Feb. 19, 2019
Much has been made of the Russian initiative to wall off its internet (the RUnet) from the global internet. Last week the Russian lower house of parliament debated the first round of a bill designed to turn this hope into a reality. In this Internet Realities Analysis, we unpack what the draft law really says, how it fits with accompanying policies—like the national Domain Name System (DNS) proposal—and what all this means for western policymakers and the global internet realities. We also include a direct translation of the explanatory note submitted by the bill’s proposers, which explains their purported motive for pushing the bill.
Russia has previously discussed building a domestic internet with the capacity to separate from the global one, but via a draft law, the Russian parliament is now apparently moving to make this notion of a domestic Russian internet a reality. According to Meduza, all political parties in Russia’s state Duma opposed the legislation “except for United Russia [President Putin’s party], which has a super-majority in parliament.” The bill is currently in the process of being amended before a second reading in the parliament. If it’s passed, it will then proceed to the upper house of the legislature—the Federation Council—before being sent to President Vladimir Putin’s desk for a signature. To test the practicality of some of the stipulations in the law, Russia plans to disconnect briefly from the global internet on April 1. This all comes amidst Russian governmental plans to route up to 95% of Russian internet traffic domestically by 2020 (article in Russian) and to spin up a national Domain Name System.
Putting aside, for a moment, the possibility that this could all just be a very elaborate April Fools’ Day prank (the test is scheduled for April 1), the Russian scheme is not without precedent. In China, the Golden Shield Project—also known as the Great Firewall—similarly allots legal powers to the government to not only shut the internet down, but also to alter the way packets are routed, as well as what types of information can legally flow over the internet.
Below, we overview what is and is not in the Russian law itself. Then, we analyze the explicit and ulterior motives for its passage, and the extent to which the U.S. and our partners should care. We also include, at the bottom, a full unofficial translation of the law’s explanatory note.
What’s in the Law?
The law, which is actually (another) amendment to the 2003 Federal Law on Communications, technically serves two primary purposes.
First, it pulls “traffic exchange points” under the jurisdiction of the law. This year’s proposed amendments define traffic exchange points as the “communications facilities” that “connect… and pass traffic between communication networks of telecommunications operators”—essentially what we refer to as Internet Exchange Points, or IXPs. The amendments set out that traffic exchange points must comply with orders from and share information with the Federal Service for the Supervision of Communications, Information Technology, and Mass Media—better known as Roskomnadzor, or Roskom. Traffic exchange point operators must also comply with requests from Roskomnadzor that they adjust their routing and develop the capacity to resolve domain names using the—as of yet incomplete—Russian national domain name system (DNS).
The second function of the law is to provide Roskomnadzor with authorities to centralize management over the Russian internet in cases where the “integrity, stability, and security” of the Russian internet is threatened. The law sets out that Roskomnadzor will establish the “procedure, terms and technical conditions for the instillation of technical means” for “countering threats,” as well as the requirements for the use of this technology. Roskomnadzor can then carry out the “centralized management” of the internet by managing these “technical means” of “countering threats” or by sending “binding instructions to telecom operators, network operators, and other persons having an autonomous system number.” In addition, Roskomnadzor will be given authorities to block illegal information resources using this same technology, even when not acting as the centralized manager of the internet. Currently, Roskomnadzor issues orders to telecoms to block undesirable information. The new authority and accompanying technology could allow Roskomnadzor to institute a national firewall similar to the Golden Shield in China.
A big part of this new suite of technology—the “technical means” referred to in the law—will be the national DNS, which the law notes is not yet fully functional but is undergoing creation by Roskomnadzor. Roskomnadzor will also serve as the registrar for the DNS. Any entity that resolves domain names in Russia will have to function in accordance with orders from Roskomnadzor. Although not explicit in the law, the legal requirements for those who route internet traffic to possess the capacity to route traffic domestically allow Russia to viably test—as it will on April 1—completely disconnecting from the outside internet.
What’s not in the Law?
Quite a bit.
First, how will (or can) Roskomnadzor do this technically? In order to carry out the scheme to disconnect the RUnet from the global internet with minimal disruption, Russia will need to duplicate critical elements of the global internet within Russia. Since 2016, the Russian government has been working on designing a system that keeps 95% of Russian internet traffic within Russian borders. The national Domain Name System could play an important role in enabling this shift.
In theory, a comprehensive national DNS would be a step towards keeping routing local, as the DNS queries sent when typing URLs into a browser wouldn’t need to leave the country. However, the DNS server then needs to send a request to a server hosting the website content the user is trying to retrieve. Chances are this will mean pinging a server outside of Russia, unless all web content the Russian state deems legal is also stored on servers within the country. Localizing all prospective content—that is to say storing all the content that someone in Russia would potentially like to access while in Russia on servers in Russia—is a steep challenge, but may be more feasible in Russia than elsewhere, where the content the government wants people to access is relatively narrow, largely Russian language already, and produced by people in Russia.
If (and it’s a big if) Russia is able to create a national DNS and localize content, creating an autonomous internet—that is to say, one that is capable of fully functioning when disconnected from the global network—becomes a matter of either (a) physically cutting off access to the outside internet (literally cutting wires) or (b) cutting off access to the outside internet by manipulating routing protocols. IXPs are the physical buildings that house interconnection infrastructure and facilitate traffic flowing to the right places. Thus, Roskomnadzor’s ability to dictate the actions of IXPs is crucial in the latter scenario, as it will be in a position to order them to alter routing (e.g., through changes to their Border Gateway Protocol configuration), null traffic coming in and out, and reroute requests that would’ve left the country to local servers.
Second, what is the procedure through which Roskomnadzor would exercise the authorities, and when are they activated? While this consideration is perhaps less relevant in a country like Russia where the executive branch of government holds a great deal of power, it’s nonetheless an interesting consideration. According to comments from an individual with knowledge of the drafting process, a new “monitoring center” will be created, which, according to the bill, will be the entity that triggers centralized management. Where this center will be housed and the circumstances under which it will activate the authorities are undefined, leaving the question of when Roskomnadzor can act under these new authorities largely opaque.
Finally, what, exactly, constitutes a threat to the Russian internet? According to Russian cybersecurity and information security doctrines, cyber threats are not limited to just attacks on computer networks, as the U.S. and our partners might define them, but also include things like online content that pose a threat to the stability of the state. There is realistically little reason to assume that the threats referenced herein would be any different, though according to RBC.ru (article in Russian), someone familiar with the drafting of the law claims that a list of threats to the Russian internet exists, even though the list is “closed.”
Why this law? Why now?
According to the an explanatory note that accompanied the draft law, the law—and by association, the internet isolation test—are necessary responses to the United States’ “aggressive” 2018 cybersecurity strategy. The fact that the U.S. has “unprovenly” accused Russia of hacking operations against the United States “frankly” declares the need for “punishment.”
The reasoning for the law offered in the explanatory note—an “aggressive” American cybersecurity strategy that threatens to bring down Russia’s entire domestic internet—is not likely the only motive. Under President Putin, the Russian state has repeatedly used “cybersecurity” as top cover for passing restrictive internet laws at home and pushing authoritarian internet norms in the international arena. Censorship, pervasive surveillance, and traffic throttling—slowing access to or spiking access costs for certain sites—are all characteristic of this approach.
Cyber insecurity does, of course, provide a compelling reason to continually reassess trust in the internet. In addition to the malicious code flowing across the global net, justifications for such reassessment also include the vulnerability of some internet protocols, like the Border Gateway Protocol that routes global internet traffic, to manipulation. Large-scale Distributed Denial of Service (DDoS) attacks are also a growing threat, as millions of insecure Internet of Things devices can be easily hijacked at scale and used to flood internet traffic to a particular web service.
Indeed, according to the same RBC.ru source as cited above, a potential, massive DDoS attack is one “real threat from the outside” that would trigger Roskomnadzor’s new authorities. As Justin previously wrote, the Russian state views the internet with suspicion. It enables access to undesirable information, coalition building, and anti-regime speech. Vladimir Putin has referred to it as a CIA project. It follows, therefore, that the internet must be tightly controlled, and by the Russian state. However, as the primary champion of a global and open internet—at least rhetorically—it is hard to see the U.S. moving to shut out an entire people from the internet, even as we move into an era of great power competition.
Nonetheless, the claim that the state must do more to “secure” the internet isn’t unique to Russia, either. More countries are temporarily isolating (“blacking out”) the internet within their borders due to unrest and other political events. China has, for the better part of two decades, exercised strict control over content domestically. Iran has a relatively isolated Halal net, when it needs to. North Korea has just one physical entry point to the global network and controls that access strictly.
Even in more liberal countries, governments have sought to preserve an in extremis legal authority to exercise control over the internet. To compare these policies would represent a grasp for false equivalence and ignore the broader context—like the respect for rule of law, norms and laws about freedom of speech and basic human rights, and limits on executive power. The broader legal context in which these new internet changes sit matters.
Nonetheless, concerns over cyber attacks and influence campaigns have led governments to reconsider what free and open means in the context of governance of the internet, leading to the construction of national-level programs to identify and filter out malicious traffic as it enters the country. For example, a 2012 Executive Order in the U.S. further codified the legal powers of the Office of the President of the United States to order a shutdown of the internet in the U.S. in extremis—colloquially referred to as the internet kill switch. The U.K. government has also implemented programs aimed at filtering data rather than content, in an effort to strengthen its ability to protect its citizens from cyber attacks. The key distinction between these programs and the new Russian program or the Chinese great firewall lies in the former’s narrow definition of maliciousness or threat and restrictions on the arbitrary exercises of power through adequate rule of law.
Furthermore, it is unclear the extent to which the proposed legal changes will actually allow the Russian state to ensure greater cybersecurity. And the weak foundation of cybersecurity motivations for the law have not escaped the few Russian policymakers opposing the bill. According to Sergei Ivanov, of the opposition Liberal Democratic Party (via Bloomberg):
It has nothing to do with protecting the Russian internet from being shut off from abroad. You know how the Chinese internet works—there is a list of banned websites that you can’t access from China and a list of key words you can’t search for. This is what you want?
Ivanov’s statement is probably not far from the truth. For years, Russia has looked enviously upon its southeastern neighbor’s ability to monitor and control information flows domestically. Now, it has the legal authority—and is working on the technology—to do so itself.
Should the U.S. and our partners be concerned?
Yes and no. A global and open internet is strongly in the interest of the people who use it. It’s a major economic booster, allows checks on governments through practices like microblogging and confidential whistleblowing, and heightens global information-sharing. It’s also, as we’ve argued in the past, strongly in the interest of democracies to maintain the openness (at least as far as content is concerned) of the internet. And the United States and its democratic allies have long done so, promoting a global and open internet through government strategies and international agreements.
The challenge here is that “global internet” and “open internet” aren’t necessarily the best descriptors for what exists now. Rather, what we’d like to think of as the global and open internet is instead a series of connected networks, over which states—and sometimes companies—exert varying degrees of control.
What should primarily concern the United States, therefore, is how this law, and this disconnection test, could push the global network further away from an open information environment, especially in places where it’s not already relatively closed off. The likes of China, Iran, Russia, Turkey, the UAE, and many other authoritarian countries have taken a clear stance on the internet: they want to tightly restrict it, exercising technical and physical controls that consolidate power and prevent politically undesirable speech and assembly. Others—U.S., U.K., the E.U. bloc, Israel, and Japan, to name several—have clearly opposed this model of the internet, pushing, as discussed, a global and open approach. Many countries still have not decided.
It’s in the countries of this third group where the global competition over internet governance truly takes place, and viable models for configuring and governing the internet—like Russia’s model for internet control—are powerfully persuasive tools in that context. What should worry the U.S. and our partners is that the model for sovereign control over the internet seems to be pulling ahead in the global push-pull for the internet. This is in part because of the strong marketing campaign by the likes of Russia and China that paints the internet as a source of insecurity and instability, rather than a source of greater freedom and prosperity. But it’s also in part due to our inability to counter that narrative with models that manage instability and insecurity, while maintaining an open content environment.
Full translation of the explanatory note accompanying the law
The draft federal law "On Amendments to Certain Legislative Acts of the Russian Federation" was prepared taking into account the aggressive nature of the US National Cybersecurity Strategy adopted in 2018. The document, signed by the President of the USA, proclaims the principle of "maintaining peace by force". Russia is directly and unprovenly accused of hacker attacks, and the strategy frankly states the punishment: "Russia, Iran, and North Korea conducted reckless cyber attacks that harmed American and international businesses and our allies and partners without paying costs likely to deter future cyber aggression."
Under these conditions, protective measures are necessary for ensuring the long term and stable functioning of the Internet in Russia, increasing the reliability of Russian internet resources.
The bill provides the following provisions:
The necessary rules for routing traffic are determined and control over compliance with them is organized. This creates an opportunity to minimize the need to transfer data exchanged between Russian users abroad.
Cross-border communication lines and IXPs are defined. Their owners [and] telecom operators are required to ensure the possibility of centralized control over traffic, in the event of a threat.
It is possible to install technical equipment on telecom networks that determine the [original] source of traffic. Technical tools will have to be able to limit access to [internet] resources with prohibited information not only by [blocking] network addresses, but also by prohibiting the passage of passing traffic.
The infrastructure to ensure the operability of the Russian Internet in the case of Russian telecom operators’ failure to connect to foreign root servers is being created.
It [the law] introduces the need for regular exercises of government authorities, telecom operators, and owners of technological networks to identify threats and develop measures to restore the Russian Internet segment.
The Government of the Russian Federation determines the centralized response to threats to the operability of the Internet and public communications networks through the Center for Monitoring and Management. Response measures will be determined over the course of the monitoring and operation of the technical elements of the public communication network, among other things.