When US President Joe Biden and his Russian counterpart, Vladimir Putin, held their first summit in Geneva last month, cyber weapons played a larger role on the agenda than the nuclear kind. Clearly the world has changed since the Cold War but what, if anything, did Biden accomplish? For more than two decades, Russia has proposed a UN cyber treaty. But the US regards such a pact as unverifiable. Unlike nuclear weapons, the purpose of which is in no doubt, the difference between a cyber weapon and other computer code can depend simply on the programmer’s intent. Instead of a treaty, therefore, Russia, the US and 13 other states agreed to a set of voluntary norms, outlined by UN-sponsored groups of governmental experts, prohibiting attacks on each other’s civilian infrastructure and not barring wrongful acts staged from their territory. Although these norms were reaffirmed at the UN this past spring, skeptics note that shortly after it agreed to a 2015 report, Russia attacked Ukraine’s power grid and interfered in the 2016 US presidential election. Unlike the US, which established a Cyber Command (USCYBERCOM) in 2010, Russia has never formally admitted to having offensive cyber capabilities. Both countries penetrate each other’s networks to gather intelligence but it is sometimes difficult to draw a line between espionage and preparing the battlefield. That is why the US complained this year about the Russian attack on American firm SolarWinds, which is said to have infected at least nine major government agencies and more than 100 significant corporations. Even if formal arms control treaties are unworkable, it may still be possible to set limits on certain types of civilian targets and to negotiate rough rules of the road. For example, despite deep ideological differences, in 1972 the US and the Soviet Union negotiated an Incidents at Sea Agreement to limit naval behavior that might lead to dangerous escalation. Espionage is not against international law, and an agreement to ban it would not be credible. Nonetheless, the US and Russia might negotiate limits to their behavior regarding the extent (if not the existence) of their cyber spying. Or they might agree to set limits on their intervention in each other’s domestic political processes. Even if there is no agreement on precise definitions, they could exchange unilateral statements about areas of self-restraint and establish a regular consultative process to contain conflict. This seems to have been the approach explored by Biden in Geneva. According to press accounts, the US president handed Putin a list of 16 types of critical infrastructure — including energy, health, information technology, financial services, chemicals and communications — that he said “should be off limits to attack, period.” In one sense, this was not new. The list of what Americans regard as critical infrastructure has long been posted on the website of the US Cybersecurity and Infrastructure Security Agency. But it is different when one head of state hands such a list to another. After the meeting, Biden disclosed that he asked Putin how he would feel if Russian pipelines were taken out by ransomware, as the US Colonial Pipeline was in May by criminals operating from Russia. This would be very costly for the Russian economy, which depends heavily on pipelines to export its natural gas. The Americans did not attribute the ransomware attack on Colonial to the Russian government, but US experts have noted that criminal gangs in Russia seem to operate with impunity so long as they do not attack Russian targets. During his press conference after the summit, Biden said: “I pointed out to (Putin) that we have significant cyber capability. And he knows it. He doesn’t know exactly what it is but it’s significant. And if, in fact, they violate these basic norms, we will respond with cyber. He knows.” In other words, Biden was implying a deterrent threat if Russia continues to violate the voluntary norms prohibiting attacks on civilian infrastructure and the use of its territory for harmful purposes. Putin is smart and he certainly heard the message, but whether Russian behavior will improve depends on Biden’s credibility. Drawing red lines can be tricky. Some critics worry that by specifying what needs to be protected, Biden might have implied that other areas are fair game. Moreover, red lines must be enforced to be effective. The critics argue that the focus of the warning should have been on the amount of damage caused, not where or how it is done. To use an analogy, one does not order the host of a party to turn off all their music; you warn them that if the noise becomes intolerably loud you will call the police. How Putin interprets Biden’s message remains to be seen in the months to come, but the two presidents did agree to establish a cyber working group that could try to define “tolerable” limits. The US will need to unilaterally state the norms it pledges to stand by. When Russia crosses one of those lines, Washington will have to be prepared to respond with targeted retaliation, such as emptying the bank accounts of some privileged oligarchs, releasing embarrassing information, or disrupting Russian networks. Unlike the US, which established a Cyber Command in 2010, Russia has never formally admitted to having offensive cyber capabilities. Joseph S. Nye, Jr. USCYBERCOM’s strategy of forward defense and persistent engagement can be useful for deterrence, but it must be accompanied by a process of quiet communication. Criminal groups often act as state proxies to varying degrees, and the US will have to make clear that providing a haven for cyber criminals will lead to retaliation. And because the rules of the road will never be perfect, they must be accompanied by a regular consultative process that establishes a framework for warning and negotiation. Whether Biden succeeded in launching such a process in Geneva, or whether Russian and American cyber relations will remain at their normal bad level, may well become clearer in the coming months. Joseph S. Nye, Jr. is a professor at Harvard University and author of “Do Morals Matter? Presidents and Foreign Policy from FDR to Trump.” Copyright: Project Syndicate Disclaimer: Views expressed by writers in this section are their own and do not necessarily reflect Arab News" point-of-view