Russia’s Global Information Security Initiatives

September 2023 marks the 25^th anniversary of Russia’s revolutionary move in 1998, as 25 years ago Russia became the first country to raise the issue of information security at the UN, having timely assessed the risks of the digital future. In those days, widespread digitalization was just gaining momentum and the flywheel of the global Internet spread and development started spinning faster. Nevertheless, it became clear even then that the international community needed clear rules of behavior in the digital space—similar to the internationally acclaimed rules of conduct in the air, space or maritime space.

Chaos in the information environment has not yet been overcome, which negatively affects the security of both individuals and entire states. First, cyberattacks on critical information infrastructure (CII) continue – thus, according to the FSB, more than 5,000 hacker attacks on Russia’s CII have been recorded since the beginning of 2022.

In addition, malicious cyberattacks will inevitably be evolving in parallel with technological advances. In particular, with the development and implementation of artificial intelligence technologies, there arises a risk that various systems under AI control could be overridden (or remotely reformatted), which might have dire consequences, up to and including physical destruction of infrastructure as well as inflicting harm upon human health and life. Also, AI technologies can be used to search for vulnerabilities, to analyze the target environment, to obtain data on the structure of networks, to choose a method of penetration into the CII system, etc., which will greatly simplify the execution of cyberattacks. A potential threat is also posed by rapidly developing quantum technologies that can be instrumental, as experts note, in cracking any encryption key of the most secure computer system.

Deregulation of the ICT environment may also entail another important consequence: the trend to protect digital borders and sovereignty from the actions of other states and transnational hi-tech corporations. On the one hand, the measures taken are aimed at strengthening the information security of individual states or government associations. Meanwhile, this trend is so dangerous because it leads to fragmentation of the global digital space, with different regions introducing their own technological standards, developing their own approaches to data flow control, blocking various information resources, etc. And no reverse movement has been observed thus far: no bridges are built that would allow the Internet to remain global, cohesive and open.

Another major problem arising from the lack of a universal cyber code is militarization of the digital space, which poses a serious threat to peace and security.

In general, the Russian vision of a peaceful digital space is based on the following principles: prohibition of cyberattacks on critical information infrastructure and concealment by software manufacturers of information about vulnerabilities in their products; use of ICTs exclusively for peaceful purposes; protecting the interests of all states in the information space regardless of their level of technological development; ensuring equal rights for all nations to participate in the Internet governance, etc. In the future, Russian cyber diplomacy intends to push for agreement on the rules of responsible behavior of states in the global information space, which could later serve as a foundation for the UN convention on IIS.

Over the past 25 years, no progress has been made beyond the development of and agreeing on some norms and rules of conduct in the ICT environment, which are advisory rather than mandatory. The introduction in the foreseeable future of universal, legally binding norms regulating international relations in the digital realm is an elusive task. Progress is stalled because of opposition to the Russian initiatives on the part of Western countries (the United States, in the first place), which have a different vision of the ideal model for regulating relations in the digital space.

Opposition to Russian approaches causes the fragmentation of the IIS dialogue space into Western and Russian initiatives. Undoubtedly, the current geopolitical situation makes it very difficult to promote Russian initiatives – so far, confrontational rhetoric, rather than dialogue, is overruling. Yet, the work of the OEWG on the UN platform continues, and this inspires some optimism. Most countries stoke interest in this negotiation mechanism, thus preserving an important channel of communication on the IIS under turbulent circumstances and preventing the predominance of Western initiatives in this area.

September 2023 marks the 25^th anniversary of Russia’s revolutionary move in 1998, as 25 years ago Russia became the first country to raise the issue of information security at the UN, having timely assessed the risks of the digital future. In those days, widespread digitalization was just gaining momentum and the flywheel of the global Internet spread and development started spinning faster. Nevertheless, it became clear even then that the international community needed clear rules of behavior in the digital space—similar to the internationally acclaimed rules of conduct in the air, space or maritime space.

Dangerous trends, threats and risks

Elena Zinovieva:
International Information Security in US-Russian Bilateral Relations

Chaos in the information environment has not yet been overcome, which negatively affects the security of both individuals and entire states. First, cyberattacks on critical information infrastructure (CII) continue – thus, according to the FSB, more than 5,000 hacker attacks on Russia’s CII have been recorded since the beginning of 2022 [1]. Second, in parallel with the growth of phishing and ransomware, the problem of personal data leakage is aggravating. During 2022 and 2023, the data of more than 200 million users of the social network Twitter [2] have been leaked, and in 2020 – personal data of more than 267 million users of Facebook (owned by Meta, a company recognized as extremist and banned in Russia) [3]. Third, the world economy greatly suffers from the actions of hackers – the global economic damage is estimated in trillions of dollars. According to Secretary General of Interpol Jürgen Stoсk, this figure will reach $10.5 trillion by 2025 [4]. Fourth, cross-border digital space is increasingly used to incite conflicts and interfere in the internal affairs of states in order to undermine their social and political life through the dissemination of destructive and false information.

Of course, this is by no means the entire list of threats in the information space, which also includes cyber espionage, the use of ICTs for terrorist purposes, the widening digital divide between developed and developing nations, etc.

In addition, malicious cyberattacks will inevitably be evolving in parallel with technological advances. In particular, with the development and implementation of artificial intelligence technologies, there arises a risk that various systems under AI control could be overridden (or remotely reformatted), which might have dire consequences, up to and including physical destruction of infrastructure as well as inflicting harm upon human health and life. Also, AI technologies can be used to search for vulnerabilities, to analyze the target environment, to obtain data on the structure of networks, to choose a method of penetration into the CII system, etc., which will greatly simplify the execution of cyberattacks [5]. A potential threat is also posed by rapidly developing quantum technologies that can be instrumental, as experts note, in cracking any encryption key of the most secure computer system [6].

Deregulation of the ICT environment may also entail another important consequence: the trend to protect digital borders and sovereignty from the actions of other states and transnational hi-tech corporations. Since the late 1990s, China has consistently been developing the Great Firewall of China system to block access to foreign digital platforms [7]. As for Russia, in accordance with the law on the sovereign Internet that was passed in the fall of 2019 to protect the Russian segment of the Internet from external threats, all telecom operators have installed special equipment on their networks, through which Roskomnadzor (federal media watchdog) can manage traffic routing if necessary [8]. The European Union has put forward a whole set of special legislative initiatives, as the Europeans seek to protect the confidential data of users, establish control over the activities of foreign digital platforms and limit their expansion [9]. The General Data Protection Regulation (GDPR) of 2018, the Digital Service Act (DSA) of 2022, and the Digital Market Act (DMA) of 2022 are on the guard of the European digital space. In turn, the United States, which laid the foundations of the Internet, intends to retain control over its development. In particular, the Americans promote their international initiatives to establish technological norms and standards with the intention to involve as many countries as possible. We can mention the Declaration on the Future of the Internet, adopted in April 2022, as well as the Global Forum on Cross Border Privacy Rules (CBPR), also established in April 2022 [10].

On the one hand, the measures taken are aimed at strengthening the information security of individual states or government associations. Meanwhile, this trend is so dangerous because it leads to fragmentation of the global digital space, with different regions introducing their own technological standards, developing their own approaches to data flow control, blocking various information resources, etc. And no reverse movement has been observed thus far: no bridges are built that would allow the Internet to remain global, cohesive and open.

Another major problem arising from the lack of a universal cyber code is militarization of the digital space, which poses a serious threat to peace and security. Today, about 100 states have their own cyber armies, conduct regular exercises, develop strategies for warfare in the information space, and carry out cyber operations [11]. For example, the U.S. Cyber Command (USCYBERCOM), which launched its operations in 2010, conducts various types of hostile activity (including covert ones) in the networks of potential adversaries [12].

Russian cyber initiatives

Oleg Shakirov:
Mutual Warning: What Ended the Short Cyberspace Detente Between Russia and the United States

Over the past quarter of a century, Russia has taken several important steps towards the formation of a safe information space. The catalyst for this process was a special message from former Russian Foreign Minister Igor Ivanov to the UN Secretary General Kofi Annan dated September 23, 1998, where, among other things, he mentioned the need to prevent confrontation in the ICT environment, which is fraught with provoking the next round of the arms race [13]. Later, in December 1998, in the First Committee of the UN General Assembly, Russia proposed a draft resolution called “Developments in the sphere of information and telecommunications in the context of international security” (A/RES/53/70) [14], which served as a formal trigger for the process of creating a new international legal regime in the information space. Subsequently, the UN started adopting annual resolutions on this agenda, with draft documents substantively updated to take into account the rapid development of new information technologies. One of the most important achievements of Russian cyber diplomacy was the approval by the UN General Assembly of the Russian resolution (A/RES/73/27), which formulated a set of 13 rules and norms of responsible behavior of states in the Internet space (ban on the use of intermediaries to commit cyberattacks, mandatory justification of any accusations of cyberattacks, assistance to states affected by cyberattacks if they request for help, cooperation with the private sector and civil society organizations in implementing the rules of responsible behavior of states in the Internet space). [15] This resolution was supported by 119 nations [16].

Various negotiation mechanisms were launched on the UN platform to discuss the problems of international information security (IIS) [17] at the initiative of the Russian side. Thus, in 2004, the UN Group of Governmental Experts (UN GGE) began its work, with several final reports released in 2010, 2013 and 2015. These contained recommendations on threat reduction and fixed the norms of behavior for states in the information space [18]. Then, in 2019, concurrently with the UN GGE, also at the initiative of Russia, the UN’s Open-Ended Working Group (OEWG) on the security and use of ICTs was launched, implying the participation of all interested UN member states. At that time, the Russian side believed that the narrow format of the UN OEWG had exhausted its potential, and so it was necessary to rise to a new level, that is, to democratize the negotiation process, making it open and transparent [19]. In 2021, the OEWG format was relaunched. Among the top priorities of this negotiating platform are the rules for responsible behavior of states in the information space, studying the applicability of international law to the ICT environment, as well as discussing confidence-building measures. The group’s mandate is valid until 2025.

In general, the Russian vision of a peaceful digital space is based on the following principles: prohibition of cyberattacks on critical information infrastructure and concealment by software manufacturers of information about vulnerabilities in their products; use of ICTs exclusively for peaceful purposes; protecting the interests of all states in the information space regardless of their level of technological development; ensuring equal rights for all nations to participate in the Internet governance, etc.

In the future, Russian cyber diplomacy intends to push for agreement on the rules of responsible behavior of states in the global information space, which could later serve as a foundation for the UN convention on IIS. It is worth noting that the concept of this convention was submitted by Russia for consideration as an official document at the 77^th session of the UN General Assembly in May 2023 [20].

In addition to developing universal rules and principles of behavior in the information space, the Russian side promotes the idea of creating a comprehensive convention to combat cybercrime, which should raise the quality of international cooperation in this area and serve as an alternative to the Budapest Convention [21]. Thus, back in 2017 Russia submitted a draft convention on Cooperation in Combating Information Crimes, and already in 2019 it initiated the creation of the UN Ad Hoc Committee for the development of the relevant convention (Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes). The plan calls for the work on the draft document to be finalized in 2023 during the 78^th session of the UN General Assembly [22].

Largely due to the efforts of the Russian side, since the 2000s the IIS topic has been discussed in other international venues – negotiation processes were launched within the SCO, BRICS, CIS, etc. Within the BRICS, Russia and China are the main initiators of discussions on information security and digital sovereignty. Thanks to their efforts, the contours of policy coordination in this area have been outlined [23]. The SCO also supports the discussion of the IIS problem. Thus, in July 2023, the SCO Council of Heads of State adopted a joint New Delhi Declaration, in which some provisions relate to the digital space. In particular, it was stated that the member states will block radical and terrorist materials on the Internet [24]. Consultations of foreign policy departments on the IIS take place within the CIS. The recent one was held on June 22 this year in Moscow under Russia’s chairmanship [25].

Elena Zinovieva, Bai Yajie:
Digital Sovereignty in Russia and China

In the meantime, the BRICS, SCO and CIS attach great importance to strengthening cooperation within the UN venues, as the latter are recognized as a key platform for discussing the international information security [26].

What’s stalling the progress?

Over the past 25 years, no progress has been made beyond the development of and agreeing on some norms and rules of conduct in the ICT environment, which are advisory rather than mandatory. The introduction in the foreseeable future of universal, legally binding norms regulating international relations in the digital realm is an elusive task. Progress is stalled because of opposition to the Russian initiatives on the part of Western countries (the United States, in the first place), which have a different vision of the ideal model for regulating relations in the digital space. Let us cite some significant differences as an example:

• The difference in approach is reflected in the main emphasis: while the U.S. prefers to focus on highly specialized, technical issues (e.g., measures to protect CII), Russia seeks to steer the international debate toward discussing general rules of conduct in the ICT environment. In particular, the UNGA resolution “Creating a global culture of cybersecurity and taking stock of national efforts to protect critical information infrastructures” (adopted in 2002, 2003 and 2009), promoted by the United States, suggests sharing summary information on measures taken and seeks to build a national cybersecurity culture, including sharing information on CII vulnerabilities and other sensitive data [27]. In addition, Western nations often divert the discussion to topics that are not critical to addressing the problem of IIS (e.g., gender issues).
• Russia is in favor of an open and global Internet, where equal opportunities for access are provided to all countries, while pointing to the sovereign right of states to manage the Internet in their national segment. The U.S., on the other hand, proceeds from the logic that technologies are transboundary by their very nature, so there should be no barriers in the information space like national regulation and suchlike.
• The Russian side considers the use of ICTs for military and political purposes unacceptable. The United States, on the other hand, while believing in the regulation of cyber means in principle, nevertheless admits the possibility of their military use.
• The Russian side promotes the concept of secure operation and development of the Internet, which is based on the transfer of control functions from a private corporation managing domain names and IP addresses (Internet Corporation for Assigned Names and Numbers, ICANN), which is based in the United States and acts within the U.S. jurisdiction and legal environment, to international institutions. It is worth noting that the principle of Internet governance internationalization was enshrined in the program of the World Summit on the Information Society, held in Tunisia back in 2005 [28]. In general, the U.S. declaratively supports this principle, which can be seen, for example, from the text of the U.S. resolution A/RES/64/211, while actually ignoring it, with no serious changes in the Internet governance system being observed thus far.
• Russia holds to the opinion that it is impossible to accurately identify the source of computer attacks. This proposition is reflected in the concept of the Convention on Ensuring International Information Security [29]. When indicted for a cyberattack, the Russian side insists on the mandatory provision of solid evidence. The United States and other Western nations often practice public attribution, using the “name and shame” tactic [30].
• Russia seeks to have a special section in international law dedicated to the information space, as the current norms of international law may not always be applicable to this very special realm. The US and its allies believe that the existing norms of international law are quite sufficient. In this context, Russia favors legally binding norms and rules in the information space, while Western countries believe that they should be advisory in nature.

Meanwhile, the problem of searching for consensus on IIS is aggravated not only by different visions of an ideal digital future, but also by geopolitical tensions – all strategic documents adopted in the United States over the past few years have identified Russia as a threat [31], including in the information space.

Opposition to Russian approaches causes the fragmentation of the IIS dialogue space into Western and Russian initiatives. Here we can recall the launching of negotiation mechanisms working in parallel (as was the case, for example, in 2019-2021, when the American-style GGE and the OEWG worked simultaneously on the UN platform), as well as the proposal of alternative projects on information security. For example, these include the Program of action to advance responsible State behavior in the use of information and communications technologies in the context of international security, proposed by France, with the United States joining it in 2021.

Of course, there have been brief periods of cyber détente in the UN venues. For example, in 2021, a joint U.S.-Russian resolution on negotiations about security in the ICT environment was adopted. Unfortunately, such events were rather short episodes in the long backstory of pungent rivalry between the leading cyber powers. Today, the dialogue on information security issues at the bilateral level between Moscow and Washington is virtually frozen. Moreover, according to Andrey Krutskikh, Special Representative of the President of the Russian Federation for International Cooperation in the Field of Information Security (2014-2023), most recently “Russian authorized negotiators are prevented from performing their diplomatic functions in the UN, their access to the headquarters of this organization being restricted, which undermines the international negotiation process on the IIS as a whole” [32].

The political crisis in the Russia-West relationship is reflected not only in the negotiation process within the UN, but is also visible on other international platforms. For example, in 2012, the OSCE launched an informal working group (WG) to develop confidence-building measures (CBMs) that would reduce the risks of conflicts in the ICT environment. As a result, 16 CBMs were agreed upon in 2016 [33]. However, today, in the midst of strained relations between Russia and the West, there is no constructive interaction on this issue, and the work of the WG is actually undermined. A similar situation is taking place within the International Telecommunication Union (ITU) – a specialized agency of the United Nations. Although ITU deals with purely technical issues, this organization has been crippled by politicization of its efforts and discrimination of the Russian side (refusal to appoint Russian representatives to leadership positions in various investigation commissions and advisory groups, revocation of entry visas, etc.). [34]. Thus, Russian diplomacy faces the problem of discrimination on important international platforms, which narrows the dialogue space and further complicates the search for a solution to the problem of international information security.

***

Industry 4.0 is gaining momentum as more sophisticated technologies are emerging and revolutionary innovations are being introduced. In the meantime, the political process of developing a “universal cyber code” is moving at an extremely slow pace, so issues of regulating the digital space hoard up, while fragmentation and militarization of this space are gathering pace.

Undoubtedly, the current geopolitical situation makes it very difficult to promote Russian initiatives – so far, confrontational rhetoric, rather than dialogue, is overruling. Yet, the work of the OEWG on the UN platform continues, and this inspires some optimism. Most countries stoke interest in this negotiation mechanism, thus preserving an important channel of communication on the IIS under turbulent circumstances and preventing the predominance of Western initiatives in this area.

First published on the CASТ website.

1. The FSB of Russia has reported 5,000 cyberattacks on Russian infrastructure during the past year // RIA Novosti, 13.04.2023, https://ria.ru/20230413/kiberataki-1865007760.html.

2. Biggest data leaks in 2022 and 2023 signal the rapid spread of phishing and ransomware // SecurityLab, 31.03.2023, https://www.securitylab.ru/blog/personal/valerylinkov/352731.php.

3. TOP-10 most sensational cyberattacks of the XXI century // RBC Trends, 20.02.2021, https://trends.rbc.ru/trends/industry/600702d49a79473ad25c5b3e.

4. Secretary General of Interpol urged people to watch their money amid a rising tide of cybercrime // TASS, 17.10.2022, https://tass.ru/proisshestviya/16075835.

5. Sebekin S. Threats to International Information Security in the Era of Industry 4.0. Analytical note No. 41, Russian International Affairs Council (RIAC), M.: NPO RIAC, 2023, 13 pages

6. The U.S. Wants to Make Sure China Can’t Catch Up on Quantum Computing // FP, 31.03.2023, https//foreignpolicy.com/2023/03/31/us-china-competition-quantum-computing/.

7. Tolstukhina A., Matveenkov K. Big Tech vs Regulators: Long-Term Global Trend, Workbook No. 71, Russian International Affairs Council (RIAC). M.: NPO RIAC, 2022, 58 pages

8. Russia has tested the stability of the Runet against the possibility of its disconnection from without // RBC/, 05.06.2023, https://www.rbc.ru/technology_and_media/05/07/2023/64a569439a7947106d06262b.

9. See Tolstukhina A., Matveenkov K in the work mentioned above

10. Ibid.

11. Krutskikh A.V. Cyber-Bullying Tactics as an Integral Element of Western Sanctions Policy // International Life, 13.10.2022, https://interaffairs.ru/news/show/37404.

12. Web-document: https://sgp.fas.org/crs/natsec/IF10537.pdf.

13. International Information Security. Theory and Practice, three volumes, Vol. 2: Document Digest (in Russian) / Edited by A.V. Krutskikh, second edition, add. M.: Aspect Press Publisher, 2021, p. 225

14. Web-document: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N99/760/05/PDF/N9976005.pdf?OpenElement.

15. Web-document: https://www.hse.ru/data/2023/02/06/2044873314/%D0%A0%D0%B5%D0%B7%205%2012%2018.pdf.

16. Web page: https://www.un.org/ru/ga/73/docs/73res1.shtml.

17. The term “international information security” was also proposed by Russia, which advocates its use in diplomatic discourse and official documents. “The IIS is a state of international relations that excludes the disruption of world stability or creating a threat to the security of states and the world community in the information space,” as stated in the “Draft Principles Concerning International Information Security” of May 12, 1999, which was submitted for consideration by the UNGA.

18. Digital International Relations, in two volumes, Vol. 1 / edited by E.S. Zinovieva, S.V. Shit’kov, M.: Aspect Press, 2023, p. 213

19. Tolstukhina A. Two Cyber Resolutions Are Better Than None // RIAC, 13.02.2019, https://russiancouncil.ru/analytics-and-comments/analytics/luchshe-dve-kiberrezolyutsii-chem-ni-odno....

20. On the Concept of the UN Convention on International Information Security // Russian Ministry of Foreign Affairs, 16.05.2023, https://www.mid.ru/ru/foreign_policy/news/1870609/.

21. The Russian side explains the need for an alternative to the Budapest Convention by the fact that, firstly, the approaches to the definition, prevention and investigation of cybercrime are remarkably outdated due to the fact that the text of the Convention was developed in the late 1990s, and secondly, paragraph ‘b’ of Article 32 in this document allows one of the parties to the Convention, without official notification and consent, to gain access to various data stored in the computer networks of the other party, which, according to the Russian authorities, poses a threat to national security and sovereignty.

22. On the submission to the UN Special Committee of the Russian draft universal international convention on combating the use of information and communication technologies for criminal purposes // Russian Ministry of Foreign Affairs, 28.07.2021, https://www.mid.ru/ru/foreign_policy/news/1770170/.

23. Zinovieva E., Yatsze B. Digital Sovereignty Practice in Russia and China // RIAC /, 29.05.2023, https://russiancouncil.ru/analytics-and-comments/analytics/praktika-tsifrovogo-suvereniteta-v-rossii....

24. SCO member states sign a joint declaration // TASS / 04.06.2023, https://tass.ru/mezhdunarodnaya-panorama/18185115.

25. On Inter-MFA Consultations of CIS Member States on International Information Security // Russian Ministry of Foreign Affairs, 24.06.2023, https://www.mid.ru/ru/foreign_policy/international_safety/mezdunarodnaa-informacionnaa-bezopasnost/1....

26. Web document: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N18/418/07/PDF/N1841807.pdf?OpenElement.

27. Web document: https://documents-dds-ny.un.org/doc/UNDOC/GEN/N09/474/51/PDF/N0947451.pdf?OpenElement.

28. Web document: https://www.un.org/ru/events/pastevents/pdf/agenda_wsis.pdf.

29. Web page: https://namib.online/2021/07/koncepcija-konvencii-oon-ob-obespechenii-mezhdunarodnoj-informacionnoj-....

30. Why the US chose to “name and shame” Russia over cyberattacks // DefenseNews, 21.02.2020, https://www.defensenews.com/international/2020/02/21/why-the-us-chose-to-name-and-shame-russia-over-....

31. Web document: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf; web document: https://www.whitehouse.gov/wp-content/uploads/2022/10/Biden-Harris-Administrations-National-Security...; web document: https://media.defense.gov/2022/Oct/27/2003103845/-1/-1/1/2022-NATIONAL-DEFENSE-STRATEGY-NPR-MDR.PDF.

32. Krutskikh A.V. The work referred to above

33. Commentary by the Information and Press Department at the Russian Ministry of Foreign Affairs in connection with the approval by the OSCE Permanent Council of additional confidence-building measures in the area of ICT security // Russian Ministry of Foreign Affairs, 15.03.2016, https://www.mid.ru/en/foreign_policy/news/1524323/?lang=ru.

34. The head of the Russian delegation spoke out against the politicization of the International Telecommunication Union // TASS, 27.10.2022, https://tass-ru.turbopages.org/tass.ru/s/ekonomika/15887467.