March 20, 2019

Establishing Cyber Sovereignty – Russia Follows China’s Example

In early March 2018 there were mass demonstrations in several Russian cities.

The crowds were protesting at the latest in a series of measures to control the use of the Internet within its borders.1 The ‘digital sovereignty bill’, which was approved by the Russian parliament in February 2019, has been described as nationalising the country’s internet, known as the Runet. When enforced, this would enable it to be isolated from the global internet and so function as a separate internal network. This would result in traffic with both its source and destination in Russia not being routed outside the country where it may be vulnerable to interception. It would also provide a degree of resilience against cyberattack from a foreign power and could afford protection from some malware. For example, the Wannacry ransomware that affected an estimated 230 000 computers worldwide in 2017 attempted communication with an Internet domain before encrypting files.2 Inhibiting this communication nationally would have effectively mitigated the malware across the country.3

To be able to function as an independent network, the Runet would require its own Domain Name System (DNS). This translates host names such as a web site addresses or device identifiers into numerical IP addresses used by networking components to direct traffic to its destination. It would also require every point at which data enters the country to be under the control of the state.  In addition to the fixed infrastructure, this would have to include cross border mobile and satellite connections to ensure that the integrity of the network was maintained. As well as being able to close international connections, this also would enable traffic to be monitored and, if necessary, filtered. This has naturally raised concerns with those within Russia who oppose any curbs on Internet freedom and object to more control and monitoring of their online activities.4 It would also be a setback to those who see the Internet as joining the high seas, Antarctica, the atmosphere, and space as global commons.5 These are defined variously as those areas that do not fall within the jurisdiction of any one particular country and to which all nations have equal access.6 For NATO nations, who have accused Russia of being responsible for a number of cyberattacks, the introduction of increased filtering and control at its borders will be a concern.7 Russian state intelligence organisations have been regularly accused of interfering with the internal affairs of other countries. This attribution has in part been due to the ability to trace the origin of the activity back to its source. The requirement to pass through state-controlled entry points may inhibit this activity and reduce the effectiveness of tracing the origin of malicious cyber activity against the west.

Russia’s campaign to control its cyber borders mirrors the ‘great firewall of China’ that restricts the viewing habits of the largest population of Internet users in the world.  Focused on censorship, a range of techniques are employed to prevent citizens from reading or posting anything that the government deems threatening. To do this, access to the Internet is provided only through government licensed service providers, which employs IP blocking, DNS highjacking, and keyword inspection and filtering.8 However, although Russia and China are criticised for implementing strong borders around their national networks, it could also be argued that these actions represent a maturing of the cyber domain. Used initially to link academic institutions, it evolved to be used for entertainment and commerce and is now regarded as integral to a nation’s critical national infrastructure. As such, its resilience and efficient operation is vital to a nation’s security and economic wellbeing.9

In 2016 NATO recognised cyberspace as a domain of operations in which it must defend itself as effectively as it does in the air, on land and at sea.10 Although this announcement was regarded as an acknowledgement that cyberspace is of equal importance to the physical domains, its legal standing is still developing. Whereas international land, sea and air borders are recognised by the international community through the United Nations as defining the limits of sovereign territory, this is not the case with cyberspace. Although it is accepted that nations have the right to control movement within and across borders, this issue becomes more problematic in cyberspace where boundaries are not defined.  Thus, conventions exist for the movement of people between countries, ships through territorial seas and aircraft in national airspace, but not so for information in cyberspace. Attempts have been made to address this issue by the NATO affiliated Cooperative Cyber Defence Centre of Excellence (CCDCOE), located in Tallinn, Estonia. Their Tallinn Manual 2.0 dedicates its first chapter to addressing sovereignty in cyberspace, which aligns with how it is defined in the other domains.11 However, as the Tallinn Manual only represents the opinion of a range of experts in the field, it has no formal legal standing. Sovereignty as a concept itself is a complex subject of debate by International Relation theorists but can be described as centralising authority and policing functions in a territorially based bureaucratic structure.12 Although this is what China and Russia are exercising with information in cyberspace it is at odds with other nations. The US, for example have a specific policy of promoting the free flow of information across borders.13 This is because it is seen as a means by which to promote its model of democracy and encourage freedom of expression.

Although their actions may be motivated by a desire to increase state control, it could be argued that Russia is joining China in establishing national sovereignty in cyberspace. People, aircraft and ships crossing borders are already managed according to national laws, so perhaps it is justifiable that information should also be subject to similar controls. As the technology that comprises the Internet has matured and developed, so the amount and type of content that can be accessed continues to grow. When made freely available, this has significant power to influence and inform. It is therefore not surprising that countries that have a history of supressing free speech should be at the forefront of controlling information at their borders. Although greater control of the Internet and its content will be an anathema to many in the west, it may prove advantageous to Russia. Greater monitoring increases the detection of malicious activity and so may also improve their ability to resist cyberattacks.  If Russia’s efforts to establish cyber-sovereignty proves effective in increasing the resilience of its infrastructure, western nations may also start to reconsider their own open border policy.

 

The views, thoughts, and opinions expressed in the article belong solely to the author, and do not necessarily reflect the opinions or views of the ICDS.

______

1 Short, E. (2019). New Russian internet restrictions decried as online ‘iron curtain’. Available: https://www.siliconrepublic.com/enterprise/russia-protests-internet-restrictions. Last accessed 14 March 2009

2 Palmer, D. (2018). WannaCry ransomware crisis, one year on: Are we ready for the next global cyber attack? Available: https://www.zdnet.com/article/wannacry-ransomware-crisis-one-year-on-are-we-ready-for-the-next-global-cyber-attack/. Last accessed 13 March 2019.

3 Miller, J and Mainor, D. (2017). WannaCry Ransomware Campaign: Threat Details and Risk Management. Available: https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html. Last accessed 19 March 2019.

4 Matamoros, C and Davlashyan, N. (2019). Runet: Russia wants to ‘nationalise the internet’ but what does it mean. Available: https://www.euronews.com/2019/02/12/new-russian-internet-bill-just-another-layer-of-censorship-says-tech-expert. Last accessed 15 March 2019.

5 Stang, G. (2013). Global commons: Between cooperation and competition. Available: https://www.iss.europa.eu/sites/default/files/EUISSFiles/Brief_17.pdf. Last accessed 15 March 2019.

6 UN System Task Team. (2013). Global governance and governance of the global partnership for development beyond 2015. Available: http://www.un.org/en/development/desa/policy/untaskteam_undf/thinkpieces/24_thinkpiece_global_governance.pdf. Last accessed 15 March 2019.

7 European Union Institute for Strategic Studies. (2018). Hacks, Leaks and Disruptions – Russian Cyber Strategies. Available: https://www.iss.europa.eu/sites/default/files/EUISSFiles/CP_148.pdf. Last accessed 15 March 2019.

8 OpenDemocracy. (2013). The Great Firewall of China. Available: https://www.opendemocracy.net/en/great-firewall-of-china/. Last accessed 15 March 2019.

9 CPNI. (2019). Critical National Infrastructure. Available: https://www.cpni.gov.uk/critical-national-infrastructure-0. Last accessed 15 March 2019.

10 NATO. (2018). Cyber defence. Available: https://www.nato.int/cps/en/natohq/topics_78170.htm#. Last accessed 16 March 2019.

11 Schmitt, M (2017). Tallinn Manual 2.0 on the international law applicable to cyber operations. Cambridge: Cambridge University Press. p11-29.

12 Thomson, J. (1995). State Sovereignty in International Relations: Bridging the gap between theory and empirical research. International Studies Quarterly. 39, p213-233.

13 National Telecommunications and Information Administration. (2019). Internet Policy. Available: https://www.ntia.doc.gov/category/internet-policy. Last accessed 16 March 2019.