By Andrei Soldatov and Irina Borogan*
Russia is currently busy rewriting the country’s doctrine of information security, to be adopted in 2016. The internet is defined in the text as a major challenge to the political stability of the regime.
“Special services” and Western countries’ “controlled NGOs” actively use information and communication technologies (the Russian euphemism for the internet) “as a tool to undermine the sovereignty and territorial integrity” and “to destabilize political and social situation” of other countries, reads the text of the draft, published by Kommersant this week.
The fear of what goes on the internet and what comes off it seems to be growing in the Kremlin, but it reflects an old concern, as the horizontal and global nature of the Internet has been a challenge for decades to the suspicious Russian secret services, the direct successors to the KGB.
In the 1990s, when the internet in Russia was mostly a telecommunication technology, it meant that the information, including sensitive stuff, was circulated on the network built by Americans using technologies designed by Americans. Russian generals openly said that the Internet was a direct threat to national security.
In the 2000s, with the blossoming of websites and then social networks, the new direction came up, now the Internet was primarily made of content generated and stored under control of Americans. For Putin’s government, that meant that the large and mighty fortress Russia had a huge breach, and this breach had to be dealt with as soon as possible.
In this excerpt from the recently published The Red Web, Andrei Soldatov and Irina Borogan describe how the Kremlin has been trying to rewrite the rules for the internet to make it “secure” as it is understood by Russia’s secret services.
Vladimir Putin was certain that all things in the world—including the internet—existed with a hierarchical, vertical structure. He was also certain that the internet must have someone controlling it at the top. He viewed the United States with suspicion, thinking the Americans ruled the web and that it was a CIA project.
Putin wanted to end that supremacy.
Just as he attempted to change the rules inside Russia, so too did he attempt to change them for the world. The goal was to make other countries, especially the United States, accept Russia’s right to control the internet within its borders, to censor or suppress it completely if the information circulated online in any way threatened Putin’s hold on power.
Andrey Krutskikh devoted his entire career in the Russian Foreign Ministry to arms control. He joined the diplomatic service in 1973, right after university, and served in the ministry for the final eighteen years of the Soviet Union’s existence. He admired the diplomatic style of the stolid and uncompromising foreign minister, Andrei Gromyko, known informally in the West as Mr. Nyet. Krutskikh often called Gromyko “great.”
From the very beginning of his service Krutskikh’s work centered on disarmament, nuclear weapons, and the so-called main adversaries, the United States and Canada. When he was 24 years old, in 1975, he was sent to Salt Lake City as a member of the Soviet delegation to negotiate strategic nuclear arms control. Krutskikh’s experience at the negotiations in Salt Lake City left a strong impression on him. It was a time when Soviet diplomats had stature; they decided the fate of the world and spoke on equal terms with the Americans. After the Soviet collapse and into the late 1990s Krutskikh continued to focus on arms-control issues and rose through the ranks of the ministry.
He was not a smooth or slick diplomat; he had a rather agitated manner—expressive, his hands always in motion. Krutskikh soon wondered whether arms control could be useful in the emerging realm of cyber conflict.
Among a particular group of Russian generals who represented FAPSI, the powerful electronic intelligence agency that had grown out of the KGB, a similar mindset was developing.
The agency’s headquarters was located in a stark, modern terraced building with giant antenna globes on the roof not far from the KGB headquarters. Like the US NSA, FAPSI was responsible for information security, signals, and electronic intelligence. For many years their generals watched the growth of the internet with suspicion, thinking it was a threat to Russia’s national security, because in the early days the Russian internet was built with Western technology, and they were obsessed with the fear that it would be thoroughly penetrated by the Americans.
The leader of this group of suspicious generals was Vladislav Sherstyuk, a colonel-general in the intelligence wing of the agency and a KGB officer since 1966. By the 1990s he became head of the very mysterious and powerful Third Department of FAPSI, in charge of spying on foreign telecommunications. All Russian centers of electronic espionage abroad were subordinated to this department, including the radio interception center at Lourdes in Cuba, which was in charge of monitoring and intercepting radio communications from the United States. Sherstyuk was a spymaster, determined to exploit communications to steal US secrets and protect Russia against espionage of the same kind. This naturally made him wary of the internet, where so much was beyond his control.
When the war in Chechnya began, Sherstyuk was put in charge of FAPSI’s group there, and he organized the interception of Chechens’ communications. In December 1998 he was appointed director of FAPSI, a mighty intelligence service in its own right that competed head-to-head with the FSB. Among other things, they had a very special role in controlling the government’s most sensitive communications networks.
Krutskikh and the FAPSI generals spoke the same language of suspicion—a language of threats posed by the internet. In early 1999 Krutskikh was helping to draft a resolution for the UN General Assembly that reflected these views and warned that information—the internet—could be misused for “criminal or terrorist purposes” and could undermine “the security of States.” In other words, information technologies had to be controlled because they could be dangerous. The resolution was adopted without a vote.
Krutskikh and the generals viewed the internet as a battleground for information warfare. (This term should not be mixed with cyberwarfare, which is mostly about protecting a nation’s critical digital networks from hackers.) For Krutskikh and the generals, information warfare encompasses something political and menacing, including “disinformation and tendentious information” that is spread to incite psychological warfare, used for altering how people make decisions and how societies see the world. In contrast to those who celebrate free media and the internet as a glorious information superhighway that opens limitless possibilities for discovery, Krutskikh and the generals worried that it could become the front lines of conflict between nations and hostile groups.
In December 1999 Sherstyuk moved out of FAPSI to the Russian Security Council, an advisory group to the president on security. Once there, he supervised a department for information security, which included the internet, and brought his ideas with him. The Security Council normally is made up of top officials, including the president, and meets periodically, but it also has an influential staff, which Sherstyuk joined. In 2000 his team composed the “Doctrine of the Information Security of the Russian Federation,” which included an unusually broad list of threats, ranging from “compromising of keys and cryptographic protection of information” to “devaluation of spiritual values,” “reduction of spiritual, moral and creative potential of the Russian population,” as well as “manipulation of information (disinformation, concealment or misrepresentation).”
Quite ominously, it identified one source of the threats as “the desire of some countries to dominate and infringe the interests of Russia in the global information space.”
Putin approved the doctrine on December 9, 2000. In 2003 FAPSI was disbanded, but not the ideas of the suspicious generals. Sherstyuk remained at the Security Council, and some of his views were reinforced when a like-minded top official from the FSB, Nikolai Klimashin, was moved to the Security Council. Sherstyuk founded and headed the Information Security Institute at Moscow State University, which he built into a major think tank to define Russian foreign policy on information security.
Meanwhile, Krutskikh rose to become deputy chief of the Department for Security and Disarmament Issues at the ministry.
For years at international meetings Krutskikh had been driving home that Russia wanted to govern its own space on the internet. Whereas others, including the United States, saw the internet as a wide-open expanse of freedom for the whole world, Krutskikh insisted that Russia should be able to control what was said online within its borders. He expressed fear that, without such control, hostile forces might use the internet to harm Russia and its people.
“If through the internet we would be forced to forget our mighty great Russian language, and speak only using curse words, we should not agree with that,” he told us, echoing Putin’s deep suspicions about the internet and who was behind it. Krutskikh repeatedly proposed some kind of international agreement or treaty that would give Russia the control it sought over the internet. Influenced by his own career in arms-control negotiations, he was convinced that such an agreement must be between Russia and the United States. He wasn’t anti-American, but he grew emotionally attached to the idea that the two former Cold War superpowers could somehow make a pact that would give Russia control over its digital space.
The United States, however, never warmed to the idea—the US government never attempted to control content on the internet, and many of the first internet pioneers in America were very open about the internet as a symbol of how information should roam free—but what Krutskikh wanted most was to be taken seriously and to have his views treated with respect, as they were during the Cold War.
But he didn’t get much respect. At a bilateral meeting in March 2009 in Vienna, Krutskikh delivered a long monologue arguing that Russia and the United States—and perhaps other nations—should collaborate to regulate the internet as nations and governments.
He expressed fear that the internet was building beyond their control, that there could be an arms race in cyberspace, and it was time for governments to take charge.
Russian generals felt they were losing the global cyber arms race and wanted to put some limits on the United States’ offensive capabilities. But Krutskikh’s speech fell on deaf ears.
An American diplomat cabled back an account of the meeting, saying, “There was little change, if any, between U.S. and Russian long-held views” on the subject. Krutskikh desperately wanted some sort of joint statement with the United States, but the US administration was reluctant to sign anything.
But he didn’t give up. In 2010 Kaspersky Lab investigated Stuxnet, the US-Israeli worm that wrecked nearly a thousand Iranian centrifuges. Krutskikh seized on the incident—with its destructive malware, designed in part by the United States—as a justification for a ban on cyber weapons. In 2011, Eugene Kaspersky, who was highly regarded in Russia as an internet entrepreneur, added his voice to the idea of a ban on cyber weapons, and in November he wrote on his blog, “Considering the fact that peace and world stability strongly relies on the internet, an international organization needs to be created in order to control cyber-weapons. A kind of International Atomic Energy Agency but dedicated to the cyberspace.”
In the Bavarian Alps a small mountain resort town, Garmisch-Partenkirchen, is famous for its spectacular views and NATO’s Marshall Center for Security Studies, which is based there.
Nearby is a pretty hotel, Atlas, with a traditional Bavarian three-story lodge that is a twenty- minute walk from the Marshall Center. Founded in the early sixteenth century as a tavern, the hotel proudly lists among its previous guests Duke Ludwig from Bavaria, the Prince of Wales, and the King of Jordan. Every April, for almost a week, the hotel hangs a Russian flag from its balcony, hung personally by Sherstyuk, who, since 2007, has been bringing to the lodge a group of Russian and American generals and high-placed officials to talk quietly about information security and cyber conflict.
The first two days are always reserved for general discussions, mostly on cybersecurity and what kind of research is required. Russians gathered in one part of the hotel, and non-Russians gathered in another, partly because many Russians didn’t speak English, and most Americans didn’t speak Russian. The third day was devoted to individual meetings. The real business was conducted in closed rooms with only a few participants.
Klimashin was among the guests, as well as Krutskikh, who never tired of making speeches and arguing for agreement on “terms and definitions” in cyberspace and for greater UN involvement in internet governance. He favored the United Nations because it was filled with governments, not companies, and many of them were sympathetic to Russia’s desire to control the internet within their borders.
The US government took the gatherings in Garmisch very seriously every year. High-level officials were sent; in 2010 the US delegation included Christopher Painter, the second-ranking White House official on cybersecurity, and Judith Strotz, the director of the State Department’s Office of Cyber Affairs.
Russian officials in charge of information security often spoke bitterly of US domination of the internet, believing all the tools and mechanisms for technical control were in US hands.
Their main target was the internet Corporation for Assigned Names and Numbers, known as ICANN, a nonprofit organization headquartered in California. In 1997 President Clinton directed the secretary of commerce to privatize the management of the domain name system, a critical part of the internet that serves as a giant warehouse of web addresses looked up every time a user wants to go somewhere online. The Defense Advanced Research Projects Agency (DARPA), the National Science Foundation, and other US research agencies had previously performed this task.
On September 18, 1998, ICANN was created and given a contract with the US Department of Commerce to oversee a number of internet-related tasks, but the most important among them was to manage the distribution of domain names worldwide.
In the 2000s other nations campaigned to have a greater role in ICANN, but the Kremlin’s idea was more radical: to strip ICANN of its powers.
The president of ICANN, Paul Twomey, hastened to the second gathering in Garmisch in 2008. He and other high-ranking ICANN representatives tried to keep open channels of communications with the Russians. One of the top US ICANN representatives who made sure always to attend was George Sadowsky.
Looking always professorial, he taught mathematics at Harvard and was a technical adviser to the United Nations in the 1970s. In 2001 Sadowsky became executive director of the Global internet Policy Initiative, which promoted internet freedoms in the former Soviet Union and Central Asia. In 2009 he was selected to the board of directors of ICANN.
Sadowsky had a great deal of experience in dealing with Russian officials. He found the endless discussions to be frustrating, as both sides saw the world differently and had trouble even agreeing to a common language about the internet; there were very basic divisions over definitions regarding the internet. “Is it a communications service or is it an information service?” he recalled. “And this went on, and on, and on.”
In Garmisch both Russians and Americans tried to be pleasant and friendly, but they were at a stalemate. And with each passing year the discussions became increasingly difficult—after the conference in 2010 Sadowsky admitted, “The Russians have a dramatically different definition of information security than we do; it’s a broader notion, and they really mean state security.”
Andrei Soldatov and Irina Borogan are co-founders of Agentura.ru and authors ofThe New Nobility. Their work has been featured in the New York Times, Moscow Times, Washington Post, Online Journalism Review, Le Monde, Christian Science Monitor, CNN, and the BBC. The New York Times has called Agentura.ru “a website that came in from the cold to unveil Russian secrets.” Soldatov and Borogan live in Moscow.
To learn more about The Red Web, which was published on Sept. 8, click here.
Published on Motherboard on October 13, 2015