After President Biden’s Geneva meeting with Russian President Vladimir Putin, the heads of state declared their commitment to future, lower-level cybersecurity dialogues. Biden, in a press conference held separately from Putin — smartly so, given the latter’s propensity for lying and what-about-ism at media events — also said he pressed Putin to crack down on cybercrime in Russia. And yet, just weeks later, over the July 4 weekend, a criminal group in Russia launched a ransomware attack on Kaseya, a U.S.-based managed service provider.
Now, ransomware is all over the news. Biden told Putin in a July 9 phone call to curb recent ransomware attacks coming from within Russia, and on July 20, the House Energy and Commerce Committee held a ransomware hearing that further catalyzed productive conversations about government responses to the threat. Yet when talking about Russia and ransomware in particular, the national security and cyber policy communities should not forget another force shaping the Russian internet security landscape, and one that the U.S. and its NATO allies can no longer ignore: Putin’s push for an isolatable domestic internet.
Western debates often separate out Russian domestic internet policy from the Russian cyber ecosystem, but there are many important links between the two, which I explore in a new Atlantic Council report. The so-called domestic internet law in Russia, signed in 2019, was itself propelled by Kremlin fears of U.S. interference in Russian politics and with Russian interests via the open internet. As Moscow pursues its (frankly, very) aspirational goal to isolate the internet in Russia from the rest of the world, it’s worth asking what further internet isolation could do to shift cyber operations conducted from within Russia — and the Kremlin’s calculus around them.
Putin’s general worldview — one of paranoia, conspiratorial thinking, zero-sum international competition — is reflected in his comments on, and his regime’s approach to, the internet domestically. The Kremlin sees internet openness as a threat to regime stability. It continually imagines a Western hand in digitally coordinated protests in Russia (even those visibly organized by Russian citizens), and in the influence Silicon Valley tech giants have on global online discourse. Olga Melnikova, head of the Russian Ministry of Foreign Affairs’ Department of International Information Security, recently underscored this belief in an article that lamented the United States’ “dominance” of global cyberspace and pointed to greater state control of internet standards as the solution.
Internet control in Russia is not easily understood, though, if Beijing’s internet control model is taken as the sole paradigm of digital repression. The Kremlin relies on much less technical control than its Chinese counterpart, and instead uses a mix of traditional, offline tactics along with some technical ones to shape behavior. As the Atlantic Council report says, “Intimidation, harassment by security services, court-ordered fines, and complex, restrictive, and inconsistently enforced speech laws are all employed to shape the internet in Russia and citizens’ interactions with it.”
The Russian government’s push to develop a domestic internet — the focus of a so-called domestic internet law that went into effect in November 2019 — is already changing this internet landscape. Moscow has already run into hurdles, including technical challenges in consolidating control of internet traffic routing and political challenges in compelling internet companies to install packet-filtering equipment on their networks. A domestically isolatable internet is easier said than done. But as part of this push, changes to the internet within Russia are already underway: more authorities for Roskomnadzor, Russia’s internet and media regulator, to issue orders to companies, and wider deployment of deep packet inspection, which the state used to throttle (slow down) Russians’ access to Twitter in March.
Further internet isolation could increase the Kremlin’s feelings of insulation from foreign cyber threats, prompting more assertive, overseas-focused operations in response. It could also cause the Russian government, if isolation were widespread enough, to increase its involvement with select cyber proxies in some cases, to provide necessary infrastructure or other technical capacities to launch operations that would require strong and prolonged connectivity to the global internet.
However, potentially negative consequences abound: building a custom DNS for Russia could make it easier for foreign powers to manipulate traffic routing within Russia, or aid in the attribution of Russia-originating cyber operations due to unique DNS signatures. Isolating the internet within Russia from the rest of the world could also harm the Russian technology sector and, specifically, cyber skill development. There are many possibilities, and they may shift as the Russian government continues its push to establish a sovereign, isolatable internet domestically.
The White House said it did not believe the Kremlin was involved with ransomware attacks launched earlier this year against major U.S. companies, and that may very well be true. Putin does not control everything in Russia. Yet the regime’s coercion of domestic tech companies — meshed with its overall coercion and control of regime-threatening forces — underscores that Putin could crack down on cybercrime if he so desired.
The U.S. and its NATO allies must confront this interplay head-on. Washington should link strategic and operational interagency conversations on Russian cyber operations with those on Russian internet policy. It also must bridge these gaps within bureaucratic organizations, such as in the Department of State, where teams often manage these issue sets separately from one another. Internationally, the NATO bloc must pay more attention to domestic Russian internet policy developments, including integrating changes to Russian internet architecture into conflict scenario planning and commissioning further studies on the interplay between Russian internet policy and the Russian cyber ecosystem. U.S. and EU partners must also recognize there is limited room for maneuver: The Kremlin is not going to waver in pursuing internet isolation. The greater pressure points for the Putin regime may be the technical and economic difficulties it faces in pursuing the “sovereign internet,” rather than its overall political calculus (where internet control and regime security are aligned).
Russia’s Deputy Foreign Minister recently advocated for the U.S. and Russia to broaden their cyber talks beyond cybercrime, likely an attempt to distract from the ransomware issue by bringing espionage, military cyber operations, and other topics into the fray. But if the U.S. is going to continue addressing cyber threats from within Russia, it must prioritize a comprehensive analysis of Russian cyber policy amidst all these incidents.
Justin Sherman is a fellow at the Atlantic Council’s Cyber Statecraft Initiative.