You probably felt much safer after President Trump tweeted Sunday that he and Vladimir Putin had agreed to form an “impenetrable Cyber Security unit” to protect us from future computer intrusions. With Russia helping to oversee cybersecurity for our next election cycle, what could possibly go wrong?
Trump appears to have developed some misgivings about the supposed agreement (or at least the reaction to it), tweeting later Sunday that just because he and Putin “discussed a Cyber Security unit doesn’t mean I think it can happen. It can’t-but a ceasefire can,& did!”
Whenever people advertise their cybersecurity product/service/team/unit/company as “impenetrable,” it’s a good sign that you should run away as fast as possible when they offer you a contract. Arguably, whenever someone tries to tamper with your elections or target voting software vendors and local election officials, that’s also a good sign that you should run away as fast as possible when they propose a cybersecurity partnership. Actually, don’t run. Shut off your smartphone, set up two-factor authentication, and don’t click on any links in your email.
In fairness, it’s unclear who proposed the partnership or how seriously the proposal was intended given Trump’s later claim that it can’t happen. Perhaps it was one of those offhand pleasantries that neither party ever plans to follow through on—like when you run into an old, not-very-close acquaintance on the street and say, “We should get brunch some time and catch up!” even though both of you know you’ll never actually do it, just because it sounds friendlier than “Have a nice life.”
Truly, this would be the best possible tone in which to propose such an alliance. “We should form an impenetrable cybersecurity unit!” “Yes, totally! I’ll email you sometime!” I even understand why that would seem friendlier to all concerned than, well, pretty much any other conversation about cybersecurity that Trump and Putin could possibly have had.
If, however, the joint U.S.-Russia impenetrable unit was a real plan to enmesh Russia more deeply in U.S. cybersecurity efforts, then perhaps Trump changed his mind in light of the roughly 1,000 fox-guarding-the-henhouse Twitter jokes that followed its announcement. Sen. Marco Rubio tweeted Sunday, “Partnering with Putin on a ‘Cyber Security Unit’ is akin to partnering with Assad on a ‘Chemical Weapons Unit’.” Matthew Yglesias went with: “Al Capone & I discussed forming an impenetrable tax evasion unit.” Former Secretary of Defense Ash Carter compared it to “the guy who robbed your house proposing a working group on burglary.”
In case it hasn’t already been made clear to you, it is a stupefyingly bad idea to partner with Vladimir Putin on trying to defend against cyberthreats. If anything, opening our networks to Russian “assistance” and jointly planning our defensive strategies would only make U.S. cyberinfrastructure more vulnerable to attacks from Russia (not that it needs the help).
An international partnership on cybersecurity can mean many things—it can mean mutual assistance with enforcement and criminal investigations, or sharing threat information and intelligence, or jointly developing software that can be used to target adversaries’ computer systems, or even jointly developing tools and techniques that can be used to detect and mitigate threats. An “impenetrable” unit hints most closely at the last of these functions—a defensive joint effort in which the two countries share not just intelligence but also technical expertise and controls to protect their systems against intruders. But people who help design and implement your defenses then know an awful lot about the way your systems work and how, precisely, they are protected. Possibly, they’re even writing code and giving it to you to download on your computers to help make them more impenetrable. And if that code also created backdoors on every computer it was installed on so that Russia had easy access to control those systems, who would be surprised?
International cybersecurity partnerships are usually a good thing. The United States should (and does) work with international allies like Canada, the United Kingdom, France, Germany, South Korea, Australia, and Israel to help strengthen its computer security and enlist help. But to form any kind of meaningful international cybersecurity partnership, two countries have to be able to agree what they’re trying to protect against. If two countries have totally different visions of what a “secure Internet” looks like, then they’re not going to be able to work together to achieve it.
And Russia and the United States have never had compatible ideas about what cybersecurity means—even before the 2016 elections. For instance, the FBI’s most wanted cybercriminal is a man named Evgeniy Mikhailovich Bogachev who for years operated an enormous botnet that he used to steal more than $100 million. Bogachev lives in Anapa, Russia, owns property in Krasnodar, Russia, enjoys boating on the Black Sea—and has never been arrested by Russian authorities. Not only that, but the New York Times reported earlier this year that the Russian government actually relies on Bogachev to provide it with useful intelligence about the victims of his thefts and files from their infected computers. It’s hard to see how two countries could ever get on the same page when it comes to cracking down on cybercrime while one is offering a $3 million reward for any information leading to the arrest of a man who is currently acting as a sort of informal government contractor and consultant in the other.
Bogachev’s story offers a hint of what it might mean if the two countries did try to work together. To form a joint unit (much less an impenetrable one) that does anything beyond offer Russia an up-close look at our cyber defense operations, the two countries would have to reach some kind of consensus on what constitutes cybercrime and cybercriminals. Ideally, that might mean Russian authorities coming around to view someone like Bogachev, who distributes malware and uses it to steal money, as a cybercriminal—but there’s no reason to think they would suddenly have such a change of heart. Alternatively, it could mean the United States deciding to come around to Russia’s perspective and deciding to collect intelligence from cybercriminals rather than arrest them. Russia has used that strategy to great effect—it offers the ability to gather lots of stolen information while still distancing the government from its provenance and, of course, officially condemning cybercrime.
A cybersecurity partnership with Russia would inevitably make the United States weaker. It would make our computer systems weaker by providing information and access about our network infrastructure. It would make our definition of cybercrime weaker by forcing us to collude with a country that harbors some of the most reprehensible cybercriminals in the world. It would make our defensive posture weaker by signaling to other countries that they are free to do what they like to U.S. computers. After all, the only consequences they are likely to face are invitations to please come help us protect ourselves.
This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.