Cyber Transparency and the Restoration of U.S.-Russian Strategic Stability

Lights, camera, cyber!

Russia’s full-scale invasion of Ukraine in 2022 has brought the risk of nuclear escalation back to the forefront of popular fears and policy concerns. With the onset of renewed great power competition between the United States and the Russian Federation over the last 20 years, strategic stability between these nations has suffered a catastrophic degradation and is now at its most perilous position since the end of the Cold War. This has been exacerbated by both Russia’s and America’s acquisition of advanced offensive cyber capabilities. These novel cyber weapons are creating more ambiguity, eroding trust and transparency, and have fundamentally redefined the state of strategic relations between the world’s two nuclear superpowers. These developments in the cyber domain are directly challenging key tenets of strategic stability, such as second-strike integrity and mutually assured destruction.

How can the world’s leading nuclear superpowers step back from such a precipice, especially in the present circumstances? Diplomatic engagement on strategic stability with the Russian Federation can help diminish the specter of nuclear escalation and conflict. Specifically, the United States and Russia could draw from the long and successful history of implementing confidence and security-building measures within the nuclear sphere to address the current crisis within the cyber domain.

 

 

Novel Offensive Cyber Weapons and the Strategic Relationship

The 1990 U.S.-Soviet Joint Statement on Nuclear and Space Arms and Further Enhancing Strategic Stability defines strategic stability as a “strategic relationship that eliminates the incentives for a first nuclear strike.” Unfortunately, the principles that U.S.-Russian strategic stability has been based upon — mutually assured destruction and second-strike integrity — have been undermined by a multitude of factors, of which the collapse of arms control is only one. One of the main drivers of the collapse of strategic stability has been the erosion of the bilateral arms control infrastructure, which the United States and the Soviet Union built over multiple decades. Though numerical and technical nuclear parity certainly comprises a key pillar of strategic stability, it is constructivist mechanisms — such as arms control treaties and agreements — that foster trust, maintain transparency of intention, and prevent needless nuclear arms races, thereby preserving the strategic relationship.

After the U.S. unilateral withdrawal from the Anti-Ballistic Missile Treaty and the deployment of U.S. missile defense systems in central and eastern Europe — and the associated Russian violations of the Intermediate-Range Nuclear Forces Treaty — the world has been witness to an increasingly brittle state of strategic stability between the United States and Russia. As a result, industrialized warfare rages in Europe today, while the last pillar of nuclear arms control — the New Strategic Arms Reduction Treaty — hangs on a thread. Novel offensive capabilities, such as those in the cyber domain, add another layer of ambiguity and complexity to a situation already on the precipice of nuclear war.

There are two significant cyber capabilities that are currently exerting negative influence upon strategic stability because they can negate the integrity of a nation’s nuclear second strike integrity and thereby undermine mutually assured destruction. The possibility of nuclear response to a debilitating cyber attack on critical infrastructure as described in the U.S. 2018 Nuclear Posture Review — as well as similar policies within Russia and China — demonstrates the growing influence of cyber weapons on the nuclear domain and shed light on the degree that the cyber sphere is complicating long-held notions of strategic stability. Given that mutually assured destruction and second-strike integrity have been a cornerstone of the U.S.-Russian strategic relationship for decades, their degradation has vastly increased ambiguity and further destabilized overall strategic stability. Though developments in the cyber domain are not the principal driver of the collapse of strategic stability, these new offensive capabilities are worsening tensions and increasing real and perceived vulnerabilities. Given these developments, the Nuclear Threat Initiative has argued that the risk of nuclear weapon use on the European continent is the highest it has been since the Cold War.

The first capability is designed to interfere with an adversary’s nuclear command, control, and communications systems, while targeting the delivery systems themselves via supply chain cyber disruptions. As mentioned previously, this capability directly targets the surety of nuclear second-strike capabilities, which is highly destabilizing for the mutually assured destruction principle and stability. The second destabilizing offensive cyber capability is one designed to disrupt — whether temporarily or catastrophically — an adversary’s critical infrastructure, such as power grids, water distribution plants, and communications, as well as other systems upon which advanced societies rely.

Both capabilities have created strategic ambiguity and are complicating traditional, long-held notions of deterrence, transparency, and adversary intent. Though there is an argument that strategic ambiguity can lead to caution and restraint by a nuclear power due to a lack of knowledge on adversarial capability and intent, Thomas Schelling got it right in 1966 when he wrote of the criticality of properly communicating and understanding intent and capabilities in order to preserve effective deterrence. Nuclear deterrence — given the advent of modern cyber weapons — is transforming from a space that was long defined by parity, stability, predictability, and mutual vulnerability into one defined primarily by obscurity, unknowns, and an erosion of trust. Multiple arms control experts, to include Alexey Arbatov of the Carnegie Endowment for International Peace, have argued that such cyber weapons are inherently destabilizing and that bilateral U.S.-Russian cyber confidence-building measures should be adopted to prevent further nuclear escalation. Confidence-building measures that were created and employed during the Cold War to reduce the risk of nuclear escalation could potentially serve as a guide toward application of such measures into the cyber realm.

In 1967, U.S. Secretary of Defense Robert McNamara described the inherent risk of engaging in a nuclear arms race with the Soviet Union and labeled such an endeavor as “foolish and futile.” Such an arms race is just as dangerous and ineffective today as it was in 1967. McNamara’s speech helped to jump-start strategic arms control negotiations, which would ultimately yield nearly a dozen treaties and decades of strategic dialogue between the United States and Russia. This robust history of cooperation and arms control legacy creates a rich pool of knowledge and expertise that can serve as inspiration for a modern, cyber-oriented bilateral confidence-building measure agreement between the United States and Russia. Modern confidence-building measures trace their history back to the détente era and the Helsinki Final Act of 1975, which included a set of measures that were designed to facilitate the strengthening of trust and transparency between the East and West — thereby reducing the risk of nuclear escalation and upholding stability. Such confidence-building measures helped lead to further arms control agreements and ultimately served as the building blocks for decades of strategic stability and dialogue.

Adapting Nuclear Measures to the Cyber Domain

One of the most effective confidence-building measures employed during the Cold War to reduce nuclear risk was information exchange between nations. This is one of the types of measures that is most suited for use in a bilateral cyber agreement that would further the building of trust and reduce ambiguity in the strategic relationship. If, in nuclear-related confidence-building agreements, the information exchange consisted of sharing data related to deployed nuclear delivery mechanisms and other technical data related to nuclear stockpiles, cyber confidence-building agreements would envision the exchange of information related to the cyber policies, intentions, and capabilities of each country. If designed and employed correctly, such an exchange could enable a new level of trust and dialogue that could serve the aim of preventing incidents and escalation. It is noteworthy that such a precedent does indeed exist between the United States and Russia.

In 2013, the U.S.-Russian Bilateral Presidential Commission established a set of bilateral provisions relating to cyberspace. The provisions were geared toward crisis stability and preventing escalation involving the use of information and communication technologies. The provisions provided for the constant exchange of cyber threat data, usage of the Nuclear Risk Reduction Center for cyber security incident inquiries, as well as the establishment of a direct line between the White House cyber security coordinator and the Kremlin’s deputy secretary of the security council within the direct secure communications system. These provisions are an incredible example of how Cold War–era mechanisms designed to manage nuclear escalation can be applied to modern cyberspace — given that the Nuclear Risk Reduction Center and direct secure communications system were first created to manage nuclear crises amid the Cold War. The United States and Russia could build upon this experience and cooperation in future negotiations, as well as look to other multilateral institutions for guidance and expertise in crafting novel cyber confidence-building measures.

In addition to the precedent of U.S.-Russian cooperation in the cyber sphere, there is also a history of multilateral cyber confidence-building measure agreements under the auspices of the U.N. General Assembly that are geared toward strengthening stability and preventing crises. In the 2015 agreement by the assembly, which was based upon the recommendations of the U.N. Group of Governmental Experts, there were provisions that stipulated the exchange of information for cyber-related incidents, as well as the voluntary exchange of national views concerning critical infrastructure vulnerabilities. Such normative multilateral precedents of cyber confidence-building measures — coupled with the track record of nuclear-related measures that successfully prevented nuclear incidents and escalation over decades — illustrate the high degree of applicability of confidence-building measures into cyberspace and indicate their likely success in restoring strategic stability.

Specifically, the United States and Russia could focus their efforts on crisis prevention and stability measures that are geared toward the creation of mechanisms that facilitate consultations aimed at reducing misperceptions, escalation, and tensions that could arise from cyber incidents. Additionally, parties could exchange information concerning their national cyber organizations, policies, and strategy. The exchange of threat actor information, information on command and control for offensive cyber operations, as well as mutual declarations on the non-targeting of nuclear command and control systems, could foster mutual understanding and restore each nation’s confidence in the integrity of their second strike. Creation of a comprehensive bilateral confidence-building measure agreement that builds upon the normative success of the U.N., as well as factors in the dynamically changing geostrategic situation for both nations, should become the primary goal within the framework of U.S.-Russian strategic stability talks moving forward.

Strategic Détente      

Political will in both Moscow and Washington will be necessary to make progress toward restoring transparency in cyberspace that is critical to rebuilding the strategic relationship. With no end in sight to the Russo-Ukrainian War, it is hard to imagine any viable path forward for a novel bilateral cyber confidence-building measure agreement. This is especially true, given that recent cyber operations during the conflict have only served to worsen the escalatory spiral. However, as history shows us, technological advances and novel offensive capabilities — especially when possessed in parity — can often create an impetus for change and solutions.

With the New Strategic Arms Reduction Treaty set to expire in 2026 — and the current U.S. administration offering strategic stability talks with no conditions — there is clearly expressed political will from the West in continuing negotiations on the strategic relationship. Given Russia’s constructivist views on the purpose of arms control, which are primarily concerned with furthering their status on the world stage and using it as leverage in other areas of the bilateral relationship, Russia has thus far ruled out strategic stability talks as long as the United States continues its support of Ukraine.

Given the state of affairs and both nations’ positions, an inevitable negotiated settlement to the Ukraine conflict could be the ideal moment to pursue a novel cyber confidence-building measure agreement as part of a broader agreement that could also see the New Strategic Arms Reduction Treaty extended beyond 2026. Russia will be eager to ensure its constructivist status as a guarantor of global stability and the nuclear order is upheld in the aftermath of the war in Ukraine. Russian leadership has also expressed its interest in the past of including cyber and space provisions into future arms control agreements. Simultaneously, the United States will be keen to restore strategic stability after a prolonged period of increased nuclear escalation, as well as lower the risk of any incidents with Russia should the relationship with China further deteriorate.

The United States is confronting changed geostrategic realities and multiple crises around the globe. Blazing a new path forward toward restoring cyber transparency through the application of confidence-building measures could do more than rehabilitate the U.S.-Russian strategic relationship — it could serve as a symbol of responsible world governance at a time when the globe is in a high degree of conflict and upheaval. This could set a precedent for potential follow-on negotiations with China, should the nation ever choose to join arms control negotiations. Should China refrain from participation, a comprehensive U.S.-Russian cyber arms control agreement could lay the groundwork for a 21st-century détente, which could be crucial should America find itself in a future existential battle with China. Just as détente and its associated measures defused tension and prevented nuclear escalation in the Cold War, such an approach could potentially yield much fruit for American foreign policy and the Asia pivot in the decades to come.

 

 

Hunter Behrens is a captain in the U.S. Air Force assigned to the national security affairs department at the Naval Postgraduate School and a former Russian interpreter for the Defense Threat Reduction Agency. He can be contacted via LinkedIn.

Image: United States Space Command