Strings Attached: Talking about Russia's agenda for laws in cyberspace

Russia's longstanding proposals for "information security" agreements may sound cooperative, but they conceal a Trojan horse - a push to legitimize censorship, silence dissent, and bind others to rules it won’t follow.

International dialogue on cybersecurity and "information security", especially with Russia (given that it seems like they might have an issue with cybercriminals acting out of their backyard, but I'm sure that it's a coincidence), might seem like a chance for cooperation, but history and current geopolitics suggest caution.

Over the past few decades, Moscow has repeatedly pushed for international agreements, ostensibly to curb cyber threats - yet these proposals often conceal aims that serve Russia's strategic interests at the expense of others. I know that this is going to come as a shock for those of you who have paid attention to Russian actions in the past years.

But it's exactly this historical precedent, Russia's long track record with such initiatives, and the fundamental East-West divide in defining "information security", that should make Western policymakers extremely skeptical of any overtures by Moscow with regard to regulating cyberspace.

In the following paragraphs I want to examine the issues with regulating cyberspace in cooperation with Russia, showing that agreements on Moscow's terms could legitimize authoritarian control over information and bind others without truly constraining Russia.

I'll explore how autocratic regimes have used disarmament talks for self-interest in the past (and yes, there will be the mandatory reference to Nazi Germany and the period of Appeasement), how Russia's cyber treaty proposals since the 1990s harbor hidden obstacles, why Russia's definition of "information security" is incompatible with the West's concept of cybersecurity, and how accepting Russia's framing could undermine free speech and empower hypocrisy.

I will also touch on the long-running debate over applying existing international law to cyberspace versus creating new rules - and how Russia exploits that ambiguity (or at least tries to use the threat of a "Wild West in cyberspace" to coerce others) - as well as the U.S. preference for flexible norms instead of binding treaties.

Finally, I will talk about Russia's success in partnering with China on information security, and why they were able to come to agreements when "the West" was unable to (in short it's because of the true intent behind these initiatives, controlling online discourse and quashing dissent).

As usual I have to preface the content of this post with a warning: I'm neither an expert on international law, or law in general, nor on policy making. I'm approaching this topic as an, at least somewhat, technical person. Which means that I encourage you to take everything I say with a grain of salt. I'm very much happy to receive feedback and criticism. Please feel free to reach out to me.

We've been here before - historical precedent

While the saying "History doesn't repeat, but it rhymes." has been overused, I have to admit that it's very fitting here. History shows that autocratic regimes often use arms control and disarmament proposals as tools of strategic manipulation rather than good-faith efforts at peace.

A stark example comes from the 1930s, which leads us to the mention of Nazi Germany I promised above. Nazi Germany participated in the Geneva disarmament conference only to issue self-serving demands.

Adolf Hitler's government insisted that other countries completely disarm to the level of Germany, which had had its armed forces severely cut down after the end of the First World War. Their argument was that the inequality in conventional armed forces between Germany and its European neighbors was an unbearable threat to their national sovereignty.

While other countries, specifically France, were generally willing to talk about disarmament, they argued that security must precede disarmament and called for security guarantees and the establishment of an international police force before they would reduce their own forces.

The conference ended in a deadlock, with Germany walking away from all proposals and further discussions while claiming the right to rearm - ultimately leaving the conference and the League of Nations altogether, ostensibly blaming the other countries and their refusal to meet German demands.

In reality, the disarmament overture had been a ploy to justify German rearmament, not a genuine commitment to collective security. But this wasn't the only case of abusing arms control for strategic purposes.

After the end of the Second World War, a similar dynamic played out with the Soviet Union's approach to nuclear arms control. In 1946, the United States proposed the Baruch Plan for international control of atomic weapons, which included inspections and phased disarmament.

The Soviets flatly rejected this plan. Instead, Moscow countered with its own proposal to ban nuclear weapons entirely. However, the Soviet proposal didn't include any verification measures, whereas the Baruch Plan would have included stringent ones. The United States, rightly, recognized this as a tactic to strip America of its atomic advantage while at the same time avoiding any real accountability for the Soviet Union to do the same.

These two episodes might not be enough to defend the argument I'm making against academic rigor, but they illustrate a pattern nonetheless: authoritarian powers may champion lofty-sounding disarmament or arms-control initiatives, but often embed conditions that tilt the playing field in their favor or lack the transparency needed for true cooperation.

Such historical precedents sound a cautionary note for any "disarmament" approach to cyberspace. Just as autocrats and dictatorial regimes have misused disarmament conferences to advance strategic aims in the past, we must ask whether modern authoritarian powers – specifically, for this post, Russia – are trying to do the same under the banner of "information security" agreements.

It's been a long way, without with you my friend "friend"

The currently ongoing discussions between the United Nations Open-ended Working Group on Cyber and other actors, such as (once again) Russia, aren't the first attempts at finding common legal ground. Far from it.

Russia has been on a persistent campaign since the mid-1990s to establish international rules for cyberspace, with the Russian leadership regularly complaining about its Western counterparts' lack of willingness to compromise in order to find solutions.

Yet, as you might have guessed, there's a reason for that. A closer look at Russian proposals reveals that these initiatives have consistently included obvious aspects and hidden obstacles that would very much favor Moscow's interests.

As early as 1998, Russia introduced a draft resolution at the United Nations titled "Developments in the field of information and telecommunications in the context of international security". Russian officials argued it was needed to prevent misuse of information technology and develop international law regimes to ensure stability.

At first glance, this sounded cooperative. However, many other countries perceived the proposal as disingenuous from the start. A journalist, Tom Gjelten, observed at the time:

The idea of a cyber-arms accord has been interpreted in some countries as justifying expanded governmental control over the Internet.

To put it bluntly: the Russian initiative was seen as a potential Trojan horse for state censorship and control, rather than a straightforward cybersecurity measure. This rather negative reaction didn't deter Moscow even the tiniest bit.

Over the following decades, Moscow repeatedly floated international "information security" agreements, each packed with terms that were aligned with its own strategic goals. For example, Russia (often together with China, Iran or other countries that could rightfully be described as "not quite the democratic type") proposed an "International Code of Conduct for Information Security" at the United Nations twice, once in 2011 and once in 2015. Among other things this code called on states to curb the dissemination of information that could "undermine other countries' political, economic and social stability".

If you're thinking to yourself "Wait a minute .. that does sound like an attempt to give states the possibility to act against any opinion that's critical of the state?" then yes, you're absolutely right. By equating the spread of certain information with security threats, the proposal would legitimize crackdowns on free expression.

Notably, the code also urged states to cooperate against content inciting terrorism or extremism, but bundled legitimate concerns with sweeping categories like anything that could "incite secessionism" or "undermine stability". These broad terms align neatly with the Kremlin's interest in suppressing dissent and controlling narratives (for instance, labeling pro-democracy activism or inconvenient journalism as "extremism" or a threat to stability).

Western democracies, with their protections for free speech, clearly could not accept such provisions without violating their own principles, a fact Moscow surely recognized. The inclusion of these, for lack of a better word, "poison pills" all but guaranteed that Russian-backed proposals would stall or be watered down, but it also allowed Russia to posture as seeking peace while blaming the West for "failing" to reach agreements.

This pattern - lofty titles and appeals to cooperation, hiding clauses that advance Moscow's censorship or strategic freedom, and generally being an ass-hat on the international stage - has characterized Russia's approach to cyber agreements since the 90s. The continuity throughout the years suggests that Russia's true aim is not mutual cyber peace, but shaping international rules to legitimize its own tactics and constrain its adversaries.

This word does not mean what you think it means

Even if Russia were truly interested in achieving international peace and prosperity in "cyberspace", which they are not, there's a fundamental disconnect, a foundational difference in terminology.

When Western experts talk about "cybersecurity", they typically mean protecting computer systems, networks, and data from unauthorized access or attack. It’s a technical focus - keeping malicious code out, keeping services running, guarding confidentiality and integrity of information and so on and so forth. In contrast, Russia uses a far broader concept of "information security", one that goes well beyond technical issues into the realm of content and speech.

For Moscow, controlling the information space is as important as securing networks. An article by War on the Rocks sums it up better than I could:

“The United States and its allies stress cybersecurity with a focus on the confidentiality, integrity, and availability of data. In contrast, Russia, China, and their partners prefer the term ‘information security,’ which includes not only protecting data but also controlling content and communication tools that may threaten regime stability.”

In practice, this means the Kremlin sees a tweet or YouTube video that inspires anti-government protests as just as dangerous as a piece of malware, if perhaps not more so. Russian cyber doctrine treats "information-psychological" impacts (influence on public opinion, propaganda, unrest, ..) as part of the same continuum as hacks and viruses. Thus, Russia’s Information Security Doctrine and related strategies conflate internal censorship and external cyber defense.

This divergence in definitions leads to talking past each other in international forums, deliberately or otherwise. Western negotiators aiming to curb cyber warfare or criminal hacking find that Russia keeps steering the conversation toward content control and "information sovereignty".

For example, if the U.S. proposes an accord not to attack each other’s critical infrastructure, Russia counters with a proposal not to "destabilize the internal socio-political situation" of other states via information, a clause so broad it could cover media articles or social media posts easily. Western governments see protecting free expression as a non-negotiable value, whereas Russia's priority is shielding its regime from what it calls harmful information. Indeed, Russian and Chinese representatives have explicitly sought international endorsement to "prevent the use of information to undermine political stability".

To put it simply and bluntly, Moscow's concept of "security" in cyberspace includes securing its government against ideas it dislikes. This fundamental mismatch is a major reason why engaging on Russia's terms is perilous: any agreement using Russia's definitions would inherently drag free speech and open internet principles into what is supposed to be about cybersecurity. It’s a Trojan horse scenario - a "cybersecurity" treaty that, in fact, mandates political information controls.

The Risk of Adopting a Trojan Horse Russia's Terms

Accepting such a Trojan horse by signing onto an international agreement that has been framed by Russia's rather expansive notion of information security would come with severe consequences.

First, the West would be obligating itself to enforce restrictions on online content that mirror Russian practices and preferences. For instance, Russia's proposals commonly insist on outlawing the dissemination of information that "endangers societal stability" or "interferes in internal affairs". Agreeing to such language could compel democracies to try to police speech on their soil that Russia deems offensive or subversive, such as anti-Putin commentary or support for democracy movements, in order to remain compliant.

This isn't a hypothetical concern. An analysis of one of the most recent Russian draft cyber treaties noted that while the draft made passing reference to human rights, it "merely elaborates on the freedom of expression and calls for the possibility of it being restricted for national security, public order and moral reasons".

The obvious and serious implications aside, the mention of "moral reasons" in this context made me physically sigh, but at the same time I immediately had to think of a classic:

Nobody expects the Moral-Cyber-Russian-Inquisition!

In other words, Russia's idea of including free speech, free expression, is mainly to underscore conditions under which that freedom can be curbed.

The way the Internet has changed since it first became a thing, and continues to change, would easily suffice for dozens more articles. But it's, among other things, precisely why we should strive to not make things worse. Adopting these definitions internationally could slowly erode the norms of a free and open internet, effectively exporting Russia's censorship regime to other countries by way of treaty obligation.

At the same time however, there is little reason to believe that Russia itself would abide by the spirit of any such agreement in good faith. Against the backdrop of the full-scale Russian invasion of Ukraine that's probably the textbook definition of an understatement. But even if we ignore this thing that can't be ignored, Moscow has a well-documented history of signing or proclaiming high-minded principles internationally, only to flout them in practice. One need only recall Russia’s violation of the 1994 Budapest Memorandum security assurances by invading Ukraine, to cite the currently most obvious example, even though it's in an admittedly different domain.

In the cyber arena, Russia's behavior already blatantly contradicts the rules it claims to seek. For example, even as it calls for non-interference and state sovereignty online, Russia engages in relentless cyber-espionage, election meddling, and disinformation campaigns against other states. A somewhat recent Russian concept paper at the UN stressed the "inadmissibility" of using propaganda or political influence to interfere in other nations’ affairs - a completely surreal position given Russia's countless cyber operations against neighbors like Ukraine as well as the West, and brazen online "trolling" aimed at pretty much everyone.

This gap between word and deed suggests any treaty would be applied selectively. Russia would likely demand other signatories crack down on content hostile to Russia (for instance, by shutting down websites of exiled dissidents or banning online support for certain opposition causes) under the banner of the treaty, while Russia itself would continue its own cyber activities, claiming they don't fall under the treaty's definitions or simply denying them outright.

The result would be a one-sided arrangement: open societies tying themselves in knots to comply, as authoritarian regimes exploit loopholes. Furthermore, some Russian proposals include verification or enforcement mechanisms that sound even-handed but could be gamed to Moscow’s advantage. For instance, the aforementioned Russian draft convention suggests creating mechanisms to de-anonymize internet users in the name of security.

In practice, that would legitimize domestic surveillance and unmasking of online critics, a tool Russia would eagerly use to hunt down dissidents, while democratic states would find such powers constrained by their own privacy laws. The danger is that Russia's preferred rules would normalize practices antithetical to liberal democracies, forcing those societies to choose between violating their values or being accused of breaking an international agreement.

In short, accepting Russia's definitions and treaty terms on information security could mean trading away core liberties for the mirage of "security". Meanwhile, Russia's track record implies it would happily impose obligations on others without truly constraining itself. Such an outcome would reward bad behavior and leave the open Internet far less open and "unregulated through regulation". Speaking of regulation ..

Do we even need all of this paperwork?

A recurring point of contention and a favorite ambiguity that Russia exploits is the question of whether existing international law applies to state behavior in cyberspace, or whether we need entirely new "cyber laws" - despite Western experts and governments having argued firmly and continuously that the same international law that governs the conduct of states elsewhere also applies in cyberspace.

This opinion is reflected in a landmark report by the United Nations, which was released in 2013 after years of debate, stating that "international law, and in particular the United Nations charter, is applicable" to cyberspace.

This means principles like state sovereignty, the illegality of aggression, and human rights obligations all still bind countries, even when their actions involve computers and networks rather than tanks or missiles.

From the Western perspective, there is no "lawless void". The challenge is clarifying how to interpret existing law for new technology, not throwing the rule book out and writing a completely new one from scratch. Many nations reaffirmed this view in subsequent UN discussions. For example, in the latest Open-Ended Working Group on cybersecurity, countries including Sweden, South Korea, Colombia, Austria, the United States and others stressed that there are no fundamental gaps in current international law, only the need for further clarification and adherence.

You are not going to believe this, but: Russia has long taken the opposite stance. Moscow insists that the unique nature of the information space leaves it essentially outside the scope of today's international law, thereby necessitating a special new legal regime.

This claim of a legal vacuum is convenient for several reasons. For one, as long as there is no binding cyber treaty (which Russia knows is a distant prospect), it can suggest that no laws clearly restrain its cyber operations. That is a handy talking point whenever Russia is called out for hacking or online meddling. Indeed, Russian officials often respond to accusations of cyberattacks by noting the lack of "agreed definitions" or binding rules that would make such actions unequivocally illegal.

By casting doubt on the applicability of existing law, Russia seeks to undercut Western efforts to hold it accountable under norms of responsible state behavior. It's a strategy of exploiting ambiguity: if the world can't agree whether a cyber intrusion violates international law, Russia can continue its activities and shrug off criticism as a matter of "different interpretations".

This is how "different interpretations" sounds to me.

Moreover, pushing for a new treaty allows Russia to reopen settled principles and reshape them to its liking. For instance, whereas current international law strongly protects freedom of expression (per the Universal Declaration of Human Rights and other treaties), a new cyber treaty drafted under Russia’s influence could carve out broad exceptions for content deemed a security threat, as I wrote in earlier paragraphs.

All the while, the process of negotiating such a treaty would likely drag on for years, during which time Russia could continue to claim it is operating in a legal gray zone, if it admits to conducting any specific cyber operation at all.

When consensus faltered in a UN expert group in 2017 - due to disagreements that were, reportedly, mainly pushed by Russia and other autocratic states, over how international law applies to cyberspace - at least one commentator lamented that cyberspace would "remain a Wild West with no sheriff in sight".

That breakdown was not accidental; instead, it reflected deliberate resistance by Russia and its allies to formally acknowledging that things like the law of armed conflict apply to cyber operations. The longer the question stays unresolved, the longer Russia can argue that might makes right in the cyber domain until new rules are in place.

This is precisely why many Western experts insist we do not need an expansive new treaty. They worry it would become an exercise in delaying action and creating loopholes, rather than strengthening accountability.

In short, the West says "the law covers cyber - let’s follow it", while Russia says "cyber is beyond current law – let’s negotiate new rules (and until then, anything goes)". That fundamental divergence makes productive engagement exceedingly difficult.

Norms are (kind of) binding, bindings aren't

The divide over laws versus existing norms and realities is part of a broader contrast in how the West (specifically the United States) approaches cybersecurity governance compared to Russia.

The West has generally favored developing voluntary norms of responsible state behavior and confidence-building measures, rather than immediately seeking a hard treaty. For example, the U.S. and dozens of other nations have endorsed a set of 11 norms outlined by the UN in 2015, non-binding guidelines such as a norm against attacking another country's critical infrastructure in peacetime, or a norm to assist nations that are victim to cyberattacks on their territory.

The logic behind the norms-based approach is that it's more flexible and faster. States can agree on basic expectations without the heavy process of ratifying a treaty, and these norms can adapt as technology evolves. Crucially, these norms explicitly complement existing international law, meaning they fill in practical details while assuming the legal fundamentals are already in force.

The West in general (and the United States specifically) has also emphasized multi-stakeholder cooperation, working not just government-to-government, but involving tech companies, academia, and civil society in bolstering cybersecurity - something a traditional state-centric treaty might not accommodate.

Russia, on the other hand, has persistently dismissed voluntary norms as inadequate. From Moscow's perspective, only a legally binding international agreement will do. On the face of it, this insistence on binding law might seem like a principled stance. Enforceable rules do sound like a sane choice.

But in practice, Russia's push for a treaty is driven by the advantages it would gain in the process. A negotiated treaty would allow Moscow to insert the kinds of broad clauses on information control discussed earlier, and to demand "security guarantees" in cyberspace much as one would in an arms control pact .. you know, the kind of security guarantees Moscow has been violating consistently for quite literally decades now.

Furthermore, reaching a global treaty with teeth is exceedingly hard, likely being a multi-year endeavor, if achievable at all. For context, even relatively straightforward cyber agreements (like the Budapest Convention on cybercrime) took years and still don't have universal buy-in, which is an indicator that a comprehensive cyber warfare or information security treaty would be orders of magnitude more complex.

And Russia knows this. During that drawn-out period, Russia could continue pushing its agenda and possibly freeze progress on interim measures. In fact, Russia's latest proposal at the UN seeks to make a new treaty process the sole forum on international information security from 2025 onward, effectively sidelining the ongoing norms work.

The West's wariness of a treaty also stems from mistrust of verification and enforcement with a player like Russia, given the aforementioned history of compliance issues. Simply put, the U.S. and others do not believe Moscow would honor a binding agreement in spirit, so a voluntary framework with peer pressure and public attribution of bad behavior is seen as more practical.

The clash boils down to a norms-based order vs. a treaty-based order for cyberspace. Engaging with Russia by negotiating a treaty means playing on Russia's preferred field - where legal language can be lobbied over endlessly and progress stalls. Meanwhile, reinforcing voluntary norms and existing law is playing on the West's field, emphasizing behavioral expectations and accountability that are harder for Russia to hijack.

Given this contrast, more and more Western policymakers and legal experts conclude that entering a binding pact with Russia on cyber issues right now is a fool's errand. It would likely yield a document full of ambiguities and concessions to authoritarian priorities, while providing a false sense of security. The norms-first strategy isn’t perfect or entirely enforceable, but at least it doesn’t legitimize repression or tie our hands. And it very much does not mean that we're bound to live in a digital "Wild West" ..

It's only the Wild West because Russia states make it so

The specter of a chaotic, lawless cyberspace if calls for new international rules go unheeded is an excellent scarecrow Russia can (ab)use, because it serves to heighten urgency and paints Russia as the responsible actor trying to bring order.

Moscow very much leans into this narrative, warning that without a robust treaty, countries will ramp up offensive cyber capabilities with abandon, cyber conflicts will escalate unpredictably, and no one will be safe. It’s a none-too-subtle form of diplomatic brinkmanship: make a deal on our terms, or face anarchy. The implied message is that Russia too will behave as ruthlessly as it must in this lawless environment, until rules are in place.

The irony .. well, kind of irony, because it's such an expected thing at this point that there is not very much irony left .. is that Russia has been a major contributor to the very instability it decries. One could reasonably argue that cyberspace feels like the Wild West in part because of actions by Russia and similar autocratic states - massive ransomware outbreaks that caused global collateral damage, state-backed hacker groups meddling in foreign elections and infrastructure, and wholesale disinformation campaigns sowing chaos.

It's a classic trope. After playing arsonist, the Kremlin is now volunteering to play firefighter - but only if it’s given the fire chief’s hat. This puts other nations in a bind: accept Russia's brand of law and order (which may be little more than a protection racket), or watch as the "Wild West" scenario continues. As I mentioned at the very beginning of this post, I'm not a lawyer or legal professional of any kind. But that does indeed smell suspiciously like extortion.

At the same time the Russian analogy of "no sheriff being in town" is very much flawed, because it solely rests on the assumption that there truly is no sheriff in town. Reasonable countries don’t actually view cyberspace as utterly lawless; as discussed, they believe international law and norms do apply, even if enforcement is tricky.

However, the line can resonate with an exasperated public and business community hit by wave after wave of cyberattacks. Russia capitalizes on that fatigue by saying, essentially, "Yeah, we know this is bad, but like .. _we_ wanted to solve this problem, we wanted to make rules of the road (as long as we were allowed to drive on the sidewalk), but the evil West is irresponsible and refuses to cooperate!".

The risk here is of a self-fulfilling prophecy. If the international community buys into the notion that cyberspace is a free-for-all until a treaty emerges, countries like Russia can use that interim to push the envelope further, claiming any criticism is moot absent explicit law.

Meanwhile, the prolonged treaty haggling would delay more immediate confidence-building steps. By repeatedly invoking the threat of a digitally anarchic world, Russia aims to strong-arm others into negotiating - but succumbing to that without addressing Russia's own behavior would reward extortionate tactics.

A more prudent approach would be to continue to aggressively call Russia's bluff: emphasize that there are laws and norms now - it’s the adherence that's lacking - and that responsible nations will work to enforce those (through sanctions, indictments of cybercriminals, diplomatic pressure, ..) so long as malign actors exploit the space.

In effect, the way to tame the Wild West is to enforce the sheriff's badges we already have, not to sign a dubious new pact with the very outlaw stirring up trouble. Until Russia demonstrates through actions, not just words, that it is willing to behave within the current rules, engaging on a new law is dangerously naive at best.

Authoritarian Alliance aka "That's what friends are for!"

By looking at the laws and partnerships Russia was able to achieve when it comes to "cyberspace" you can clearly see what Moscow truly seeks in "information security" agreements - their cooperation with China is a great example.

Frustrated with Western resistance, Moscow has found a willing ally in Beijing to pursue a shared vision of state-controlled cyberspace. The two great-ish powers have inked bilateral accords squarely focused on controlling online information and mutual support in fending off internal dissent.

A significant moment came in May 2015, when Vladimir Putin and Xi Jinping signed an agreement "on cooperation in ensuring international information security". Some (mostly Western) reports mischaracterized it as a simple non-aggression pact, promising not to hack each other's systems and networks, but in reality it was much broader - and far more aligned with censorship and domestic security goals.

The text provided a framework for joint efforts to combat the use of technology to "undermine socio-political regimes", essentially a pledge to help each other police the internet and suppress unwanted ideas. It enumerated threats to domestic stability and called for cooperation in countering them.

Funnily (in the worst possible sense of the word) enough, nothing in it actually prevented Russia or China from continuing offensive cyber espionage against others (or each other). Instead, the agreement formalized collaboration on things like "internet control" technologies and strategies.

Illustration of Russia-China cooperation in cyberspace.

In the years since, Russia and China have deepened this rather Orwellian collaboration. They regularly hold high-level meetings to exchange best practices on monitoring and filtering online content. Leaked documents from 2017 and 2019 which were obtained by RFE/RL reveal that officials from China's Cyberspace Administration and Russia's Roskomnadzor (the agency in charge of, among other things, Russia’s internet censorship) met behind closed doors to share "methods and tactics for monitoring dissent and controlling the Internet".

This included discussions on how to block certain information more effectively and how to track citizens' online activities. After one such meeting, the head of Roskomnadzor reported to Russia's Federal Security Service (FSB) with enthusiasm, urging "expediting joint efforts with China to improve the blocking of information" and highlighting the need for an "exchange of experience at the level of technical specialists".

In plain terms, the two regimes were comparing notes on censorship tools (e.g. China’s Great Firewall techniques and Russia’s SORM) and on identifying and cracking down on online dissenters.

This Sino-Russian convergence has also played out on the international stage. Both countries promote the principle of "cyber sovereignty", the idea that each state should have absolute authority over its domestic internet segment, with no outside interference. They have pushed this concept in U.N. forums and through groups like the Shanghai Cooperation Organisation, even submitting joint proposals to enshrine it globally.

The message is clear: information and internet governance should be subject to state control, not universal rights. In 2019, Putin and Xi declared a "comprehensive strategic partnership" that put information and cyberspace governance front and center, vowing to work together to promote a global order reflecting their values. Part of this strategic partnership involves mutual support: for instance, Russia can count on China to back its narratives in international debates (and vice versa) - recently evident as Chinese officials echoed Russian disinformation about bioweapons labs and other utter horseshit talking points, and Russia echoed China’s calls for "respecting national internet rights".

All of this shows, once again, that Russia's priority is not reducing cyber threats at large, but rather curbing the threat of free information to authoritarian stability. When Russia finds partners who share its mindset, the resulting agreements focus overwhelmingly on content control, surveillance, and regime security, not on stopping cyberattacks or cybercrime.

In its cooperation with China, Russia is essentially building an alternate model of cyber governance antithetical to the open Internet. The success of these efforts (from their perspective) emboldens Russia to seek the same outcomes globally. It wants the imprimatur of international law on what it’s already doing with China: carving cyberspace into national fiefdoms where governments can clamp down on digital expression under the guise of security and even collaborate to nab each other's political dissidents if they flee online.

Unless one is prepared to adopt a Beijing-Moscow style approach to the internet, which most democracies are hopefully not, it's wiser to keep such efforts at arm's length. Instead, democratic nations should continue to uphold that existing international law (including human rights law) applies and work among themselves to set norms that authoritarian regimes will eventually feel pressure to follow or at least respect.

TL;DR: Yeah, just .. don't.

At the end of each of these deliberations things circle back to a simple, uncomfortable reality: when a government with a track record of info-authoritarianism and cyber aggression seeks a grand new deal for "information security", wise policymakers should remember that if it sounds too good to be true, it probably is.

Russia’s overtures in the cyber domain promise stability and peace, but as I've outlined above they come loaded with perilous strings attached. Historically, autocrats have twisted arms-control initiatives to serve as smoke screens for their own ambitions – and both Moscow's historic and modern-day proposals fit that mold.

The Kremlin's vision of information security is fundamentally incompatible with the open, global internet that has enabled unprecedented freedom of expression and innovation. To accept Russian terms would be to legitimize state censorship, erode privacy via mandated "de-anonymization", and hamstring the very democratic values that cybersecurity is meant to protect.

As much as I loathe the fact that it's necessary to continue diplomatic conversations even with states that behave the way Russia currently does, none of what I wrote in this post is meant to suggest that dialogue with Russia is wholly pointless, or that the status quo regarding the legal situation of "cyberspace" is acceptable.

International engagement is needed to reduce the risks of cyber conflict spiraling out of control. However, any engagement must be clear-eyed. It should focus on narrow, concrete measures - for instance, establishing crisis communication channels to prevent miscalculation, or cooperating on truly mutual interests like combating purely criminal hackers - rather than sweeping treaties that hand Moscow the keys to define the rules.

The existing international legal framework, if vigorously affirmed and enforced, provides a baseline to judge state cyber actions. Rather than negotiating away our principles in a doubtful bargain, we should double down on attributing and penalizing violations of norms (such as election interference or attacks on civilian infrastructure) under today's law. Over time, such enforcement can build customary practice that hardens into accepted international norms. I have to admit that I'm having a hard time believing that we will manage to become better at enforcing the existing laws in the short term, given the inability of the European Union to even come together and properly condemn Russian offensive computer network operations in most cases. But I try to keep my hopes up.

In contrast to a focus on narrow, concrete measures, engaging with Russia on its repeated calls for new cyber laws or an "information security" convention would likely bog down in endless debates over terminology (What exactly is extremist content? Who defines political stability threats? Why the fuck are your investigators not cooperating on clear-cut criminal cases .. sorry, I'm getting carried away again.) and, in the interim, distract from holding bad actors accountable.

It would also risk splitting the international community: indeed, Russia has already succeeded in getting authoritarian-leaning states on board with its approach, while liberal democracies resist - a treaty process could create a false dichotomy of "pro-security (censorship) treaty" vs "anti-security" nations. This is a trap we should avoid. The free world can acknowledge the need for cyber stability without endorsing Russia’s repressive blueprint.

To finally get to a conclusion: engaging with Moscow on legislation and agreements for information security is unwise because the price of agreement is far too high. The historical playbook of autocratic manipulation, Russia's own stealth agenda embedded in proposals, the incompatible definitions of security, and the likely one-sided compliance all point to a lose-lose outcome for the West.

The safer course is to maintain a united front that existing laws apply in cyberspace, champion voluntary norms that reflect open society values, and reinforce alliances with partners to deter and respond to cyber threats.

Yes, that means living with a bit of Wild West in the short term, but it beats signing away our principles for a false promise of order. As Russia and China build their censored "cyber-hemisphere", the West must hold the line on a different vision. One where security is achieved without silencing society.

Engaging on Russia's terms would only validate the wrong vision and embolden those who see the free flow of information as the enemy. It's a gamble not worth taking, and one that people who have significantly more political sway than I have will hopefully recognize as the strategic dead end that it is.