
Cyber Warfare Between Washington and Moscow: Escalation Dynamics and Red Lines

Both the US and Russia possess sophisticated cyber warfare capabilities targeting each other's critical infrastructure. Understanding the escalation dynamics and implicit red lines that govern this shadow conflict is essential for stability.

Cyber operations have become the most active domain of US-Russia strategic competition, operating below the threshold of armed conflict but above routine espionage. Both nations maintain persistent access to each other’s critical infrastructure — energy grids, financial systems, telecommunications networks, and government networks — creating a condition of mutual vulnerability that parallels nuclear deterrence but lacks its institutional framework.

Capability Assessment

Russia’s cyber capabilities are distributed across multiple state actors. The GRU (military intelligence) operates Units 26165 and 74455, responsible for some of the most significant cyber operations attributed to Russia. The SVR (foreign intelligence) conducts espionage-focused operations, as demonstrated by the SolarWinds compromise. The FSB maintains domestic surveillance capabilities with external reach.

American cyber capabilities, concentrated in US Cyber Command and the National Security Agency, are widely assessed as the world’s most sophisticated. The shift to “persistent engagement” and “defend forward” doctrines under General Paul Nakasone marked a transition from reactive defense to proactive disruption of adversary operations.

Escalation Framework

The implicit rules governing US-Russia cyber competition have developed through practice rather than negotiation. Several observable patterns suggest the outlines of an unwritten code of conduct. Intelligence collection against government networks is treated as routine espionage — objectionable but not escalatory. Operations targeting critical infrastructure (energy, water, financial systems) carry higher escalation risk. Destructive attacks against civilian infrastructure represent a red line that neither side has conclusively crossed.

The Deterrence Problem

Nuclear deterrence benefits from clear doctrine, observable capabilities, and decades of theoretical development. Cyber deterrence operates under conditions of ambiguity. Attribution, while improving, remains imperfect. Capability assessments are uncertain because the most sophisticated operations are by definition undetected. And the relationship between cyber operations and kinetic military action remains theoretically underdeveloped.

The concept of “cyber norms” — international rules of the road for state behavior in cyberspace — has been discussed in UN forums since 2004 but has produced only non-binding recommendations. Russia and the United States have fundamentally different views on internet governance, information sovereignty, and the applicability of existing international law to cyberspace.

Risk Assessment

The greatest risk lies not in deliberate escalation but in miscalculation. A cyber operation that accidentally causes cascading failures in critical infrastructure could trigger a crisis that neither side intended. The absence of established crisis communication channels for cyber incidents increases this risk. While the Biden-era establishment of a bilateral cyber hotline was a positive step, its operational effectiveness in a crisis scenario remains untested.