SOCIETY
Can Russia disconnect from the internet?
August 5, 2022
Kevin Limonier
Associate Professor in Slavic studies and geography, French Institute of Geopolitics,
University of Paris-8
The Kremlin is anxious to bring the Runet under tight control and isolate it from the global internet. But Kevin Limonier warns that such attempts face multiple difficulties and might radically disrupt the Runet’s operation.
Emblem of Roskomnadzor, 2011. Source: Wiki Commons
In 2019, the State Duma passed Law FZ-90, dubbed the “sovereign Runet law.” It provided the Russian authorities with the legal, administrative and technical means to control all data flows in and out of Russia and, if necessary, disconnect the country from the rest of the world in the case of a “proven external threat.”
Five months into the Russian invasion of Ukraine, the disconnection envisioned by the 2019 law has still not been implemented – even though the country is gradually being cut off from many global financial, logistics and economic flows, either by sanctions or the actions of the Russian government itself.
This does not mean that nothing is happening in the Russian-speaking cyberspace, however: blocking most of the country’s independent media (see Sergey Pakhomenko piece about the current situation with Russian nongovernment media on Russia.Post) , as well as mostWestern news sites, represents disconnecting Russia from certain information flows considered “undesirable” by the authorities. Similarly, the state has asked Roskomnadzor, the Russian telecommunications watchdog, to slow down or block certain social networks such as Facebook on the pretext that they would spread “false information” about the Ukrainian conflict.
These measures are no major innovation, but rather a spectacular acceleration of the ongoing policies aimed at limiting Russians’ access to flows of information outside the government’s control, in particular those coming from the West. It is still possible to bypass this digital censorship: the spread of VPNs, or the use of the TOR network, advised for example by the BBC to its readers located in Russia, helps for the moment to overcome many restrictions—at least for those who have the necessary technical knowledge.
These elements of censorship are, however, far from the much-discussed disconnection defined by the 2019 law. If that were to occur, no VPN or digital trickery would help to circumvent the firewall. Data flows would be interrupted or filtered to levels that would amount to a digital “iron curtain.”
The purpose of this article is to highlight the origins, principles, perspectives and – above all – limits of the strategy implicit in the 2019 law for the “borderization” of the Russian internet. Indeed, Russia seems unable to implement such a disconnection yet, notably for structural reasons linked to the history of the Russian internet and Russia’s geography, as well as to the very architecture of its internet network.
Five months into the Russian invasion of Ukraine, the disconnection envisioned by the 2019 law has still not been implemented – even though the country is gradually being cut off from many global financial, logistics and economic flows, either by sanctions or the actions of the Russian government itself.
This does not mean that nothing is happening in the Russian-speaking cyberspace, however: blocking most of the country’s independent media (see Sergey Pakhomenko piece about the current situation with Russian nongovernment media on Russia.Post) , as well as mostWestern news sites, represents disconnecting Russia from certain information flows considered “undesirable” by the authorities. Similarly, the state has asked Roskomnadzor, the Russian telecommunications watchdog, to slow down or block certain social networks such as Facebook on the pretext that they would spread “false information” about the Ukrainian conflict.
These measures are no major innovation, but rather a spectacular acceleration of the ongoing policies aimed at limiting Russians’ access to flows of information outside the government’s control, in particular those coming from the West. It is still possible to bypass this digital censorship: the spread of VPNs, or the use of the TOR network, advised for example by the BBC to its readers located in Russia, helps for the moment to overcome many restrictions—at least for those who have the necessary technical knowledge.
These elements of censorship are, however, far from the much-discussed disconnection defined by the 2019 law. If that were to occur, no VPN or digital trickery would help to circumvent the firewall. Data flows would be interrupted or filtered to levels that would amount to a digital “iron curtain.”
The purpose of this article is to highlight the origins, principles, perspectives and – above all – limits of the strategy implicit in the 2019 law for the “borderization” of the Russian internet. Indeed, Russia seems unable to implement such a disconnection yet, notably for structural reasons linked to the history of the Russian internet and Russia’s geography, as well as to the very architecture of its internet network.
The Runet and its “digital borders”: A geopolitical construction
The trends that led to the adoption of the 2019 law began in the early 2010s. We were then in the aftermath of the Arab Spring, in which online mobilization played an important role. In the winter of 2011-12, Russia itself was hit by a wave of demonstrations, generally centered in Moscow and St Petersburg, but also in other large urban centers. People protested the rigged parliamentary elections and Vladimir Putin’s declared intention to return to the presidential post. These rallies were largely organized on social networks, which were relatively new at the time and whose potential the security services failed to realize.
After his return to the Kremlin in March 2012, Vladimir Putin switched to a much more authoritarian policy. The internet, which had been mostly untouched by the authorities, was now considered a threat to the stability of the regime. A few months later, the Edward Snowden revelations provided an ideal pretext for the Russian authorities to take steps aimed at “escaping Uncle Sam’s big ears,” and shielding the Russian population from Western influence, perceived as a threat of destabilization.
Between the denunciation of the US digital hegemon, the defense of moral values and imperatives of national security, the internet was high on the Kremlin’s agenda, which led to the law-making frenzy that started with the 2019 law.
The trends that led to the adoption of the 2019 law began in the early 2010s. We were then in the aftermath of the Arab Spring, in which online mobilization played an important role. In the winter of 2011-12, Russia itself was hit by a wave of demonstrations, generally centered in Moscow and St Petersburg, but also in other large urban centers. People protested the rigged parliamentary elections and Vladimir Putin’s declared intention to return to the presidential post. These rallies were largely organized on social networks, which were relatively new at the time and whose potential the security services failed to realize.
After his return to the Kremlin in March 2012, Vladimir Putin switched to a much more authoritarian policy. The internet, which had been mostly untouched by the authorities, was now considered a threat to the stability of the regime. A few months later, the Edward Snowden revelations provided an ideal pretext for the Russian authorities to take steps aimed at “escaping Uncle Sam’s big ears,” and shielding the Russian population from Western influence, perceived as a threat of destabilization.
Between the denunciation of the US digital hegemon, the defense of moral values and imperatives of national security, the internet was high on the Kremlin’s agenda, which led to the law-making frenzy that started with the 2019 law.
“There has been a slow integration of the Runet into the geographic, mental, strategic and cultural universe of Russian power and its representations of the world."
Gradually, the term Runet, which until then designated the segment of the internet where Russian was the language of communication, was taken over by the authorities, who made it the digital projection of their geopolitical ambitions, recreating a regional sphere of influence, instrumentalizing the Russian language, denouncing the moral hegemony of the West and so on.
Graph showing all Iranian ASs (green) and foreign neighbors (other colors) – the non-Iranian ASs that are an interface with the rest of the global Internet. It is immediately clear that there are only a few points of intersection between Iran and the rest of the world (see the article “The geopolitics behind the routes data travel: a case study of Iran” in the Journal of Cybersecurity).
“Digital borders”: A technical matter
The Kremlin therefore needed to keep the Runet within borders (mental, cultural, political, and technological) consistent with its geopolitical goals and to turn it away from the model of the global, open internet. This is precisely the purpose of the 2019 law, which intends to institute real “digital border posts” to control traffic entering and leaving the country.
As we understand, the technical implementation of this law relies on the state’s ability to fundamentally reorganize the routing logic that structures the internet, in particular by means of “anti-threat devices” (TSPUs) that operators and ISPs are now obliged to install on the nodal points of their network.
The TSPUs, which are boxes operated by Roskomnadzor, Russia’s telecommunications watchdog, have a dual purpose. One is to enable the Russian state to exercise the right of oversight conferred by the 2019 law on data packets entering and leaving the country. The other purpose is to carry out the order to isolate the Russian segment of the internet in the event of an external threat.
To do this, TSPUs must act primarily on the BGP layer of the internet. BGP is the protocol that allows the subsystems that make up the internet to communicate with each other. These subsystems, which are called Autonomous Systems (ASs), are the basic building blocks of the Internet.
In concrete terms, an AS corresponds to an internet access provider, cable operator, administration etc. In short, an entity which manages its own perimeter autonomously. For two ASs to exchange data, they must have a “BGP agreement” – that is to say, an agreement, contractual or not, which governs the terms and conditions according to which two autonomous systems can exchange data.
However, no AS has a BGP agreement with all the other As that make up the internet, since these agreements are the product of contractual relationships between network operators. Therefore, they are the result of commercial and technical negotiations, which may be influenced by political or even geographic considerations.
The main consequence of this is that, to get from point A to point B on the internet, a data packet sent by one user to another will generally pass through several intermediate ASs, tracing a logical path. Furthermore, the fact that not all the ASs in the world are interconnected makes some of them more central than others. In some countries, such as Iran, some ASs even act as an interface between the national network and the rest of the world, creating strategic bottlenecks that are controlled by national authorities or interests close to them.
It is precisely such bottlenecks that the Russian authorities hope to use to filter, or even cut off, the flow of data entering and leaving Russian territory with the TSPU boxes in particular. On paper, all the authorities need to do is give the order to disconnect the networks by way of this infrastructure. However, most of the tests conducted by the government do not seem to have had the desired effects: they were even postponed in 2020, officially because of the Covid 19 pandemic. Since then, activity on this front has remained very low and has not picked up since the Russian invasion of Ukraine.
The Kremlin therefore needed to keep the Runet within borders (mental, cultural, political, and technological) consistent with its geopolitical goals and to turn it away from the model of the global, open internet. This is precisely the purpose of the 2019 law, which intends to institute real “digital border posts” to control traffic entering and leaving the country.
As we understand, the technical implementation of this law relies on the state’s ability to fundamentally reorganize the routing logic that structures the internet, in particular by means of “anti-threat devices” (TSPUs) that operators and ISPs are now obliged to install on the nodal points of their network.
The TSPUs, which are boxes operated by Roskomnadzor, Russia’s telecommunications watchdog, have a dual purpose. One is to enable the Russian state to exercise the right of oversight conferred by the 2019 law on data packets entering and leaving the country. The other purpose is to carry out the order to isolate the Russian segment of the internet in the event of an external threat.
To do this, TSPUs must act primarily on the BGP layer of the internet. BGP is the protocol that allows the subsystems that make up the internet to communicate with each other. These subsystems, which are called Autonomous Systems (ASs), are the basic building blocks of the Internet.
In concrete terms, an AS corresponds to an internet access provider, cable operator, administration etc. In short, an entity which manages its own perimeter autonomously. For two ASs to exchange data, they must have a “BGP agreement” – that is to say, an agreement, contractual or not, which governs the terms and conditions according to which two autonomous systems can exchange data.
However, no AS has a BGP agreement with all the other As that make up the internet, since these agreements are the product of contractual relationships between network operators. Therefore, they are the result of commercial and technical negotiations, which may be influenced by political or even geographic considerations.
The main consequence of this is that, to get from point A to point B on the internet, a data packet sent by one user to another will generally pass through several intermediate ASs, tracing a logical path. Furthermore, the fact that not all the ASs in the world are interconnected makes some of them more central than others. In some countries, such as Iran, some ASs even act as an interface between the national network and the rest of the world, creating strategic bottlenecks that are controlled by national authorities or interests close to them.
It is precisely such bottlenecks that the Russian authorities hope to use to filter, or even cut off, the flow of data entering and leaving Russian territory with the TSPU boxes in particular. On paper, all the authorities need to do is give the order to disconnect the networks by way of this infrastructure. However, most of the tests conducted by the government do not seem to have had the desired effects: they were even postponed in 2020, officially because of the Covid 19 pandemic. Since then, activity on this front has remained very low and has not picked up since the Russian invasion of Ukraine.
Runet: One of the most complex networks in the world
Russia thus seems to be experiencing significant difficulties in implementing its “sovereign Runet law.” The hypothesis formulated here is that these difficulties are first and foremost due to the very structure of the Russian network: it has too many players, too many entry points, too many crossroads. In short, it is the antithesis of the Chinese or Iranian networks, which, being organized around a few centralized points of passage, are easily controllable.
The graph above shows all Russian autonomous systems and their neighbors, i.e. foreign autonomous systems allowing Russia to connect to the rest of the world. The difference from the Iranian network is striking: the routes and ASs connecting Russia to the rest of the world are a great deal more numerous than the few points carefully established by Teheran to control its network.
In fact, Russia has one of the most complex and dense networks in the world. As of December 2020, 6,575 autonomous systems were reported to be registered in Russia, according to IPinfo. This figure places Russia third by number of ASs, behind the US (28,914 ASs) and Brazil (8,566 ASs), but far ahead of Germany (3,034 ASs) abd France (2,111 ASs).
In addition to this abundance of players, the number of BGP routes that make up the Russian internet is also considerable. According to our data, there are at least 12,582 BGP agreements on Russian territory. This is a third of what the US has (37,000 agreements), but double that of Germany (6,269 agreements) and ten times more than France (1,165).
Russia thus seems to be experiencing significant difficulties in implementing its “sovereign Runet law.” The hypothesis formulated here is that these difficulties are first and foremost due to the very structure of the Russian network: it has too many players, too many entry points, too many crossroads. In short, it is the antithesis of the Chinese or Iranian networks, which, being organized around a few centralized points of passage, are easily controllable.
The graph above shows all Russian autonomous systems and their neighbors, i.e. foreign autonomous systems allowing Russia to connect to the rest of the world. The difference from the Iranian network is striking: the routes and ASs connecting Russia to the rest of the world are a great deal more numerous than the few points carefully established by Teheran to control its network.
In fact, Russia has one of the most complex and dense networks in the world. As of December 2020, 6,575 autonomous systems were reported to be registered in Russia, according to IPinfo. This figure places Russia third by number of ASs, behind the US (28,914 ASs) and Brazil (8,566 ASs), but far ahead of Germany (3,034 ASs) abd France (2,111 ASs).
In addition to this abundance of players, the number of BGP routes that make up the Russian internet is also considerable. According to our data, there are at least 12,582 BGP agreements on Russian territory. This is a third of what the US has (37,000 agreements), but double that of Germany (6,269 agreements) and ten times more than France (1,165).
“This means that to reach any point on the Russian internet, the number of routes that a data packet can take is considerable, difficult to map and therefore difficult to control."
Much of this can be explained by the Runet’s history: in the early 1990s, the global internet looked a lot like the contemporary Russian internet, with a host of small ASs connected to each other. But the explosion in the number of internet users in the Western world from the mid-1990s onward led to the emergence of large players and the disappearance of many small ones.
In Russia, this trend was less intense due to a lack of investment, especially from the government, to provide faster connectivity across its territory. In addition, the size of the country was also an important factor: many cities and towns located far from the main communication routes were of little interest to Russia’s few large operators: since they had few potential subscribers, connecting them did not justify the costs. As a result, a host of “bottom-up” initiatives were launched to overcome these difficulties, giving rise to many small operators that are now well established.
Passive resistance from some operators
This proliferation of routes and actors would seem to bode ill for the effectiveness of the “sovereign Runet” strategy, whether aimed at filtering the network or disconnecting it in the event of “external threats.” In contrast to Russia, China and Iran, whose governments effectively control their networks, have only a few international routes, owned by actors controlled – directly or indirectly - by the state. Therefore, it can be concluded that one of the objectives of the Russian authorities is to reduce the number of routes and organize logical corridors that can be controlled, first by making an inventory of existing routes and then by demanding that ASs remove some of them.
Recently a network monitoring center has been set up whose goal is to ensure coordination of autonomous systems and operators with the authorities. However, it has experienced significant difficulties, which probably reflects a lack of cooperation by at least some of Russia’s thousands of ISPs or even their passive resistance to the Russian state.
This reluctance to cooperate stems mainly from a profound lack of trust between operators and the Russian authorities. The 2019 sovereign Runet law mandates that each operator with its own infrastructure and autonomous system must install a TSPU device on its routers to filter or block traffic. To install these devices, operators must, for example, provide Roskomnadzor with access to all the routers they administer but also most importantly communicate to Roskomnadzor the internal structure of their networks.
However, as an anonymous senior ISP official pointed out at the end of March 2021, “where is the guarantee that a young employee [of Roskomnadzor], with his tiny salary, will not decide tomorrow to resell this data [on the black market]?" In a country with serious corruption problems, this is an important question.
In Russia, this trend was less intense due to a lack of investment, especially from the government, to provide faster connectivity across its territory. In addition, the size of the country was also an important factor: many cities and towns located far from the main communication routes were of little interest to Russia’s few large operators: since they had few potential subscribers, connecting them did not justify the costs. As a result, a host of “bottom-up” initiatives were launched to overcome these difficulties, giving rise to many small operators that are now well established.
Passive resistance from some operators
This proliferation of routes and actors would seem to bode ill for the effectiveness of the “sovereign Runet” strategy, whether aimed at filtering the network or disconnecting it in the event of “external threats.” In contrast to Russia, China and Iran, whose governments effectively control their networks, have only a few international routes, owned by actors controlled – directly or indirectly - by the state. Therefore, it can be concluded that one of the objectives of the Russian authorities is to reduce the number of routes and organize logical corridors that can be controlled, first by making an inventory of existing routes and then by demanding that ASs remove some of them.
Recently a network monitoring center has been set up whose goal is to ensure coordination of autonomous systems and operators with the authorities. However, it has experienced significant difficulties, which probably reflects a lack of cooperation by at least some of Russia’s thousands of ISPs or even their passive resistance to the Russian state.
This reluctance to cooperate stems mainly from a profound lack of trust between operators and the Russian authorities. The 2019 sovereign Runet law mandates that each operator with its own infrastructure and autonomous system must install a TSPU device on its routers to filter or block traffic. To install these devices, operators must, for example, provide Roskomnadzor with access to all the routers they administer but also most importantly communicate to Roskomnadzor the internal structure of their networks.
However, as an anonymous senior ISP official pointed out at the end of March 2021, “where is the guarantee that a young employee [of Roskomnadzor], with his tiny salary, will not decide tomorrow to resell this data [on the black market]?" In a country with serious corruption problems, this is an important question.
“Many datasets collected at the request of the authorities become available on the black market – recall that Alexei Navalny was able to identify his poisoners thanks to flight records sold on the black market – and those concerning the internal structure of an operator’s network can be sold at a high price, as they can facilitate certain cyberattacks."
The legal ambiguity surrounding the deployment of TSPUs is also an issue. For example, while the law has it that the device is to be paid for by the state, it is silent on who is to pay for its maintenance; neither does it make clear who should cover the ancillary costs incurred from its installment.
Moreover, the law requires that the TSPU be in a secure room to which even the operator cannot have access. For a small municipal operator, this is a considerable additional cost, and the government can hardly be expected to cover it. Broadly speaking, operators are constantly inventing new strategies for circumventing some legal obligations (see the article “Migrating Servers, Elusive Users: Reconfigurations of the Russian Internet in the Post-Snowden Era” in Media and Communication).
Moreover, the law requires that the TSPU be in a secure room to which even the operator cannot have access. For a small municipal operator, this is a considerable additional cost, and the government can hardly be expected to cover it. Broadly speaking, operators are constantly inventing new strategies for circumventing some legal obligations (see the article “Migrating Servers, Elusive Users: Reconfigurations of the Russian Internet in the Post-Snowden Era” in Media and Communication).
Page of a blocked website, 2021. Source: Wiki Commons
Disconnecting Russia from the rest of the internet: still a distant goal?
Does this mean that the controlled disconnection sought by the 2019 law remains unattainable? The question obviously remains unanswered. Since Russia’s invasion of Ukraine, the Russian regime is becoming more and more authoritarian, which may put an end to the evasive tactics of operators. At the same time, TSPU boxes seem to be at least partly operational, since theу have effectively slowed down some Western social networks.
Still, even if a disconnection such as defined in the 2019 law were implemented, there is no guarantee that it would radically disrupt the Runet. Too many resources are hosted abroad, not to mention DNS servers, which, even if they are in the .ru zone, may be connected to infrastructures located outside Russia.
Of course, the government is aware of the problem and is working on it, as shown by a recent internal memo of the Ministry of Telecommunications, which asked the administrators of Russian public websites to repatriate all their resources to Russian territory.
Yet for internet resources beyond state control, the authorities are still powerless to impose such directives, as the Runet is still far too dependent on data located outside Russian borders. Attempts at radically disconnecting Russia from such international data flows would probably wipe out a major part of the Russian network.
However, some measures taken by Western players could well help Russia to achieve its goal of total control of its digital borders. For example, some Western transit operators such as Cogent have announced they will stop serving Russia. The result is a reduction in the number of international routes connecting the country to the rest of the world, thereby increasing the state’s ability to control the remaining paths. In addition, such measures increase Russia’s dependence on Chinese resources.
Does this mean that the controlled disconnection sought by the 2019 law remains unattainable? The question obviously remains unanswered. Since Russia’s invasion of Ukraine, the Russian regime is becoming more and more authoritarian, which may put an end to the evasive tactics of operators. At the same time, TSPU boxes seem to be at least partly operational, since theу have effectively slowed down some Western social networks.
Still, even if a disconnection such as defined in the 2019 law were implemented, there is no guarantee that it would radically disrupt the Runet. Too many resources are hosted abroad, not to mention DNS servers, which, even if they are in the .ru zone, may be connected to infrastructures located outside Russia.
Of course, the government is aware of the problem and is working on it, as shown by a recent internal memo of the Ministry of Telecommunications, which asked the administrators of Russian public websites to repatriate all their resources to Russian territory.
Yet for internet resources beyond state control, the authorities are still powerless to impose such directives, as the Runet is still far too dependent on data located outside Russian borders. Attempts at radically disconnecting Russia from such international data flows would probably wipe out a major part of the Russian network.
However, some measures taken by Western players could well help Russia to achieve its goal of total control of its digital borders. For example, some Western transit operators such as Cogent have announced they will stop serving Russia. The result is a reduction in the number of international routes connecting the country to the rest of the world, thereby increasing the state’s ability to control the remaining paths. In addition, such measures increase Russia’s dependence on Chinese resources.
Share this article
Read More
