The Runet and the rest of the world

Their authorship is attributed to—and sometimes claimed by—both Russian and Ukrainian actors, either official or less formal. These actors include hacker groups, the Ukrainian IT army[1], and Anonymous[2].

For its part, Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology, and Mass Media), which had already blocked Facebook and Twitter on 11 March 2022[3], announced the suspension of Instagram from 14 March[4].

In addition to these restrictions on access to news content, the law on the dissemination and reposting of fake news about the war has been tightened, making perpetrators liable to 15 years in prison[5].

In addition, Western sanctions contributing to Russia’s economic isolation increase the risk of reducing the population’s access to the Internet. In this context, it seems that Russia is preparing to cut itself off from the global Internet[6], a desire that has been materialised by several requests made to Internet players. In the wake of the 2016 and 2019 laws, what are the feasibility and consequences of this aspiration to disconnect the Runet (the Russian Internet) from the global Internet?

A legislative context to control the Internet

For many years, the issue of Internet freedom and its control has been a persistent one in a Russia that has tolerated a relative space of freedom on the Internet while tightly controlling the media. In 2014, initial legislation required platforms and operators to host the data of Russian individuals or legal entities on national territory[7]. In 2016, the so-called “Yarovaya laws”[8] sought to impose on platforms the obligation to store their users’ metadata for 3 years, to install backdoors in their applications and, above all, to communicate their decryption keys to the security services who would request them. Promulgated in 2019, the Sovereign Runet Law[9] provides for the creation of a kind of digital space control door. To meet this obligation, ISPs and operators must install TSPUs (devices designed to “fight threats” and controlled by Roskomnadzor) at their network’s nodal points. Several researchers point out that the TSPUs[10] allow for the monitoring of incoming and outgoing data packets (in accordance with the Sovereign Runet Law) and facilitate the disconnection of the Russian segment in case the central power wishes to respond to “external threats,” for instance.

Isolation of the Runet and recent actions

In the wake of these texts, the Russian Ministry of Telecommunications has given instructions to the administrators of websites and Internet resources[11]. These organisations must look for DNS servers located in Russia, register a domain name in the “.ru” zone, delete the JavaScript codes that bill for “foreign resources”, and host their sites on servers located on Russian territory[12]. This clear desire to reorganise Internet resources in a space controlled by the government does not prevent Russia from accessing the global Internet, but it does allow the Kremlin to retain control of its network and, if it decides to do so, to block all or part of the traffic, officially to contain cyberattacks, but also to facilitate the surveillance of content.

Furthermore, by complicating access to websites, Western sanctions impact the renewal of TLS (Transport Layer Security) certificates, while browsers block sites whose certificates have expired. For the record, TLS is a protocol for securing the Internet by encrypting the data that circulates between the user’s browser, the websites visited, and the website’s server. TLS certificates thus preserve the confidentiality of data transmission and prevent modification, loss, or theft[13].

In response, the Kremlin has announced the creation of a national certification authority for Internet security protocols, which are key factors in secure web browsing, email, instant messaging, and the other media used to provide secure HTTPS connections. In this configuration, Russian control over TLS/SSL certificates could increase Moscow’s ability to censor by making it easier to intercept, decrypt, and spy on encrypted connections thanks to government-issued certificates.

In this sense, the Russian government this week published a message on its public services portal Gosuslugi[14], indicating that the Russian state will provide, free of charge and within five days, an electronic security certificate that will replace foreign security certificates that have expired or been revoked due to Western sanctions and refusal to support Russian customers.

Another factor in the isolation of the Runet—this one beyond Russia’s control—is that Cogent Communications[15] and Lumen Technologies[16], the companies that run several of the Internet’s most important backbones, have decided to stop carrying traffic for structures based in Russia[17]. This decision does not mean that Russia no longer has access to the Internet. However, a significant amount of traffic bandwidth is no longer accessible there, even though Cogent continues to provide services to the outposts of major Russian ISPs[18], as long as they are not located in Russia.

According to Kentik, these decisions have resulted in a significant decrease in overall traffic, although the decrease remains relative as other carriers such as Lumen and Vodafone were still active at the time[19]. However, beyond the effect obtained, the fact that a backbone operator took this type of decision on the scale of a territory as vast as Russia constitutes a first in the young history of the Internet.

As the 2019 law already suggested, this limitation of access for Russian users has revived the Kremlin’s regular threat to ‘unplug’ its Internet. However, if this decision were to become a reality, it would affect—notably economically—a large part of the population, as nearly 85% of Russians regularly use the Internet[20]. Yet, although the demands for migration of sites and services to the national territory may be a first step towards a national Internet, Russia should first succeed in overcoming the pitfalls encountered in 2019 during the attempt to disconnect the network.

Furthermore, to continue to communicate with other countries, Russia will need to maintain a minimum number of links to the global Internet, even if it is a chosen framework.

Finally, taking into consideration the modalities of use of TSPUs, it will be necessary to keep, at least, the control of the main Autonomous Systems (ASes) which have their own internal management policies. These ASes—which may be ISPs or large-scale networks—are not all controlled by the state. In practice, the Border Gateway Protocols (BGPs) connect the various sub-networks—the ASes—that make up the Internet. To control the Internet it would therefore be necessary to first control the most important nodes, namely the ASes where the majority of BGP routes converge. If these ASes belong to large federal ISPs (such as Rostelecom or MegaFon), control is fairly easy to implement. However, since Russia—unlike Iran[21]—has a multiplicity of BGP routes, a policy aiming to isolate the Runet is more complex to implement. Nevertheless, Russia (which has condensed BGP routes towards ASes to a significant degree) conducted disconnection tests from 15 June to 15 July 2021. But this “network flattening” does not only concern Russia. The question is thus whether this process is sufficient for Moscow to isolate its Internet from the rest of the world, with the exception of certain sites—notably governmental ones—over which the Kremlin has complete control.

Finally, in addition to the technical difficulties, Moscow will have to make people accept this disconnection, which is likely to make them even more unhappy as they are already suffering from the recent ban on Instagram—frequently used as a commercial interface by many Russians—and will soon be affected on a daily basis by the Western sanctions against Russia.