15 February 2019

Russia plans internet disconnect to test resilience, world expects carnage

Russia seems set on testing its national resilience to hostile cyberattacks, following the introduction of a draft law that would require internal Russian internet traffic to stay within the country, so that it won’t be damaged by being disconnected from the rest of the World Wide Web. The test will simulate such an event by disconnecting Russia from the web, to see how well the country fares. It’s a good idea on paper, but many onlookers expect chaos.

The Digital Economy National Program, which to reiterate is still in a draft form, would require Russian ISPs to implement policies that ensure they remain operational if they are cut off from the rest of the internet. The results of this test, which is expected to occur before April, will then be used to provide feedback for the final version of the law. Russia has been taking steps towards this for the past few years, so the ISPs should have had plenty of time to get ready.

Given Russia’s geopolitical strategy, where it has been widely accused of interfering in European and US elections, it’s not impossible that future sanctions would venture beyond the Magnitsky Act and economic punishments, to ones that try to limit Russia’s international reach. NATO has talked of stronger punishments for cyberattacks, and while blowing up satellites and marine cables seems like something out of science fiction currently, there are certainly intermediate steps that could be taken.

Based on the law, Russia fears that its access to DNS (Domain Name System) servers would be cut off, meaning that Russian devices and servers would not be able to translate text-based URLs into the associated IP addresses. Cloudflare has a good explainer, should you wish to dive deeper, but essentially, cutting off DNS access would be akin to taking away Russia’s telephone address book – it wouldn’t know which numbers to call anymore.

As you can imagine, that would cause chaos for all manner of connected applications and IoT projects inside Russia, as well as for all those outside the country that suddenly lost their link to Russian assets. Never mind social media and media consumption; there would be a very real chance that people die from such an outage, as connected systems begin to fail in potentially catastrophic fashion. That’s a risk that gets more dangerous as time goes on, as more of the world is connected.

As such, Russia’s draft law requires that it creates its own version of DNS, so that it can’t be excluded in such a manner. The ISPs will be required to route data between government-owned routing points, run by its telecom watchdog Roskomnadzor, filtering out and discarding international traffic while ensuring that internal traffic makes it through without issue, and preventing Russia-to-Russia (“Runet”) traffic from straying outside the country – where it could be intercepted by geopolitical rivals. The target is 95% of all internal traffic to be routed internally by 2020.

But here’s where the ulterior motive comes in. Those government routing points are expected to become mandatory for all Russian traffic, and so the Russian government would be able to monitor all Russian internet usage. One Australian-style anti-encryption bill would then ensure that the government could see everything that its citizens are doing online, as well as control what the citizens can access. It would be able to prevent citizens from reaching undesired content, very much like China’s Great Firewall.

The Russian ISPs are apparently on board with the project, but unsurprisingly, they do not agree with how to implement the technologies required. The government is making funds available for the work, but members of the Information Security Working Group, which includes Kaspersky, MegaFon, Beeline, MTS, and RosTelecom, warn of severe disruption.

Given that President Putin has been vocal in his support for the law, the results of the test disconnection would have to be pretty devastating to prevent the law being signed into being. A brief interruption in the early hours of the morning makes the most sense, but the risk of systems falling over and disrupting systems and routines for many hours or even days post-test is something that will be keeping sysadmins up at night.

Of course, creating this ‘Runet’ should allow Russia to protect itself from hostile foreign traffic. If it detects that it is being flooded with spam, malware, and DDoS traffic, as part of a cyberwarfare campaign, then being able to disconnect from the internet and carry on as normal would be a huge advantage. However, it is never going to be as consequence-free as Russia would like, and so that would likely be something of a last resort.

Ulterior motive and politics aside, there are definite pragmatic benefits to such an experiment. Knowing just how badly things are going to be fouled up is a good first step in encouraging people to fix those problems ahead of time, and might be the shock to the system needed for them to take internet security as seriously as they should.

Riot frequently writes about the danger of IoT-related security threats, and not a week goes by without something outrageous happening – and yet nothing really changes. The industries just plod along. In many ways, Russia’s plan is analogous to Japan’s plan to hack its own IoT devices, including the ulterior motives perhaps. Both will confront end-users with the reality of the situation, and stand a better chance of providing the political or business impetus to actually make the necessary changes. Real-world shock or pain looks like it is going to be necessary to actually shift the needle.