The Fletcher School Convenes a Panel of Cyber Experts to Discuss Russian Cyber Policy and Security

By Alex Avaneszadeh, MALD 2023 Candidate, The Fletcher School

On October 14, 2021, the Russia and Eurasia Program at The Fletcher School hosted a panel discussion titled “Understanding Russia’s Cyber Policy.” Featuring representation from both U.S. and Russian perspectives, the panel included three speakers who provided their analyses on Russia’s strategy around cyberspace governance, cyberinfrastructure security, and the implications of Russian cyber activities on the United States.

While Russia is known to host the launching of offensive cyber attacks, the country also seeks to expand the rules of cyber conduct at the international level. Elena Chernenko, special correspondent at the Kommersant daily newspaper, outlined Russia’s international engagement on cyber regulation. Oleg Shakirov, a consultant at PIR Center focusing on cyber security, discussed Russian public policy and private technology firm initiatives on cyber defense and monitoring. Finally, Josephine Wolff, associate professor of cybersecurity policy at The Fletcher School, highlighted the United States’ perception of and concerns about cyber activity coming out of Russia, as well as its role in international cyber regulation.

Chernenko noted, “Russia did not have its own Edward Snowden, so the things that we know about Russia’s cyberspace…we know [only] the official position.” She explained that Russia’s cyber operations have been more elusive than the United States, yet Russia has been trying to propose frameworks at the UN level to regulate cyberspace activities. Chernenko pointed out that Russia does not accept the Budapest Convention framework, which allows for cross border operations in another country’s cyberspace. Russia’s rejection of the convention creates insecurity and it has thus initiated alternative forums for cyber regulation, such as the Open-Ended Working Group at the UN and an intergovernmental cyber cooperation document with the United States in 2013. U.S.-Russia cyber cooperation froze at the outset of the Ukraine conflict.

Echoing Chernenko’s point about Russia’s hesitancy in allowing cross-border cyber activities, Shakirov said, “There is this feeling that there are so many ransomware attacks in the United States and no similar attacks in Russia.”

He continued, “Russia is simply not as vocal as the United States is regarding publicizing its cyber issues,” even though “more than half of the attacks come from the U.S., and [Russia] reports this to the U.S. and United Nations Security Council.”

Shakirov also explained that Russia has been pressuring Twitter in some instances due to “content…considered to be problematic,” with Twitter acceding to Russia’s demands,

 and “slowed down access to Twitter for some Russian users.” Russian state regulation of global digital platforms signals state insecurity around its cyber infrastructure.

Russian private technology companies also cooperate with public institutions such as TASS state media and “pledge to work on mechanisms to identify false information…exchange best practices, and create transparency,” Shakirov said, which shows there is fear of both international and domestic cyber crimes.

Shifting to the U.S. perspective on Russia’s cyber activities, Wolff stated, “The United States at this moment is very concerned about ransomware and ransomware attacks originating from Russia.” However, it is important to note that the attacks originating from Russia may not necessarily originate from the Russian government itself.

Wolff emphasized that the United States views Russia’s cyber strategy as being in “close connection to criminal or organized crime groups,” and condoned the government for “passing information from those attacks for espionage purposes.” In contrast to Chernenko, Wolff argued that the United States is pushing for stricter regulation on cyber activities based on its concerns around Russian ransomware, whereas Russia has been more willing to exercise its capabilities. Wolff further explained that the current attitudes of Russia and the United States on cyber activity regulation were the opposite before 2004, when Russia was pushing for stronger constraints on cyber capabilities.

“What exists now are two parallel processes de facto dominated respectively by Russia and the United States,” Wolff said, referring to the UN Open-Ended Working Group and the Global Group of Experts.

The speakers signaled that both Russia and the United States desire to regulate cyberspace, but to do so on their own terms via their parallel formats. Russia seeks to avoid international provisions allowing cross-border cyber activities, yet is under suspicion of launching and condoning cyber attacks against the United States. Shakirov stated these may simply be a reaction to attacks coming from the United States, which are not widely publicized to the extent that the United States publicizes attacks committed by Russia. This could explain the U.S.’ apparent commitment to stricter international regulations. As Russia, the United States, and other major powers remain in different stages of cyber capability development, cyber regulation will likely remain contentious for years to come.