This was my final paper for my Cyber and Security class at George Washington University, submitted in May 2019.

Introduction

The current state of Russia-U.S. relations are marked by high levels of distrust. Tensions have been especially high in the past three years – both countries have imposed economic sanctions on the other, disseminated propaganda, and exchanged accusations in the international arena. The situation is unpredictable, and the rising tensions have spread across all issues between the United States and Russia, including cyber security.[1]  Securing information infrastructure has become a critical element of Russian-U.S. security relations. As much as U.S. officials have expressed concerns about Russian-sponsored cyber-activities, Russia is equally concerned about U.S. military intentions in the cyber domain.[2] The United States is particular concerned with threats to technology, infrastructure, and economic wellbeing. Russia, on the other hand, is concerned about activities that threaten interference in Russian sovereign affairs. It is clear that common interests are at stake, but establishing trust and confidence between these rivals in order to make any level of cooperation work. Establishing confidence-building measures (CBMs) in cyberspace between the United States and Russia would help increase international stability and reduce the risk of conflict stemming from the use of cyberspace. This paper will address what confidence-building measures are and what they entail, previous examples of CBMs between the United States and Russia, will provide ideas for potential CBMs, and will also address concerns about establishing CBMs between the two rivals.

What are confidence-building measures?

Confidence-building measures, also known as “transparency and confidence building measures” or “confidence, transparency, and security-building measures” are defined as,

An instrument of international politics, negotiated by and applied between States…[that] aim to prevent the outbreak of an (international) armed conflict by miscalculation or misperception of the risks and by the consequent inappropriate escalation of a crisis situation, by establishing practical measures and processes of (preventive) crisis management between states.[3]

These measures have three goals: transparency, cooperation, and stability.

• Transparency measures focus on fostering a better mutual understanding of national military capabilities and activities. These measures can include crisis management instruments (e.g. effective crisis communication channels), and notifying military movements via diplomatic channels.
• Cooperation measures can include exchanging documents (such as military doctrines), conducting join military exercises, exchanging observers, military delegations’ visits, and developing a common understanding of key definitions.
• Stability measures foster predictability of military activities by limiting them, and through stabilizing the military balance.[4]

The idea of confidence-building measures was first developed during the Cold War in order to prevent an accidental nuclear launch, and have now been expanded upon to be utilized in the cyber domain. Due to the nature of the Internet, the scope of potential consequences of malicious cyber activities, such as espionage and cyber crime, could quickly and easily escalate out of control. Additionally, the potency, low cost, and potential deniability of these attacks makes them particularly counterproductive to building trust between actors.[5]

The objective of confidence-building measures is “to prevent outbreak of war and escalation in a crisis; increase trust so as to avoid escalation; enhance early warning and predictability; and modify and transform or improve relations between states.” [6] Examples of CBMs including information exchange measures, observation and verification measures, and military constraint measures. They can be formal or informal, unilateral, bilateral, or multilateral, military or political, and can be state-to-state or nongovernmental.[7] If effective confidence-building measures are implemented, they can have several critical benefits for the international cyber arena, including:

• Help countries counter the threat of cybercrime
• Promote international consistency in cyber security approaches
• Minimize misunderstandings that fuel distrust and exacerbate tensions between states
• Ensure the safety and stability of cyberspace by reducing the risk of cyber war breaking out.[8]

Without confidence-building measures, distrust and militarization will be fueled in the cyberspace, which only increases the potential of a cyber arms race. It is important to recognize that it is people – not technology – that shape governments’ political, diplomatic, and military choices in cyberspace. At the heart of this decision-making is trust and understanding.[9] Nicholas explains that the reason why building understanding and trust is so complicated in the cyberspace is because so many systems that are labeled as cyber defense also have cyber offense capabilities. When a state invests in cyber security measures to defend itself, its rivals might see that defense building instead as a growth in offensive capabilities and a potential sign of gearing up for conflict. A very human response to seeing that build-up would be for a rival state to build up one’s own defenses and potentially even increase one’s retaliatory capabilities.[10] This, in turn, could also be misinterpreted as gearing up towards conflict. Thus, “escalation spreads, trust evaporates, and distrust balloons, leaving cyberspace akin to a powder keg that’s ready to explode.”[11]

Previous examples of United States-Russia cooperation on CBMs

In June 2013, President Obama and President Putin announced the creation of the Working Group on Threats to and in the Use of ICTs in the Context of International Security, under the U.S.-Russia Bilateral Presidential Commission. This working group was established to enhance transparency and confidence between the United States and Russia in the cyber domain. [12]^, [13] The inaugural bilateral meeting of the working group addressed the implementation of a series of bilateral confidence-building measures that were intended to “promote transparency and enhance strategic stability by reducing tensions caused by threats to and in the use of ICTs [information and communications technologies.]”[14] These CBMs included:

• Links between Computer Emergency Response Teams: This CBM involved the sharing of threat indicators between the U.S. Computer Emergency Readiness Team (US-CERT) and its counterpart in Russia in order to facilitate the exchange of practical technical information on cyber security risks to critical systems. These authorities would exchange technical information regarding malware or other malicious software that originated from either state in order to aid in the preemptive mitigation of threats. This exchange was intended to expand the volume of technical cyber security information available to both the United States and Russia.[15]
• Exchange of Notifications through the Nuclear Risk Reduction Centers: This proposed CBM involved utilizing and expanding the Nuclear Risk Reduction Center (NRRC) links that were established between the United States and the then-Soviet Union in 1987 in order to ensure a secure and reliable line of communication between the two countries regarding cyber security incidents of national concern. The new use of this system would have allowed for both parties to make inquiries between parties if necessary in order to reduce the risk of misperception and preemptive escalation from ICT security incidents. [16]
• White House-Kremlin Direct Communications Line: The White House and the Kremlin authorized a direct secure voice communications line that would have been integrated into the already existing Direct Secure Communication System (hotline). This line would have been between the U.S. Cybersecurity Coordinator and the Russian Deputy Secretary of the Security Council, and would have been used in the event that a cyber security crisis was to emerge.[17]

The United States suspended its participation in the Bilateral Commission in 2014, following Russia’s invasion of Ukraine. However, it is important to note that these CBMs were set in place, and that despite the fact that relations between the two countries have been frosty as of late, establishing effective CBMs with another world power and rival is certainly possible. [18]

Transparency CBMs

The main objective of transparency measures in the process of establishing confidence-building measures is to improve stability and predictability. In the case of the United States and Russia, both countries have low levels of transparency, predictability, and confidence regarding their cyber operations and state actions. Small, initial steps could be taken in order to set a baseline for future transparency measures. These can include publishing a cyber security strategy that is publicly available, complete with aims, intentions, internal structures, and budgetary allocations.[19] The United States published its National Cyber Strategy late last year. Although it is rather broad in its policies and does not include any budgetary allocations, the release of the Strategy is a good first step. Russia has not publicly published its cyber security strategy. In the event that both parties publicly release their cyber strategies, this could lead to open ended consultations and dialogues on national policies, budgets, strategies, doctrines, and processes for offensive cyber operations, as well as transparency on potential “red lines” and circumstances where a party might consider conducting an offensive cyber operation.[20] Another initial measure that could be implemented is a declared military doctrine, including command/control structure on the use of cyber tools in times of conflict.[21] Knowing who controls the particular cyber structures and the use of certain cyber tools in both countries will make the other side aware of each other’s capabilities.

One critical set of transparency CBMs are those that are focused around crisis management. Cyberspace today reflects the actions of a variety of actors, including governments, corporations, and individuals. A cyber crisis, in this instance, would refer to a “politico-military crisis involving risks to computation and networking underpinning national security or major components of national economies.”[22] While few analysts believe that pure cyber conflicts are possible or doubt that cyber crises are not embedded within broader politico-military disputes, distinguishing the cyber dimensions of crises is important because the technical aspects of interactions in cyberspace brings about new expertise, actors, organizational forms, and compressed time scales – all of which require different responses than a politico-military crisis that takes place outside of the cyber arena. Improving crisis management measures would deter states from conducting illegal cyber operations and would help prevent a cyber confrontation from leading to war.[23]

An example of such a policy that is focused on crisis management is the alignment of cyber crisis response teams. Cyber crisis response teams around the world often have difficulty communicating with each other due to the different organizational structures and functional roles these teams play in countries across the world. This CBM ensures that cyber crisis response teams can “identify, access, and exchange data with their functional counterparts” in order to manage the political, military, and economic aspects of cyber crises.[24] This CBM would focus on developing interstate contacts between functional counterparts in the United States and Russia (in this case, the U.S. Computer Emergency Readiness Team (US-CERT) and its equivalent in Russia), and would allow for the right people to communicate quickly to share situational awareness whether they are direct or indirect parties to the crisis. [25] As mentioned above, an idea similar to this one was proposed in the 2013 Working Group on Threats to and in the Use of ICTs in the Context of International Security.

A second example of a crisis management-centered CBM is the establishment of a cyber hotline initiative. As stated above, this has already been proposed between the United States and Russia. In the event of a cyber crisis, secure and reliable communication is essential to manage and de-escalate a crisis, and avoid future miscalculation.[26] Setting up a hotline between the national command authorities of the United States and Russia would establish a secure and resilient communication hotline that can function both during and in the aftermath of a cyber crisis. [27] Seeing as this idea has been proposed before through utilizing an already-existing hotline mechanism, this hotline should be inexpensive and relatively quick to set up.

Another potential area to explore for transparency measures is the idea of establishing joint simulation exercises of cyber attacks between the United States and Russia. These exercises can take place between American Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) and the Russian equivalents. Although this particular measure may not seem as plausible compared to the other measures proposed in this paper, especially given the frosty tensions between the United States and Russia, it should not be deemed as completely impossible. It is true that both the United States and Russia have developed robust cyber warfare doctrines. Russia’s doctrine has given Russia the capability to disrupt the information infrastructure of its enemies, disrupt financial markets and civilian and military communications capabilities. The secrecy of these capabilities has so far precluded any cooperation.[28] However, both countries agree that some of the cyber methods both countries use are not necessarily different to those that cyber criminals and cyber terrorists use. It is these illicit actors that are the main threats to the critical infrastructure of both countries. [29] Mutual exchanges of information during joint exercises would increase the resilience of both parties as they work to strengthen their critical infrastructure. In regards to the issue of secrecy, initial exchanges could be limited to just unclassified information, which could then be followed later on by more concrete bilateral exchanges on specific mutual threats, such as safeguarding critical infrastructure from cyber attacks.[30] Full transparency in terms of information warfare capabilities does not have to be required, nor would it be necessary to exchange classified information.[31] This could help resolve initial concerns.

Cooperation CBMs

Cooperation CBMs rely on adapting and applying existing norms and mechanisms to issues pertaining to cyberspace.[32] One critical area that Russia and the United States can cooperate on in terms of CBMs is through measures to hinder cybercrime. Cybercrime is arguably the most persistent threat in cyberspace between the United States and Russia. Cooperation between Russia and the United States in this field has been sporadic, while the number of Russian cybercriminal networks has only grown over the years.[33] As McConnell et al explains,

Both governments must take action to decrease the scale and quantity of  cyber incidents. Russia and the United States should cooperate on investigating and prosecuting these incidents, as well as on sharing information. Episodes such as the DNC hacking should be subject to such type of cooperation. Russian and American law enforcement agencies should work out the mechanisms of joint investigation of cyber incidents, prosecution of cyber criminals, assisting each other in damage control, and share information about international cyberthreats. [34]

There are several potential areas of cooperation between Moscow and Washington on issues related to cybercrime. The U.S. should encourage Russia’s inclusion in programs that combat types of online crime that Russia has publicly advocated for increased cooperation, such as child pornography and drug trafficking.[35] Additionally, the U.S. should work to strengthen its bilateral law enforcement cooperation on cyber issues. Van Epps argues that Russia would be willing to do this and already has before, as Moscow and Washington cooperated significantly in the aftermath of the Boston Marathon bombings in 2013. This kind of cooperation, Van Epps claims, would improve interactions between Russia and the United States, as it would allow them to keep with their Mutual Legal Assistance Treaty, agreed upon in 1999.[36]

Another example of one of these policies is establishing collaboration between Russia and the United States is launching joint investigations into major cyber incidents. The Atlantic Council models this CBM after the Joint Investigation Group that examined the attack against South Korea’s ship, the Cheonan.[37] This Joint Investigation Group was essentially a multinational committee with experts in different fields who came together to determine the cause of the sinking of the Cheonan, and it was through this group that it was determined that North Korea was behind the incident. In the event of a major cyber incident, it is imperative to determine who was responsible for the incident as quickly as possible in order to maintain stability and avoid further escalation. According to Healey et al, “This CBM would establish a mechanism to form an ad hoc group of technical experts following a major incident to conduct an international investigation into all evidence and determine which nations or nonstate actors were responsible. Such evidence would include all technical data as well as other pertinent information that could aid the investigation.”[38]  This CBM would establish of an inter-agency working group on a state-to-state level that would consist of individuals with a wide range of expertise and diverse technical and political background in order to ensure that each incident can be addressed effectively. In the event that both parties are in favor of forming such a group, it could be implemented inexpensively and in a relatively short period of time.[39]

Another potential area of cooperation between the United States and Russia would be adopting shared Public Key Infrastructure (PKI) standards. As Van Epps defines it, “PKI is a technical concept that uses a “digital electronic signature” to verify the integrity of data and the identity of the sender during an exchange of electronic information.”[40] PKI is a vital strategy in combating cyber crime such as identity them, because it lifts the veil of anonymity (i.e. the “attribution problem”) in the digital sphere.[41] Apart from spare private sector cooperation in the finance and electronic logistic service sector, there has been very little cooperation in the field of PKI between the United States and Russia. Russia has pushed for closer cooperation in the field for several years now; however, the United States has often hesitated due to fears that progress in PKI might be used by Russian authorities to clamp down on dissidents of the regime. [42] The Federal Security Service (FSB) of the Russian Federation and the U.S. Federal Bureau of Investigation (FBI) could start off discussions towards cooperation by holding initial discussions on PKI, focusing on ways to achieve a level of interoperability between the Russian block cipher and the United States’ DES (Data Encryption Standards) system, in order to identify weaknesses that cyber criminals could exploit. [43] These discussions would also include identifying the desired exchange of information, as well as a joint risk assessment of particular sectors in order to determine in which sectors closer cooperation is the most mutually beneficial. [44]

Stability CBMs

There are several stability-centered CBMs that Russia and the United States could develop together. One of the most important potential stability CBM would be the creation of a new cyber treaty between the United States and Russia – one that focuses on cyber arms control. In contemplating a cyber treaty such as the one proposed above with a rival country like Russia, traditional arms control negotiations provide an excellent example to go off of.[45] Preventative arms control agreements, such as the Outer Space Treaty (OST), Biological Weapons Convention (BWC), and the Chemical Weapons Convention (CWC), have banned whole classes of threats and weapons. The CWC has often been cited as a potential model for cyber arms control.[46] These agreements gave the international arena elaborate verification and confidence building measures, which greatly enhanced security, because they established protocols and venues for dialogues among leaders and experts whenever things went awry.[47] While these are all multilateral agreements, a bilateral agreement could be set in place between Russia and the United States in order to contain the development and spread of cyber weapons. According to Robert G. Papp, a former naval officer and former director of the Center for Cyber Intelligence at the Central Intelligence Agency, even a cyber treaty of a limited duration between the United States and Russia would represent a significant step forward.[48] Although current domestic tensions in the United States, as well as the recent demise of the INF treaty, do not necessarily offer the best environment for negotiations, laying the initial groundwork now is critical to move forward.

Another example of a stability-based CBM is one that limits the indiscriminate and mass compromise of a supply chain. States will not be willing to ascribe to a CBM that limits cyber espionage, as most states largely agree that espionage is acceptable under international law.[49] However, Borghard and Lonergan write that the mass targeting of a supply chain can be destabilizing, especially in the event that there are concerns that intrusions into a supply chain represent preparations for a cyber attack rather than just espionage.[50] Beyond just national security concerns, there are broader implications for international trade if states perceive the need to resists market forces and only purchase software and hardware domestically or from a trusted ally.[51] While capable cyber powers will inevitably continue to try to disrupt the supply chain to gain access to adversaries, limiting mass (as opposed to tailored) operations through a specific CBM could enhance stability between cyber rivals such as the United States and Russia.[52]

A third example of a stability-based CBM would be to declare neutrality status for critical infrastructure and entities. Critical infrastructure is the lifeline of states, which is why they are often considered to be prime targets, as well as objects of intense tensions following a cyber attack.[53] International humanitarian law today protects a wide range of persons and objects during armed conflicts, including civilians not directly participating in hostilities, medical and religious personnel, and civilian objectives.[54] Under said laws, these persons and structures cannot be the object of an attack. Neutrality, in the context of international law, is defined as “the formal position taken by a state that is not participating in an armed conflict or that does not want to become involved.” [55] This status gives the state specific rights and duties, including the right to stand away from the conflict, as well as the duty of impartiality. Drawing upon these two concepts, this CBM would give protected status to critical cyber entities, including personnel and organizations, in the event of an armed cyber conflict.[56] Discussions could be held between the United States and Russia to determine protected status for critical entities, including assets, personnel, and security structures, would address the challenges that come from the use of cyberspace, dual use infrastructure, interconnectivity, and interdependencies of the Internet.[57] On a state-to-state level, an inter-agency working group could be established in order for both states to come to a common understanding on what would be defined as critical cyber infrastructure. It would also be useful to feed this discussion through the United Nations or the OSCE, which has experience in formulating CBMs and reaching agreements between states for measures like this.[58]

Potential obstacles to implementing CBMs between the United States and Russia

Due to the characteristics of the Internet, several obstacles and challenges are in the way regarding the full effectiveness of CBMs. Firstly, there is a significant amount of anonymity in cyberspace, which could inhibit the effectiveness of the United States and Russia establishing an effective political commitment. According to Ziolkowski,

The possibility of conducting covert governmental cyber operations seems as potentially minimising the political risk of States to an extreme, and therefore increasing the risk of misperception and improper response to malicious cyber activities. Indeed, despite all political endeavours, and  against the background of technological possibilities to act anonymously in the Internet, States can retain a high degree of deniability with regard to their cyber activities.[59]

Furthermore, because states often carry out their activities and intentions in the cyberspace with high levels of secrecy, this could lead to transparency measures being less effective overall.[60] With that being said, however, governments do recognize that the secretive nature of cyber operations and the difficulties of signaling in cyberspace can be destabilizing over time, increasing tensions as well as the risk of inadvertent conflict.[61] Therefore, even though it is impossible to completely eliminate the incentives to conduct covert cyber operations, CBMs that facilitate dialogues between states – especially cyber rivals such as the United States and Russia – can mitigate the potentially destabilizing effects of a critical attack on the cyber domain.[62]

Another critical issue that is specific to negotiating CBMs with Russia is the sheer question of whether Russia is a potential partner to be trusted. At the 2017 G20 in Germany, President Vladimir Putin proposed the creation of a U.S.-Russia cyber working group. A few months later, it was reported that Russia’s deputy foreign minister had proposed an agreement where both countries would agree to not interfere in each other’s domestic politics.[63] U.S. officials rejected the offer, most likely because they are understandably skeptical about the sincerity of Moscow’s offer, especially as they continue malicious cyber operations against the United States.[64] Between 2016 and 2018, Russia compromised the Democratic Party, launched a chaotic ransomware attack, tried to infiltrate the U.S. electrical grid using similar cyber tools that they used to cause blackouts in Ukraine in 2015 and 2016, sustained an active propaganda and fake news campaign on social media, and compromised voter databases in at least two U.S. states.[65] Even though levels of trust between these two rivals are relatively low at the moment, both the United States and Russia recognize that despite their differences, they do have to come together to talk to each other in order to avoid uncontrolled escalation in cyberspace. Coming to the table now to establish confidence-building measures, even though tensions are high, is crucial in order to prevent a potentially catastrophic crisis in the future.[66] Establishing these CBMs is an ambitious – but not entirely unthinkable – goal.

Conclusion

Given the current state of affairs between Russia and the United States, it remains to be seen whether genuine and effective cooperation is even possible right now. For some leaders in both Russia and the United States, the relationship between the two rivals is particularly confrontational, given Russia’s offensive threat and the United States’ defensive countermeasures.[67] However, leaders in both countries also recognize that the cyber dimension is a particularly complex arena – one that is constantly developing and changing. These persistent changes bring about new opportunities for mistakes, misperceptions, and miscalculations. Establishing effective confidence-building measures can play an important role in cyber risk reduction between Russia and the United States.

 

 

Works Cited

 

Borghard, Erica D., and Shawn W. Lonergan. “Confidence Building Measures for the Cyber Domain.” Strategic Studies Quarterly 12, no. 3 (Fall 2018): 10-49.

 

Gady, Franz-Stefan, and Greg Austin. “Russia, The United States, And Cyber Diplomacy: Opening the Doors.” East West Institute, 2010, 1-19.

 

Grisgby, Alex. “Russia Wants a Deal with the United States on Cyber Issues. Why Does Washington Keep Saying No?” Council on Foreign Relations, August 27, 2018.

 

Healey, Jason, John C. Mallery, Klara Tothova Jordan, and Nathaniel V. Youd. “CONFIDENCE-BUILDING MEASURES IN CYBERSPACE: A MULTISTAKEHOLDER APPROACH FOR STABILITY AND SECURITY.” Atlantic Council: Brent Scowcroft Center on International Security, November 2014, 1-19.

 

McConnell, Bruce W., Pavel Sharikov, and Maria Smekalova. “Policy Brief: Suggestions on Russia-U.S. Cooperation in Cybersecurity.” East West Institute, no. 11 (May 2017): 2-12.

 

NATO Cooperative Cyber Defence Centre of Excellence. Confidence Building Measures for Cyberspace – Legal Implications. By Dr. Katharina Ziolkowski. 2013. 5-93.

 

Nicholas, Paul. “What Are Confidence Building Measures (CBMs) and How Can They Improve Cybersecurity?” Microsoft (blog), June 29, 2017.

 

Organization for Security and Co-Operation in Europe. Transnational Threats Department. The Role of OSCE Confidence -Building Measures in Addressing Cyber/ICT Security Challenges to Critical Infrastructure. 2018. 1-19.

 

Papp, Robert G. “Kennan Cable No. 41: A Cyber Treaty With Russia.” Wilson Center, March 29, 2019.

 

Sharikov, Pasha. “Policy Brief: Cybersecurity in Russian-U.S. Relations.” Center for International and Security Studies at Maryland, April 2013, 1-6.

 

Stauffacher, Daniel, and Camino Kavanagh. “Cyber Policy Process Brief: Confidence Building Measures and International Cyber Security.” ICT4Peace Foundation, 2013, 3-21.

 

The White House. Office of the Press Secretary. “FACT SHEET: U.S.-Russian Cooperation on Information and Communications Technology Security.” Press release, June 17, 2013.

 

The White House. Office of the Press Secretary. “Joint Statement on the Inaugural Meeting of the U.S.-Russia Bilateral Presidential Commission Working Group on Threats to and in the Use of Information and Communication Technologies (ICTs) in the Context of International Security.” Press release, November 22, 2013.

 

The Cyber Index: International Security Trends and Realities. New York, NY: United Nations Institute for Disarmament Research, 2013.

 

Van Epps, Geoff. “Common Ground: U.S. and NATO Engagement with Russia in the Cyber Domain.” Partnership for Peace Consortium of Defense Academies and Security Studies Institutes 12, no. 4 (Fall 2013): 15-50.

[1] McConnell, Bruce W., Pavel Sharikov, and Maria Smekalova. “Policy Brief: Suggestions on Russia-U.S. Cooperation in Cybersecurity.” East West Institute, no. 11 (May 2017): 2-12.

[2] Sharikov, Pasha. “Policy Brief: Cybersecurity in Russian-U.S. Relations.” Center for International and Security Studies at Maryland, April 2013, 1-6., 2.

[3]  NATO Cooperative Cyber Defence Centre of Excellence. Confidence Building Measures for Cyberspace – Legal Implications. By Dr. Katharina Ziolkowski. 2013. 5-93., 12.

[4] Ibid, 12.

[5] Healey, Jason, John C. Mallery, Klara Tothova Jordan, and Nathaniel V. Youd. “CONFIDENCE-BUILDING MEASURES IN CYBERSPACE: A MULTISTAKEHOLDER APPROACH FOR STABILITY AND SECURITY.” Atlantic Council: Brent Scowcroft Center on International Security, November 2014, 1-19., 5

[6] Stauffacher, Daniel, and Camino Kavanagh. “Cyber Policy Process Brief: Confidence Building Measures and International Cyber Security.” ICT4Peace Foundation, 2013, 3-21., 3.

[7] Healey et. al., 1.

[8] Nicholas, Paul. “What Are Confidence Building Measures (CBMs) and How Can They Improve Cybersecurity?” Microsoft (blog), June 29, 2017.

[9] Ibid, n.p.

[10] Ibid, n.p.

[11] Ibid, n.p.

[12] The White House. Office of the Press Secretary. “FACT SHEET: U.S.-Russian Cooperation on Information and Communications Technology Security.” Press release, June 17, 2013.

[13] The White House. Office of the Press Secretary. “Joint Statement on the Inaugural Meeting of the U.S.-Russia Bilateral Presidential Commission Working Group on Threats to and in the Use of Information and Communication Technologies (ICTs) in the Context of International Security.” Press release, November 22, 2013.

[14] Ibid, n.p.

[15] Ibid, n.p.

[16] Ibid, n.p.

[17] Ibid, n.p.

[18] Borghard, Erica D., and Shawn W. Lonergan. “Confidence Building Measures for the Cyber Domain.” Strategic Studies Quarterly 12, no. 3 (Fall 2018): 10-49., 31.

[19] Stauffacher et al, 7.

[20] Ibid, 7-8

[21] Ibid, 8

[22] Healey et al, 7.

[23] Ibid, Executive Summary.

[24] Ibid, 7.

[25] Ibid, 7

[26] Ibid, 9

[27] Ibid, 9.

[28] Gady, Franz-Stefan, and Greg Austin. “Russia, The United States, And Cyber Diplomacy: Opening the Doors.” East West Institute, 2010, 1-19., 17.

[29] Ibid, 17

[30] Ibid, 17

[31] Ibid, 17

[32] Ibid, Executive Summary.

[33] Van Epps, Geoff. “Common Ground: U.S. and NATO Engagement with Russia in the Cyber Domain.” Partnership for Peace Consortium of Defense Academies and Security Studies Institutes 12, no. 4 (Fall 2013): 15-50., 37.

[34] McConnell et al, 7.

[35] Van Epps, 47.

[36] Ibid, 47-8.

[37] Healey et al., 4.

[38] Ibid, 4.

[39] Ibid, 4

[40] Van Epps, 48.

[41] McConnell et al, 10.

[42] Ibid, 10.

[43] Ibid, 11

[44] Ibid, 12.

[45] Papp, Robert G. “Kennan Cable No. 41: A Cyber Treaty With Russia.” Wilson Center, March 29, 2019., n.p.

[46] The Cyber Index: International Security Trends and Realities. New York, NY: United Nations Institute for Disarmament Research, 2013., 135.

[47] Papp, n.p.

[48] Ibid, n.p.

[49] Borghard and Lonergan, 33

[50] Ibid, 33.

[51] Ibid, 33

[52] Ibid, 33-34

[53] Organization for Security and Co-Operation in Europe. Transnational Threats Department. The Role of OSCE Confidence -Building Measures in Addressing Cyber/ICT Security Challenges to Critical Infrastructure. 2018. 1-19., 3.

[54] Healey et al, 14.

[55] Ibid, 15.

[56] Ibid, 15

[57] Ibid, 13

[58] Healey et al., 15.

[59] Ziolkowski, 30.

[60] Ibid, 30

[61] Borghard and Lonergan, 16

[62] Ibid, 16

[63] Grisgby, Alex. “Russia Wants a Deal with the United States on Cyber Issues. Why Does Washington Keep Saying No?” Council on Foreign Relations, August 27, 2018., n.p.

[64] Ibid, n.p.

[65] Ibid, n.p.

[66] Papp, n.p.

[67] Gady and Austin, 19.