By Ellen Nakashima, Joseph Marks
Russia and the United States - along with 23 other countries - recently reaffirmed that states should not hack each other's critical infrastructure in peacetime or shelter cyber criminals who conduct attacks on other countries.
But Russia, which was among the states originally agreeing to the norms at the United Nations, has violated them repeatedly over the years. Experts are skeptical those violations will halt unless the United States and its allies impose far more serious consequences.
President Joe Biden is on an eight-day trip to Europe that will culminate in a meeting with Russian President Vladimir Putin on Wednesday. He will raise issues of cybersecurity, including his concern that Moscow is harboring hackers who have carried out damaging ransomware attacks against some of the United States' most critical sectors. An attack last month led to a days-long shutdown of the country's largest refined fuel pipeline, followed by an attack that disrupted the world's largest meat processor.
"Ransomware attacks against critical infrastructure are of an even higher order of magnitude of concern for us," national security adviser Jake Sullivan said Wednesday. "We do not judge that the Russian government has been behind these recent ransomware attacks, but we do judge that actors in Russia have. And we believe that Russia can take and must take steps to deal with it."
The question now is whether Russia, and other countries such as China, which affirmed the cyber norms in May, can or will be held accountable.
White House officials have downplayed expectations from the summit given the tense relationship between Washington and Moscow.
Current and former officials say the global norms provide a foundation for accountability by explaining the bounds of acceptable conduct in cyberspace and by creating an expectation of good behavior.
"It certainly seems that states want others to behave well in cyberspace, and there are some key states that just aren't. So you have to do something about it," said Michele Markoff, the State Department's acting coordinator for cyber issues, who worked on successive United Nations norms agreements - including the one concluded last month.
Christopher Painter, who was the State Department's top cyber official in the Obama administration, put it this way: "These norms have moral force, and if a country signs up to them, there's a political commitment and an expectation that they'll be observed. And other countries should hold them accountable when they're not."
The guidelines were hammered out by the U.N. Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace. They reaffirmed a seminal 2015 agreement that, besides establishing the strictures against attacking critical infrastructure and enabling malicious activity in one's territory, made clear that states "should take reasonable steps to ensure the integrity of the supply chain" of hardware and software that make up computer networks. In March, the 2015 norms were endorsed by all 193 members of the United Nations.
There are some activities the norms do not cover, such as traditional espionage conducted by the world's spy agencies.
Nonetheless, countries that abide by the norms can band together to punish countries that break them, using sanctions and other tools, analysts say. They can also nudge developing nations that have signed onto the norms to follow the Western model of behavior rather than the Russian or Chinese ones, they say.
"If you look at the history of diplomacy, many things that start out as nonbinding become customary behavior over time," Markoff said.
But - and skeptics say this is a major failing - the norms are nonbinding.
"None of these states - China, Russia, Iran, North Korea - seem to have any intention to follow them," said Dmitri Alperovitch, a cybersecurity expert and executive chairman of the Silverado Policy Accelerator think tank. "And unless you hold these countries accountable, having nonbinding norms doesn't fundamentally change our security situation."
Russia has repeatedly said it does not conduct cyber attacks against other countries and has rebuffed accusations that Russia-based hackers were behind last month's ransomware attacks on the Colonial Pipeline and JBS, the meat supplier.
"I do hope that people would realize that there hasn't been any malicious Russian activity whatsoever," Putin said at a recent economic forum in St. Petersburg. "I heard something about the meat plant. It's sheer nonsense. We all understand it's just ridiculous. A pipeline? It's equally absurd."
Despite Moscow's disavowals, Western governments have repeatedly found it responsible for malicious conduct.
The United States, Britain and others in 2018 officially blamed Russia for the NotPetya cyber worm unleashed the previous year against Ukraine, which then spread across the world. The Trump administration called it "the most destructive and costly cyber-attack in history."
The Justice Department in October secured the indictment of six Russian military spies in connection with malicious hacks, including knocking out the power in three regions in Ukraine in December 2015 and in Kyiv the following December.
Those actions violated one U.N. norm or another, analysts said, whether by disrupting electric power to the public or, as in the case of NotPetya, launching malware that disabled computers in important sectors, such as Ukrainian hospitals, the global shipping company Maersk and the U.S. pharmaceutical company Merck.
James Lewis, a cyber policy expert at the Center for Strategic and International Studies who was an adviser to the U.N. group, says Russia has ignored its political commitment. But, he said, "the target here is the global audience."
"The goal is to build consensus among developing countries like Brazil and Indonesia so that they will support actions against violators. The norms don't talk about how to hold countries accountable," Lewis said. "That's the next step."
Europe has begun to take action against states that harm others in cyberspace. Last July, for instance, the European Union imposed the first sanctions for malicious hacking, targeting four Russian military cyber spies and two Chinese nationals linked to the government, among others. The Russians sought to compromise the Organization for the Prohibition of Chemical Weapons, which was probing the use of chemical weapons in Syria by the government of Bashar Assad, Russia's ally. The Chinese were sanctioned for a long-running industrial espionage campaign known as Cloud Hopper, which was enabled by hacking the global software service supply chain.
In announcing the sanctions, E.U. foreign policy chief Josep Borrell called on member states to "continue to" support the 2015 guidelines.
Former officials said some activities that may not violate a norm, such as traditional espionage, can nonetheless be punished. In April, the Biden administration imposed sanctions on Russia in response to its SolarWinds compromises of nine federal agencies and about 100 companies. It was an espionage campaign, so it was not covered by the norms, but its scale, officials said, raised concerns that it could become disruptive.
"We don't have to sit on our hands even if it's espionage," Painter said. "It's not covered by the norms, but at the same time, just as in the physical world, we've ejected diplomats and arrested spies."
As a companion to the norms, the State Department led the development of a cyber deterrence "playbook," laying out the consequences that could be most effective against each of the United States' main cyber adversaries. They include coordinated "naming and shaming," economic sanctions, indictments and the exposure of cyber tools to undercut their utility.
That's a good step, but punishments should be linked to violations, Painter said. "It's better if you call out the norm - the rule of the road - that's violated when you take action," he said. "That makes it clear to the wrongdoer and to others that these norms are more than words on paper. These are expectations that we're going to enforce."
The Washington Post