RuNet lockdown
Is the Duma just posturing, or is a Great Firewall of Russia possible?
As more and more economic, social and political activities have moved online, the question of state sovereignty over the Internet has become a key concern for governments, companies and activists around the world. The paradigm of territorial sovereignty was simple: State A controls Land A, State B controls Land B, these states draw a line and call it a border. The laws of State A apply in Land A and vice versa. This statist vision of sovereignty is at odds with a traditional conceptualization of the internet, typically portrayed as a great border-smashing information superhighway.
This ideal has always chaffed with Russia’s sovereignist outlook, and Moscow has been deeply skeptical of the internet both before and after the fall of the Soviet Union. President Vladimir Putin and the former intelligence officers forming his inner circle have viewed the internet at best as a tool for diffusing the state’s narrative to a broad audience and at worst as an American conspiracy to undermine Russian sovereignty. Russian investigative journalists Irina Borogan and Anton Soldatov note that “Vladimir Putin is certain that all things in the world — including the Internet — exist with a hierarchical vertical structure … the Internet must have someone controlling it at the top”. Since Putin’s return to the Kremlin in 2012, this “someone” controlling the Russian internet has increasingly been the federal security services.
The Russian State Duma — the lower house of parliament — has adopted the final version of their “Internet isolation” legislation, approved by the Federation Council — the upper house — on April 23. Ostensibly, this law is designed to allow Roskomnadzor, the federal internet regulator, to cut off the entire RuNet in the event of “a rainy day”, meaning a massive attempt to compromise either access to or state sovereignty over the Russian Internet. The law essentially gives the regulator the ability to compel all Internet service providers (ISPs) to impose controls on all traffic coming in and out of Russia, outlining how the RuNet might function in isolation from the global web. Basically, Moscow would take direct control over all the connection points between the RuNet and the outside world.
The law’s curious lack of detail on what exactly it is designed to defend against begs a number of questions:
- What threat is this law meant to address?
- Why now?
- What direct impact on Russian internet governance will the law have?
- Is a China-like isolation within Russian authorities’ technical capabilities?
Let’s address these all in order.
What threat is this law meant to address?
Despite a detailed action plan for authorities in the event of…well, some grave event, the isolation law does not specify what this actual zero-day event would be. No specific threats are mentioned as a justification for the new regulation, nor are any risks identified to be mitigated. This will thus be up to the Prime Minister’s office, as it rolls out directives and guidelines for Russian industry actors. Overall, the law can best be understood as a type of sovereignty grab for the Kremlin, a mix between security posturing and continuation of the trend of increased government control over the information space.
Why now?
Moscow’s desire for digital sovereignty is not new. The Kremlin has long expressed a desire for a greater territorialisation of the internet. Examples include Putin’s push for the .рф top-level domain at ICANN, and the BRICS cable, an ill-fated attempt to build a separate internet for Russia, Brazil, India, China, and South Africa following Edward Snowden’s 2013 revelations about the global breadth of American SIGINT operations.
Governments often also engage in what we’ll call reflexive threat projection: the types of tools they themselves use against their geopolitical adversaries can influence their own threat perception. The kind of massive Denial o Service (DoS) attack this law could be aimed at preventing bears a remarkable resemblance to the 2007 cyberattack on Estonia — attributed to Russia, however Moscow maintains its innocence — in which a massive Distributed DoS (DDoS) attack used a botnet to shut down Estonia’s internet and related services for over 24 hours. Disconnecting an entire country’s internet from the outside world, as proposed in the Duma’s new law, would stop a botnet attack, at least in that services reliant on domestic connections would continue to be available.
In the end, the State Duma is likely reacting both to pressure for increased control from federal regulators and the general political climate in Russia. A series of protests have hit major urban centers in Russia, including one in March against the Internet isolation bill. More importantly, discontent, largely fueled by economic and administrative largesse, has spread out of politically-engaged and young urban centers and into the provinces, traditional strongholds for Putin and United Russia.
What direct impact on Russian internet governance will the law have?
In the short term, the law’s provisions increase Roskomnadzor’s control over the RuNet in two notable ways: controlling traffic exchange points and top-level domains.
Russian ISPs will be required by law to install hardware provided by Roskomnadzor allowing the regulators to cut Internet traffic. This hardware-based regulation and surveillance has precedent in Russia in SORM, an FSB program inherited from the KGB that uses boxes installed with ISPs to collect data for deep packet inspection.
One of the law’s peculiarities is in how it assigns liability for service disruptions. Should consumers experience service outages for banks and telecoms, as is expected, the law does not assign any liability whatsoever. It explicitly states that ISPs cannot be held legally responsible by clients, but Senators and Duma members also rejected a proposal to refer customer complaints to Roskomnadzor itself.
Roskomnadzor’s additional power grab in this law comes in the form of top-level domains. In 2010, Russia received authorization from international internet regulators to create the cyrillic domain .рф (used by the Kremlin for президент.рф). This domain, along with .ru and .su, will now be formed under a non-profit entity controlled by Roskomnadzor. This means that the regulator will now be considered the owner of these domains’ databases by ICANN and IANA, the international organizations responsible for distributing addresses and domains.
Beyond these measures and legal ambiguity, the law remains vague on the types of threats it imagines would motivate Roskomnadzor to invoke its most disruptive measures.
Is a China-like isolation within Russian authorities’ technical capabilities?
Maybe, maybe not. The law itself is rather scant on details for implementation, and describes measures in aqueous terms: using “technical means” to “counter threats” without specifying said “means” or “threats”. This is consistent with previous internet legislation, such as the Telegram ban which has been described as so poorly drafted that it’s practically “unenforceable”.
The law’s execution will determine its technical enforceability. Reporting from Meduza indicates that while the law dictates that Roskomnadzor will provide ISPs with “devices” to “counter foreign threats”, and that these devices will be mandatory and free of charge to ISPs, the law does not detail exactly what these devices will do. The only capability defined is that they allow federal authorities to cut off the RuNet from foreign attempts to disrupt internet services in Russia. China’s Great Firewall consists of technical controls allowing authorities to define the type of traffic permitted and to block everything else at the point of connection between Chinese ISPs and the rest of the world. Russia’s approach, given its state goals, may go further, providing devices that allow authorities to fully sever the RuNet’s connection to the rest of the web.
Jackson Webster is a Paris-based cybersecurity consultant and tech policy aficionado.
