By Tamian Derivry
In this interview, Marie-Gabrielle Betran, PhD candidate at the French Institute of Geopolitics, discusses the geopolitical, economic and technical specificities of the Russian digital sovereignty agenda. It follows our annual conference on “Digital Sovereignty and Geopolitical Crisis” held on 6 December 2022 (which can be viewed here) and complements a first interview with Kevin Limonier (available in French and English), in which he presented the historical evolution of the concept of digital sovereignty in Russia.
It seems that the Russian authorities started to take an interest in digital sovereignty in the 1990s, though the concept of ‘‘digital sovereignty’’ (‘‘tsifrovoj suverenitet’’ in Russian) did not really exist at the time. In 1998, they issued a statement for the creation of the first agreement on the ‘‘Developments in the Field of Information and Telecommunications in the Context of Inter-national Security’’ at the United Nations General Assembly (UNGA). They quickly considered the possibility that there was a high probability of some links and collaborations between the GAFAM (Google, Apple, Facebook, Amazon and Microsoft) and the government and intelligence services of the United States; especially since these companies were officially domiciled in the United States, and could thus be solicited by the authorities in the context of investigations.
In 2014, the existence of this type of collaboration between the public and the private sectors in the United States was indeed confirmed by spokespersons for Google, Facebook, Yahoo and Microsoft, who revealed that the NSA regularly issued warrants for the disclosure of some of their users’ data. These confirmations occurred several months after the revelations made by Edward Snowden in 2013, about the massive surveillance of the Internet by the country members of the ‘‘Five Eyes’’ (Australia, Canada, New Zealand, the United Kingdom and the United States). Edward Snowden’s revelations played a major role in the emergence of a concept of ‘‘digital sovereignty’’ in Russia, which encompassed not only the economic and commercial opportunities of an independent and strong digital industry, but also the strategic risks posed by the use of foreign digital solutions in terms of information and data leaks.
The 2010s had been characterised indeed by a greater openness of the Russian digital economy, due to the personal implication of the then President of the Russian Federation, Dmitrij Medvedev. During his presidential mandate, he pleaded for the creation of a dynamic digital sector, turned more towards the international market and generally more focused on innovation. Yet, the creation of a more opened digital sector was already conceived as an opportunity to develop Russian digital solutions, which would also increase the attractiveness of the Russian market.
The combination of public and private interests made it interesting for most players to adopt and develop this concept of a Russian ‘‘digital sovereignty’’ after 2013 – the public sector being more focused on digital security, and the private one on economic opportunities – through the prioritisation of Russian hardware and software on the internal market. These solutions were thus labelled as ‘‘domestic technologies’’ (‘‘otetchestvennye tekhnologii’’), and then as ‘‘sovereign’’ ones (‘‘suverennye tekhnologii’’).
Nowadays, Russia seems to have even more interest in the implementation of an autonomous digital sector, since its military engagement in the war in Ukraine in February 2022 provoked responses and attempts to destabilise its manoeuvres on the digital field and in cyberspace. The Russian authorities are now trying to quickly implement the ‘‘Sovereign Internet Law,” or “Sovereign RuNet Law” (where “RuNet” stands for “Russian Internet” or “Russian Network”), – in fact, Amendment No. 608767-7 to the Federal Law No. 90-FZ – adopted on 1st March 2019, and officially into force since 1st November 2019. The main purpose of this law is to allow the creation of an entirely autonomous Russian network, which would be able to keep functioning in case of a massive cyberattack incoming from other countries, or in case of disconnection from the global Internet through its main root servers and Domain Name System (DNS: the system which allows machines to convert IP addresses into domain names, e.g. the names given to websites, and vice versa); though such disconnection would be technically and (geo)politically difficult – if not impossible – to implement.
The RosKomNadzor agency, which depends on the Ministry of Digital Development, Communications and Mass Media of the Russian Federation and is often nicknamed “the policeman of the Russian Internet,” plays a major role in the implementation of the law. It is currently installing new D.P.I. (Deep Packet Inspection) and SORM surveillance boxes solutions on the government information system and the RuNet infrastructures, through its public company Main Radio Frequency Center (Glavnyj RadioTchastotnyj Tsentr, GRTchTs), in order to improve the filtering of digital traffic (data packages) and Web requests which enter the Russian network, and to prevent Denial of Service (DoS) attacks.
Thus, the current tendency in Russia is to close the digital space by increasing and centralising control over the RuNet, and the digital field through closer control of the digital economy and the digital market.
2. How do private actors in Russia influence the national digital sovereignty strategy?
Private actors have greatly influenced the Russian strategy of digital sovereignty during the 2010s, by advocating for the implementation of economic and commercial laws designed to support the quick growth of the sector, and the development of domestic technologies. These laws were meant to favour the use of hardware and software produced in Russia by domestic players on the public digital infrastructure, and thus to reinforce these players’ position on the internal market.
During the 2010s, they mainly consisted in the obligation, for any company wanting to apply for public and governmental contracts, to offer free and open-source digital solutions, which mostly impacted software sellers and producers.
They also consisted of both protectionist policies and openness for Russian players to international trade. Protectionist policies were implemented through the reinforcement of state standards (GOST) issued by the Federal Technical Regulation and Metrology Agency (RosStandart) and the capping of foreign investments, which had to be subjected to an overall limit of 20% in strategic and digital companies in 2019. Meanwhile, the position of Russian players on external markets has been insured by the implementation of more equivalences and compatibility between GOST and ISO standards (i.e. international standards and norms issued by the International Organisation for Standardisation), then eased by the suppression of thousands of standards inherited from the Soviet period in 2019.
This strategy had to be modified in 2022, after the important loss of foreign investments and economic sanctions due to the war in Ukraine. Since 24th February 2022, more than three hundred foreign companies had “suspended or withdrawn from the Russian market in response to Russia’s [‘military] operations’ in Ukraine”. Prime Minister Mikhail Mishustin, ex-director of the Federal Taxation Service, and the Russian Presidency, issued a presidential decree (ukaz) on 5th March 2022 – Decree No.95 “On Temporary Order of Discharge of Obligations Towards Certain Foreign Creditors” –, in order to limit the withdrawal of foreign investments out of the Russian economy.
Some of the biggest Russian digital companies, like Yandex, seriously suffered from these withdrawals, international sanctions, and the necessary reshaping of the Russian economy since 2022.
3. What is the role of free and open-source software in the Russian digital agenda?
Free and open-source software has played a major role in the Russian digital agenda during the past decade. The Russian authorities have been aware that the use of this kind of software would help to boost the economy and the digital industry, because it allows software producers to quickly develop new computer programs, such as Operating Systems’ (OSs) distributions, at low cost.
The source code of free and open-source software is largely readable online (it has to be), and totally or partly reusable, following the rules defined by the licences used to label it as “free” or “open-source.” These licences can for example be granted by the Free Software Foundation (FSF) or the Open Source Initiative (OSI). These specificities make it an interesting choice for any software producer who cannot really afford the cost of serious research and development (R&D) policies, and the economic risks posed by the creation of products that would be entirely new; i.e., without knowing if these products would easily find new users, or a solid user base.
What is more, the biggest free and open-source projects – such as some Linux-based distributions (like the Debian-based distro called “Ubuntu”) – benefit from a large user base, allowing their developers to find bugs and vulnerabilities within their code more easily, and to correct them with the help of the “community.”
The generally lower prices of free and open-source software are also an advantage for buyers. Considering all these advantages, and the high prices of proprietary software produced – and services offered – by big American companies like the GAFAM, the Russian authorities and digital players agreed to implement new legislations to favour the use of free and open-source software on public digital infrastructures, and its production and selling on the internal market.
Federal law n°764677-6 “‘On technologies and the protection of information and on the ‘contractual system in the attribution of public markets for goods and services’”, adopted on 29th June 2015 by the State Duma, ordered the creation of a register of domestic software: the Unified Register of Russian Programs for Computers and Databases. It came into force on 1st January 2016. Since then, the only vendors who are allowed to take part in public contracts for the supply of goods and services in the field of IT are companies, the solutions of which belong to this register. With this law, the use of foreign software by federal authorities has been banned when domestic alternatives exist. However, the law (already) allowed any public entity to use foreign software when necessary, if the software was open-source. This exception clause shall be widened this year. The law will be revised because it is considered to be too restrictive, especially considering the difficulties encountered by the private IT sector since the beginning of the full-scale war in Ukraine, on 24th February 2022.
Nevertheless, the openness of the source code of free and open-source software allows the Russian authorities to better control its functioning: a tremendous advantage, considering the threats of attacks involving vulnerabilities and security holes in foreign products by foreign companies or states, and the risks posed by the possible discontinuity of supply for digital products (risks which are particularly high since 2022 and the reluctance of foreign companies to maintain their solutions up-to-date for their Russian clients).
However, these advantages have been played down by some cases of abuse by Russian companies. In 2019, for example, a branch of the state conglomerate RosNano called Elvis NeoTekh led its client, the Russian Ministry of Education, to believe that it had produced thousands of video cameras using Russian software. Yet, the software used by these cameras depended on a Chinese firmware (a program allowing different pieces of hardware to perform several tasks), which contained a backdoor. This vulnerable software could therefore be used to carry out Distributed Denial-of-Service (DDoS) attacks – which disrupt the functioning of a targeted server, network or service by overwhelming its infrastructure with a flood of Internet traffic –, or to mine cryptocurrencies, at the expense of the Russian public schools in which these video cameras were supposed to be installed.
Marie-Gabrielle Bertran is a PhD candidate at the French Institute of Geopolitics (IFG-Lab) since September 2019, and a researcher in the GEODE Project (Geopolitics of the Datasphere). She works under the direction of Frederick Douzet and Kevin Limonier, and benefits from the scientific support of the Institute for Strategic Research of the Military School (IRSEM). Her research work focuses on the state policies for the promotion of cyber sovereignty in Russia, and on their consequences on the work of Russian IT developers and the internal and international IT markets.