Russia’s new foreign policy concept drafted by the Foreign Affairs Ministry for the first time mentions the notion of international information security. The policy posits that Russia “will take the necessary measures to ensure national and international information security and prevent threats to the political, economic, and public security of the state, which arise in information space.” The policy also includes measures to “fight terrorism and other criminal threats in the field of information and communication technologies, and prevent their use for military-political purposes that go against international law, including actions aimed at interfering in internal affairs and jeopardizing international peace, security, and stability.” Russia intends to “press for the drafting, under UN auspices, of an international code of conduct for information security” and facilitate in all manner possible “the development and strengthening of high legal and ethical norms for the safe use of information and communication technologies.”
The concept addresses both foreign and domestic policy issues that cannot be separated from each other in the modern world. Information security relates to the fight against crime and terrorism, military affairs, intelligence, and diplomacy. The new policy also addresses human rights and how those rights could be restricted to protect national security.
However, the Russian authorities see information confrontation as the biggest threat, along with the use of information and communication technologies for political purposes. This topic became a Russian priority after the so-called Arab Spring had exposed the mobilization potential of the Internet, or rather of social networking services like Twitter and Facebook. Although many commentators later came to the conclusion that social networks were not so much the cause of revolutions as a new weapon used by revolutionaries, Russia has grown more mindful and wary of this issue. The majority of Russian government and security service officials believe that the scenario for the Arab Spring was written in the West.
Today we can see two processes that are intertwined, but are moving in opposite directions. There is the growing technological openness of the state (prompted by the development of information and communication technologies, and their increasing penetration into new spheres of life) on the one hand, and the desire of the authorities to clamp down and control this area on the other.
On the domestic front, this trend has manifested itself in much broader authority given to law enforcement and security services to fight cyber crime (ranging from illegal content to attacks on government websites). In terms of foreign policy, Russia has stepped up diplomatic efforts to advance its views on how to act with and manage the Internet. These processes have been accompanied by the growing militarization of global cyberspace and by attempts to use it for espionage, especially for commercial purposes.
Almost all major forums from the UN, G8, and G20 to the OSCE, BRICS, and the annual security conference in Munich, have discussed the future of international information space. There may be different reasons for such increased attention to this issue, but they all have one thing in common – countries that have moved the farthest in this respect have also become the most vulnerable. While Russia is worried about the use of new technologies to wage information warfare and destabilize regimes, the U.S. is concerned about using the Internet for criminal, terrorist, and military purposes. Notably, until recently the U.S. did not recognize the threat of cyberspace militarization or the possibility of interstate conflicts in this field.
THE BUSH LEGACY
The U.S. was the first country to use cyber weapons. In his 2012 book Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, David Sanger, chief Washington correspondent for The New York Times and a Pulitzer Prize winning author, discusses the Stuxnet virus, which markedly slowed down Iran’s nuclear program. Sanger claims that in 2009 outgoing U.S. President George W. Bush asked newly elected president Barack Obama to maintain two secret programs that sanctioned the use of drones in Pakistan and developed cyber weapons to attack infrastructures in selected countries. Obama approved the idea of a cyber war and ordered the increased use of cyber weapons. This led to the creation of the Stuxnet virus and other initiatives.
Many Russian and Western experts think that the Flame virus – the most sophisticated cyber weapon to date according to the Kaspersky Laboratory – was created by the makers of Stuxnet. No details about this worm were available until last spring, even though it has been attacking facilities in Iran and other Middle Eastern countries since 2010 at least. Flame infects a computer via USB stick or through the local network, copies data, and sends the data to command servers. Not only does Flame steal information from files stored on the computer, but it also takes screenshots every 60 seconds. If an e-mail account or an ICQ client is running, snapshots are taken every 15 seconds. Flame can activate a built-in microphone via remote access and make a recording. Flame uses Wi-Fi and Bluetooth technologies to gather information from peripheral devices like mobile phones and notebooks.
However, it should be pointed out that some Western commentators believe the first interstate cyber war was in 2007, when Estonian government websites were attacked after a row over the relocation of a World War II monument to Soviet soldiers in Tallinn. The role of official Russian agencies in the attack was never proved. Actually, it later emerged that Internet traffic had been carried mostly through servers outside of Russia and even through Estonian infrastructure facilities.
Until recently, the U.S. has preferred to keep silent about the threat of using cyberspace for military purposes (while Russia has been talking about this since the end of the 1990s), but now it is preparing for cyber warfare more actively than other countries. In 2010, the U.S. became the first country to officially recognize cyberspace as a potential battlefield on par with land, sea or air. In 2011, the U.S. was the first country to develop an operational strategy for cyberspace, which allowed the U.S. to respond to computer attacks using all available resources, even nuclear weapons. The U.S. had outpaced other countries in creating a paramilitary structure for repelling virtual attacks known as U.S. Cyber Command, which is headed by General Keith Alexander. Initially, this division had a staff of around 1,000 employees, but last fall the Pentagon announced ambitious plans to recruit specialists, including former computer hackers. According to The Washington Post, the Command’s staff will grow almost five-fold.
At first, the U.S. flatly denied any plan concerning the design of offensive cyber weapons. The non-classified part of the Pentagon’s cyber strategy says that the U.S. military’s actions would be solely defensive in nature. However, in late 2011, Congress gave the go-ahead for the development of offensive cyber technologies. The first proof came to light last fall that the Pentagon had started taking practical steps towards this goal. The U.S. Air Force is now planning to buy malicious software that can disrupt or even destroy enemy computer networks and control centers. At the same time, the Defense Advanced Research Projects Agency (DARPA) announced a tender for an interactive map showing how well military infrastructure facilities in other countries are protected from U.S. cyber attacks.
In parallel, the U.S. and its NATO allies have started improving the security of their networks and critical infrastructure facilities. This work is far from completed. In October 2012, Defense Secretary Leon Panetta admitted that the effect from a major cyber attack on such facilities could compare to the 11 September 2001 terrorist attacks and lead to a “cyber-Pearl Harbor.” “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country,” Panetta warned.
CATCH UP AND RESTRAIN
Russia is cautious about the increased U.S. activity and believes such action is one of the main causes of the global cyber arms race. Several countries have lately created special cyber units within their armed forces (China, India, Israel, Great Britain, Iran, and Estonia).
Although its defensive and offensive capabilities in cyberspace clearly fall behind those of the U.S., Russia has lately redoubled its efforts in this field. In late December 2011, the Russian Defense Ministry presented a document on the activities of the Russian armed forces in information space, which classifies this space as a potential theater of war. In addition, Moscow has reserved the right to individual or collective self-defense using all available methods and means “during conflict escalation in information space.” In March 2012, the Russian authorities officially announced their intention to create a cyber command similar to that in the U.S. However, some sources say the command center has already been operating for at least a year and has about 150 employees. In January 2012, Russian President Vladimir Putin instructed the Federal Security Service to develop a national system for the forecasting and prevention of cyber attacks, and gave the agency broader authority to fight cybercrime.
The Russian Security Council and Foreign Affairs Ministry pay a great deal of attention to international information security. The Foreign Ministry created a new position with the rank of ambassador at large in March 2012 for a special coordinator to oversee the political use of information and communication technologies. Andrei Krutskikh, who had earlier worked as deputy director of the Department of New Challenges and Threats at the Foreign Ministry, was appointed to this post. The ministry may soon also create “an office for international information security in the Department of New Challenges and Threats,” which will deal exclusively with international information security issues.
One of the agency’s key tasks will be to advance initiatives mentioned in the Russian foreign policy concept that call for drafting an international code of conduct for Internet users and making sure it is adopted by the United Nations. Two documents were made public in 2011. On 12 September 2011, Russia, China, Tajikistan, and Uzbekistan presented at the UN General Assembly a joint draft international code of conduct for information security. Its authors called for fighting “the spread of information that inspires terrorism, separatism, and extremism, or that undermines political, economic, and social stability in other countries.” At a meeting of the security chiefs of 52 countries in Yekaterinburg two weeks later, another document was presented – a draft UN convention on international information security, prepared jointly by the Russian Security Council and the Foreign Affairs Ministry. The document describes in detail the principles for regulating the Internet in the face of military-political, criminal, and terrorist challenges.
The main threats addressed in the documents proposed by Russia include: “the use of information technology and means of storing and transferring information to engage in hostile activity and acts of aggression; purposefully destructive behavior in information space directed against critically important governmental structures of another country; the manipulation of the flow of information in the information space of other governments, disinformation, or the concealment of information with the goal of adversely affecting the psychological or spiritual state of society, or eroding traditional cultural, moral, ethical, and aesthetic values; and mass psychological campaigns carried out against the population of a state with the intent of destabilizing society.” The Russian government considers such actions elements of information warfare and insists that these activities be recognized as crimes against international peace and security.
Additionally, Russia insists that the principle of non-interference in information space be enshrined in the convention: “Each state party has the right to make sovereign norms and govern its information space according to its national laws.” Although the document says that states should protect the freedom of speech on the Internet and “may not restrict citizens’ access to information space,” the text contains an important proviso that governments may impose restrictions “for the protection of national and public security.”
In addition to the ban on the use of the Internet to interfere in other countries’ internal affairs and to overthrow regimes, Russia has also proposed prohibiting the militarization of information space, while giving national governments a free hand within their respective segments of the Internet. At the same time, Russia has emphasized that these documents are no more than a basis for further discussion – an “invitation to a dance,” so to speak.
A FOREBODING OF DISASTER
The U.S. and its NATO allies rejected Russia’s initiatives as an attempt by a weaker party to constrain a stronger one. The U.S. said the proposal to forbid nations from developing offensive cyber technologies was “unrealistic,” since traditional agreements (like the Nuclear Non-Proliferation Treaty) would not be very useful in cyberspace. U.S. officials described calls to extend the principle of sovereignty and non-interference in internal affairs to the World Wide Web as an attempt to impose censorship and state control over the Internet.
At the time, U.S. Secretary of State Hillary Clinton said: “Some governments use Internet governance issues as a cover for pushing an agenda that would justify restricting human rights online. They want to replace the current multi-stakeholder approach, which includes governments, the private sector, and citizens, and supports the free flow of information, in a single global network. In its place, they aim to impose a system cemented in a global code that expands control over Internet resources, institutions, and content, and centralizes that control in the hands of governments. In effect, the governments pushing this agenda want to create national barriers in cyberspace. This approach would be disastrous for Internet freedom. More government control will further constrict what people in repressive environments can do online. It would also be disastrous for the Internet as a whole.” Unlike Russia, the U.S. neither recognizes the notion of “national Internets” nor considers measures to penetrate censorship controls in other countries (including China) as interference in the internal affairs of a sovereign country. The U.S. insists that access to the Internet is a universal human right that cannot be restricted under any circumstances.
The U.S. also believes that there is no need for new agreements, since existing ones (such as the Budapest Convention on Cybercrime of 2001) can be adjusted to present-day realities. (Russia did not join the convention because it disagreed with a provision that allows the security services of one country to infiltrate the cyberspace of another country, thereby carrying out operations without notifying the local authorities.)
The fundamental contradiction between the West, which believes that cybercrime, espionage, and terrorism are the main threats in the modern world, and Russia, which is concerned primarily with information confrontation, is vividly manifested in terminology as well. Russia speaks of “international information security” and emphasizes political and ideological confrontation, while the U.S. prefers to use the term “cyber security” and focuses on the protection of computer networks and resources.
LAST CHANCE FOR A BREAKTHROUGH
The debate over cyber security has led to the emergence of two groups of countries that considerably disagree over the future of the Internet. One group includes the U.S. and its NATO allies; the other group is made up of Russia, China, Kazakhstan, Belarus, Armenia, Tajikistan, Iran, and a few other nations. Some experts have rushed to call the virtual conflict between the West and the East “Cold War 2.0.”
The most glaring disagreements in the debate came to light during a conference on international telecommunications in December 2012 in Dubai. Russia and its allies tried to limit the U.S. role in governing the Internet by delegating some of the powers from the U.S.-based non-governmental organization ICANN (which assigns domain names) to the United Nations and national governments. The U.S. and the European Union took Herculean efforts to counter the Russian initiative, saying its implementation would be disastrous. The standoff ended in a tie, with 89 countries signing a new version of the telecommunications treaty, which partly reflects Russia’s proposals, but 55 countries spoke up against it. De facto this means that the trench warfare will continue.
It is very unlikely that the sides will be able to bridge the gap in their positions and reach a new comprehensive international agreement any time soon. Nevertheless, Russia and the U.S. are continuing their dialogue. Although they have little hope of changing each other’s opinion, the two countries are trying to at least ward off the worst. In fact, it is very hard – in most cases impossible – to track down the source of an attack. For example, a Chinese hacker can sit in an Internet cafО in New Zealand and attack U.S. sites through Russian infrastructure. Since the U.S. and Russia have reserved the right to respond to cyber incidents like they were conventional acts of aggression, this kind of an incident could have catastrophic consequences. To avoid that, the two countries are trying to work out confidence-building measures that will include exchange of information and creation of special crisis hotlines in case of major cyber attacks. These are fundamentally important initiatives. If someone destroys a dam in the U.S. through cyber subversion and that strike causes many deaths, the Americans will not retaliate even if they trace the attack to Moscow. With a crisis hotline in place, the U.S. at least will have to ask for an explanation first.
Although beneficial to both sides, the talks are progressing with great difficulty and are becoming bogged down in the quagmire of ideological contradictions: one day the U.S. might demand that the text be amended to add a paragraph on human rights on the Internet; the next day Russia insists on the inviolability of national sovereignty and non-interference in internal affairs. Sometimes these disagreements bring the discussion to the point of absurdity. Presidents Putin and Obama could have signed a bilateral agreement on cooperation in cyberspace and confidence-building measures in June 2012 on the sidelines of the G20 Summit in Mexico, but never did because of just one word. To avoid a dilemma over which term to use – “international information security” or “cyber security” – the two countries agreed to a compromise: “security in the use of information and communication technologies.” However, at the last minute the U.S. demanded that the word “use” be removed, putting emphasis on physical protection of its computer systems. But this issue is of paramount importance to Russia, which believes that the point is not protecting computer networks and resources, but knowing who can use information and communication technologies, how, and with what aim (in other words, whether such technologies will be used for psychological warfare and propaganda or not). Consultations on the issue are continuing.
With U.S.-Russian relations in decline again, international information security seems to be one of the few areas where a breakthrough is still possible. But if the two countries fail to come to an agreement soon, cyberspace may turn from a uniting factor and a potential area for cooperation between Russia and the U.S. into an arena for confrontation.
