Authors: Alexander Tabachnik and Lev Topor*

Cyber warfare is becoming more prominent and frequent than ever before in the international arena. Struggle for hegemony, influence and power pushes international actors, mainly states, into developing their cyber capabilities to spy, sabotage and influence other actors. Globalization and the proliferation of knowledge, know-how, expertise and technology in general have made cyber warfare relatively cheap and easy to execute in comparison with conventional warfare. In fact, international law regarding cyber warfare, specifically the lack of it, as well as newly emerging norms between states, have made cyber warfare especially lucrative. That is, since there are no binding norms or laws regarding cyber operations, and since it is extremely difficult to attribute a cyber attack to a real attacker, traditional military or economic punishment is difficult to justify. This makes deterrence slow, blunt and ineffective.

In this article, we seek to discuss the importance of the Russian cyber domain and its position in the international struggle for power, influence and national security. Specifically, we argue that Russia’s cyber domain acts as a barrier from foreign cyber operations, especially since the West has escalated its operations against Russia in recent years. We also argue that in the field of national security and national interests within the cybersphere, Russia has an advantage over other powers such as the United States or the United Kingdom. Further, we elaborate and discuss the structure, vulnerabilities and importance of cyberspace in international relations, as well as the current state of Russia’s defensive cyber domain.

Less-regulated cyber domains, such as those of the U.S. and UK, are vulnerable and prone to foreign attacks not only by their adversaries but by rogue and anonymous hacking groups and cyber criminals [1]. Interestingly, clandestine surveillance programs such as the American Presidential Policy Directive 20 (PPD-20), which was leaked by Edward Snowden in 2013, allow the U.S. to spy on citizens and foreigners, but not to completely protect itself from cyber operations. It is difficult to guarantee both security and privacy. However, since cyber attacks are on the rise, should security not come first?

Interestingly, in that regard, the Russian cyber domain is “one step ahead” of other international actors, mainly global powers such as the U.S., the UK, most of the European Union and others. Due to the problem of attribution and the increase in the practice of cyber warfare, Russia perceives the cyber domain, cyberspace, as a threat to Russian national security and stability. On the one hand, the U.S. unsuccessfully tried to present the norm of privacy as more important than security and carried out espionage and regulation through hidden initiatives such as PPD-20. On the other hand, Russia acted with transparency when it placed the norm of security ahead of privacy and accordingly changed its regulation of the cyber domain. Indeed, criticism has been raised over recent Russian initiatives such as the Yarovaya Law or the Sovereign Internet Law. The criticism and concerns are legitimate. However, we argue that with respect to the international struggle over power and security, Russia has the lead over Western powers. Philosophically speaking, what good is privacy if there is no national security? Moreover, Russian privacy is undermined by foreign forces (i.e., states, cyber criminals) that spy and exert influence.

Cyberspace: Structure and Vulnerabilities

Cyberspace is complex and ubiquitous. By the definition of the U.S. Joint Chiefs of Staff (JCS), cyberspace is “the domain within the information environment that consists of the interdependent network of information technology (IT) infrastructures and resident data. It includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” Moreover, the U.S. JCS refers mostly to the operational level of virtual cyber operations. At the same time, in practice, cyberspace is comprised of several layers, each with its own unique characteristics. Each layer facilitates and acts as the infrastructure for the next one. Thus, as suggested by Yochai Benkler or by Nazli Choucri and David D. Clark, there are four layers to cyberspace: the physical foundations, the logic layer, the information layer, and the users. These layers affect IR and IR affects them.

The physical layer of cyberspace is the infrastructure. It consists of the physical elements which are necessary for the function of the internet. Fiber optic cables, nodes of cables, satellites, cellular towers, servers, computers, and other physical components all serve as a base for the next layer (the logic). Fiber optic cables are of great importance since they interconnect the world, mostly via submarine cables. These cables carry approximately 95% of the intercontinental telecommunications traffic, with the rest being satellite communication used for military and research. Without such an extensive layout, the internet would have been in use only by state actors and not the general public, globally. The vulnerabilities of this layer lie within the physical elements themselves – cables can be cut, damaged, hacked, eavesdropped. Furthermore, physical damage is difficult to repair (in most cases) as it requires special ships and equipment. In the case of satellite damage, a new one would probably be needed. Repairs are difficult and expensive.

The next layer is logical. The central nervous system of cyberspace is responsible for routing information and data, from clients to servers and back to clients. This happens through systems such as the domain name system (DNS), Transmission Control Protocol (TCP), internet protocols (IP), browsers, software that makes use of physical foundations, and websites, to name key examples. The vulnerabilities of this layer are numerous, while manipulations to the communication systems and denial of service (DoS) are just a few examples.

For instance, in regard to the physical and logical layer, Russia was accused of attacking the American power grid. The U.S., as it was mentioned earlier, also attacked the Russian power grid. Another example is that during the Cold War, American ships and submarines conducted espionage and eavesdropping operations on Soviet undersea communication cables. Today, the U.S., Russia, China, and other capable powers conduct underwater espionage operations.

Next is the information layer, comprised of encoded text, photos, videos, audio, and any kind of data stored, transmitted, and transformed through the IPs. The main vulnerability of this layer is the information itself, which is susceptible to manipulation by malicious or unwanted means such as disinformation material and malware. Foreign actors can also steal valuable and protected information. Needless to say, all of the mentioned types of information can be manipulated and adapted as needed for cyber operations.

The final layer consists of the users who shape the cyberspace experience and its nature by communicating with each other, creating and spreading content. The main vulnerability of the users is other manipulative users (i.e., foreign agents, criminals, terrorists). In this regard, for instance, the global Covid-19 crisis has also seen an “infodemic” alongside it. A “global battle of narratives” is taking place, as argued by the European Union High Representative for Foreign Affairs and Security Policy, Josep Borrell, on March 24, 2020. China is accused of promoting theories suggesting that the American Army was responsible for introducing the disease while visiting Wuhan in October 2019. Thus, while the outbreak might have occurred in Wuhan, this kind of disinformation campaign shifted the perception of origin away from China and blamed the virus on the U.S. “Not wishing to waste a good crisis,” China (as well as others) is promoting an intelligent and data-driven campaign against its global adversaries.

Cyber Warfare: A Tool of International Security

Since Westphalia, states longed to preserve their sovereignty. States, especially great powers, usually prefer to avoid conventional conflict and to avoid MAD (Mutual Assured Destruction), as was experienced during the Cold War. Whenever states do intervene in the affairs of others, they do so to acquire territory, domains or power to protect ethnonational groups, as well as economic, military or diplomatic interests. States also intervene due to ideological reasons and, lastly, to keep or adjust the regional or global balance of power. Hence, cyberspace serves as the perfect domain to avoid conventional military conflict and even a MAD situation while trying to obtain the reasons for intervention. Thus, states and other IR actors do so by using cyber warfare strategies and tactics.

Cyber warfare could be broadly defined as the use of cyber weapons and other systems and means in cyberspace for the purpose of injury, death, damage, destruction or influence of international actors and/or objects. Acts of cyber warfare can be executed by all types of IR actors, including individuals, organizations, companies, states, and state proxies. Cyber warfare is an integrated part of the defense and offense strategy used by many international actors. Russian military officials do not use the term “cyber warfare” as a standalone term. They prefer to conceptualize it within a wider framework of information warfare – a holistic approach which includes, inter alia, computer network operations, electronic warfare, and psychological and informational operations.

Regarding IR and international security (IS), cyber warfare can be viewed from two different perspectives: a revolutionary perspective and an evolutionary one. From a revolutionary perspective, cyber warfare and cyber weapons are a revolution of military affairs to some extent, in the same way that sailors once perceived the development and spread of airplanes. That is, much like airplanes, cyber weapons can transform strategies and shift the balance of power in the international arena. From an evolutionary perspective, cyber warfare and cyber weapons serve merely as a tactical development with no drastic strategic changes. As mentioned before, IR actors still seek power and influence over others and are willing to fight over it, as they did for centuries. We assume that the Russian approach to the cyber domain can be defined as evolutionary. This argument was also proven to be valid for the term “Hybrid Warfare,” as recently published by Vassily Kashin.

Generally, the arsenal of cyber warfare tactics includes acts of espionage, propaganda, denial of service, data modification and infrastructure manipulation or sabotage. Further, according to the Tallinn Manual on The International Law Applicable to Cyber Operations, some tactics such as espionage or data modification and false information spread are not illegal. At the same time, cyber attacks can be regarded as kinetic attacks and retaliation can be justified only if the victim can reveal the true and full details of the perpetrator — a very limited and rare phenomenon nowadays.

Consequently, the characteristics of cyber tactics make them very attractive for use. Countries like the U.S., UK, Russia, China, smaller regional powers such as Israel or Iran, rogue states like North Korea and even terror organizations and human rights organizations are all shifting towards cyberspace.

Russian Cyber Sovereignty: A Barrier Against Foreign Influence

Russian authorities perceive cyberspace as a major threat to Russian national security and stability, as the flow of information in cyberspace could undermine the regime. Social networks, online video platforms, secure messaging applications and foreign-based internet mass-media remain a great concern as Moscow has no control over information on these platforms, which are either created or influenced by Russia’s global competitors such as the U.S. or the UK. Yet, as we show, cyberspace is a domain only partly controlled by the authorities, enabling a relatively free flow of information while Russia still seeks to take some necessary precautions.

Russian authorities, through legislation and cyber regulation, strive to control Russian cyberspace in order to prevent or deter, as much as possible, the dissemination of information which may mar the positive representation of its regime, or any activity which may endanger the regime’s stability. Therefore, Russian authorities seek to control the content of the information layer and the information circulating in Russian cyberspace.

Generally, Russian legislation directed at control over domestic cyberspace consists of two major categories, which are also interconnected. These categories can be defined as legal-technological and legal-psychological. The most prominent legal-technological efforts by Russian authorities consist of the following measures: the Yarovaya Law; Russia’s “sovereign internet” law; the mandatory installation of the SORM system; and the law making Russian applications mandatory on smartphones or other devices. Simultaneously, the legal-psychological efforts consist of three major measures: the “disrespect” law; the “fake news” law; and the new “foreign agent” law. As further explained, these are meant to deter Russians and others from spreading disinformation from within.

The Yarovaya Law obliges provision of encryption/decryption keys (necessary for decoding transmitted electronic messages/information) to Russian special services (such as the FSB) upon request by distributors of information such as internet and telecom companies, messengers and other platforms that allow the exchange of information. Moreover, according to this law, Big Data attributed to activity in Russian cyberspace must be stored in Russian territory, while the special services should have unrestricted access to this data [2]. For example, companies like Facebook or Google must store information concerning data and activities of their Russian users in Russian territory and provide unrestricted access to the Russian special services.

Furthermore, the Decree of the Government of the Russian Federation from April 13, 2005, (number 214) with changes from October 13, 2008, regarding SORM (Russia’s System of Operational-Investigatory Measures), requires telecommunication operators to install equipment provided by the FSB. This allows the FSB and other security services to monitor unilaterally and unlimitedly, without a warrant, users’ communications metadata and content. This includes web browsing activity, emails, phone calls, messengers, social media platforms and so on. Moreover, the system has the capability of Deep Packet Inspection (DPI). Thus, the SORM system is one of the major tools helping implement and regulate the Yarovaya Law. While the Yarovaya Law is criticized by many for harming citizens’ privacy, it could be extremely effective for its initial and official purpose, which is counter-terrorism and foreign missionary interventions.

On December 2, 2019, Russian President Vladimir Putin signed a bill requiring all computers, smartphones and smart devices sold in Russia to be pre-installed with Russian software. Afterwards, the government announced a list of applications developed in Russia that would need to be installed on the mentioned categories of devices. This legislation came into force on July 1, 2020. Apparently, an initiative will be promoted later on, calling to register devices with government-issued serial numbers. This will allow Moscow to tighten control over end-users through regulation, monitoring and surveillance. These kinds of laws can help Russia avoid the need to rely on technology companies for crime and terror forensics. Such cases took place in the U.S., for instance, after the December 2019 terror attack at a Navy base in Florida.

On May 1, 2019, President Vladimir Putin signed the law on Russia’s “Sovereign Internet,” effectively creating the “RuNet” — Russia’s internal internet. The goal of this law is to enable the Russian internet to operate independently from the World Wide Web if and when requested by Moscow. In practice, this “kill switch” allows Russia to operate an intranet, a restricted regional network such as those in use by large corporations or militaries. This network gives authorities the capacity to deny access to parts of the internet in Russia, potentially ranging from cutting access to particular Internet Service Providers (ISPs) to cutting all internet access in Russia. With risks of foreign cyber operations such as disinformation or even physical eavesdropping, this “kill switch” can prevent Russia from suffering a dangerous offensive. This can also mean that Russia could initiate cyber warfare but keep itself protected, at least from outside threats.

At the same time, the legal-psychological efforts consist of three laws directed at the prevention of distribution of unreliable facts and critique directed at the government’s activities and officials. For example, the law which regulates “disrespect” allows courts to fine and imprison people for online mockery of the government, its officials, human dignity and public morality. This law is relevant to the dissemination of information through informational-telecommunication networks. Additionally, the “fake news” law also outlaws the dissemination of what the government defines to be “fake news” – unreliable socially significant information distributed under the guise of reliable information.

These laws empower Roskomnadzor (The Federal Service for Supervision of Communications, Information Technology and Mass Media) and the Kremlin’s censorship agency to remove unreliable content from the web. Moreover, the law prescribes heavy fines for knowingly spreading fake news and requires ISPs to deny access to websites disseminating fake news in the pretrial order following an appropriate decision issued by Roskomnadzor. Effectively, this creates a disincentive to cooperate with foreign propaganda campaigns or other unwanted forces.

Next, the “Foreign Agent” law applies to any individual who distributes information on the internet and is funded by foreign sources. Interestingly, YouTube channels can be defined as such. According to this law, Russian citizens and foreigners can be defined as foreign agents. Consequently, all materials (including posts on social media) published by an individual who receives funds from non-Russian sources must be labeled as foreign agents. The commission of the Ministry of Justice and the Ministry of Foreign Affairs are endowed with powers to recognize individuals as foreign agents. Consequently, foreign agents will be obliged to create a legal entity and mark messages with a special mark.

Furthermore, individual foreign agents are subject to the same requirements as non-profit organizations recognized as foreign agents (the law regarding non-profit organizations was adopted in 2012). Therefore, foreign agents will be obliged to provide data on expenditures and audits regarding their activities to the Ministry of Justice. It should be noted that these administrative obligations are time consuming, complicated and expensive — they are aimed to discourage foreign agents from their activities. Overall, the purpose of the legal-psychological efforts is to discourage the population from participating in any kind of anti-government activities in cyberspace. This law is of similar nature to the Foreign Agents Registration Act (FARA) enacted by the U.S. in 1938.

Conclusion: Structural Advantage and Strategic Superiority

In her article from August 25, 2017, Maria Gurova asked, “How to Tame the Cyber Beast?” Since offensive cyber operations are becoming more prominent and frequent, including cyber crime and cyber terrorism, and since these attacks are becoming more political, Russia chose to protect itself from foreign forces and global adversaries by regulating and monitoring its cyber domain directly, in contrast to Western proxy regulation practices. Interestingly, it has also created a “Kill Switch” which, if threatened by foreign forces, will allow the RuNet to keep internal internet connection — a significant need, especially for the largest country in the world. In fact, while other, less strategically sophisticated, countries will have to rely on outdated means of communication in the case of a major cyber attack, Russia can remain relatively safe and connected.

The negative aspect of the aforementioned regulation is the incompatibility with Western norms, mainly with the General Data Protection Regulation (GDPR) and the European Court of Human Rights (ECHR) decisions. This incompatibility can undermine Russian economic and socio-political relations and developments with the U.S., UK and EU, pushing Western hi-tech companies away. These regulations may also harm freedom of speech in the Russian cyber domain, as users may feel threatened to criticize the authorities. This is despite the fact that the regulations are to be implemented mostly on security-related issues. However, Western proxy regulation practices are having trouble addressing this issue as well.

All in all, Russia has the lead over Western powers — it controls all of its own cyberspace layers. In fact, as an international actor, Russia has an offensive and defensive strategic edge over its global competition. As articulated in this article, Russia has built a strategic “firewall” against foreign cyber attacks. Currently, there is no binding international law that forbids cyber attacks. In this case, the anarchy in IR and IS must be dealt with through domestic solutions by each international actor. For instance, it was reported that the American Central Intelligence Agency conducted offensive cyber operations against Russia and others after a secret Presidential order in 2018. Of course, Russia had also conducted cyber and hybrid operations against its global adversaries. A U.S. special report from August 2020 concluded that Russia had created an entire ecosystem of cyber operations. This means that while Russia has a relatively secure infrastructure, the U.S., with no proper regulations, is one step behind. In this regard, China is also a step ahead of the U.S. and the EU.

*Lev Topor, PhD, Senior Research Fellow, Center for Cyber Law and Policy, University of Haifa, Israel

[1] We ask to clarify that the U.S. and the UK do regulate their cyber domains extensively. However, they mainly focus on privacy and not security and conduct some regulation through Public-Private Partnerships (PPP). For more, see Madeline Carr or Niva Elkin-Koren and Eldar Haber.

[2] Metadata is stored for a period of one year and data (messages of internet users, voice information, images, sounds, video etc.) for a period of six months.

From our partner RIAC