In Shift, U.S. Talks to Russia on Internet Security
New York Times: December 12, 2009. By JOHN MARKOFF and ANDREW E. KRAMER
The United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace.
American and Russian officials have different interpretations of the talks so far, but the mere fact that the United States is participating represents a significant policy shift after years of rejecting Russia’s overtures. Officials familiar with the talks said the Obama administration realized that more nations were developing cyberweapons and that a new approach was needed to blunt an international arms race.
In the last two years, Internet-based attacks on government and corporate computer systems have multiplied to thousands a day. Hackers, usually never identified, have compromised Pentagon computers, stolen industrial secrets and temporarily jammed government and corporate Web sites. President Obama ordered a review of the nation’s Internet security in February and is preparing to name an official to coordinate national policy.
Last month, a delegation led by Gen. Vladislav P. Sherstyuk, a deputy secretary of the Russian Security Council and the former leader of the Russian equivalent of the National Security Agency, met in Washington with representatives from the National Security Council and the Departments of State, Defense and Homeland Security. Officials familiar with these talks said the two sides made progress in bridging divisions that had long separated the countries.
Indeed, two weeks later in Geneva, the United States agreed to discuss cyberwarfare and cybersecurity with representatives of the United Nations committee on disarmament and international security. The United States had previously insisted on addressing those matters in the committee on economic issues.
The Russians have held that the increasing challenges posed by military activities to civilian computer networks can be best dealt with by an international treaty, similar to treaties that have limited the spread of nuclear, chemical and biological weapons. The United States had resisted, arguing that it was impossible to draw a line between the commercial and military uses of software and hardware.
Now there is a thaw, said people familiar with the discussions.
“In the last months there are more signs of building better cooperation between the U.S. and Russia,” said Veni Markovski, a Washington-based adviser to Bulgaria’s Internet security chief and representative to Russia for the organization that assigns Internet domain names. “These are signs that show the dangers of cybercrime are too big to be neglected.”
Viktor V. Sokolov, deputy director of the Institute of Information Security in Moscow, a policy research group run by General Sherstyuk, said the Russian view was that the American position on Internet security had shifted perceptibly in recent months.
“There is movement,” he said. Before, bilateral negotiations were limited to the relevant Russian police agency, the Bureau of Special Technical Operations, the Internet division of the Ministry of Interior, and the F.B.I.
Mr. Sokolov characterized this new round of discussions as the opening of negotiations between Russia and the United States on a possible disarmament treaty for cyberspace, something Russia has long sought but the United States has resisted.
“The talks took place in a good atmosphere,” he said. “And they agreed to continue this process. There are positive movements.”
A State Department official, who was not authorized to speak about the talks and requested anonymity, disputed the Russian characterization of the American position. While the Russians have continued to focus on treaties that may restrict weapons development, the United States is hoping to use the talks to increase international cooperation in opposing Internet crime. Strengthening defenses against Internet criminals would also strengthen defenses against any military-directed cyberattacks, the United States maintains. An administration official said the United States was seeking common ground with the Russians.
The United Nations discussions are scheduled to resume in New York in January, and the two countries also plan to talk at an annual Russia-sponsored Internet security conference in Garmisch, Germany.
The American interest in reopening discussions shows that the Obama administration, even in the absence of a designated Internet security chief, is breaking with the Bush administration, which declined to talk with Russia about issues related to military attacks using the Internet.
Many countries, including the United States, are developing weapons for use on computer networks that are ever more integral to the operations of everything from banks to electrical power systems to government offices. They include “logic bombs” that can be hidden in computers to halt them at crucial times or damage circuitry; “botnets” that can disable or spy on Web sites and networks; or microwave radiation devices that can burn out computer circuits miles away.
The Russians have focused on three related issues, according to American officials involved in the talks, which are part of a broader thaw in American-Russian relations known as the “reset” that also includes negotiations on a new nuclear disarmament treaty. In addition to continuing efforts to ban offensive cyberweapons, they have insisted on what they describe as an issue of sovereignty calling for a ban on “cyberterrorism.” American officials view the issue differently and describe this as a Russian effort to restrict “politically destabilizing speech.” The Russians have also rejected a portion of the Council of Europe Convention on Cybercrime that they assert violates their Constitution by permitting foreign law enforcement agencies to conduct Internet searches inside Russian borders.
In late October at a luncheon during a meeting on Security and Counter Terrorism at Moscow State University, General Sherstyuk told a group of American executives that the Russians would never sign the European Cybercrime Treaty as long as it contained the language permitting cross-border searches.