What’s being tested?
From June 15 to July 15, 2021, Russia held a series of multi-day exercises to test the robust operation of Runet, reported the newspaper, RBC, citing the infosec working group of the autonomous non-profit organization, Digital Economy.
All the major Russian telecom operators (MTS, Tele2, Beeline, Megafon, as well as Rostelecom, Transtelecom and ER-Telecom Holding) took part in the tests, which, according to sources, checked whether Runet could operate in the event of an attack by a hostile state. Another source told the newspaper that "the possibility of physically disconnecting the Russian part of the Internet was tested."
These are not the first such drills. In December 2019 open tests were carried out in Moscow, Rostov, Vladimir and other Russian cities to allow telecom operators and government agencies to check the level of protection of cellular subscribers’ personal data, as well as energy and financial companies’ networks and IT equipment against external threats, including hacking, as well as to see whether it is possible to intercept traffic and text messages, and determine subscribers’ location.
“The tests showed that, in general, both Russian authorities and telecom operators are ready to respond to emerging risks and threats, and ensure the stable operation of the Internet and telecommunications networks in Russia,” Deputy Minister of Digital Development, Communications and Mass Media, Alexei Sokolov, said at the time.
Testing was also due to take place in 2020, but was postponed because of the pandemic.
Why disconnect from the global Internet?
In October 2017, following three major hacker attacks that affected Russia and a number of other countries, President Vladimir Putin called for an increase in Runet security at a meeting of the Russian Security Council.
“External intrusion and leakage of electronic documents in the fields of defense, public administration, life-support infrastructure and finance can have the gravest consequences. <...> The security and stability of the infrastructure of the Russian segment of the Internet must be improved,” said the president.
A year later, in December 2018, a group of Federation Council senators and State Duma deputies introduced a bill on the autonomous operation of Runet, which later became known variously as the “Runet protection”, “sovereign Runet” and “Runet isolation” law. An explanatory note stated that the bill took account of the hacking accusations against Russia and the U.S. National Cyber Strategy, adopted in September 2018, which, according to senators, restated the “peace through strength” principle.
The essence of the law is to create a domestic infrastructure that will allow Runet to continue working even if Russia is disconnected from global servers.
The law also stipulates that Russian communications watchdog Roskomnadzor and operators will control data exchanged by Russian users, and, if necessary, not transfer it abroad and disable traffic if an attempt is made to access websites with prohibited information.
A separate clause provides for annual drills to be carried out by expert government agencies and telecom operators.
Before its signing, the bill was subjected to repeated criticism, primarily by operators and large IT companies. In their view, the requirements could lead to disruptions in communications services and the Internet. The bill was also criticized by the international organization Reporters Without Borders, which stated that the law would allow Russia to cut off the flow of digital information as and when it pleased.
Even government experts criticized the bill – in their opinion, the dangers it describes pose no real threat. Nevertheless, in May 2019 Vladimir Putin signed the adopted law, which came into force on Nov. 1 of that same year.
“Most servers are located abroad <...> assuming theoretically that these servers are turned off, or their operation impeded somehow, we must ensure the reliable operation of the Runet. This, in point of fact, is what the law aims to do. Only this. No restrictions are planned,” Putin responded in June 2019 to criticism of the law.
How will the “sovereign Runet” work?
All operators are installing special equipment to ensure uninterrupted data exchange in Russia in case it is ever necessary to unhook the country from the global Internet.
Roskomnadzor intends to set up a control center to monitor this equipment and the possibility of external threats.
If ever cyber actors tried to disconnect Russia from global servers, disrupt cellular communications or Internet access for members of the public, or target the IT infrastructure of critical facilities, Roskomnadzor would assume control of internal traffic.
As outlined on the State Duma website, traffic would be managed with the help of special “exchange points” – physical premises with switches where the networks of large companies, ISPs, hosting providers, etc., would be connected and internal traffic exchanged.
In addition, the regulator will be able to independently block websites prohibited in Russia without contacting the relevant operators and providers (this task is currently performed at the request of Roskomnadzor). At the same time, the State Duma website underlines that the law is not designed to block social networks and video-hosting platforms, such as Twitter, YouTube and Facebook. But how it might be able to keep popular foreign sites up and running when Russia is disconnected from the global Internet is left unanswered.
Roskomnadzor is showing backbone when it comes to interfering with foreign services. In March 2021, it slowed down Twitter for failing to remove prohibited content. According to RBC, the regulator did so with the help of that same equipment installed to comply with the “sovereign Runet” law. In May 2021, it partially lifted the restrictions on the popular social network.
Russia is already technologically capable of disconnecting from the global network, said Dmitry Medvedev, deputy chairman of the Security Council of the Russian Federation, in February 2021. However, according to cellular operators, the already malfunctioning equipment had to be temporarily disabled in March 2021 in order to restore it to operation. Furthermore, the Russian Ministry of Communications periodically puts forward new requirements for equipment modernization, which can also lead to a deterioration in communications quality, said MTS.
At the same time, non-compliance with the requirements is not an option: operators face a fine of up to 1 million rubles ($13,600) for the first violation, and up to 3 million ($40,000) for the second.
So will Russia be as isolated as China?
No, but that’s no reason to celebrate.
The main difference between the “sovereign Runet” and the “Great Firewall” of China lies in their architecture, Mikhail Klimarev, executive director of the non-profit organization Internet Protection Society, explained in a column for Znak.com.
In Russia, filtering and traffic management systems are installed on the side of telecom operators; but in China, that control technology is situated on its ‘border’ with the rest of the world. Facebook and other popular social networks do not work in China, but even if filtering systems break down, the Internet will still work there. Russia, meanwhile, would face unexpected downtime across the country.
“Disconnecting Google would hit 30% of all Russian websites... The economy would be struck where we least expect it. Anything could fail: a medical system or gas pipeline control system, it’s impossible to predict,” argued Klimarev.
The same opinion was confirmed by Dmitry Medvedev in February 2021. In his words, if Runet became autonomous, it would create big problems.
“It would take a while. But, in principle, Runet’s operational autonomy could be restored or created,” said Medvedev, stressing that it would “not be easy or desirable.”