Peering into the Future of Sino-Russian Cyber Security Cooperation
Editor’s Note: This is the third article in a series on Sino-Russian defense cooperation organized by the Center for a New American Security. Be sure to read to the first and second articles in the series.
Beijing and Moscow have long wanted to control their domestic internets. Now they are working together to remake global cyberspace in their own image. The two launch widespread cyber operations that threaten U.S. interests, and they want to reshape the internet to reduce U.S. influence. Chinese hackers have mounted a long campaign to steal intellectual property, as well as military and political secrets, and are a growing threat to U.S. critical infrastructure. Russian hackers pose the threat of cyber espionage, influence operations, and attacks on the infrastructure of the United States and its allies. Moreover, China and Russia have over the past five years worked together to tighten controls on their domestic internet and promoted the idea of cyber sovereignty to diminish U.S. sway over the global governance of cyberspace.
Over the next decade, China and Russia are likely to continue close technical and diplomatic cooperation. Beijing now appears more willing to adopt information operations techniques historically associated with Russian actors to shape the narrative on the responsibility for and response to the COVID-19 pandemic, but the two sides are unlikely to coordinate on offensive cyber operations. To counter these efforts, policymakers should revitalize U.S. cyber diplomacy, providing an alternative framing to cyber sovereignty and building a coalition of like-minded partners to define and enforce norms of behavior in cyberspace.
Drivers of Cooperation
Both Moscow and Beijing perceive the open internet as a threat to domestic stability and regime legitimacy. The United States and its allies stress cyber security with a focus on the confidentiality, integrity, and assurance of data. In contrast, Russia, China, and their partners prefer the term “information security,” which includes not only protecting data but also controlling content and communication tools that may threaten regime stability. The International Code of Conduct for Information Security, for example, which representatives of China, Russia, Tajikistan, and Uzbekistan proposed to the U.N. secretary-general in 2011 and 2015, calls on states to curb the “dissemination of information which incites terrorism, secessionism, extremism, or undermines other countries’ political, economic and social stability.”
From the Clinton through the Trump administrations, the United States has pushed, with varying degrees of attention from senior decision-makers, a set of ideas and policies that became known as the “internet freedom” agenda. Washington argued that information should flow freely across the web and that people had the same rights online as they did off. U.S. policymakers argued that the open internet would drive innovation and economic growth. In support of these ideas, the United States funded the training of activists and the development of circumvention and anti-censorship software. Chinese and Russian analysts warned of hostile foreign powers using the internet for ideological subversion and to promote color revolutions. In opposition to this idea of cyberspace as an open, global platform, Chinese and Russian officials pushed the idea of cyber sovereignty and the right of all states to regulate the internet based on national interests.
In addition, while Washington has promoted a multi-stakeholder approach to internet governance driven by the private sector and technical experts, Moscow and Beijing have pushed a more “democratic” governance located at the United Nations. A multilateral approach located at the United Nations would prioritize the interests of governments over those of technology companies and civil society groups. It would also allow China and Russia to mobilize the votes of developing countries, many of which would also like to control the internet and the free flow of information.
In 2015, Chinese President Xi Jinping and Russian President Vladimir Putin signed an agreement “on cooperation in ensuring international information security.” While the Western press reported that the two sides had signed a nonaggression pact, it is more realistic to see the agreement as reflecting China and Russia’s shared threat perceptions. It also provided a framework for future cooperation on internet control (and did not, in fact, stop Moscow and Russia from hacking each other).
The agreement contains a long list of threats to domestic stability, and in the years after its signing, the majority of exchanges appear to be designed to share technologies, information, and processes on the control of the internet. In June 2019, for example, a Chinese delegation participated in the Russian International Conference on Information Security and discussed Russia’s network disconnection exercises. A month later a delegation from the Cyberspace Administration of China traveled to Moscow and met with Roscomnadzor, Russia’s federal executive body responsible for censorship in media and telecommunications; Yandex, the Russian internet giant; and Kaspersky Lab.
Over these years, Moscow has introduced a series of more internet-restrictive laws. Anti-terrorist legislation, known as the Yarovaya Law, required internet service providers, cellphone operators, and search engines and other web services to store all Russian traffic, including all private chat rooms, emails, and social network posts, for as long as six months at their own expense as of July 1, 2018. The Chinese telecom giant Huawei reportedly held talks with Bulat, the Russian telecom equipment manufacturer, to provide hardware to assist with storage. The Sovereign Internet Law, which came into force in November 2019, gives Russian authorities the ability to control data traffic and — in theory — shut Russia’s internet off from the rest of the world. The law requires telecom operators to install certain hardware, software, and Russian-origin equipment provided by Roscomnadzor to counter cyber threats, including deep packet inspection equipment, and helps create an internet infrastructure that looks more similar to China’s.
There has also been growing cooperation between Russia and China on 5G, the next generation of telecommunications networks. As Huawei has faced resistance in the United States, Australia, and some European countries, it has expanded its operations in Russia, growing research and development operations and signing cooperative agreements with Russian universities. Huawei signed a deal with telecom company MTS to develop 5G networks, and the two launched a 5G test zone in Moscow in October 2019. The company expects to quadruple its research and development personnel in Russia by 2024, bringing the total to 2,000 engineers. Huawei has also reportedly advertised to recruit engineers experienced in offensive skills such as vulnerability exploitation and penetration testing.
The 2015 bilateral agreement on cyberspace called for China and Russia to enhance “cooperation and coordination” on international information security. The two sides have promoted cyber sovereignty through the United Nations, International Telecommunications Union, Shanghai Cooperation Organization, and the BRICS group (Brazil, Russia, India, China, and South Africa).
Cooperation at the United Nations is important to both partners. A great deal of the action has occurred in the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security. Established in 2004, the group has convened five times since and has identified some shared norms for responsible behavior of states in cyberspace.
The United States hoped to use the 2016 to 2017 Group of Governmental Experts meeting to discuss specific applications of international law to cyberspace as well as the development of confidence building measures, not the identification of new norms. The group, however, failed to issue a consensus report, and divisions over the question of the applicability of the law of countermeasures and the inherent right of self-defense proved especially contentious. The Cuban representative publicly opposed these measures, arguing that they would lead to a militarization of cyberspace that would “legitimize … unilateral punitive force actions.” As Elaine Korzak argues, it is safe to assume that Russia and China shared this position (and perhaps promoted via Cuba) since they both have maintained similar views in the past.
In December 2019, member states approved a Russian-backed resolution that established a committee of experts to consider a new U.N. cyber crime treaty. Russia has long wanted to replace the Council of Europe’s Budapest Convention. The convention is the one international agreement subject to human rights safeguards that criminalizes computer crimes and prohibits illegal access, system interference, and intellectual property theft. Although 64 countries have now signed the treaty, including Argentina, Australia, Japan, Turkey, and the United States, Moscow has consistently argued that the convention is only a regional agreement. Russia has also claimed that it violates principles of state sovereignty and noninterference. In the run-up to the vote, U.S. officials warned that the proposal was an opportunity for Russia, China, and others to create U.N.-approved standards for controlling the flow of information, but large democracies such as Nigeria and India have found Moscow and China’s arguments on the need to fight cyber crime and terrorism convincing.
Despite shared threat perception and interests, there are limits to how closely the two sides will cooperate. Beijing and Moscow are likely to remain wary of the other’s cyber capabilities, and, given the strong connection of cyber capabilities to each country’s respective intelligence services, it is unlikely that the two sides would share offensive capabilities. This lack of exchange of offensive techniques seems to be mirrored by criminal and non-state hacking groups as well. Cyber security firms report little interchange or cooperation between Russian and Chinese criminal hackers. Defense will remain the primary focus of cooperation of the two sides.
Moreover, some of the defense will be directed at the other, despite the “nonaggression pact.” The public reporting from cyber security companies suggests that the two sides have continued hacking each other after signing the 2015 agreement. The Russian cyber security firm Kaspersky Lab, for example, saw Chinese hacking cases of Russian industries, including defense, nuclear, and aviation, nearly triple to 194 in the first seven months of 2016, from 72 in the whole of 2015.
Russia is also wary of the intelligence risks that dependence on Huawei equipment entails. The Russian leadership knows that it will bring vulnerabilities, but it hopes the partnership will speed the deployment of 5G in the country and tie Russian companies into Huawei’s supply chain. Similarly, Huawei’s buildout of 5G networks in Central Asia and Eastern Europe is likely to bring these areas under Beijing’s technological influence and cause tension with Moscow.
The long-term issue for Moscow is the technological asymmetry with China, especially in commercial information and communication technologies. There are no Russian companies with the global reach of the big Chinese firms, and these firms will help shape global technology developments and provide intelligence benefits to Beijing, not Moscow.
U.S. Policy Response
China and Russia are likely to continue to strengthen their technical exchanges on the control of the internet over the next five years. Recent diplomatic success at the United Nations will provide the base for future joint efforts to promote cyber sovereignty. Given the increasing complexity of operations in joint military exercises such as Tsentr, the Chinese and Russian militaries may also eventually engage in joint defensive cyber exercises.
In addition, Russian and Chinese information operations appear to be learning from each other. Previous Chinese online disinformation campaigns were focused on Hong Kong and Taiwan, political struggles the Chinese leadership considers internal issues. With the novel coronavirus pandemic, Chinese diplomats and state media accounts have become more divisive. They have linked to conspiracy websites arguing that the United States was the real source of COVID-19, and this messaging has been amplified by bots and fake accounts. Unnamed U.S. officials also told The New York Times that Chinese actors sent text messages warning of a lockdown designed to create panic, rather than spread pro-Beijing propaganda.
The United States has long argued that an open, global internet serves its political, economic, and diplomatic interests. Russian and Chinese cyber cooperation reinforces and accelerates the splintering of cyberspace into more controlled, national internets. To be sure, Moscow and Beijing are not the sole sources of fragmentation. Many countries are looking to data localization, filtering, and online content moderation to exert sovereignty over cyberspace. But their collaboration, and their increasing ability to use the United Nations to promote cyber sovereignty, provides diplomatic and political support to states that want to control and restrict online information. In addition, their technical cooperation demonstrates what is possible with filtering, blocking, and censorship. The Chinese in particular have been exporting the model through investment, business deals, and training local officials.
The United States does not have an obvious response on the technical side. Russia’s partnership with Huawei is in part driven by the breakdown of relations, and U.S. and E.U. economic sanctions on Russian companies. With those remaining in place, there is little alternative the United States can offer. There is the additional constraint, clearly demonstrated in Washington’s ineffective efforts to convince European friends and allies not to use Huawei for 5G networks, that the United States does not have an equipment manufacturer to compete with the Chinese telecom.
U.S. efforts should be focused on combating Chinese and Russian efforts to promote cyber sovereignty through the United Nations and other international organizations. This would require a rethinking of the U.S. “internet freedom” agenda and a re-engagement with international organizations. In the wake of the interference in the 2016 election, the United States and its allies have increasingly called for online content moderation and other controls on disinformation. While Washington might stress that these processes occur transparently and through the rule of law, they do not look dissimilar to Chinese and Russian calls for cyber sovereignty to third countries that face similar pressures.
There are tools Washington can rely on, though the State Department needs support. Former Secretary of State Rex Tillerson shut down the Office of the Coordinator for Cyber Issues, and then, a little before he was fired by the president, recommended the creation of a cyber bureau with an assistant secretary for cyberspace and digital economy. The Senate Foreign Relations Committee has supported the same idea through the Cyber Diplomacy Act. Even if a bureau is not created, cyber issues need more attention and resources from the top.
One forum worth engaging is the Freedom Online Coalition, a partnership of 30 governments that continues to meet and issue statements in support of an open internet. In addition, Congress remains engaged in the issue and in 2018 voted for $50 million in anti-censorship technology and other programs. The United States has been essentially reactive to Chinese and Russian efforts at the United Nations, warning others of the negative impact but providing no real alternative to countries seeking a response to online threats. Washington, along with its friends and allies, will not only have to promote new avenues of coordination and collaboration, but also have to contribute significant resources to capacity building. Any new strategy will, however, require acknowledging the link between U.S. domestic efforts to regulate content and cyber diplomacy. Washington should have a coherent argument for what it is trying to accomplish at home before it convinces others to fight for a free, open, and global internet.
Adam Segal is the Ira A. Lipman chair in emerging technologies and national security and director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations. His most recent book, The Hacked World Order: How Nations Fight, Trade, Maneuver, and Manipulate in the Digital Age, describes the increasingly contentious geopolitics of cyberspace.
Image: Russian Ministry of Defence