The Russian State Duma (lower house of parliament) adopted a new set of laws, on January 27, aiming to “protect critical infrastructure of the Russian Federation against hacker attacks” (Rosbalt.ru, Duma.gov.ru, January 27). Dmitry Shalkov, a top-ranking ultra-conservative official of the Federal Security Service (FSB) articulated the initiative before the Duma. He justified the need for new cyber infrastructure legislation on the basis of a growing number of cyberattacks against Russia’s information resources. According to the official, in 2016 alone, Russia was subjected to 70 million cyberattacks targeting its critical IT infrastructure.
The adopted package of laws puts particular emphasis on the following points:
- The main principles of protection of critical informational infrastructure of the Russian Federation;
- The scope of power to be exercised by the state;
- The bulk of rights and responsibilities of private IT companies.
Moreover, the laws have exponentially expanded the notion of “critical infrastructure,” which has obtained a much more thorough definition that covers strategically vital branches such as electronics, energetics/energy economics, the healthcare system, transportation, mining, as well as the space, chemical and nuclear industries (Filearchive.cnews.ru, December 6, 2016). By and large, this means that from now on, the Russian state will be able to exercise even greater control over public and private entities employing IT technologies and infrastructure.
Consisting of three separate though tightly interrelated blocks of legislation, the adopted laws impose additional state controls over domestic cyberspace. This is done via the introduction of a roster of the most crucial objects of critical IT infrastructure. That list is to be additionally categorized in accordance with weight and importance. However, that information will be labelled “classified” (gosudarstvennaja tajna).
The Penal Code of the Russian Federation has been supplemented by Article No. 274.1, which concerns various types of “illegal activities” in the domain of Russian cyber security, with emphasis on “secret information” and “critical IT infrastructure of the Russian Federation.” Infringement of this law will be punishable by imprisonment of up to ten years and a considerable financial fine (Rapsinews.ru, January 27).
The new cyber infrastructure protection initiative was hailed by most conservative forces serving in the Russian Duma, including former KGB agents, representatives of the Communist Party of the Russian Federation (KPRF) and the pro-Kremlin Fair Russia party. High-ranking Duma deputy Leonid Levin underscored that the initiative is particularly timely and fully complies with the country’s recently adopted Information Security Doctrine (Emigrados.ru, January 27). During the discussion that followed ratification of these laws, lawmakers once again explicitly declared that the strategic goal of the Russian IT sector is to eliminate its dependence on external gadgets and technologies as a means to decrease the “foreign factor,” diminish Russia’s dependence on the external market, and optimize the work of domestic IT-sector producers (Scilla.ru, January 28).
A deeper and more comprehensive review of surrounding domestic circumstances shed additional light and provide a somewhat different prospective on the nature of these laws, however. On January 28, it was announced that Vladimir Anikeev (a.k.a. Lewis, the creator of the Shaltay Boltay international hacking group), Segey Mikhaylov (the head of the Center for Information Security division at the FSB), Dmitry Dokuchayev (Mikhaylov’s deputy director) and Ruslan Stoyanov (a top manager at the Russian cybersecurity firm Kaspersky Lab) were accused of high treason. Incidentally, the arrests of these and several other persons were carried out between October 2016 and January 2017, but the details of their cases were kept secret by the authorities until now. Allegedly, these figures had provided foreign special services with valuable information pertaining to Russian cybersecurity. Later, charges put forth against Mikhaylov and Dokuchayev were specified: both are accused of alleged collaboration with the Central Intelligence Agency (CIA) and supplying the United States with information classified as “secret” (Rufabula.com, January 31).
Yet, these charges are being contested by external sources. According to cybersecurity experts at the UkrainianCyberAlliance (UCA), the aforementioned arrests should primarily be seen as the Russian state’s retaliation for the so-called “SurkovLeaks” scandal. These alleged leaks of Vladislav Surkov’s hacked e-mails dealt a severe blow to the reputation of the chief architect of the so-called “Russian Spring” and the notorious “Novorossiya project”—political-informational-military initiatives that culminated in the unlawful Russian annexation of Crimea and the outbreak of war in southeastern Ukraine. Furthermore, the alleged hacking of Surkov’s e-mail account (reportedly done by Shaltay Boltay and later exposed by Ukrainian hacker collective Cyber Hunta) implicated other powerful Russian elites in Moscow’s surreptitious aggression against Ukraine. For example, “Orthodox oligarch” Konstantin Malofeev, who has been repeatedly accused of sponsoring Russian aggression in Ukraine and financing the activities of the so-called “rebels” in Donbas (eastern Ukraine), surfaced in the SurkovLeaks dump. Malofeev chairs the board of directors of the business group “Tsargrad” as well as the St. Basil the Great Charitable Foundation and is close to the Russian Orthodox Church. The leaked e-mails also cast a shadow on Russian far-right (and Kremlin-backed) philosopher Alexander Dugin (Cyberhunta.com, accessed February 6).
It appears that the “Surkov affair” was not only a huge embarrassment for Moscow, but in many ways also identified the Russian state’s susceptibility to attack in the cyber domain—hence the wave of arrests in recent months and the new cyber infrastructure legislation. Meanwhile, the Kremlin is also preparing to implement the notorious “Yarovaya Package” of laws (scheduled to go into effect in 2018), which will give Moscow greater control over the personal online information of Russian citizens as well as empower the authorities to label and prosecute critical online speech as “extremist” (see EDM, July 15, 2016). Taken together, it appears the Kremlin is preparing to undertake a great “cyber purge” that may change the entire architecture of relations between Russian IT companies and the state, leading to the establishment of full government control over this sector (UNIAN, January 26). Indeed, a number of well-known and highly esteemed domestic sources have confirmed this supposition, predicting visible cadre reshuffles in the near future, which are likely to affect the most powerful figures within Russia’s cyber security architecture (Kommersant, January 13).