Moscow’s invasion of Ukraine has raised the risk of a global cyber war — and turned Russia into even more of a pariah at summits to secure the world’s digital infrastructure.
Russia’s destabilizing cyberattacks are the elephant in the room as the Kremlin’s diplomats attend international meetings about keeping hackers out of critical computer systems like those powering hospitals and power plants. With Moscow constantly looking for ways to sabotage Ukraine’s power grid and threatening more far-reaching actions, other nations’ cyber diplomats aren’t going out of their way to welcome their Russian colleagues warmly.
“People put an empty chair on either side of the Russians and don’t sit next to them,” Nathaniel Fick, the U.S. ambassador at large for cyberspace and digital policy, said in an interview in his State Department office.
And the Russian diplomats appear to be reading the room: “At coffee breaks, they take their coffee sitting in front of their microphones when everybody else is milling around at tables. They grab their lunch and sit alone,” Fick said. “The isolation is palpable.”
The frosty situation gives the world even less visibility into Russian cyber operations at a time when it is launching repeated digital strikes in Ukraine — and leaves Moscow less beholden than ever to international pressure to crack down on gangs of cybercriminals based in Russia.
Fick, who is two months into his job as the first Senate-confirmed top U.S. cyber diplomat, spoke to POLITICO about the tenor of international negotiations on cybersecurity, his thoughts on when NATO might invoke the all-members-to-the-defense-of-one Article 5 over a cyberattack, and how the war in Ukraine has strengthened international cyber efforts.
Tensions between Russia and the rest of the international community were on display during a recent meeting of cybersecurity diplomats in Vienna at the Organization for Security and Cooperation in Europe. The Russian delegation was barely tolerated, Fick said. And it went beyond just not welcoming them to the lunch table.
When Russian officials at the conference questioned the finding by the U.S. and allied nations that Iran was behind a massive campaign of cyberattacks on Albania, Fick and his colleagues quickly shot them down.
“That was something that we pushed back on and said, ‘You can’t challenge the attribution [to Iran]. This is a technical body, and that attribution was an empirical technical attribution,’” Fick recalled. Iran is not an OSCE member, so its diplomats were not present at the conference.
Russian relations with the global community on cyber issues were always tenuous, given the numerous criminal hacking groups that operate with impunity there. But the Biden administration has engaged with Russia in recent years in an attempt to persuade Moscow to go after those groups and was making some limited progress prior to the invasion of Ukraine. Now, Fick said, Moscow’s position in diplomatic settings has plummeted to new lows.
Fick described the state of cyber relations between the U.S. and Russia as making “statements in each other’s presence.”
He stressed, however, that despite Russia’s isolation, diplomacy is an essential tool that should never be taken off the table.
“It’s good that they’re in the room, because the alternative is worse,” Fick said.
The flurry of cyber diplomacy comes after nearly a year of warfare in Ukraine, where Moscow’s brutal invasion has provoked a global outcry. The war has included cyberattacks against Ukrainian government websites, energy infrastructure and satellites. And such cyberattacks could get worse as winter sets in.
For now, though, Fick isn’t planning to hold one-on-one talks with his Russian counterpart to calm tensions in cyberspace. “Whether we are involved in direct discussions is … not my decision,” he said, given the broader political realities.
On the flip side, the Ukraine war has improved cyber coordination between the U.S. and its NATO allies, Fick said. At a recent NATO cybersecurity conference in Rome, the alliance’s members made progress toward commitments to help each other defend against cyberattacks. Those pledges, which will be announced soon, could include assistance with investigation of hacks and technologies to remotely disable drones being used in combat.
“They’re specific, they’re concrete, they’re actually deployable today,” Fick said of the pledges. “It’s not just, ‘Oh, we’re gonna stand with you.’”
It helps that Ukraine, while not a NATO member, was admitted this year as a contributing participant to NATO’s Cooperative Cyber Defense Centre of Excellence, a consortium that researches and tests better ways to combat hacks and exchange threat intelligence within NATO and beyond. Next week, the group is set to hold its annual exercise simulating a massive cyberattack. The exercise will involve more than 1,000 people from 30 different countries, adding to NATO’s cyber preparedness.
This type of cooperation is key in part because of the danger that Russia could intensify its cyberattacks against both Ukraine and its allies — forcing NATO to consider invoking Article 5 and triggering a war over an attack in the digital space. This year, Albania considered calling for NATO to invoke Article 5 over Iranian cyberattacks on Albanian government websites and other networks critical to providing civilian services.
But Albania’s Article 5 deliberations exposed a serious problem facing NATO: The allies haven’t decided how serious a cyberattack needs to be to trigger the activation of a collective defense operation.
Asked where he’d draw the line, Fick cited an old adage: “You know it when you see it.”
A cyberattack on a hospital that leads to the death of “all the babies in the NICU” would clearly qualify, Fick said, given the combination of loss of life and serious damage to critical infrastructure. “There are things that are broadly recognized within the framework of just-war theory,” Fick said, referring to a doctrine of moral justifications for the use of force.
“I suspect we would have broad agreement that they are triggering events,” he said.
But low-level mischief, such as website defacements by patriotic hacktivists, clearly wouldn’t qualify. “NATO’s not going to war over the manipulation of websites,” Fick said.
But what about everything in between, including destructive “wiper” and file-encryption attacks like the ones that Iran launched against Albania? NATO still hasn’t decided, and neither has the Biden administration. “There’s a lot of room for human judgment,” Fick said. “The alliance is very serious about getting clarity on that, and defining it and spending time around the table discussing it.”
NATO’s decision will need to represent “a durable consensus” of its members — in other words, a threshold that everyone abides by even in the middle of a crisis.
“A durable consensus doesn’t happen fast, even across 30 like-minded allies,” Fick said. “There are national populations that get a vote and different political parties that come and go in different places.”
As Fick’s schedule makes clear, NATO isn’t alone in prioritizing securing critical systems against cyberattacks. Since taking office in late September following unanimous Senate confirmation, Fick has attended international tech and cyber summits across the U.S., Europe and Asia, and he plans to participate in the Internet Governance Forum in Ethiopia next week, followed by an Organisation for Economic Co-operation and Development digital economy conference in the Canary Islands shortly before Christmas.
The meetings, along with the conflict in Ukraine, have only reinforced Fick’s belief in diplomacy being a critical tool for strengthening global cybersecurity in the years to come.
“The fundamental reason I’m here, waking up early and wearing a suit and not seeing my kids, is because I have an in-my-guts conviction in the value of diplomacy,” said Fick, a former Marine Corps officer. “I believe that we have to use diplomatic means as the tool of first resort in the United States. We have to. And that’s true in technology, too.”