Primer: Capping off months of controversy, espionage claims and international intrigue, the U.S. government ban on Kaspersky Lab software has been signed into law. The ban, wedged into the Fiscal Year 2018 National Defense Authorization Act (NDAA), would preclude all federal computers and connected networks from using antivirus software made by the Russian cybersecurity firm.
The Kaspersky ban, which appears in Section 1634 of the 2018 NDAA, reads as follows:
“No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—
(1) Kaspersky Lab (or any successor entity);
(2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(3) any entity of which Kaspersky Lab has majority ownership.”
Last week, Kaspersky Lab announced that it would close its Washington, D.C. offices, which it stated were “no longer viable.”
Since the founding of the Shanghai Cooperation Organization in 2009, Russian and Chinese officials have frequently discussed joint cybersecurity initiatives. A relatively substantial degree of collaboration was formalized in the context of heightened Russo-Chinese cooperation in 2014 and 2015, with both countries signing an agreement that included cybersecurity cooperation provisions in May of last year. In the words of the agreement’s signatories, its purpose was to limit the use of informational technology designed “to interfere in the internal affairs of states; undermine sovereignty, political, economic and social stability; [and] disturb public order.”
This emphasis on digital sovereignty remains a central tenet of both countries’ cyber policies, even as cooperation on the issue has ebbed and flowed. The non-aggression elements of the 2015 agreement floundered in the implementation stage, in part due to ambiguous language but largely as a result of continued Chinese cyberespionage. This activity rose to unprecedented levels in 2016, with Russian cybersecurity company Kaspersky Labs reporting 194 Chinese cyberattacks in the first seven months of the year alone—compared to just 72 in 2015. These attacks targeted Russian government agencies, the defense and aerospace industries, and nuclear technology companies. And they’re probably underreported: A Kaspersky Labs spokesperson told Bloomberg that only around 10% of their corporate clients exchange data related to hacks with their security network. More here.
Russia Seeks to Build Alternative Internet
TJF: Numerous Russian sources report that efforts are underway to produce a new and independent internet that would align Russia more closely with the BRICS countries (Brazil, Russia, India China and South Africa) while giving Russian political authorities greater control over what they refer to as “digital sovereignty.” In late November, the RBK news agency reported on the proceedings of a recent meeting of the Security Council of the Russian Federation (SCRF), which underscored the national security threats posed by the increasing vulnerability of the global Internet (RBK, November 28). The publicly available SCRF website confirms that a high-level meeting on cyber security did take place, but it does not expand upon it in detail (Scrf.gov.ru, October 25). Russia’s state-managed propaganda mouthpiece RT, however, cited “members of the Security Council” as stating that “the increased capabilities of Western nations to conduct offensive operations in the informational space as well as the increased readiness to exercise these capabilities pose a serious threat to Russia’s security” (RT, November 28). RT also noted that President Vladimir Putin set August 1, 2018, as the deadline for creating an alternative to the Internet.
The creation of an alternative internet—which would allow the governments of Russia and the BRICS countries to control the addressing and routing of electronic communications within their territory—raises many complex questions. For one thing, the establishment of a disjointed and competitive sphere of cyberspace threatens to disrupt and potentially fragment the existing conventions of global Internet practice. Moreover, the creation a “counter-net” would necessitate the establishment of an alternative system of identification, addressing and routing information through a new information network operating in a new “domain name system,” a new DNS. The existing DNS is based on a unique number associated with each originating and terminating point for every Internet transmission, coded in the form of a packet of digital information. The idea of the “RU NET” has long been discussed in post-Communist countries. But until now, this idea has only referred to the Russian-language-speaking Internet activities originating from servers in Russia or in other post-Soviet countries where Russian is recognized as an official language—not to a separate internet architecture (APN, December 14, 2016).
The global Internet is already a network of networks, consisting of a broad common space but with some segmented spheres of activity. Gaining complete control over a specific domain in the cyber-sphere, however, would require gaining autonomy. Full control over the Internet (or any segment therein) could only be achieved by creating “the ability to set policies for naming, addressing and routing” transmissions (Milton Mueller, Will the Internet Fragment?, 2017, p. 22). That, in turn, would require establishing control over the domain name system.
Earlier attempts by Russian authorities to gain control over the digital sphere focused on taking charge of the physical hardware of the Internet, such as transmission facilities, and asserting authority over the places where data resides, particularly web servers. In 2014, Russia’s Ministry of Communications and Mass Media specified data localization requirements in the federal communications legislation (Federal Law No. 242) (Minsvyaz.ru, accessed December 13). The law requires data operators in Russia to store all personal data of citizens of the Russian Federation in databases located inside Russia. This legislation was further extended in December 2016 by a set of measures by President Putin to establish a “digital economy” in Russia (Kremlin.ru, December 1, 2016). The most recent Law on “Security of Critical Infrastructure” was passed in July 2017, and is scheduled to go into effect January 1, 2018 (Pravo.gov.ru, July 27).
In order to control the flow of information not in compliance with the legislation, the idea of blocking transmission through physical facilities located on the territory of the Russian Federation led to the establishment of a single register of websites, maintained by the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor). In an effort to conduct this “filtering,” Roskomnadzor developed and implemented a so-called “blacklist” (Rkn.gov.ru, accessed December 13). But while the blacklist succeeded in blocking some websites it identified as unwanted, it also had the effect of blocking websites linked to those, effectively creating a self-censoring network. Roskomnadzor has now stepped back from this practice, correcting many of those problems of excessive blockage but has nonetheless reasserted the intention to more vigorously pursue the policing of websites (Rkn.gov.ru, December 8). Creating the establishment of a separate domain naming system goes considerably further than efforts to “filter” websites, even though Igor Shchyogolev, the staff member of the President’s Office assigned to mass communications, has insisted the idea is not to fragment the Internet (TASS, March 27, 2017)
The robustness of the current Internet naming conventions probably can be attributed to the fact that the Internet emerged in its early days more as a computer science experiment than as an effort to create a new format for global communication, commerce and governance. The identification of parties communicating on the Internet was established through naming protocols established for convenience and by convention, not for control. But the Internet grew so quickly that management responsibility was turned over to a new body, the Internet Corporation for Assigned Names and Numbers (ICANN), in September 1998, which, on October 1, 2016, was re-chartered as a fully independent, non-governmental organization.
The functions of ICANN quickly attracted international competition. Some governments sought to promote a government-centric framework for addressing and naming conventions, while other parties sought to maintain a multiple-stakeholders approach. The failure of the Russian government and others to prevail in winning greater control for states is what has led to Moscow’s intention to create a “counter-net.” The question of whether an autonomous and detachable “segment” of cyberspace could be fashioned by the Kremlin without resulting in self-imposed isolation is an issue with far-reaching implications.