TechLetters Insights: information security in the new Russian doctrine
Russia approved a new Foreign Policy Doctrine. Primarily this is of interest to analysts dealing with issues of another nature. However, the doctrine speaks also about information security, including variants of “informational security”, and some things the West would regard as cybersecurity (the Russian government uses the broader term “information security”, indeed, and not “cybersecurity”).
It apparently highlights the role of artificial intelligence. Indeed, the document mentions “artificial intelligence technologies, the latest information and communication, energy, biological technologies and nanotechnologies” at the very beginning, as means of aspects of State competition! This also means for the doctrine to argue that the international relations in the world are multi-polar, and not unipolar with the preponderance of the U.S. - this is not written openly. Apparently, these processes result in “rejection among a number of states that are accustomed to thinking according to the logic of global domination and neocolonialism” (again, U.S.?).
The doctrine then mentions “offensive and subversive operations in the information space”, so clearly: cyber/information operations. In Russia’s view, the use of such tools is bypassing United Nations (UN) Security Council and is “provoking coup d’etats” (revolutions) or even wars. In other words: Russia officially says that cyber/information operations may be employed to cause a coup d’etat or even a war. It of course does not say whether they do or do not employ these tools themselves. Obviously.
Russia says that “a narrow group of States” want to “replace” the UN system with a “rules-based world”. Here it is mentioned that it is difficult to respond to “the use of information and communication technologies for illicit purposes”. Next, Russia expresses concern with “the exploration of outer space and information space as new spheres of military operations, the blurring of the line between military and non-military means of interstate confrontation”. That may come as a surprise since you are probably not unaware that Russia is using offensive cyber/information capabilities quite systematically, over the previous and this decade. Also, who was benefitting from the “blurring the lines” exactly, over the previous 10 years?
This sounds important: “the national interests of the Russian Federation in the foreign policy sphere are … development of a safe information space, protection of Russian society from destructive foreign information and psychological influence”. In other words, it is a State priority to “develop safe information space” (here meaning: local internet/RuNet AND the media environment + social media?). This maybe sounds like the need to build filtering capabilities, isolation from external networks.
Now about retaliations. “In the event that foreign States or their associations commit unfriendly actions that pose a threat to the sovereignty and territorial integrity of the Russian Federation, including those related to the application of restrictive measures (sanctions) of a political or economic nature or using modern information and communication technologies, the Russian Federation considers it legitimate to take symmetrical and asymmetric measures”. This means that: the response to sanctions, or information/cyber operations may happen using various means (asymmetric). That is quite a powerful statement to issue: “we will retaliate to cyberattacks”? I mean, many States issued similar lines in their national strategies. But here it confirms that Russia surely has to be building their information/cyber-capabilities, which as far as I recall, they apparently often deny that they use (though nobody doubts in this use, of course).
There’s also a specific section about information security, and one goal here is: “countering the policy of unfriendly states on the militarization of the global information space, on the use of information and communication technologies to interfere in the internal affairs of states and for military purposes”.
Now, I don’t know what “restricting the access of other states to advanced information and communication technologies” means.
It’s not like Russia has any power over that. Russia is not a significant exporter of IT technology.
So what then, will they prohibit Russian citizens from selling vulnerability information/exploits?
Summary
A mixed bag. It’s not a specific document about cybersecurity or even information security. It seems that Russia’s goals are two-fold: assert control over local media/information space, and also be prepared to “respond” to foreign “unfriendly States”.