The Russian internet broke and Putin is building a new one
It is becoming increasingly clear that cyberattacks and data breaches impose disproportionately high economic and personal costs on civilians. U.S. sanctions on Russia have shut down countless Russian websites as foreign Certificate Authorities (CAs) are no longer able to accept payments for web security maintenance. In response, Vladimir Putin is kicking down his own backdoor and leading the charge to issue Russian security certificates instead. For context, most websites have to pay security authenticators—known as CAs—for internationally standardized Transport Layer Security (TLS) certificates, which ensure that a select few hold the power to authenticate how your personal information travels across the internet. In trying to set up an independent CA, Putin is setting a dangerous precedent for state-controlled communications. More broadly, this response calls into question the proportionality—or fairness—of weaponizing cyber in times of war as it needlessly impacts civilians.
Currently, the major CAs in the world—including Comodo, GlobalSign, DigiCert and GoDaddy—are primarily based out of the United States and the United Kingdom, and they account for over 50 percent of global TLS certificates. Because the majority of these organizations are privately owned, their profit model relies on trust, so their customers need only suspect the organization isn’t being transparent to move their business elsewhere. The risk of having state-owned CAs is that they openly give the government the power to eavesdrop on any data transfers at will, a practice known as a man-in-the-middle attack.
Putin isn’t the first leader to express dissatisfaction with the bureaucracy and barriers that accompany TLS certification compliance or try to create his own scheme. China’s Great Firewall has blocked several foreign encryption standards and made it significantly harder for web developers to continue their business with global security certificates. Just last year, the Dutch decided to remove themselves from the European Union’s certification process because it’s simply too complicated.
However, state-owned certifications set a particularly dangerous precedent that will compromise freedom of speech, freedom of the press and other core democratic values. Putin’s choice to lead this charge threatens to spur more censorship and disinformation across Russian communities that are quickly losing access to safe spaces where they can voice different or dissenting opinions.
This is an example of how sanctions, even when well-intentioned and deserved, can backfire and isolate communities in a way that fuels autocracies and opens the door to radicalization. By including cybersecurity standards in the sanctions rollout, the United States has inadvertently handed Putin far more power than before and crippled Russian communities by pulling them farther from their rights to freedom of speech. Further, the isolation of Russia from the United States and Europe—particularly as Chinese media are splashing their front pages with attributions of U.S. spyware technology on Chinese soil—will likely nudge Russia closer to countries whose profiles fit the “enemy of my enemy is my friend” model.
As many national security experts strive to understand how to best delineate the rules of engagement around hybrid warfare, it is critically important to understand that acts of cyber warfare cannot be contained in a way that minimizes the intended or unintended harm to civilians. Further, the underlying norms of warfare, dating back to St. Thomas Aquinas, state that acts of war must be met with proportional responses. In this instance, Russian communities can’t conduct business or communicate with each other on the websites that have effectively been locked down, which has forced Putin’s hand to either acquiesce or create a workaround, and evidently, he is opting for the latter. As we navigate new classifications of warfare, we have an ethical and humanitarian obligation to redefine rules of engagement that will not disproportionately infringe upon civilian rights, and that includes cybersecurity protections.
International cybersecurity efforts to protect global infrastructure and basic human democratic rights are most effective when the rules are standardized. When a country’s leadership goes rogue, it jeopardizes the confidentiality, integrity and availability of the global economy. Perhaps more importantly, it deprives individuals of basic freedoms that determine whether we can safely take up space on this planet. And that is not a risk we can afford to take.