Hall of Mirrors: Foreign Perception of Russian Information Security Concerns

Keir Giles
Director,
Conflict Studies Research Centre, UK

Initiatives put forward by Russia for international cooperation in information security have received a mixed response from other states. In particular, over a period of years they have been consistently ignored or rejected by the U.S., the UK and other like-minded nations. This response is indicative of a huge remaining divide between the views and assumptions expressed in the Russian initiatives and a very different Euro-Atlantic consensus on how the internet works and what it is for. Underlying this is a gap in comprehension between two very different approaches to information security. This paper seeks to draw on experience of explaining the Russian proposals and ideas to Western audiences, in order to outline how they are perceived by their intended audience.

The issues and contradictions described here will be wearily familiar to those directly involved in international discussion of information security; it is outside the scope of this short paper to describe them in detail, and they have been exhaustively listed elsewhere. [1] But it has to be remembered that this international group with exposure to both sides of the argument is only a very small subset of the much larger range of individuals engaged with the issues as a whole. Many more officials, diplomats, policy-makers and advisers in Western nations will only be acquainted with their own side of the debate, and it is their view of Russian concerns and proposed solutions that will be discussed here. The reaction to Russian statements, actions, and policy initiatives from this group can include words like “unpredictable”, “unnecessarily uncooperative”, “incomprehensible” and frequently “irrational”, and it is this failure of communication which we will seek to describe.

First exposure to the Russian view of information security on the internet for those with no previous Russia expertise gives rise, as a rule, to a sequence of three reactions: ignorance, followed by incomprehension, followed by either instinctive or reasoned rejection. We will examine each of these phases in turn.

Ignorance

The international information security debate has long been characterised by mutual blind spots. Unless directly engaged with Russia or China, many in Euro-Atlantic policy or academic communities remain simply unaware that there is a view which diverges sharply from the one they are accustomed to.

In part, this is because of the striking unanimity of view on the subject, particularly among English-speaking nations, where it is hard to identify any divergence in approach and underlying assumptions on the role and nature of cyber security. This deep consensus can give rise to a situation where even those experts with international exposure can overlook the fact that this is not the only possible view. For example, attendees at the London launch of the “Tallinn Manual on the International Law Applicable to Cyber Warfare” in March 2013 heard the following description of its universal acceptance: “The US, the UK, the EU and NATO all agree. Everybody agrees” — rather overlooking that “everybody” includes substantially more nations with a very different approach to the subject.

This situation derives in part from the relative lack of visibility of key Russian proposals. Opportunities to bring the Russian ideas to broader notice appear often not to be taken. We can take as an example the Budapest Conference on Cyberspace in October 2012, on the face of it a prime venue for explaining the Russian point of view to the world. Ahead of the conference, “International Cyber Documents” were provided for reference on its website, outlining national and international approaches to cyber security — for example, the text of a speech by Swedish Foreign Minister Carl Bildt, Australian and Canadian White Papers and Cyber Security Strategies, the Budapest Convention on Cybercrime, OECD recommendations, and NATO statements. Yet no Russian equivalent was provided. [2] And during the conference itself, just as at the London Conference on Cyberspace the previous year, a presentation delivered in Russian failed to account for interpretation and therefore failed to put across key points at which the Russian view diverged from the Euro-Atlantic consensus on nature of internet and rights and obligations in cyberspace. It was for this reason, among others, that many observers experienced considerable surprise when this consensus came face to face with the rest of the world at the World Conference on International Telecommunications (WCIT) in Dubai in December 2012.

Incomprehension

Even when it becomes clear that a distinct official Russian point of view on cyber security exists, it is often imperfectly understood. This is due in large part to the fact that many of the proposals for international agreement, and the assumptions about the nature of the internet which underlie them, are in direct conflict with how the Euro-Atlantic community understands the internet to work — and, indeed, with the understanding of Russian internet authorities themselves at a working level. For instance, a key principle of the Russian proposals is the concept of national information space under state control — but this is not compatible with the work of Russian internet service providers and domain authorities, unrelated to the state, who on a daily basis ensure the free circulation of information across borders because this is a fundamental feature of the internet. As stated on the website of the Russian Internet Governance Forum, which took place in late April 2013:

Интернет является надгосударственным образованием и, де-факто, не имеет границ. Именно поэтому для ин- тернета так подходит модель коллективного управления Сетью (т.н. мультистейкхолдеризм)

(The internet is a supra-governmental entity, and de facto has no borders. It is for this reason that the model of collective governance (so-called multistakeholderism) is so suitable for the internet.) [3]

This is in direct contradiction to some key principles of Russian initiatives at a political level. The mismatch of fundamental notions of what cybersecurity is about extends into other areas, where basic principles espoused by governments other than Russia make it hard to understand some Russian ideas. For the purpose of illustration, we can avoid well-known US statements on cyber security, and instead take Sweden as a case study. According to Swedish Ministry of Foreign Affairs officials from the International Law and Human Rights Department: We analyse internet freedom within a human rights framework… The foundation is basic human rights law: security needs to be arranged so as not to violate human rights law… Information security is to protect the individual, not governments. It’s to protect you and me. [4]

This notion that human rights are a fundamental concern determining how the internet should be managed contrasts with the Russian approach voiced in public statements that security is an essential basis and other considerations are secondary. Sweden is not the only country that disagrees: the UK view is that economic issues are the foundation and security has to be built around these:

Cyber is first about the economy and prosperity. National security and military security are not the most immediate concerns there. [5] The overall assumption that cyber security is “to protect the individual, not governments” overlaps with, but does not equate to, the Russian formulation of security being about protection of the trinity of individual, society and state. [6]

An additional complication is that Russian policy statements on this and other issues differ widely depending on their source, giving rise to yet more incomprehension abroad. Officials from bodies including the Ministry of Foreign Affairs, the Ministry of Internal Affairs, the Ministry of Communications, the Federal Security Service, the Security Council and the Presidential Administration (the latter two, voiced through their academic offshoots, the Institute of Information Security Issues and the Russian Institute for Strategic Studies respectively) make pronouncements which rightly or wrongly are seen as voicing official Russian government policy, and which are mutually contradictory. For this reason and others, commercial entities in Russia and those following the topic overseas eagerly await the promised release of a new Cyber Security Strategy, which it is hoped will clarify at least some of the more controversial issues.

Emphasis on freedom of expression as a human right causes an allergic reaction among foreign observers when exposed to official Russian statements which appear to call for regulation of expression on social media. These statements, while they may appear entirely rational within context, are received overseas in an environment in which freedom of expression is sacrosanct, and which finds it inconceivable that social media, as a means of that expression, can be subject to restriction.

This conviction is so deep that some nations take upon themselves a mission to assist this free expression in other countries, regardless of whether this is in accordance with those countries’ national law. Returning to the case of Sweden, of the Swedish overseas development budget, 20% is spent on “capacity building / democracy support” — including “providing tools needed to communicate successfully” in repressive environments and “providing encryption software for activists” to ensure this communication remains concealed from the national government and law enforcement authorities. Regardless that this constitutes the kind of interference in another state’s “information space” which Russia wishes to proscribe, this is not construed by Sweden as a hostile act. According to Carl Fredrik Wettermark, of the International Law and Human Rights Department, Swedish MFA, “there is no tension between democracy support — including encryption and communications provision — and working with the governments that the activists are opposing”.

This arises in part because of an almost total lack of threat perception arising from social media among the Euro-Atlantic community. Fortunately, a case study is available to demonstrate why Russia and other nations are concerned over misuse of social media — or why, as expressed by Maj-Gen Aleksey Moshkov of the Russian Ministry of Internal Affairs in late 2011, “social networks, along with advantages, often bring a potential threat to the foundations of society”. [7] This is the case of the uprising and civil war in Libya, where social media and online communication circumventing government control played a key role in regime change. According to a study published by the US Naval War College:

Successful dispute of the government control of communications led to freedom of action in the cyber and land domains. This freedom of action led to traditional military support from the U.S. and NATO that ultimately allowed the opposition to achieve the physical objectives of defeating the Gaddafi regime and the eventual election of a new government. [8]

Translated to the context of Russian security concerns, this maps to statements like the one by FSB First Deputy Director Sergei Smirnov in early 2012: “New technologies are used by Western secret services to create and maintain a level of continual tension in society with serious intentions extending even to regime change.” [9]

When Russian proposals are reviewed overseas, a further perceived incompatibility arises between Russian initiatives for international action on cyber security and Russia’s own bad reputation as a permissive environment for cyber crime. In a book published in 2011, it was stated that:

Given the strength of… comprehensive surveillance of the Internet, one might assume that Russia would represent an implacably hostile environment for cyber criminals. Yet the Russian Federation has become one of the great centres of global cybercrime. The strike rate of the police is lamentable, while the number of those convicted barely reaches double figures.

The reason, while unspoken, is largely understood. Russian cyber criminals are free… provided the target of [their]attacks are located in Western Europe and the United States. [10] And this statement appeared entirely uncontroversial — because of a relative lack of publicity for recent Russian efforts against cyber crime, and the high profile of commercial entities, as opposed to law-enforcement agencies, in combating crime. The impression abroad persists, therefore, that there has been no change in the (at the very least) permissive attitude to cyber crime and to other forms of antisocial behaviour online, including the activities of “patriotic hackers” carrying out destructive and criminal activity in foreign states such as Estonia and Georgia, which happens to coincide with the Russian state aims of the day. Indeed, Russia’s perceived unwillingness to prosecute cyber crime against overseas targets has been put forward as a serious and plausible explanation for the concurrent unwillingness to join the Budapest Convention on Cybercrime.

Rejection

All of the above creates an unforgiving environment for positive reception of Russia’s ideas on the nature and purpose of cyber security, and contributes to the lack of meaningful debate on what precisely those ideas are. This leads to their rejection, either instinctive or reasoned as mentioned above. In the words of Swedish diplomats, Russia’s proposed Draft Convention on International Information Security and the International Code of Conduct proposed by Russia and other states in the United Nations are simply “not acceptable to us”.

In fact, as explained by another Nordic diplomat speaking anonymously, some states deliberately avoid any use of the term “information security” in official statements because of its negative associations; even if the phrase is the most appropriate one to describe the topic under discussion, it has been sufficiently tainted by association with the regulatory stance adopted by Russia and China in particular, that it is shunned in favour of the more acceptable “cyber security”. Meanwhile, official representatives of other states which are deeply cautious about naming specific states as cyber security offenders overall can casually refer to Russia, China as the “worst adversaries” — not in cyber conflict, but in discussion over human rights. [11]

At a public level, examples abound of a total failure to achieve not just dialogue, but the level of mutual comprehension which would be its essential precursor. The dialogue of the deaf continues, with a failure on each side to appreciate how statements will be perceived by the other. This includes a lack of understanding that policy which is taken as normal and uncontroversial in the West can appear threatening not just in Russia, but in other parts of the world as well. For instance, when Giuseppe Abbamonte of the European Commission’s Directorate General for Communications Networks, Content and Technology (DG CONNECT) states publicly that a key part of EU cyber security strategy is «engaging with third parties and making sure that we export our values», many of those hearing him will not take into account that there are substantial parts of the world which do not wish to have their values exported to them from Brussels [12] — and in fact, precisely this kind of export is construed as a direct information security threat in Russia’s Information Security Doctrine.[13]

Meanwhile, those following Russian statements in the same field have to contend not only with the multiple and conflicting sources of apparent policy initiatives as described above, but also with accompanying statements which can leave them disinclined to take what they read seriously — as, for instance, with the following response to moves for improved protection of intellectual property online:

Is the world about to allow the US and its surrogates to come after all of us? Apparently it is. The total enslavement of mankind will soon be here, brought to you by the fascist United Corporate States of America.14 It can be argued that commentary in independent media should not be taken as representative of an official Russian position, but this is harder to argue when the name of the media outlet is in fact “Voice of Russia”.

The result of this disconnect between radically different approaches to the same issue can be compared to other areas of strategic contention between Russia and the Euro-Atlantic community, such as Russia’s proposals for a new European Security Treaty, or Russian objections to plans for basing missile defence systems in and around Europe. In all of these cases, the Russian position is based on considerations and assumptions which are wholly incompatible with reality, as it is understood by the European and North American audience. The result, in many cases, is that what often seems the simplest and most appropriate response to them is not to engage with the incomprehensible Russian view, but simply to ignore it and hope it will go away.

Footnotes

[1] As for instance in “Russia’s ‘Draft Convention on International Information Security’ – A Commentary”, Conflict Studies Research Centre, April 2012. Available from http://conflictstudies. org.uk/files/20120426_CSRC_IISI_Commentary.pdf

[2] See http://www.cyberbudapest2012.hu/national-cyber-documents — last accessed 28 June 2013

[3] Author’s translation into English. See RIGF website at http://rigf.ru/about/ last accessed 19
June 2013

[4] Johan Hallenberg, Deputy Director, International Law and Human Rights Department, Swedish MFA, speaking at European Council on Foreign Relations, London 17 April 2013

[5] Kevin Tebbitt, former Director of GCHQ and Permanent Under Secretary of State for the UK Ministry of Defence, speaking at Global Strategy Forum, House of Lords, London 21 November 2012.

[6] It should be noted that Russia is not the only nation to place less emphasis on the human rights aspect of cybersecurity. Insistence by European nations on highlighting rights at the Budapest Conference led to a Chinese question of whether the delegation was at a conference on cybersecurity or on human rights.

[7] Interviewed in Rossiskaya Gazeta, 8 December 2011.

[8] John Scott-Railton, “Revolutionary Risks: Cyber Technology and Threats in the 2011 Libyan Rebellion”, United States Naval War College Center on Irregular Warfare and Armed Groups, Newport RI, 2013.

[9] Speaking at meeting of Shanghai Cooperation Organisation (SCO) Regional Anti-Terrorist Structure, 27 March 2012.

[10] Misha Glenny, “DarkMarket: Cyberthieves, Cybercops and You”, Knopf, 2011.

[11] Private conversations with author, April 2013.

[12] Speaking at Cyber Defence and Network Security conference, London, 26 January 2013 — emphasis added.

[13] According to the Information Security Doctrine of the Russian Federation, 2000, “spiritual, moral, and cultural values of citizens” should be protected from outside influence.

[14] “Remember that MP3? The police are en-route”, Voice of Russia website, 10 December 2012

 

 

This article is based on a presentation delivered at the 7th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 22-25 April 2013 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with an explicit permission from the conference organizers.