MS Risk Blog

Possible Consequences of the Recently Enacted Russian Internet Law

Posted on in Uncategorized title_rule

The Russian “sovereign internet” law that took effect on November 1 gives the Russian government the possibility to switch off internet connections within Russia from external traffic “in an emergency”. What constitutes one is up to its government. There are two important aspects of this law: cyber security and surveillance.

Let us first deal with the cyber aspect. Russia claims that the law is only meant to be a protective measure in response to the US’ introduction of more aggressive cyber security policies. It aims to reduce reliance on foreign services by requiring internet service providers to install network equipment using deep packet inspection (DPI) which is capable of identifying the source of traffic and filter content. A back-up domain name system (DNS) will come into operation in order for Russia’s own domestic internet to continue functioning. Internet service providers will have to disconnect from foreign servers and rely on this DNS instead. In this way, it will have a back-up internet when it shuts itself off from the global web.

The parallel web run solely on Russian internet servers is meant to enable Russia to combat incoming cyber-attacks and to preserve their own domestic network if the West decide to cut the country off from the world wide web. These are certainly some of the secondary benefits of the law. However, a security expert said that this law signifies that Russia is preparing to protect itself from the consequences of launching cyber-attacks. Russia knows that if it undertakes a cyber-attack there is no guarantee that it won’t damage their own economy and systems. By pre-emptively cutting itself from the internet, it can avoid the blowback effect its attacks would have on its own internet.

The second aspect of this law is that it is part of a global trend to try to take control over the internet. These measures, including website blocking and mass surveillance, are in practice much better at monitoring and controlling the country’s own population than they are at fighting foreign interference. This suggests that the law will have greatest effect on freedom of expression rights. In addition, Russia cannot completely cut itself off from the internet if it wants to maintain contact with foreign entities for purposes such as trading. It therefore seems unlikely that Russia would go so far as cutting itself off as long as it wants to maintain business relations. Again, that suggests that the law might be used for the purposes of monitoring Russia’s citizens rather than for cyber protection as the country claims.

That said, it is also true that as a state becomes more dependent on the internet for its infrastructure, it becomes more vulnerable to attacks. Russia knows this well as it has become involved in two of the most direct examples of what we generally describe as cyberwarfare, involving Estonia and Georgia. According to a security expert, in the event that a war breaks out between Russia and NATO it is likely that Russia would be quick to cut its internet off from external traffic. Russia’s internet traffic, like many other countries’, is routed through US exchange points. The fear was that Russia relied too heavily on the US for their internet access. The law intends to solve this by requiring implementation of technical measures that will re-route it through national exchange points instead.

Tech analysists have questioned whether this will actually work in practice. The law does seem to have a feature that is common in laws relating to the internet – that it will be very hard to implement in practice. Russia also has a “pretty poor track record” of technical implementation when trying to impose its national security ideas on the internet. Increasing their cyber defence has been on the Russian government’s agenda for years. This process only accelerated after the 2008 war with Georgia where Russia’s armed forces’ performance in the information domain was criticised. However, back in 2012 internet platforms and service providers said they couldn’t do what the current law requires. It simply wouldn’t work with the internet because it relies on free flow of information across the borders.

But on the other hand, Russia has come a long way since then. It has been practicing and trying to get the technical measures in place for a sufficient number of years now. One thing Russia has been working on is technical measures that can clamp down sources and means of communication that it dislikes. The other thing the country has been doing is to conduct trial runs of the so-called internet kill switch. These were overseen by the country’s telecom watchdog Roskomnadzor, which regulates the internet. Roskomnadzor also began installing the equipment required by the law in September 2019.

The enactment of this law tells the rest of the world that Russia can survive, and even thrive, in complete isolation.  This may be particularly concerning for NATO after Colonel Jaak Tarien’s, the chief of NATO Cooperative Cyber Defence Centre, commented on December 4 that it has been slow in its response to the threat of cyber-attacks. “Unless it is a real war, NATO moves at NATO’s pace”, he said ahead of the NATO leaders gathering in London to discuss issues related to cyber security. Still, the law will most likely not have any immediate dramatic effect. The country does not yet have a switch it can simply flick when it suddenly wants to do something.

As such the actual effects this law will have is difficult to predict. However, instead of deterring other countries from launching cyber-attacks against Russia, the enactment of this law may actually encourage them to increase their own cyber abilities. Meanwhile its effects in relation to increased censorship and surveillance could encourage more protests like the ones that took place when the law was first signed.