Establishing Cybersecurity Norms in Engaging Russia by Jack Korcuska

Jack Korcuska is a freshman at Tufts University.

Photo: President Obama tours the National Cybersecurity and Communications Integration Center in Arlington, Virginia in January, 2015.

Both the U.S. and Russia –and indeed many countries around the world– recognize the cyber realm as an emerging front that they can use to advance their respective national interests. As is the case with any recently emerged tool or weapon, concerns have arisen in the international community not only about what cyber allows us to do, but also about what the “rules” are for it. The core of this second concern is that, since cyber is a new tool, there are few “rules of the road” surrounding what is acceptable for a nation to do with cyber, be it attacks on infrastructure or theft of information. In part due to the lack of rules, it poses unique dangers that other security areas, like nuclear weapons, may not. If this uncertainty is resolved, global security would be greatly improved.

How then, can “rules of the road” be established in a way that promotes the U.S.’s interests and global security? Many people’s first instinct for establishing rules is turning to international organizations for regulation and agreements. Many experts talk about the work done by diplomats in navigating the nuclear arena, and how regulation of cybersecurity can come about in a similar way.[1] While some comparisons can be made here, since nuclear weapons were the newest way a state could project power before cyber, international organizations cannot regulate cyber at this stage. When even basic cyber regulation was proposed as a UN resolution in 2017, “the group almost fell apart.”[2] Political thinkers like Robert Keohane described international organizations as avenues for resolving disputes civilly, and while that may be useful in mitigating the anarchy of the international realm, the capabilities and ambitions of the U.S. and Russia (not to mention China), and their desires to leverage this new tool, makes the conflict much more than a manageable dispute.[3] That doesn’t mean that cyber won’t ever be successfully regulated, but it does mean that right now more organic norms need to be established.

The U.S. has extensive capabilities for cyber-attacks, but has been comparatively reluctant to deploy them, in part due to the lack of norms, which sets the ground for potential international backlash and unpredictable retribution. Yet, to ultimately establish the organic norms we seek in a new international arena, that arena has to be engaged with in the first place.[4] Further, if the U.S. properly engages with cyber, it will have greater ability to influence the development of cybersecurity norms, and that can be used that to promote international security and American interests.

However, the U.S. shouldn’t wantonly leverage cyber wherever it can. We don’t want a war, cyber or otherwise, so how do we engage with this new tool productively?

The first step is to double down on gathering intelligence about potential Russian backed cyber-attacks not only on American assets, but on assets around the world. Engaging more than just when it affects us allows us to participate more often and have more opportunities to establish and influence the cybersecurity norms as they grow. If we can reliably link potential cyber-attacks with Russia (or any other rival actor for that matter), Cyber Command can develop proportional responses to these attacks, and issue declarations and guarantees that if a target we had established an interest in were to be attacked, there would be a response by the United States. If an attack were to happen despite such a declaration, the proportional response that Cyber Command developed would be deployed. Such a strategy would allow the U.S. to productively engage with cyber in a way that would develop norms around it, and permit the U.S. to more easily line the norms up with its interests and future global security.

The crucial part of this is the collection of reliable intelligence about potential cyber-attacks. That is of course much easier said than done. Nevertheless, it’s worth emphasizing the importance of knowing which potential cyberattacks are linked with which groups, and which groups are linked with which governments. If we fail to do that, we cannot reliably launch a proportional response of our own. This prevents us from achieving what should be our ultimate goal: productively engaging the cyber realm. 

[1] Albright, Madeileine, Carnegie Corporation. “U.S.-Russia Relations: Quest for Stability.” U.S.-Russia Relations: Quest for Stability,

Robert Levgold. Ibid.,

 [2] Chernenko, Elena. Ibid., 

[3] Keohane, Robert O. “International Institutions: Can Interdependence Work?” Foreign Policy, no. 110, 1998, p. 82., doi:10.2307/1149278.

[4] Current, Amanda. Tufts ALLIES. “Speaker Series on Cyber Policy and U.S.-China relations.”