Tag Archives: internet security

Living in the Russian Digital Bubble

Vladimir Putin, Russia’s president, has portrayed his aggression on the Ukrainian border as pushing back against Western advances. For some time he has been doing much the same online. He has long referred to the internet as a “CIA project”. His deep belief that the enemy within and the enemy without are in effect one and the same… Faced with such “aggression”, Mr Putin wants a Russian internet that is secure against external threat and internal opposition. He is trying to bring that about on a variety of fronts: through companies, the courts and technology itself.

In December 2021, VK, one of Russia’s online conglomerates, was taken over by two subsidiaries of Gazprom, the state-owned gas giant. In the same month a court in Moscow fined Alphabet, which owns Google, a record $98m for its repeated failure to delete content the state deems illegal. And Mr Putin’s regime began using hardware it has required internet service providers (ISPS) to install to block Tor, a tool widely used in Russia to mask online activity. All three actions were part of the country’s effort to assure itself of online independence by building what some scholars of geopolitics, borrowing from Silicon Valley, have begun calling a “stack”.

In technology, the stack is the sum of all the technologies and services on which a particular application relies, from silicon to operating system to network. In politics it means much the same, at the level of the state. The national stack is a sovereign digital space made up not only of software and hardware (increasingly in the form of computing clouds) but also infrastructure for payments, establishing online identities and controlling the flow of information

China built its sovereign digital space with censorship in mind. The Great Firewall, a deep-rooted collection of sophisticated digital checkpoints, allows traffic to be filtered with comparative ease. The size of the Chinese market means that indigenous companies, which are open to various forms of control, can successfully fulfil all of their users’ needs. And the state has the resources for a lot of both censorship and surveillance. Mr Putin and other autocrats covet such power. But they cannot get it. It is not just that they lack China’s combination of rigid state control, economic size, technological savoir-faire and stability of regime. They also failed to start 25 years ago. So they need ways to achieve what goals they can piecemeal, by retrofitting new controls, incentives and structures to an internet that has matured unsupervised and open to its Western begetters.

Russia’s efforts, which began as purely reactive attempts to lessen perceived harm, are becoming more systematic. Three stand out: (1) creating domestic technology, (2) controlling the information that flows across it and, perhaps most important, (3) building the foundational services that underpin the entire edifice.

Russian Technology

The government has made moves to restart a chipmaking plant in Zelenograd near Moscow, the site of a failed Soviet attempt to create a Silicon Valley. But it will not operate at the cutting edge. So although an increasing number of chips are being designed in Russia, they are almost all made by Samsung and TSMC, a South Korean and a Taiwanese contract manufacturer. This could make the designs vulnerable to sanctions….

For crucial applications such as mobile-phone networks Russia remains highly reliant on Western suppliers, such as Cisco, Ericsson and Nokia. Because this is seen as leaving Russia open to attacks from abroad, the industry ministry, supported by Rostec, a state-owned arms-and-technology giant, is pushing for next-generation 5g networks to be built with Russian-made equipment only. The country’s telecoms industry does not seem up to the task. And there are internecine impediments. Russia’s security elites, the siloviki, do not want to give up the wavelength bands best suited for 5g. But the only firm that could deliver cheap gear that works on alternative frequencies is Huawei, an allegedly state-linked Chinese electronics group which the siloviki distrust just as much as security hawks in the West do.

It is at the hardware level that Russia’s stack is most vulnerable. Sanctions imposed may treat the country, as a whole,  like Huawei is now treated by America’s government. Any chipmaker around the world that uses technology developed in America to design or make chips for Huawei needs an export license from the Commerce Department in Washington—which is usually not forthcoming. If the same rules are applied to Russian firms, anyone selling to them without a license could themselves risk becoming the target of sanctions. That would see the flow of chips into Russia slow to a trickle.

When it comes to software the Russian state is using its procurement power to amp up demand. Government institutions, from schools to ministries, have been encouraged to dump their American software, including Microsoft’s Office package and Oracle’s databases. It is also encouraging the creation of alternatives to foreign services for consumers, including TikTok, Wikipedia and YouTube. Here the push for indigenization has a sturdier base on which to build. Yandex, a Russian firm which splits the country’s search market with Alphabet’s Google, and VK, a social-media giant, together earned $1.8bn from advertising last year, more than half of the overall market. VK’s vKontakte and Odnoklassniki trade places with American apps (Facebook, Instagram) and Chinese ones (Likee, TikTok) on the top-ten downloads list.

This diverse system is obviously less vulnerable to sanctions—which are nothing like as appealing a source of leverage here as they are elsewhere in the stack. Making Alphabet and Meta stop offering YouTube and WhatsApp, respectively, in Russia would make it much harder for America to launch its own sorties into Russian cyberspace. So would disabling Russia’s internet at the deeper level of protocols and connectivity. All this may push Russians to use domestic offerings more, which would suit Mr Putin well.

As in China, Russia is seeing the rise of “super-apps”, bundles of digital services where being local makes sense. Yandex is not just a search engine. It offers ride-hailing, food delivery, music-streaming, a digital assistant, cloud computing and, someday, self-driving cars. Sber, Russia’s biggest lender, is eyeing a similar “ecosystem” of services, trying to turn the bank into a tech conglomerate. In the first half of 2021 alone it invested $1bn in the effort, on the order of what biggish European banks spend on information technology (IT). Structural changes in the IT industry are making some of this Russification easier. Take the cloud. Its data centres use cheap servers made of off-the-shelf parts and other easily procured commodity kit. Much of its software is open-source. Six of the ten biggest cloud-service providers in Russia are now Russian…The most successful ones are “moving away from proprietary technology” sold by Western firms (with the exception of chips)…

Information Flow

If technology is the first part of Russia’s stack, the “sovereign internet” is the second. It is code for how a state controls the flow of information online. In 2019 the government amended several laws to gain more control of the domestic data flow. In particular, these require ISPS to install “technical equipment for counteracting threats to stability, security and functional integrity”. This allows Roskomnadzor, Russia’s internet watchdog, to have “middle boxes” slipped into the gap between the public internet and an ISPS’ customers. Using “deep packet inspection” (DPI), a technology used at some Western ISPS to clamp down on pornography, these devices are able to throttle or block traffic from specific sources (and have been deployed in the campaign against Tor). DPI kit sits in rooms with restricted access within the ISPS’ facilities and is controlled directly from a command center at Roskomnadzor. This is a cheap but imperfect version of China’s Great Firewall.

Complementing the firewall are rules that make life tougher for firms. In the past five years Google has fielded 20,000-30,000 content-removal requests annually from the government in Russia, more than in any other country. From this year 13 leading firms—including Apple, TikTok and Twitter—must employ at least some content moderators inside Russia. This gives the authorities bodies to bully should firms prove recalcitrant. The ultimate goal may be to push foreign social media out of Russia altogether, creating a web of local content… But this Chinese level of control would be technically tricky. And it would make life more difficult for Russian influence operations, such as those of the Internet Research Agency, to use Western sites to spread propaganda, both domestically and abroad.

Infrastructure

Russia’s homegrown stack would still be incomplete without a third tier: the services that form the operating system of a digital state and thus provide its power. In its provision of both e-government and payment systems, Russia puts some Western countries to shame. Gosuslugi (“state services”) is one of the most-visited websites and most-downloaded apps in Russia. It hosts a shockingly comprehensive list of offerings, from passport application to weapons registration. Even critics of the Kremlin are impressed, not least because Russia’s offline bureaucracy is hopelessly inefficient and corrupt. The desire for control also motivated Russia’s leap in payment systems. In the wake of its annexation of Crimea, sanctions required MasterCard and Visa, which used to process most payments in Russia, to ban several banks close to the regime. In response, Mr Putin decreed the creation of a “National Payment Card System”, which was subsequently made mandatory for many transactions. Today it is considered one of the world’s most advanced such schemes. Russian banks use it to exchange funds. The “Mir” card which piggybacks on it has a market share of more than 25%, says GlobalData, an analytics firm.

Other moves are less visible. A national version of the internet’s domain name system, currently under construction, allows Russia’s network to function if cut off from the rest of the world (and gives the authorities a new way to render some sites inaccessible). Some are still at early stages. A biometric identity system, much like India’s Aadhaar, aims to make it easier for the state to keep track of citizens and collect data about them while offering new services. (Muscovites can now pay to take the city’s metro just by showing their face.) A national data platform would collect all sorts of information, from tax to health records—and could boost Russia’s efforts to catch up in artificial intelligence (AI).

Excerpt from Digital geopolitics: Russia is trying to build its own great firewall, Economist, Feb. 19, 2022

Q-Day: the Behind-The-Scenes Internet

In cybersecurity circles, they call it Q-day: the day when quantum computers will break the Internet. Almost everything we do online is made possible by the quiet, relentless hum of cryptographic algorithms. These are the systems that scramble data to protect our privacy, establish our identity and secure our payments. And they work well: even with the best supercomputers available today, breaking the codes that the online world currently runs on would be an almost hopeless task.

But machines that will exploit the quirks of quantum physics threaten that entire deal. If they reach their full scale, quantum computers would crack current encryption algorithms exponentially faster than even the best non-quantum machines can. “A real quantum computer would be extremely dangerous,” says Eric Rescorla, chief technology officer of the Firefox browser team at Mozilla in San Francisco, California.

As in a cheesy time-travel trope, the machines that don’t yet exist endanger not only our future communications, but also our current and past ones. Data thieves who eavesdrop on Internet traffic could already be accumulating encrypted data, which they could unlock once quantum computers become available, potentially viewing everything from our medical histories to our old banking records. “Let’s say that a quantum computer is deployed in 2024,” says Rescorla. “Everything you’ve done on the Internet before 2024 will be open for discussion.”

But the risk is real enough that the Internet is being readied for a makeover, to limit the damage if Q-day happens. That means switching to stronger cryptographic systems, or cryptosystems. Fortunately, decades of research in theoretical computer science has turned up plenty of candidates. These post-quantum algorithms seem impervious to attack: even using mathematical approaches that take quantum computing into account, programmers have not yet found ways to defeat them in a reasonable time.

Which of these algorithms will become standard could depend in large part on a decision soon to be announced by the US National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland. In 2015, the US National Security Agency (NSA) announced that it considered current cryptosystems vulnerable, and advised US businesses and the government to replace them. The following year, NIST invited computer scientists globally to submit candidate post-quantum algorithms to a process in which the agency would test their quality, with the help of the entire crypto community. It has since winnowed down its list from 65 to 15. In the next couple of months, it will select a few winners, and then publish official versions of those algorithms. Similar organizations in other countries, from France to China, will make their own announcements…

Although NIST is a US government agency, the broader crypto community has been pitching in. “It is a worldwide effort,” says Philip Lafrance, a mathematician at computer-security firm ISARA Corporation in Waterloo, Canada. This means that, at the end of the process, the surviving algorithms will have gained wide acceptance. “The world is going to basically accept the NIST standards,” he says. He is part of a working group that is monitoring the NIST selection on behalf of the European Telecommunications Standards Institute, an umbrella organization for groups worldwide. “We do expect to see a lot of international adoption of the standard that we’ll create,” says Moody…

China is said to be planning its own selection process, to be managed by the Office of State Commercial Cryptography Administration... “The consensus among researchers in China seems to be that this competition will be an open international competition, so that the Chinese [post-quantum cryptography] standards will be of the highest international standards,” says Jintai Ding, a mathematician at Tsinghua University in Beijing. Meanwhile, an organization called the Chinese Association for Cryptologic Research has already run its own competition for post-quantum algorithms. Its results were announced in 2020, leading some researchers in other countries to mistakenly conclude that the Chinese government had already made an official choice…

Fully transitioning all technology to be quantum resistant will take a minimum of five years and whenever Q-day happens, there are likely to be gadgets hidden somewhere that will still be vulnerable, he says. “Even if we were to do the best we possibly can, a real quantum computer will be incredibly disruptive.”

Excerpts from Davide Castelvecchi, The race to save the Internet from quantum hackers, Nature, Feb. 8, 20202

Why a Dumb Internet is Best

Functional splintering [of the internet] is already happening. When tech companies build “walled gardens”, they decide the rules for what happens inside the walls, and users outside the network are excluded…

Governments are playing catch-up but they will eventually reclaim the regulatory power that has slipped from their grasp. Dictatorships such as China retained control from the start; others, including Russia, are following Beijing. With democracies, too, asserting their jurisdiction over the digital economy, a fragmentation of the internet along national lines is more likely. …The prospect of a “splinternet” has not been lost on governments. To avoid it, Japan’s G20 presidency has pushed for a shared approach to internet governance. In January 2019, prime minister Shinzo Abe called for “data free flow with trust”. The 2019 Osaka summit pledged international co-operation to “encourage the interoperability of different frameworks”.

But Europe is most in the crosshairs of those who warn against fragmentation…US tech giants have not appreciated EU authorities challenging their business model through privacy laws or competition rulings. But more objective commentators, too, fear the EU may cut itself off from the global digital economy. The critics fail to recognise that fragmentation can be the best outcome if values and tastes fundamentally differ…

If Europeans collectively do not want micro-targeted advertising, or artificial intelligence-powered behaviour manipulation, or excessive data collection, then the absence on a European internet of services using such techniques is a gain, not a loss. The price could be to miss out on some services available elsewhere… More probably, non-EU providers will eventually find a way to charge EU users in lieu of monetising their data…Some fear EU rules make it hard to collect the big data sets needed for AI training. But the same point applies. EU consumers may not want AI trained to do intrusive things. In any case, Europe is a big enough market to generate stripped, non-personal data needed for dumber but more tolerable AI, though this may require more harmonised within-EU digital governance. Indeed, even if stricter EU rules splinter the global internet, they also create incentives for more investment into EU-tailored digital products. In the absence of global regulatory agreements, that is a good second best for Europe to aim for.

Excerpts from Martin Sandbu,  Europe Should Not be Afraid of Splinternet,  FT, July 2, 2019

Internet or Equinet?

“The Internet governance should be multilateral, transparent, democratic,and representative, with the participation of governments, private sector, civil society, and international organizations, in their respective roles. This should be one of the foundational principles of Internet governance,” the external affairs ministry says in its initial submission to the April 23-24 Global Multistakeholder Meeting on the Future of Internet Governance, also referred as NETmundial, in Sao Paulo, Brazil.  The proposal for a decentralised Internet is significant in view of Edward Snowden’s Wikileaks revelations of mass surveillance in recent months.

“The structures that manage and regulate the core Internet resources need to be internationalized, and made representative and democratic. The governance of the Internet should also be sensitive to the cultures and national interests of all nations.”The mechanism for governance of the Internet should therefore be transparent and should address all related issues. The Internet must be owned by the global community for mutual benefit and be rendered impervious to possible manipulation or misuse by any particular stake holder, whether state or non-state,” the ministry note says.  NETmundial will see representatives from nearly 180 countries participating to debate the future of Internet…

The US announced last month of its intent to relinquish control of a vital part of Internet Corporation for Assigned Names and Numbers (ICANN) – the Internet Assigned Numbers Authority (IANA).  “Many nations still think that a multilateral role might be more suitable than a multistakeholder approach and two years back India had proposed a 50-nation ‘Committee of Internet Related Policies’ (CIRP) for global internet governance,” Bhattacharjee added.

The concept of Equinet was first floated by Communications Minister Kapil Sibal in 2012 at the Internet Governance Forum in Baku, Azerbaijan.  Dr. Govind, chief executive officer, National Internet Exchange of India, is hopeful that Equinet is achievable. “Equinet is a concept of the Internet as a powerful medium benefiting people across the spectrum.It is all the more significant for India as we have 220 million Internet users, standing third globally after China and the US.””Moreover, by the year-end India’s number of Internet users are expected to surpass that of the US. The word Equinet means an equitable Internet which plays the role of an equaliser in the society and not limited only to the privileged people.”

He said the role of government in Internet management is important as far as policy, security and privacy of the cyber space is concerned, but the roles of the private sector, civil society and other stakeholders are no less. “Internet needs to be managed in a more collaborative, cooperative, consultative and consensual manner.”  Talking about the global strategy of renaming Internet as Equinet, he said: “Globally the US has the largest control over the management of the Internet, which is understandable since everything about Internet started there. Developing countries have still not much say over the global management of the Internet. But it is important that the Internet management be more decentralised and globalised so that the developing countries have more participation, have a say in the management where their consent be taken as well.”  The ministry note said: “A mechanism for accountability should be put in place in respect of crimes committed in cyberspace, such that the Internet is a free and secure space for universal benefaction. A ‘new cyber jurisprudence’ needs to be evolved to deal with cyber crime, without being limited by political boundaries and cyber-justice can be delivered in near real time.”

But other experts doubt the possibility of an Equinet or equalising the Internet globally.  Sivasubramanian Muthusamy, president, Internet Society India, Chennai, who is also a participant in the NETmundial, told IANS that the idea of Equinet is not achievable.  “Totally wrong idea. Internet provides a level playing field already. It is designed and operated to be universally accessible, free and open. Internet as it is operated today offers the greatest hope for developing countries to access global markets and prosper.”  “The idea of proposing to rename the Internet as Equinet has a political motive, that would pave way for telecom companies to have a bigger role to bring in harmful commercial models that would destabilize the open architecture of the Internet. If India is considering such a proposal, it would be severely criticized. The proposal does not make any sense. It is wrong advice or misplaced input that must have prompted the government of India to think of such a strange idea,” he said.

Excerpt from India wants Internet to become Equinet, Business Standard, Apr. 20, 2014

The Nationalization of Internet

The Swiss government has ordered tighter security for its own computer and telephone systems that could block foreign companies from key technology and communications contracts.  The governing Federal Council’s decision Wednesday cited concerns about foreign spies targeting Switzerland.

National Security Agency leaker Edward Snowden, who worked for the CIA at the U.S. mission to the U.N. in Geneva from 2007 to 2009, has released documents indicating that large American and British IT companies cooperated with those countries’ intelligence services.According to a Swiss government statement, contracts for critical IT infrastructure will “where possible, only be given to companies that act exclusively according to Swiss law, where a majority of the ownership is in Switzerland and which provides all of its services from within Switzerland’s borders.”

Swiss govt tightens tech security over NSA spying, Associated Press, Feb. 5, 2014

The Damaged Credibility of Internet

On Nov. 6, 2013,  the Internet Engineering Task Force (IETF), an organisation which brings together the scientists, technicians and programmers who built the internet in the first place and whose behind-the-scenes efforts keep it running, debated what to do about all this. A strong streak of West Coast libertarianism still runs through the IETF, and the tone was mostly hostile to the idea of omnipresent surveillance. Some of its members were involved in creating the parts of the internet that spooks are now exploiting. “I think we should treat this as an attack,” said Stephen Farrell, a computer scientist from Trinity College, Dublin, in his presentation to the delegates. Discussion then moved on to what should be done to thwart it….

Even America’s government is getting in on the act. The credibility of its National Institute of Standards and Technology, which sets American cryptographic standards with the help of the NSA, has been dented by Mr Snowden’s revelations. On November 1st it announced it would review the way it carries out its work, in an effort to rebuild trust. The unspoken implication was that it would try harder to stop spooks attempting to slip “unreliable” technology past its vetting procedures.Other security experts are re-examining existing products. Dr Green and his colleague Kenn White are leading a forensic audit of Truecrypt, a popular program that enciphers a user’s hard disks but which displays some odd-looking behaviour and has rather murky origins (it is open-source, but its designers are anonymous, and are thought to live in eastern Europe).

Fixing cryptography is only part of the problem. Intelligence agencies can also tap data cables, allowing them to capture unscrambled information being sent between a user and a server, regardless of whether it is later encrypted.  Mr Snowden’s leaks seem to have boosted the market for better ways of dealing with this behaviour, too. Mike Janke, a former commando who now runs Silent Circle, a firm that offers “end-to-end” encryption software (meaning all messages are transmitted pre-scrambled), counts everything from corporations worried about industrial espionage to the Dalai Lama among his customers. He says that “business is up about 400% since the summer of Snowden”. In the wake of Mr Snowden’s revelations, his firm shut down its e-mail service and is preparing a new one that will transmit all messages pre-scrambled, meaning that only the recipient, not even the company itself, will be able to decode them…

On October 30th the Washington Post reported that America’s spies have bugged private, unencrypted fibre-optic cables which carry bits and bytes between the data centres in the worldwide networks of Google and Yahoo, without the companies’ knowledge. Google, which, of course, must be able to read its customers’ e-mail in order to inflict advertisements on them, nevertheless relies on people trusting it to guard their data, observes Dr Green.  “There’s a lot of anger out there,” says Christopher Soghoian, principal technologist at the American Civil Liberties Union, a lobbying group. “I’ve seen two blog posts by Google engineers in the last three days that contained the words ‘fuck you, NSA’.”

Excerpts, Internet security: Besieged, Economist, Nov. 9, 2013 at 83