The US and Russian governments will reportedly set up a joint cyber security working group, according to Russian Minister of Foreign Affairs Sergey Lavrov.
The news comes after the highly-anticipated meeting Friday between US President Donald Trump and Russian President Vladimir Putin at the G-20 summit in Hamburg, Germany. According to Secretary of State Rex Tillerson, who was in the meeting, Trump opened the tête-à-tête by “raising the concerns of the American people regarding Russian interference in the 2016 election.” Tillerson told reporters that Putin denied, once again, that the Russians were involved in the hacking, but that the relationship between the two countries is “too important” to end the dialogue, so the two leaders agreed that cyber issues should continue to be discussed.
“That is why we’ve agreed to continue engagement and discussion around how do we secure a commitment that the Russian government has no intention of and will not interfere in our affairs in the future, nor the affairs of others, and how do we create a framework in which we have some capability to judge what is happening in the cyber world and who to hold accountable,” Tillerson said.
Lavrov told Russian state media that the leaders agreed to form the working group, though it is unclear what it would look like, how it would work, or its scope—thorny issues considering the role of the Russian government in the 2016 presidential election and the fact that it has become increasingly aggressive with offensive cyber operations in places like Ukraine.
White House Spokeswoman Sarah Huckabee Sanders did not respond to an email asking for more detail.
Several sources told Mother Jones on Friday that even if details of a joint working group are unclear, the concept is sound.
“It’s usually always better to be talking than not talking,” says Michael Sulmeyer, project director of the Belfer Center Cyber Security Project at the Harvard Kennedy School and a former cyber policy official in the Defense Department. “No matter how far apart we are, I’d rather have a way of talking with them and hearing about it and having some insight than having none at all. It may be two-faced, it may be duplicitous, who knows. But I’d rather have something in terms of a line of communication than nothing.”
Another former government official echoed that line of thinking on the proposed working group.
“My general reaction is that we should always be looking for better cooperation on security issues wherever we can have it,” says a former senior federal official who still works on cyber issues. “That said, trying to establish cooperation with a country that just oversaw a cyber attack on our electoral process is a little bit like allowing the fox to guard the henhouse.”
That point was common on Twitter after the news broke, including from Rep. Eric Walwell (D-CA), a member of the House Intelligence Committee, which is investigating Russian meddling and possible connections with the Trump campaign.
This is like giving the alarm code to the guys who just burglarized your home. Just make it easier for them next time. https://t.co/NsdZbV2KsI
— Rep. Eric Swalwell (@RepSwalwell) July 7, 2017
Dave Aitel, a former NSA research scientist who now runs his own information security firm, is dubious about the group’s chance for success. He tells Mother Jones that “it’s a good idea, but we’re super far apart on nearly every issue.” Aitel also notes that such divisions are not limited across borders; even within the US government there are major divisions when it comes to cyber-related policies and norms.
“Every single part of our cyber norms process is basically dead on arrival because we have no internal consensus, even within an agency,” Aitel says.
Sulmeyer notes this lack of coherent cyber norms is a real problem that plays out on the world stage. On June 23, for instance, a United Nations working group on cyber norms fell apart without agreement. But overcoming differences in cyber-related goals and norms shouldn’t actually be the goal, he says, of the proposed Russia-US working group.
“This is about modulating expectations,” he says. “This working group is not going to solve cyber security. That is not the right way to look at this.”
Sulmeyer says he’s “deeply skeptical” that the two nations will come to a place where they succeed in agreeing on a set of established cyber norms, but “there’s little to lose by” having the conversation.
“If you’re someone who says that what the Russians did during the run up to our election is such a flagrant foul that we can’t even talk to them and we shouldn’t deal with them at all, then this is not good,” he says. “If you’re someone who says yes, what they did is horrible and unacceptable and we should use this as an opportunity to continue to gain a better understanding of their thoughts on this—not to in any way capitulate or legitimize what they did—then maybe it’s not so bad. Then maybe it’s more of an open question.”