The Russian Federations information security development has, much like the UNGGE cyber norms debate, been shaped by its complex relationship with international law. This approach will have a significant influence in the way they interpret and approach the cyber norms as presented in the 2013 and 2015 reports. Therefore, the purpose of this chapter is to answer the sub-question “How is the development of international cyber norms framed within the Russian Federations approach to information security?”. The approach of the Russian Federation within is security strategies is often difficult to parse due to its often ambiguous and contradictory nature.
International law and Human Rights
The starting position of the Russian Federation towards the UNGGE is that the existing rights, principles, and obligations as derived from international law are insufficient to protect them in cyberspace. They believe that current laws are unable to prevent potential malicious actors from damaging or disruption its information infrastructure (A/66/359, 2011; A/69/723, 2015). In contrast, the Russian Federation also argues that adherence to international law is in the national interest and part of its national security objectives (MFARFFP, 2016; SCRF, 2013). The solution to this contrasting position is for the Russian Federation the creation of a separate international information security system (IISS) (MFARFIS, 2016; MODRF, 2011).
The overarching purpose of the IISS would be to counter the potential malicious use of ICTs for activities which run contrary to existing international law, rights, principles, and obligations (MFARFIS, 2016; MODRF, 2011). To realise this, the Russian Federation seeks to create new laws or amend existing ones, until they are tailored to the specific interest of the Russian Federation.
To contribute to the development of regional systems and establishment of a global information security system based around universally recognized principles and standards of international law (respect for state sovereignty, non-interference into internal affairs of other states, refraining from the threat or use of force in international relations, right of individual and collective self-defence, respect for human rights and fundamental freedoms) (SCRF, 2013, p. 6)
The interest of Russia is to have the IISS exist within the sphere of the UN and be linked to “generally accepted principles of international law” such as sovereignty, territorial integrity, and non-intervention (SCRF, 2013). However, beyond this, little is explained about its actual
35 construction and functioning. Nonetheless, some assumptions about its functioning can be made based on the recommendations of the members of the Shanghai Cooperation (A/66/359, 2011; A/69/723, 2015).
In their 2011 and 2015 letters to the UN General Assembly, the Russian Federation, amongst others, provided a codes of conduct to the UNGGE debate to provide an alternative perspective against the UNGGE norms (A/66/359, 2011; A/69/723, 2015). However, despite their presentation, these codes of conduct do not entirely qualify as norms along the line of the UNGGE.
Like the UNGGE norms, a code of conduct are non-legal, in that the intent to adhere to these norms or codes is derived from the context and environment they were created in (Bothe, 1980). The difference is that the UNGGE norms eventually have the potential to become legal norms whereas the codes of conduct do not. The codes of conduct rely on a voluntary adherence to the principles of sovereignty, non-intervention, territorial integrity, but do not include a legal responsibility (A/66/359, 2011; A/69/723, 2015). The UNGGE reports do not discuss responsibility or legal consequences either but do suggest that international law is applicable in cyberspace (A/68/98, 2013). Thus, although the UNGGE norms currently do not qualify as legal norms, it is mainly due to a lack of specification, clarification, and progress.
The purpose of the codes of conduct and the IISS combined is to establish a regime with a voluntary adherence to universally recognized principles and standards of international law but without any of its enforcement mechanisms (Von Heinegg, 2015). The issue is that the UNGGE generally agrees on the inclusion of these principles (A/68/98, 2013; A/70/174 2015). The difference being the development and interpretive position the Russian Federation has with respect to these principles. These principles through the IISS are for the most part an effort by the Russian Federation to extend its control over cyberspace (Von Heinegg, 2015).
This effort is problematized in respect to international law concerning human rights and fundamental freedoms. The UNGGE takes a strict stance on protecting and ensuring these rights and freedoms are universally applied in cyberspace (A/68/98, 2013; A/70/174 2015). In contrast, the Russian state seeks to remain the guarantor of security and the rights of its citizens. Meaning, the state should be responsible for the protection of these human rights and effectively determine which rights and freedoms apply and which do not.
For the Russian Federation, the purpose of international law and the UNGGE cyber norms should not be to limit or regulate the behaviour of states. Instead, the UNGGE norms should focus on preventing the malicious use of ICTs by states and non-state actors altogether (MODRF, 2011). The belief is that state and non-state actors could potentially use malicious
36 ICTs to damage or disrupt the Russian Federations information infrastructure for criminal, terrorist, extremist, or separatist purposes (MOFRF, 2014; MFARFFP, 2016; SCRF, 2009, 2013). Sovereignty in this context is for the Russian Federation absolute. It awards each state the right to manage its own cyberspace according to its domestic laws and regulations. Sovereignty therefore also extends to give each state the right to control the flow of incoming and outgoing information and as a result prevent the malicious use of ICTs (Krutskikh & Streltsov, 2014).
Yet, despite being a fervent proponent of the sovereignty of states, the Russian Federation fears said principle in relation to the use of self-defence. This in particular concerns IHL and the use of force to include a cyber component (Krutskikh & Streltsov, 2014). The fear is that the inclusion of a cyber component could lead to the legitimization of cyberconflicts through the right of self-defence as described in article 51 of the UN Charter (UN Charter, 2015). The cyber-attack could be framed as the use of force and potentially lead to states using extraordinary measures to defend themselves against the attack (Krutskikh & Streltsov, 2014). An inherent issue in this logic for the Russian Federation is the possibility for wrongful attribution (Krutskikh & Streltsov, 2014).
Although this may have been the case in the past, most cyber-attacks can and are identified and attributed accurately (Jensen, 2012). The fear that a cyber-attack could justify a cyber conflict also remains unsupported. Besides, not every cyber-attack which violates a state’s sovereignty could convincingly be qualified as a use of force and trigger the self-defence mechanisms (Von Heinegg, 2015). The UNGGE suggest that states are allowed to undertake measures consistent with international law and the UN Charter, which would include Article 51. However, the right to self-defence in Article 51 is only permitted in cases of an armed attack which cyber-attacks currently are not classified as (UN Charter, 2015). However, this entirely depends on the definition cyber-attacks may obtain in the future. The lack of clarification in the UNGGE reports can thus be dangerous if left open to the interpretation by states.
The discussion on this issue during the 2016-2017 UNGGE did however not lead to a consensus on the matter; indicating that the Russian Federation and its allies were unable to convince the other participating members of their concerns (Lewis & Vignard, 2016). The push for control by the Russian Federation is directly linked to the framing and interpretation of its referent objects, the Russian information infrastructure, whose functioning is linked to its sovereignty and survival.
37
Infrastructure
Infrastructure in the Russian Federation is predominantly approached as information infrastructure. Information infrastructure refers to the systems and means which use and store information (SCRF, 2013). Unlike the UNGGE, the Russian Federation does not frequently mention its critical information infrastructure and fails to explain the definitional difference adequately. Instead, it focuses more on discussion its information infrastructure and critical infrastructures separately, although they both fall under the Russian Federations national security umbrella (MODRF, 2010, 2014). For Russia, the information infrastructure has to remain a safe environment within which information can be circulated safely, is reliable, and where damaging and disrupting impacts can be resisted. This resistance is framed as the protection of human and civil rights, and to sustain the socio-economic development of the Russian Federation (MFARFIS, 2016).
Enhancing the safe operation of information infrastructure objects, including with a view to ensuring stable interaction between government bodies, preventing foreign control over these objects, and ensuring the integrity, smooth operation and safety of the unified telecommunications network of the Russian Federation, as well as ensuring the security of information transferred through this network and processed within information systems in the territory of the Russian Federation (MFARFIF, 2016, p. 8)
The fear within the Russian Federation that its infrastructure is at a high risk to be damaged or disrupted by state and non-state actors. The ultimate goal of protecting these systems is the creation of a single unified system which is controlled by the state and supports the Russian Federations national security objectives (SCRF, 2009). The threats from cyberspace are directly linked to the survival of its information infrastructure. Damage or disruption to these systems is seen as a violation of the Russian states sovereignty, non-intervention, and territorial integrity (MODRF, 2010; A/69/723, 2015).
A problem is that the Russian Federation extends its information infrastructure to the functioning of the organs of state power. Meaning, the Russian states ability to govern is linked to the continuing of the information infrastructures (MODRF, 2010). Within such a framing, it becomes difficult to see where the boundary of the Russian information infrastructure begins and ends. It could encompass all infrastructure within the geographical borders, under the notion that all critical infrastructure contains a component of information infrastructure (Lopez et al., 2012). As such, it becomes another means for the Russian Federation to justify its total
38 control over the flow of information that passes through its information infrastructures (Finnemore & Hollis, 2016; Von Heinegg, 2015).
In terms of human rights and fundamental freedoms, the Russian Federation would not benefit from the application of international law onto cyberspace. Such a move would interfere with its understanding of sovereignty in relation to the level of control it wishes to maintain over its own cyberspace. Thus far, the Russian Federation has been relatively successful in tightening its control over the flow of information in Russia (Freedom House - NET, 2017; Freedom House - PRESS, 2017). The creation of the IISS is more of a condition which prevents the violation of the Russian rights within cyberspace (SCRF, 2013). A separate system would allow the Russian Federation to add its information infrastructure as a protected entity and justify its level of control over it. Thus, the Russian Federation has clearly securitized its information infrastructures as referent objects. Yet, instead of using extraordinary measures, the Russian Federation instead supposedly seeks to promote its ideals on an international level through the UNGGE (A/66/359, 2011; A/69/723, 2015). This approach to protecting the information infrastructure and the information flow within, influences to a considerable degree the prevention, deterrence, and attribution measures the Russian Federation is willing to undertake.
Prevention, Deterrence, and Attribution
The objective of the Russian Federation is to prevent the malicious use of ICTs completely. A significant part of this prevention effort is preventing the spread of information weapons and the demilitarization of cyberspace (MODRF, 2011). Information weapon is defined only once in 2011 as the means and methods used for the purpose of waging information war using information technologies (MODRF, 2011). Information war is defined as:
…confrontation between two or more states in the information space for damaging the information systems, processes and resources, which are of critical importance, and other structures, to undermining the political, economic and social system, and massive brainwashing of the population for destabilizing the society and the state, and also forcing the state to make decisions in the interests of the confronting party (MODRF, 2011, p. 5).
To prevent such an information war or conflict, the Russian Federation wants to create the IISS as a legal regime for the non-proliferation and arms control of information weapons (SCRF, 2013). The existential threat is linked to the referent objects of international principles of sovereignty, non-intervention, and territorial integrity and are thus also linked to efforts of
39 control. However, the above-mentioned application of a legal regime does indicate a rather conflicting IISS if it is to pick and choose the instances where international law is applied.
Finnemore and Hollis (2016) argue that the proposed non-proliferation and arms control measures have been met with little enthusiasm by other states (Finnemore & Hollis, 2016). Many of the states fear that these measures may not work and is largely dependent on the definition used for malicious ICTs and information weapons. Furthermore, demilitarizing cyberspace would be difficult in itself. All armed forces in the world use ICTs to a degree and make use of both public and private infrastructures to do so (Gottwald, 2009; Von Heinegg, 2015). Even outside of a conflict, ICTs can be used for purposes which may go against the interests of the Russian Federation. ICTs could facilitate political violence through collective action and increase the mobilization of people. A particular example of this being the Arab Spring. A revolution which was to a large extent facilitated by the use of social media and thus information (Weidmann, 2015). However, ICTs could also be used by states to limit political speech or for intelligence gathering efforts (Finnemore & Hollis, 2016; Weidmann, 2015). The Russian Federation wants to protect and deter this possibility and believes it is allowed to take all necessary measures to do so (MODRF, 2010).
Enhancing the protection of the critical information infrastructure and reliability of it’s functioning, developing mechanisms of identification and prevention of information security threats and elimination of their effects, as well as enhancing the protection of citizens and territories from the effects of emergencies caused by information and technical impacts on the objects of critical information infrastructure (MFARFIS, 2016, p. 7).
These measures include the creation of information weapons and the involvement of the Russian Armed forces as part of a strategic deterrence effort to prevent armed conflicts (MODRF, 2010, 2011). No definition for strategic deterrence is provided, although it is frequently discussed in relation to nuclear deterrence. The purpose of these deterrence measures in cyberspace is to deter the use of ICTs for military or political aims which can damage the sovereignty and territorial integrity of the Russian Federation (MFARFFP, 2016). Following Nye (2016) categories of deterrence, the Russian Federation appears to rely on entanglement measures. The purpose of the entanglement measures is to ensure that both sides benefit from the status quo much like nuclear-deterrence (Nye, 2016).
The enforcement of these preventative measures can to some extent be linked to the Russians deterrence measures. As part of the IISS, the Russian Federation advocates for the creation of an international mechanism to continuously monitor cyberspace. The purpose of
40 the system would be to prevent the malicious use of ICTs in interfering in the internal affairs of states and violate its sovereignty (SCRF, 2013). This system could in essence also be used as a deterrence measure. States may be less likely to use information weapons or malicious ICTs if their activities are continuously monitored. The implementation of this system may be difficult. This measure of denial may be effective but does require states to have the resources to do so (Nye, 2016). However, as Von Heinegg (2015) argues, not many states are capable of monitoring their data traffic consistently and effectively. It would also require a state-centric approach and a level of control over their ICT industry which only like the Russian Federation have and are unlikely to be adopted by democratic states (Von Heinegg, 2015).Yet, this monitoring system would follow the UNGGE norm recommendation that states should not knowing allow their territory to be used for international wrongful acts (A/69/723, 2015). It may be only way for states to be certain that their territory was not knowingly used. However, according to the International Telecommunications Union (ITU), over 48% of the world’s population uses the internet (ITUFAF, 2017). Effectively monitoring all this data traffic may be impossible.
Nonetheless, the Russian Federation has securitized its information infrastructure and contradictory advocated for both the use of extraordinary measures, but also for the non- proliferation of these measures (SCRF, 2013). Through the framing of the referent objects and the existential threats, it appears that the Russian Federation has not necessarily securitized its information infrastructure, but rather the information it contains and its sovereign right to control the access to said information within its territory. The development of its security strategies is guided by this principle, which to a large extent is not compatible with the purpose and objective of the UNGGE norms. The UNGGE reports recognise that (critical) information infrastructures are referent objects and the jurisdiction states have over it (A/69/723, 2015). However, this is in relation to human rights and fundamental freedoms which does not allow the type of control the Russian Federation wants and advocates for through the UNGGE, and which differs significantly from the approach of the Netherlands.
41