Can Russia really cut itself off from the global Internet, and does it really want it?
There is no denying it: Russia is preparing the digital ground so that it can one day separate itself from the rest of the global Internet. And the war in Ukraine has only accelerated the process. However, the country is far from ready for such isolation.
According to Ukrainian officials, a fibre-optic cable in the southern Ukrainian city of Kherson was taken out of service in early May and redirected to Miranda Media, a separatist telecom operator in Crimea and a subsidiary of the giant corporation Rostelecom established after the annexation of the peninsula. With this act—which redirects broadband data out of Ukraine to Kremlin-controlled regions—Russia is repeating a practice carried out in the separatist regions of Donbass in the aftermath of the annexation of Crimea in 2014.
This appropriation of the Internet infrastructure within Ukraine’s borders is another way for Russia to entrench its control over the territory and extend its control over the Web. This is evidenced by the law against “misleading information” of 4 March (which forbids the use of the terms “war” or “invasion” for the situation in Ukraine), the blocking of Facebook, Twitter, and Instagram, of NGO sites such as Amnesty International, or even of digital services such as Chess.com, an online chess platform that published an open letter from chess champions calling for an end to the war in Ukraine.
However, Moscow’s desire for a Russian Internet—commonly known as the Runet—is not new. “It is actually the acceleration of a trend by the Kremlin to control information in the country, to give itself the possibility to block websites, and to migrate to its territory the technologies on which the Internet infrastructure relies—a trend that started a few years ago,” describes Alena Epifanova, a researcher in Russian cyber policy at the German Council on Foreign Relations (DGAP), interviewed by inCyber.
Anti-Putin protests in 2011-2012, an authoritarian turn in Russia’s digital policy
This authoritarian turn dates from 2011-2012, after large protests against the return of Vladimir Putin to power, according to Kévin Limonier, scientific director of the Russian-speaking infosphere observatory. “It was at that time that the authorities realised the importance of social media,” he said to the news medium Basta.
Then came the annexation of Crimea in 2014, after which the Kremlin began building the necessary Internet infrastructure—or at least migrating the existing one to pro-Russian stakeholders. One year later, a law was enacted in Russia requiring foreign digital platforms to host Russian citizens’ data on Russian soil.
In 2016, the “Yarovaya laws” were passed, which “sought to impose on platforms the obligation to store their users’ metadata for three years, to install backdoors in their applications, and to communicate their decryption keys to the security services who would request them“, explained Christine Dugoin-Clément, a professor affiliated with the Paris-based Institute of Business Administration (IAE) on inCyber. “In 2016-2017, a bill to ban VPNs has even been envisaged,” adds Marie-Gabrielle Bertran, a doctoral student at the GEODE Centre (Geopolitics of the Datasphere) working under the direction of Frédérick Douzet and Kévin Limonier, the Centres’ director and deputy director, respectively. But until now, the Duma (the Russian parliament) has always rejected this idea.
The ‘Sovereign Runet’ law as the foundation of an isolationist discourse
However, if VPNs are still allowed in Russia, “their use can be considered as an aggravating circumstance in the event of an investigation initiated by the FSB or ROSKOMNADZOR (the Russian telecoms watchdog) for acts deemed illegal on the Internet“, continues Marie-Gabrielle Bertran. Like talking about “war” in Ukraine on the Web since last March. Moreover, “some VPNs—such as the famous NordVPN—have closed their servers in Russia“, details the doctoral student.
The most draconian legislation came in 2019, when the so-called “Sovereign Runet” law was passed, thus “giving the state the legal and administrative means to implement a total disconnection of the Runet” from the rest of the Internet, explains Kévin Limonier. One of the key measures of this law requires ISPs to install TSPUs, which are devices supplied by companies close to the Russian government—including Citadel, a surveillance firm that sells its services abroad—and controlled by ROSKOMNADZOR that are capable of monitoring incoming and outgoing data packets. These devices facilitate the disconnection of the Runet. In parallel, at the time, the Kremlin claimed to want to conduct disconnection tests.
Since the beginning of the war in Ukraine, in addition to muzzling social media, the Kremlin has sought to strengthen its control over the Internet. On 6 March, the Belarusian opposition media Nexta revealed that ROSKOMNADZOR would impose from 11 March several measures on official websites, including the obligation to have domain name servers in Russia—more precisely under the .ru—and to expunge from websites the code that loads resources hosted abroad. “Russia has begun preparations to disconnect itself from the global Internet,” Nexta captioned.
#Russia began active preparations for disconnection from the global Internet
No later than March 11, all servers and domains must be transferred to the #Russian zone. In addition, detailed data on the network infrastructure of the sites is being collected. pic.twitter.com/wOCdRqOJej
— NEXTA (@nexta_tv) March 6, 2022
ROSKOMNADZOR prepares for different cyberattack scenarios, the Kremlin argues
“In addition, there seems to be discussions in the Russian high circles about banning the Tor service,” Marie-Gabrielle Bertran understands. The Onion Router—aka Tor—is a software program that allows access to certain sites not indexed by traditional search engines, what is sometimes called the dark web. After it was blocked by the Kremlin, Twitter, for example, launched its mirror site (in .onion) to be accessible via this type of software. “The site for downloading Tor had already been blocked last December,” recalls the doctoral student.
Despite all the technical and legal measures taken by the Kremlin to extend the control of its Runet, one should be wary of making categorical assertions about a possible disconnection from the global Internet. First of all, the measures taken in March officially concern only Russian administrative sites. “There are no plans to disconnect the Internet,” said Andrey Chernenko, Russia’s deputy minister for digital affairs, to Interfax news agency. “There are ongoing cyberattacks on Russian sites from abroad [and] we are preparing for different scenarios,” he added. A justification that makes sense, according to Alena Epifanova and Marie-Gabrielle Bertran.
The latter also noted that “the Russian government has also put in place protections against DDoS [Distributed Denial of Service, an attack that consists of saturating a server with requests to make it crash, editor’s note] and geofencing, a technique that prevents connecting to Russian sites—including that of the Russian Ministry of Defence—without a Russian (or Chinese, actually) IP address.”
Russia “far from technically ready for digital isolation”
Stéphane Bortzmeyer, a French computer scientist, agrees: the measures taken in March are “far from a Russian disconnection from the Internet“, he said in a blog post. He also notes a certain “hypocrisy” in this regard: “No site on the top-level domain (TLD) of the U.S. government (.gov) uses any name servers other than those controlled by U.S. organisations. But no one is accusing the U.S. government of disconnecting from the Internet. The country is just applying security principles (that are questionable, but not absurd) by avoiding dependencies on actors located outside the country.”
Certainly, Russia is preparing the ground for a possible disconnection. In the measures taken in March, it took a further step in its ambition to develop its own domain name system (DNS). But “it is far from being technically ready for such digital isolation,” concur Marie-Gabrielle Bertran and Alena Epifanova.
For example, the disconnection tests in 2019—which were claimed by the Kremlin and covered by Western media—never really took place, said Kévin Limonier in an article on the Data Centre Dynamics website: “In November 2019, Russian telecoms companies said that the tests of isolation devices—although very limited—had caused slowdowns and service interruptions,” he detailed. “While the Russian authorities announced, at the time of the Sovereign Runet law in 2019, the ambition of an Internet infrastructure ready to be autonomous as early as 2021, this has not been the case, and probably still is not the case,” adds Alena Epifanova.
The “passive resistance” by local Russian ISPs
And for good reason: “To disconnect from the global Internet, all foreign operators who have peering agreements with their Russian counterparts would have to agree to stop sending data over Russian networks, which seems very unlikely to me,” says Marie-Gabrielle Bertran. But above all, the biggest lock comes from within: unlike the Chinese Internet and its Great Firewall or the Iranian “halal” Internet, the Russian Internet is not very centralised—less so, even, than the American or French Internet—assures Kévin Limonier. From the 1980s-1990s until the major demonstrations of 2011, the Russian Internet developed in a rather chaotic way thanks to a myriad of Internet Service Providers (ISPs) that sometimes operate in only one city or region and largely use Western technologies. Even today, “there are many different ISPs and no centralised means of control“, sums up Stéphane Bortzmeyer. And in 2017, Kévin Limonier counted more than 13,000 ISPs in Russia, compared to about ten in France.
Thus, the Kremlin’s official injunctions are sometimes far from being applied by all of these players, some of which exercise what Kévin Limonier calls “passive resistance” by dragging things out, or even refusing to abide by the rules at the local level. A practice confirmed by Marie-Gabrielle Bertran: “The big ISPs are close to the government and follow the Kremlin’s directives,” she begins. But some local ISPs refuse to submit. This was the case for Firma Svyaz, an operator in the city of Yezk, located in the Krasnodar Krai, following the Sovereign Runet law in 2019.” The small ISP in southwest Russia refused to buy the TSPU boxes at its own expense, claiming it could not afford them, and demanded that ROSKOMNADZOR provide them free of charge. The operator and the Russian regulator ended up in a legal imbroglio, which was settled out of court, the doctoral student said.
Currently insurmountable technical constraints, Internet infrastructures so dense that they are difficult to control, and the reluctance of many local actors make up a cocktail that should thwart any plans for a Runet disconnected from the rest of the world—if they even exist. And the recent exodus of computer scientists and other IT experts will not make things easier…
- Security and Stability in Cyberspace
- Cyber industrial safety
- Cyber risks
- Operational security
- Antifraud action
- Digital identity & KYC
- Digital Sovereignty
- Digital transition