Russian Newspaper Kommersant Interviews Special Representative Krutskikh on UN GGE Cyber Arrangements

What follows is a rough translation of an interview Russian daily Kommersant conducted with Andrei Krutskikh, special representative of the Russian President for international cooperation in the field of information security and envoy of the Russian Foreign Ministry. He speaks about recent successes in the UN Group of Government Experts (GGE) regarding agreement on "the conditions of confrontation and sanctions" and potential areas for cooperation in cyberspace between the U.S. and Russia. The interview provides a rare window into the Russian perspective on principles for conduct in cyberspace:  

The UN Group of Governmental Experts for the first time been able to agree on the need for rules of conduct of states in the information space. The report, compiled by experts from 20 countries, including Russia, there is a first set of such rules: Do not blame each other indiscriminately in cyberattacks, not to attack critical infrastructure of other countries, not to insert malicious bookmark in IT-products. A member of the special representative of Russian President for international cooperation in the field of information security, special envoy of the Russian Foreign Ministry Andrei Krutskikh told the "Kommersant" HELEN CHERNENKO as Russia and the United States manage to find common ground in the context of political confrontation. 

- What is the significance of the last report of the UN Group of Governmental Experts?

- This is the third report of the Group of Governmental Experts (GGE), and, although the first two documents were extremely important that its significance simply revolutionary. For the first time it failed to agree on a position 20 states (among them apart from Russia were the US, China and developing countries) on a very sensitive and important issue of the applicability of international law in the field of information. Russia and China, along with other SCO countries have long pointed to the need for the rules of responsible behavior of states in the information space, but previously the Western partners are not very eager to talk about it. In the report it is discussed for the first time in such a systematic and non-confrontational manner.

Leading kiberderzhavy world first agreed to limit its actions in the information space. This follows from the report of the UN Group of Governmental Experts on international information security at the disposal of "b". In accordance with the agreements kibertehnologii States undertake to use exclusively for peaceful purposes: among other things, they will not attack the critical infrastructure of each other (nuclear power plants, banks) and to insert "bookmarks" in IT-production, but will fight attempts by hackers to carry out sabotage their territory. However, as long as these rules are only voluntary. In the future, Russia hopes to make them mandatory.

- Why do we need such rules?

- It's like in the case of road traffic: the monstrous disaster happen, but without the basic rules of conduct of the order on the road would not be at all. In 2011, Russia together with a number of other SCO member states put forward a first draft of "Rules of conduct in the field of international information security." In the West, he was criticized.

In January this year, the SCO countries have revised version of the rules as an official UN document. The new version of the emphasis was on human rights, freedom of access, the principle of capacity building in developing countries. At the same time, we immediately said that this document - not the ultimate truth, and the basis for further negotiations. Nevertheless, the West again with more suspicious of our initiative, seeing in it a veiled attempt to impose censorship on the Internet and increase state control of the Internet. Although nothing like this in this document do not.

- Allow you to argue. I think that some of the provisions of the draft regulations of the SCO can be precisely and interpreted.

- It's like reading it. The method of reading between the lines is often used in diplomacy - it allows you to pluck some of the veil. On the other hand, it often leads to that people domyslivat what is not. Eliminate doubt be in the process of discussion to which we invited our colleagues and by presenting the draft regulations on behalf of the SCO member states.

During the last meeting of the GGE, the discussion finally took place: steel nominated mutually acceptable wording of the rules, and the goal was set to continue this work in the next year in order to present its results at the 72nd session of the UN General Assembly in 2017.

- So it will be rules, principles or standards?

- The Russian side has gone on non-standard diplomatic move, offering - for the sake of compromise - to write a report in all three terms. What is the difference which term to use? About the wine is judged by the drink, not a bottle, which he poured. In this case the main thing - the content of the document. Western partners are very wary of any new regulatory measures, they fear that it will be fetters on the freedom of activity in the information space. On their insistence, the report says that the proposed rules of responsible conduct are voluntary and are not legally binding.

- This does not diminish the significance of the document?

- This is nothing terrible. We see this report as the beginning of a process. When the international community matures, the rules can be made legally binding. Until then, they will have the status of a moral obligation.

- US diplomats say that the report - the victory of US diplomacy.

- All 20 representatives of member countries of the GGE contributed to the achievement of results. It was a team effort. As for the particularly Americans, they really were largely the driving force in the preparation of the relevant sections of this report, although we are part of the discussion process is often the first to put forward the idea of particular policy. But the document was formed largely due to structural flexibility shown by the US expert, and I'm not going to deny that.

- Given the current confrontation between Russia and the United States, it does not work there so that if the Americans win something, then we lost?

- We do not see this process as a zero sum game. If someone gets something, it does not mean that the other must lose. We worked as partners. Everyone understands that in the field of information and communication technologies (ICT) and the common threat, they cross-border. These threats can only be tackled together.

Americans have made proposals on the structure of the document, expressed specific ideas on the content sections. Russia together with other countries of the SCO and BRICS need to promote the idea of ommunity awareness of threats in the information space and the priority of the topic in terms of national and global security. With these building blocks, many of which are laid in the course of previous meetings of the GGE, the group's work does not become a tug of war, and was based on a joint focus on results. All countries have the opportunity to bring to the discussion of his vision of a set of rules. And every proposal was discussed in a constructive manner.

But I will not hide, the search for compromise was not easy. US group represents an experienced diplomat Michel Markoff - a difficult and steep negotiator, perfectly owns theme.  Naturally, I and other colleagues did not hesitate to defend the rights of taking care of the most complete reflection of their national positions, it is normal. The main thing is that we were all set up to draw up the report, under which could be signed by representatives of 20 countries. And it happened.

- It is surprising, because the US and Russia in recent years little as possible to agree ...

- The fact that we were able to agree on the conditions of confrontation and sanctions, makes the report even more important. It is a strong political signal that the relationship (between Russia and USA) is not hopeless, that we can agree and take joint and collective diplomatic efforts.

- In your opinion, what is most important from the fact of what has been agreed?

- In my view, the key is the fact that the report reflects the position of Russia and its partners in the SCO and BRICS, the main thing - not to legalize and regulate conflicts in the information space, and to prevent the use of ICT in military-political purposes. This is the first fundamentally important point.

Secondly, the report states that can not be indiscriminately accuse each other of cyber attacks, as it often happens today. According to the group, unilateral declarations that a State may be involved in illegal activities in the information field, enough to ascribe this malicious activity that state. The charges of organizing and carrying out cyber attacks must be proven. This eliminates the possibility of indiscriminate attraction to the responsibility for the attack, allegedly committed in the information space, as in the case of the introduction of US sanctions against North Korea in response to the hacking servers film company Sony Pictures (starring comedy about the attempt on Kim Jong Un) .

Third, the report repeatedly stresses that ICT should be used exclusively for peaceful purposes. This means that actions such as disabling using the computer worm Stuxnet Iran's nuclear facilities industry, becoming an outlaw. At least is the moral law. (According to the book "Confront and conceal: Obama's secret war and unexpected use of American power," columnist The New York Times, Pulitzer Prize winner David Sanger, Stuxnet was created by the United States and Israel).

Fourthly, the report for the first time declared illegal and harmful activity on the implementation of bookmarks in the IT-products. This item was included in the document on Russia's initiative.

Finally, the Group reaffirmed the sovereign right of States to dispose of information and communication infrastructure in their territory and to determine their policy on international information security. In addition, the document includes key recommendations to increase international cooperation in the field of international information security, noted the importance of confidence-building measures to overcome the "digital divide". Includes the study of ways to increase the volume of technical assistance, capacity to respond to incidents involving the use of ICT, the acceleration of the transfer of appropriate knowledge and technology - especially for developing countries.

- And what about the principle of non-interference in the internal affairs of States, so important for Russia?

- It is also in the report. It lists all the basic principles of the UN Charter, and expressly states that all of them, including the principles of respect for sovereignty and non-interference, are fully applicable to the field of information.

- What will happen now with this report?

- Report of the UN Secretary-General transmitted for presentation at the 70 th session of the UN General Assembly.  But, as recorded in the report of standards developed by consensus within the UN mechanism, we can assume that they already have the character of existing UN recommendations.

However, to put an end to this issue is premature. In truth, we are at the beginning of the discussion about the norms and rules of behavior in the information space. This year, the group considered the topic as a first approximation - along with other important aspects of international information security. But the development of codes of conduct - it is not some abstract "high politics", it is an urgent need for all states concerned to protect itself and its citizens against cyber attacks, cyber espionage and other cyber threats. This question deserves to be considered separately and more closely. The report is the possibility of convening a new expert group, and if this idea will approve the General Assembly of the fall, the next meeting of this group will take place in 2016. The issue of standards would be her major. We hope that these negotiations will be developed more detailed document, which will then be submitted to the UN General Assembly in a resolution.

- But the UN General Assembly resolutions are not binding, too. Will Russia at some point to insist on UN Security Council resolutions on relevant standards?

- Do not be afraid to reveal the strategic plan of Russia in this regard. All three of the report of the GGE, as well as bilateral Russian-Chinese and Russian-American agreements in the field of information security, as well as other bilateral and regional agreements, including within the OSCE and ASEAN, Russia sees as a "small steps to the big goal."

- What?

- Ideally, Russia would have preferred a legally binding international convention under the auspices of the United Nations on providing global information security. But we understand that this document some of our western partners have not yet matured. Nevertheless, on the basic rules of conduct to be agreed today.

- Yet it is not clear - why? It somehow works ...

- The key word in your question - "somehow". And it works just as bad. Let me remind statistics given by President Vladimir Putin at a meeting of the FSB board in March this year: in 2014 the official sites and information systems of the Russian government was committed 74 million cyber attacks. And it's not a world record. During our talks in Beijing and at the White House on both sides cited evidence that the US and China takes almost a million cyber attacks on each other in a week. What is this if not check kiberuyazvimost? If such be found the way, the consequences could be unpredictable.

If you believe the UK government estimates, today only due to hacker attacks from the global economy each year is taken from $ 500 billion to $ 1 trillion. This information resources critical infrastructure (financial industry, medical sector, facilities energy and transport sectors, and so on. N.) Remain very vulnerable. If we agree on certain rules that can and cannot, it increases the safety and the citizens and businesses, and the state.

- But hackers do not care about the rules established by the states ...

- Hackers do not live in an isolated world. They live in the states. A report of the GGE contains an important provision that States are responsible for everything that happens in their information environment and is based on their territory. Therefore, the state should not encourage activities of hacking groups, as was the case when the head of the National Security Agency (NSA), the United States actually called American hackers to kiberkaperstvu. GGE recommendations rests with the State responsible for ensuring that it is struggling with illegal use of ICTs within their national sovereignty - not encourage such actions and not to use them for their own purposes, and to make efforts to prevent them.

- So it turns out that in 2007 the Russian authorities would be if such rules already exist, are required to prevent an attack on kiber aktivistov Estonian Internet resources after the scandal with the "Bronze Soldier"?

- The question of the attack on Estonian websites very delicate: the fact that prove the involvement of official agencies to the Russian attack anybody and could not, and then it was found that most of the traffic was through servers outside the territorial borders of Russia - according to these same Estonian experts, 80% of the attacks were carried out with the United States.

- The attacks are often carried out with the activation servers that are located in third countries ...

- According to the new report of the GGE continue to use the information infrastructure of third countries (intermediaries) for computer sabotage reprehensible. This was also the Russian proposal.

- According to US media reports, Russia and several other members of the GGE blocked the idea of the United States to make a provision in the report that the 51th article of the UN Charter (which guarantees the state the right to self-defense in the event that it carried out an armed attack) applies to cyberspace. Is it so?

- The freezing of someone's initiatives were not discussed. Was he that built all the negotiators found a compromise in the report said that all the articles of the UN Charter are applicable to the information space, which implies and 51th article. In this regard, I cannot mention the great merit of the Estonian delegate Marina Kaljurand (July 15, she headed the Foreign Ministry Estonia). She did not reproach in special sympathies for Russia, but it was set in a very constructive and serious discussion. Through her wisdom it was invited important compromise, and at the critical moment of negotiations.

- A dispute over which was conducted?

- In Article 51 of the UN Charter refers to "armed attack". But in today's world there is no general representation of what is meant by "armed attack" in relation to the use of ICTs. And if we did not hesitate to write that the 51th article of the UN Charter is applicable to the field of ICT, it will give a strong opportunity for countries to use any hacker attack as a pretext for a retaliatory use of force, that is war.

After all, the United States back in 2010 the first officially recognized the potential of cyberspace in the same battlefield as land, sea and air. And in 2011 they were the first to develop a national strategy of action in cyberspace, reserves the right to respond to Washington's computer sabotage by all available means, including the use of nuclear weapons. And if now unequivocally "bless" referring to the 51th article of the UN Charter, it turns out that strong kiberderzhavy be able to accuse any other country in the implementation of a cyber attack, qualifying it - with no legal basis - as an "armed attack" in accordance with their national interpretations and cause "retaliatory" strike, and not necessarily only cyber means.

In view of emerging risks in this regard, we and several other countries were against the isolation of the 51st article. As a compromise, we agreed on a statement that all the provisions of the UN Charter are applicable to cyberspace. At the same time, the report emphasizes that the international community needs to agree on the key terms and concepts in the use of ICT. This includes such things as "armed attack".