Less than 24 hours after US President Donald Trump and Russian President Vladimir Putin issued a joint proclamation that Washington and Moscow should “de-escalate” cyber activities in cyberspace, Russia is plowing ahead with cyber espionage activities.
On May 7, Reuters reported that Russian spy agencies conducted cyber surveillance in a Washington suburb. On May 9, Konstantin Kosachev, the head of the international affairs committee in the State Duma, told Interfax that “Russian intelligence penetrated the computer systems of some U.S. businesses.” Kosachev alleged that the cyber spying was as the result of human intelligence gathering but denied having any proof of this.
These allegations make strategic sense as long as the Kremlin can justify it. After the 2014 agreement on de-escalation in the Ukraine, Russia rejoined the Global Network Initiative (GNI), a global initiative created by John Kerry and Russia’s Sergey Lavrov to curb cyberspying and other forms of cyber espionage. This agreement between two of the world’s most powerful government entities—and world powers in general—should have sent a powerful message to Russia and other authoritarian governments that the world had finally decided to take action against foreign espionage. Instead, the day after Russia reentered the GNI, President Putin and President Trump issued a joint statement promising Washington and Moscow to “de-escalate” cyber activities.
However, the Trump Administration’s “decoupling” of its relationship with Russia on the cyber front after a point like de-escalation is illogical. This de-escalation of the cyber domain is about as disconnected from reality as the American-Russian relationship itself.
The public and political discussions have stopped talking about de-escalation in the cyber domain. The economy has started building cyber capabilities once again. The U.S. government has built a cyber team—the Cyber Command—along with a Cyber Security Operations Center at Fort Meade. The nation’s most active defense contractor, Raytheon, employs about 40 cyber defense experts spread across its 2,000 subcontractors and 40,000 employees and is building a cyber ecosystem in close to 40 countries around the world. The cyber domain is central to everything the United States does from an economic and security perspective.
Last year, Defense Intelligence Agency director Robert Cardillo argued that offensive cyber capabilities are a response to perceived gaps in the operational domain, rather than the job of the president, not simply to intimidate. In February, Mattis tweeted, “Only a nation that values the potential of cyberspace can — and must — remain committed to a world free of state-sponsored destructive offensive capabilities in cyberspace.”
But the order Trump issued is less than perfect. The order outlines six targets for sanctions: “cyber attackers that disrupt critical infrastructure or cause financial loss to U.S. government and critical sector companies; cyber operations that compromise intellectual property or result in significant economic or financial harm to United States businesses or government entities; cyber operations that inflict significant injury to U.S. citizens or the U.S. economy; cyber operations that cause serious injury to key assets of a critical sector or harm the national security of the United States; and cyber operations that cause serious injury to U.S. national and economic interests.” These targets include foreign governments, which sounds like a relatively small number. But these are the specific targets, not the targets themselves. Rather than fighting an attack from elsewhere, the US government would be targeting entities within the United States.
In all other ways, the Magnitsky Act wasn’t signed by Donald Trump. To put it a different way, while the order Trump signed is distasteful and unhelpful, it isn’t all that different from the annexes that Russian intelligence agencies place on computer systems for each other (including the United States) as a way of hiring hackers to find vulnerabilities in those systems.
The framework of the order is nice and everyone can agree on a few broad issues, but the order lacks definition. It’s difficult to know how it will affect transactions. Will the President decide not to sign deals in the cyberspace domain if there’s a link to the Russia annexes? Will the targets of the order’s sanctions even know they are included in the list? Will the U.S. economy keep growing if the sanctions force a $100 million transaction? And what if the Trump Administration decides to sanction rather than publicly say that the list is outdated—or that the administration doesn’t even know what these sanctions are going to be?
Now that the dispute over sanctions has been settled, it’s