US-Russia Cyber Talks?

This has been rumoured for a while:

The United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace.

American and Russian officials have different interpretations of the talks so far, but the mere fact that the United States is participating represents a significant policy shift after years of rejecting Russia’s overtures. Officials familiar with the talks said the Obama administration realized that more nations were developing cyberweapons and that a new approach was needed to blunt an international arms race.

On Nov. 12, a delegation led by Gen. Vladislav P. Sherstyuk, a deputy secretary of the Russian Security Council and the former leader of the Russian equivalent of the National Security Agency, flew to Washington and met with representatives from the National Security Council, State Department, Department of Defense and the Department of Homeland Security. Officials familiar with these talks said the two sides made progress in bridging divisions that had long separated the countries.

Indeed, two weeks later in Geneva, the United States agreed to discuss cyberwarfare and cybersecurity with representatives of the United Nations committee on disarmament and international security. The United States had previously insisted on addressing those issues in the committee on economic issues.

Read the rest at the New York Times.

Past Russian overtures have often been interpreted as a tacit admission of US cyber superiority, and have been rejected on a number of grounds, not least of which has been a lack of trust in either Russian actions or intentions. The irony is that whilst cybersecurity collaboration in its broadest sense may well benefit both countries, the cyberwar element of these talks, i.e. cyber arms limitation, etc, is almost a non-starter, even if it might sound warm and fluffy. It’s nice to agree not to launch cyberattacks at one another but it won’t stop states (and, more to the point, non-state actors) from developing and testing capabilities. It’s already happening, and a nice treaty to prevent their development, transfer and use is unlikely to change that situation much. Prohibitions on first use are worthless unless backed up by international law and even then might have to be shored up by military action. And who would stand up to the US, China, Russia, should they decide to strike first anyway?

I’m not against the principles outlined, I just wonder at their efficacy. I’d rather spend time and money on improving information and network security than turning cyber into another Cold War showdown.

Update: Jeff makes the point that without improved law enforcement co-operation, the whole thing’s worthless anyway.