The recent ransomware attacks on the U.S. gas and meat industries have sparked renewed conversations about the possibility of an international cyber agreement that would set the ground rules for what is and isn't permissible, and spell out sanctions for violators.
In the latest sign of the U.S.-Russia cyber tensions, the National Security Agency and other government security branches issued a joint advisory Thursday on how Russia's military intelligence has been trying to break into government and private computer networks for the past two years.
The statement did not cite specific hacks, though it provided pages of technical details, noting, for example, that the attackers often sought to go through Microsoft's cloud services to reach an intended target.
The timing of the U.S. government advisory was also seen as noteworthy. It came just two weeks after President Biden held a summit with Russian leader Vladimir Putin in Geneva, warning the Russian leader the U.S. would respond to future hacks, especially those directed at "critical infrastructure."
As shown by the attack on Colonial Pipeline that shut down a major East Coast oil distribution network, the U.S. and other countries have a compelling interest in containing such a threat, says Glenn Altschuler, a professor of American Studies at Cornell University.
"We're talking about the possibility of taking out power grids, water systems, hospital services," he tells NPR.
Altschuler thinks such an agreement — at least a bilateral version of it between the U.S. and Russia — could be loosely modeled on Cold War arms agreements.
Such discussions have been kicking around for years, but many cyber experts remain deeply skeptical that such an agreement could be reached, let alone enforced.
Cyber strikes are low-cost and high-reward
The first big challenge would be simply getting everyone to agree to the rules. Russia, China, Iran and North Korea have all been blamed for significant hacks against the U.S., and analysts say those countries see cyber strikes as cheap, effective and easy to deny.
It's not even clear if such countries would be willing to actually agree to terms, because cyber attacks for them are "really useful in their geopolitical positioning," April Falcon Doss, a former National Security Agency official who now heads a technology program at Georgetown's law school, tells NPR.
Compared to the arms agreements between the U.S. and Soviet Union, a cyber treaty would be extremely difficult to monitor and enforce. That's because the production, development and stockpiling of nuclear, biological and chemical weapons is fundamentally different from the ephemeral nature of cyber weapons, says Doss.
"If the question is whether or not a signatory to a nuclear arms control treaty is building up their nuclear stockpile, there will almost certainly be some evidence, factory production, storage of nuclear weapons," she says. "There will be satellite imagery or there will be on the ground reports."
Tests of nuclear weapons or ballistic missiles, such as those carried out by North Korea in recent years, are also relatively simple to monitor compared to the challenge of keeping an eye on the dark corners of the Internet to track down new cyber weapons, Doss says.
"Detecting their development is much harder because you don't have big stockpiles of missiles sitting around and there's nothing that's visible in that sense," she says.
Thomas Graham, a U.S.-Russia expert at the Council on Foreign Relations, says any analogy to a Cold War-style arms agreement would be tenuous.
"We're dealing with computer code. So this is radically different from some nuclear weapons," he tells NPR.
Cyber treaties have been tried
The Budapest Convention on Cybercrime, currently the only binding international agreement governing cyber crimes and hacking, dates to the early 2000s. It aims to increase cooperation, harmonize national laws dealing with hacking and improve techniques for investigating cyber crimes. While Washington has signed on, Moscow, Beijing, Pyongyang and Tehran have not.
In 2015, when Barack Obama was president, the U.S. and China reached a cyber agreement declaring that neither side would "conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage."
Priscilla Moriuchi, a former National Security Agency official, calls the U.S.-China deal "a great experiment" that "failed for a number of reasons."
While at the NSA, Moriuchi's job was to monitor Chinese compliance. In an email to NPR, she said her view is that "the Chinese government never really complied with the agreement."
Meanwhile, China, Russia, North Korea and particularly Iran have reasons to be just as suspicious of the U.S. and its allies. What many consider the most successful cyber attack ever — the 2010 Stuxnet worm that targeted Iranian nuclear centrifuges — has been attributed to the U.S. and Israel, though neither country has ever officially acknowledged it.
Moving from state actors to criminals
Recent hacks, including the one against Colonial Pipeline, the major gasoline supplier, and JBS, the world's largest meat producer, were blamed on Russian criminal gangs, not the Russian government itself.
This activity by non-state actors makes the problem of "attribution" that much more difficult, says Graham. "There's also the possibility of false flag operations, because people can disguise the IP addresses," he says.
Cornell's Altschuler says while Cold War arms agreements might not be a perfect prototype, they could at least provide a framework for a cyber treaty.
Instead of inspectors on the ground to guarantee the destruction of nuclear weapons, such a cyber treaty might ensure compliance via remote monitors, he says.
"It would also have to include limiting the monitoring to international cyber traffic and it would have to have protection for privacy so that in most instances, metadata could not be converted into an investigation of an individual," Altschuler says. But he acknowledges that "all of those things are complicated, extremely difficult to work out."
Robert G. Papp, a former director of the Center for Cyber Intelligence at the Central Intelligence Agency, has also called for a cyber agreement with Russia. "It is in our national interest to negotiate some limits to this activity to reduce these threats and the human and financial resources needed to address them," he writes.
Cyber spying is a separate category
Meanwhile, it's important to distinguish between electronic snooping and other types of cyber activity, such as the theft of intellectual property, and attacks that cause physical damage, like shutting down an electrical grid.
"[Cyber] spying is unlikely to go away," Doss says. "No nation is going to want to give up that ability."
So, where does that leave things? Is there a way to limit the damage done by hacking without a formal treaty?
At the recent summit in Geneva between Biden and Putin, the U.S. leader presented Putin with a list of 16 areas of critical infrastructure — from energy to water — that the U.S. considers off limits.
"[If] in fact they violate these basic norms, we will respond," Biden said.
U.S. officials say Putin has used cyber for his own political purposes and has shown little interest in curbing Russia-based ransomware attacks that prove disruptive to the West. Still, the Russian leader said after the summit that the two sides could "begin consultations" over cybersecurity issues.
A set of such norms would be more obtainable that any sort of formal treaty, Moriuchi says.
She says the only way to establish that kind of norm is outlining clear red lines — and imposing consequences if lines are crossed.