. The president of the United States needs to understand this:

you can publicly condemn Russia for meddling in our elections while at the same time negotiating norms for future behavior, but doing one without the other will do the world no good at all.

In the hopes that there are some folks within the current administration who get this, I have provided - in my role as an eternal optimist - a handy starter list of reading materials. A nine-point bullet list of the basic argument should follow shortly (suitable for presidential briefings).

Resources, opinion, and discussion: