Moscow´S Digital Offensive: Building Sovereignty in Cyberspace
Total Page:16
File Type:pdf, Size:1020Kb
TECHNOLOGY AND SECURITY POLICY Moscow's Digital Offensive – Building Sovereignty in Cyberspace Carolina Vendil Pallin and Mattias Hjelm Summary • Russia is pursuing a long-term policy that aims to build its cyber sovereignty. • The law on a “sovereign internet” appeared in 2019, but the concrete plans were evident in 2014 and present among the security services as long-term aspirations even further back. • The goals are strategic – to escape what Russia sees as U.S. dominance in the cyber sphere and to increase control over information flows within the “Russian segment of the internet”. • Russia has built up a capability to perform cyber operations over at least two decades, from relying on “mercenary” hackers and crude distributed denial of service attacks (DDoS) to employing its own specialists and utilising advanced malware. • Russia’s current bid for an international treaty on information security goes back to the late 1990s. • Moscow aims to achieve a high degree of coordination for this policy across different government ministries, agencies and services as well as with parliament and the leading Russian internet companies. Building sovereignty in cyberspace 1 What the West perceives as a Russian digital offensive left for Russian authorities was always to hammer out so- stems to a considerable degree from a deep-seated sense mething approaching a territorially defined information of insecurity in Moscow – both of being under attack and space and claim Russian sovereignty. Russia has also deve- of lagging behind technologically. Russia’s intelligence and loped its capability to conduct cyber operations and step security community, moreover, has been keenly aware of by step built a coalition of likeminded countries around how the global internet infrastructure setup affects the its bid on how to frame international information security. intelligence balance of power. These concerns intensified after the Snowden leak exposed how advantageous the U.S. Russia does not have a cyber portfolio and its allies’ position is when it comes to passive intelli- Anyone looking for a distinct cyber strategy in Russian gence-gathering over the internet.2 official security documents will be disappointed. The From these basic premises for Russia’s cyber strategy upper house of parliament, the Federation Council, follows the conclusion that the policy it pursues is long-term, drafted a cyber strategy in 2011, but the Federal Security coordinated and, therefore, difficult to influence. Service (FSB) opposed this initiative. No separate Russian Information is potentially an existential security threat cyber strategy was to exist, only an information security in what Moscow designates as “a Russian segment of the doctrine combining technical and psychological aspects. internet”. This view dominated early within the military Consequently, there is no separate government authority and security community inside Russia, but for many years dealing exclusively with cyber affairs, no military cyber the digital sphere in Russia remained relatively free. The domain and no cyber portfolio when the Russian govern- Russian political leadership initially brought national mass ment is involved in international talks: instead, there is an media, especially television, under control, but largely information space, an information security doctrine and neglected the internet as a catalyst for political protest and a Russian position on international information security. unrest. This changed with the Arab Spring and the demon- Cybersecurity and cyber operations are an integrated strations in Moscow in 2011–2012. From that point, the part of the larger Russian concepts of information security Russian government directed its attention towards not just and information operations.3 This is an important caveat strengthening but also enforcing legislation and other mea- when one embarks on any attempt to analyse Russia’s sures that would also allow it to control information on the position on cyber. Often the debate becomes blurred and internet. This, however, proved a far from easy task. Absent at times even misleading. When Russia talks of internatio- the possibility of controlling the global internet, the option nal information security, it incorporates the need to protect FOI Memo: 7521 April 2021 Project no: B12527 Approved by: Anders Norén its own information space not only against hacker attacks over Ukraine, a new round of sanctions increased con- but also against content that is illegal in Russia. This illegal cerns in Moscow about Russia’s dependence on the global content can be child pornography or terrorist propaganda, internet infrastructure. There had been no threats or even but it can also be political opposition websites or blackli- hints about cutting Russia off from this infrastructure. In- sted reporting by human rights activists. Russia internatio- side Russia’s political system, however, forces that had been nally promotes this position with vigour and consistency, championing measures to create a so-called “ internet kill as do China and a number of other authoritarian countries switch”, since the late 1990s, and the drafting of the 2000 that have similar policy goals and cooperate with Russia Information Security Doctrine,4 seized on the opportunity within, for example, the United Nations (see below). to further this agenda. At a national Security Council me- In practice, however, Russia determines that it also eting on 1 October 2014, Vladimir Putin outlined many needs to divide the concept of information security into of the main themes that would dominate the 2016 In- technical information security and psychological informa- formation Security Doctrine. He especially mentioned tion security. This is certainly the case when Russia designs the need for Russia to build a ‘sovereign internet’ that, measures to develop its own technology as well as processes if necessary, would be independent of the global internet for countering information and communications techno- infrastructure. logy (ICT) threats. For example, there is an ambitious and This proved easier said than done. Only in 2019 did prioritised national project on “Digital Economy” and draft legislation appear. At that point, the idea had become within it a sub-programme on “Digital Security”, as well as both to create a kill switch and to introduce additional an elaborate system for detecting, countering and elimina- means for sifting and blocking unwanted content traffic ting ICT threats. It is also clear that Russia has developed on Russian territory. This signified that all internet pro- its capability to engage in cyber operations (see below). viders on Russian territory would be obligated to install In Russia’s Information Security Doctrine, the equipment by 2021 to block what the government defines prioritised goals can be divided into four main areas: as illegal information from reaching internet users. The 1. to protect critical information infrastructure; law also introduces stricter government control over inter- 2. to reduce the country’s dependence on imported net infrastructure – most importantly concerning inter- technologies, including hardware, electronic com- net exchange points, cables that cross its national borders ponents and software; and routing rules. The government agency for supervising 3. to control content in what Russia sees as its national communication and media, Roskomnadzor, will play a key segment of the internet; role in supervising which routes internet traffic should take 4. to promote its view of information security inside Russia. A centre under Roskomnadzor will take over internationally. and direct traffic on Russian territory in case of an emer- For obvious reasons, the doctrine only lists threats to gency or threat. In addition to this, Russia intends to make Russian information security and the measures planned sure it has the necessary infrastructure for its internet to to counter these. However, there is ample evidence that function even when operators are unable or unwilling to Russia also engages in offensive measures. The most -ob connect to the global internet infrastructure; this would vious example is the increased incidence of cyber opera- be a Russian ‘domain name system’, with DNS servers on tions attributed to Russia, but Russia also has a plan on Russian soil. Government authorities are also obliged to how to shape the global digital landscape more to its taste conduct cyber exercises each year. 5 and then, not least, in its immediate neighbourhood. And, Somewhat ironically, Russia’s broad definition of infor- again, the focus is on shaping the information space as a mation security and its ambition to control content has whole to Russia’s advantage. Digital measures are only a led it to focus on the technical aspects, the cyber aspects. part of this overall goal. The law on a sovereign internet was not a sudden whim but rather a step further in Russia’s long-term strategy to Russia’s sovereign internet increase control and surveillance. This now takes place Russia’s illegal annexation of Crimea resulted in condem- through everything from registries of forbidden websites, nation and sanctions from the U.S. and the European so-called blacklists, and laws making it mandatory to store Union. With the downing of the Malaysian airliner MH17 user data on Russian soil, to demands on companies such FOI — 2 — Tel: +46 8 5550 3000 Swedish Defence Research Agency www.foi.se SE-164 90 Stockholm as Yandex to hand over encryption