Technology companies and regulators in the EU and west have the power to disturb the functioning of Russia’s internet and the malicious use of the internet outside the country without affecting the country’s essential data and infrastructure or harming other countries’ infrastructure. These digital sanctions can be implemented quickly and removed easily when appropriate.
Andrey Kolodyuk and Jan Thys are co-founders of the Free Ukraine Foundation, a non-profit just created in Belgium to assist Ukrainian people and businesses affected by the war.
Yobie Benjamin, former chief technology officer of Global Transaction Services, Citibank, also contributed to this opinion.
Today, as Russia is bombing Ukraine and threatening the world, one of its most potent weapons — the internet – should not be overlooked.
The aggressor’s cyber warfare capabilities are world-class. Not only are they being used to attack Ukraine: they are ready to strike the world’s critical infrastructures.
The recent past has shown how tangible this threat is. For example, the Russian government is suspected to be behind the 2020 SolarWinds attack, which affected thousands of organisations globally, including multiple parts of the United States federal government.
Tomorrow, we may witness a complete crash of capital markets or wake up without heat and electricity – unless we’d learn to live without toilet paper, food, medicine, and fuel due to supply chain disruptions.
Russia has also wielded the internet as an effective weapon in destabilising governments and institutions, dividing political and civil discourse in the USA, Western Europe and beyond. From the trucker protests in Canada to ethnic tensions and the January 6 insurrection in the United States, Russia has been aggressive in creating active societal unrest to its advantage.
What could be done
In response to the invasion of Ukraine, the west has moved fast to support Ukraine in military terms and to sanction Russia economically and technologically.
A lot could be done in the digital field, too, supported by regulatory action as a crucial component of the west’s answer.
We need to reduce the cyber threat, i.e. the capacity of the nuisance of Putin’s cyber army, the hackers and trolls working with him. Here are some steps, some easier, some less, public and private actors in the western world should consider and prepare.
- Render the Russian internet ‘untrustworthy’ worldwide by revoking SSL and CAs from trusted lists.
Russian institutes (financial, energy, other) will have all their SSL certificates revoked. Russian CAs (Certificate Authorities) will be removed from trusted lists (browsers, others).
As a result, Russian websites (any site currently using the Russian namespace with domains such as .ru, .su and .рф) would be considered ‘untrustworthy’ outside of Russia and a security risk by web browsers around the world – but still accessible.
Russian sites will be extremely difficult (but not impossible) to find as users would need to use an IP address instead of simple names.
These measures must be implemented by software companies making web browsers (incl. Apple, Google, Microsoft, Mozilla, Opera) and by private companies providing Internet security certificates to verify that a website is secure.
- Disable peerings (in- and out-) at IXPs that connect to Russia to close off hacker routes, prevent non-Russian traffic using the Russian infrastructure, and slow down the Internet within Russia
Internet exchange providers (IXP) are where the global Internet network interconnects.
Europe alone has more than 100 private IXPs, including a physical Point of Presence of the Russian-owned Moscow Exchange in Riga, Latvia.
Disabling peerings at the IXP level means that Internet traffic from Russia, including cyber attackers, trolls and misinformers, will be funnelled into a smaller number of access points. Thus, it will be easier to monitor traffic, identify Russian cyber troops, and negate their actions.
The measure will also hit Russian internet users, slowing down their access to international Internet resources.
The measure would also reduce the amount of non-Russian internet traffic going through the Russian internet system, which should at this time be considered highly hostile.
Who should enact the sanctions
Technically, these measures would be taken by private companies:
- Software companies making web browsers (incl. Apple, Google, Microsoft, Mozilla, Opera);
- Providers of Internet security certificates (Certificate Authorities or CAs) to verify that a website is secure;
- Private Internet exchange providers (IXPs).
Some internet companies have already enacted these initiatives of their own accord – as exemplified in March by London Internet Exchange (LINX), one of the largest peering points, which has decided to stop routing for Russian ISPs Rostelecom and MegaFon.
However, most private players will not implement these measures spontaneously. They should be pushed to act under public pressure or be constrained by the appropriate public authorities at the national or EU levels.
Strong, but not destructive
While effectively constraining Russia’s cyberwar capacities and limiting the flows of online disinformation from this country, the suggested measures are not destructive.
They would not harm access to essential data and infrastructure. Neither Russian schools, hospitals, railroads, nor even military installations will be affected – even though it might slow them down.
The reason is that Russia has already built its “parallel Internet” to protect its sensitive infrastructure. Since 2014, when the first economic sanctions-hit Russia as a response to its annexation of Crimea, Russia has been building its own internet infrastructure.
Runet’s design and model are similar to the dark web and onion. They do not depend on the global mainstream Internet. They were tested as early as 2017 to serve local pages in case of disruption. It is now primarily functional.
The suggested sanctions are reversible – can be withdrawn when peace emerges.
True, these digital sanctions will inconvenience not only hackers but also people within Russia by making the Internet slower. But those who will seek out information abroad will not be cut off from it. And the Russian population will ultimately benefit from the regime’s fall, which is the true target of these digital sanctions.