December 14 2018 will be remembered for striking news about a new bill submitted to Russia’s State Duma: “On amendments to some legislative acts of the Russian Federation.” Behind the meaningless title there are a bunch of amendments to the laws 126-FZ “On communications,” and 149-FZ “On information.” According to the explanatory note, this bill got its impetus from the latest US cybersecurity strategy, where Russia is directly called the enemy and the US asserts its intention to keep the peace in cyberspace by use of force, if necessary. Thus, Russian officials emphasize that the Internet in Russia has become vulnerable to external threats, especially its deliberate disconnection from abroad during international conflicts. Andrey Lugovoy, State Duma deputy and one of the co-authors of the bill, said:

Americans say – we must seek peace by force. And at the same time, they connect this statement with the actions of Russia, which allegedly committed some irresponsible hacker attacks on American state bodies and Europe. And so, Russia must be punished. They, of course, haven’t written it literally, but the sense is this. So, we have to be prepared…they will try to create problems for us on the Internet.

Deputy Minister of digital technologies and communications Oleg Ivanov compared once again ICANN and DNS to a kill switch:

“It is wrong when a system that has a critical impact not only on citizens, but also on the whole economy, a “switch” for the Internet, is in the wrong hands. Previously, when communication technologies occupied a smaller share in GDP and did not affect critical economic processes, we looked at it through the fingers.”

Ivanov reminded that Russia has repeatedly advocated the internationalization of the Internet governance system. 

Aside from the usual geopolitical concerns, economic reasons are increasingly worrying Russian lawmakers now. According to the last study of the Russian Association of Electronic Communications, the Internet economy has reached 5.1% of the Russian GDP in 2018. The government authorities are now aware of the risks that could disrupt Internet stability and normal functioning for the national economy.Alexandr Pankov, the Deputy head of Roskomnadzor, Russia’s communications regulatory authority, confirmed this thought:

“At the first stage, the Internet was a medium for toys and communications, but now financial transactions, business, telemedicine, and etc. are tied to this network. If today the Internet ‘falls,’ it will be a real disaster.”

Therefore, it was decided that it is necessary to ensure the stability of the Internet in Russia in a centralized way at the state level.

What the bill proposes to do

To this end, the bill proposes the following steps:

  1. To develop new rules and regulations for all major organizations responsible for Internet functioning in Russia. In addition, new rules for traffic routing will be created.

In addition to Internet providers, owners of technical communication networks and owners of autonomous system numbers (ASNs), the bill adds new categories: owners of cross-border communication lines and a registry for traffic exchange points (don’t confuse with the existing IXPs). All owners of ASNs will be obliged to comply with the traffic routing rules established by Roskomnadzor. In cases of “threats to the integrity, stability and security of the Russian segment of the Internet,” Roskomnadzor will “centrally manage the public communications network.”

The traffic routing policies are now established by network operators, but under the new bill the traffic must pass only through the exchange points listed in the special registry (the principle of its formation is not yet specified) and according to the rules of Roskomnadzor (also to be defined). The bill introduces the ability to deny operators and organizers of information dissemination on the Internet (including instant messengers, social networks, e-mail services, etc.) to connect to traffic exchange points. The refusal will follow if the operators do not comply with the requirements of Roskomnadzor or LEAs. Finally, “owners of communication lines (their functional elements or resources)” are required to report these lines to Roskomnadzor in order to compile a register of “communication lines crossing the border of the Russian Federation.”

2. To develop a national domain name system.

The bill has an article declaring that “In order to ensure the sustainable functioning of the Internet, a national system for obtaining information about domain names (or network addresses) is being created as a set of interrelated software and hardware designed to store and obtain information about network addresses in relation to domain names, including those included in the Russian national domain zone, as well as authorization for domain name resolution.Roskomnadzor will determine the requirements for the national domain name system, the procedure for its creation, and rules for its use.” Further provisions are much more confusing: “When resolving domain names, the organizer of information distribution on the Internet, which have an ASN, is obliged to use the software and hardware necessary for such resolving, as well as the national domain name system, established by Roskomnadzor. The last point is the biggest puzzle: “Information from databases of information systems in which authorized persons form the domain names belonging to the Russian national domain zone is transferred to national system of domain names in the order and in the terms established by rules of use of national system of domain names. Roskomnadzor registers persons authorized to generate domain names that are included in the Russian national domain zone.”

It seems that legislators’ intent was to protect Russian domains from potential seizure. However, its relation to the global DNS is unclear. Is it just a backup of the existing DNS? But then it has no practical meaning, since all operators learned how to cache and reserve requests to the root servers. If the national DNS will be completely independent, it will cause serious risk to the connectivity of the Russian networks with the global Internet.

Also, the bill leaves a range of open questions:

  • Why only organizers of information distribution on the Internet must use national DNS, meanwhile using special means defined by Roskomnadzor? (Are these means the same that should be used for countering threats and traffic filtering described below?)
  • What do these “databases of information systems” imply? The file of root zone? The database maintained by Coordination Center for TLD .RU/.РФ?
  • What is the “Russian national domain zone”? Does it mean that it excludes the Russian resources registered on other domains like .com, .gov, for example?

For the last question I have a guess (from what can be comprehended from the text) that for the national DNS companies will manually collect a special database, that will have all the Russian Internet resources regardless of the domain name they use. However, this step creates more danger for connectivity instead of serving the purpose of the bill.

3. All Russian network operators will have to install special technical means to counter threats in their networks.

These “technical means” (the bill doesn’t specify exactly their type and configuration) will have to be provided by Roskomnadzor free of charge to all operators. Interestingly, these means will serve a dual purpose: to protect Runet from external threats (which are not detailed in the bill) and to block the resources from the blacklist maintained by Roskomnadzor (currently this is the responsibility of operators to execute filtering of information prohibited for distribution in the territory of the Russian under the federal law 139-FZ and each operator use its own equipment and methods to comply with the law) thus waiving the responsibility of operators for Internet filtering.

Among the Russian technical community there are vague guesses that these “technical means” imply deep packet inspection technology (DPI). However, it is widely known that DPI equipment is costly and greatly affects the quality and speed of traffic. The bill explicitly said that it does not involve costs from the federal budget, so it is unclear at whose expense such “technical means” will be set up.  Lugovoy tried to explain it: “There will be no financial costs! These technical means all operators put earlier, put now and will put in future, regardless of our bill. We only specify and ask them to report to the monitoring center when they set technical means to protect their information. The center will understand where and what “fences” each operator has put. This is for the case, when there is some kind of a cyberattack, or a threat to resilience of the Internet, so it will enable the state to react appropriately to inform operators about what is happening. This strange explanation suggests that ultimately operators will be responsible for the technical means, but then, what will  Roskomnadzor provide?

4. To create a Center for Monitoring and Control of Public Communication Networks

The Center will be created as part of the General Radio Frequency Center of Roskomnadzor (the same agency that monitors the compliance of operators to filter Internet resources from the blacklist). The Center will collect all the necessary information from lots of agencies about their network infrastructure, available IP-addresses, and maintain the registry of traffic exchange points and, if necessary, adjust the traffic routing.

5. To conduct regular exercises

The efficiency of the entire system under the bill will be checked and improved at regular exercises of authorities, operators and owners of technical networks.

“Where is the money, Zina?”

This is the summary of the main novelties to the federal laws. Going back to the budget issues, we remember that the financial and economic justification of the bill states that “adoption and implementation of the Federal Law will not require expenditures from the federal budget.” However, it is obvious that the creation of registries for traffic exchange points, cross-border communication lines, and owners of ASNs, a national DNS and the Center of Monitoring and Control will require enormous funds and human resources with high qualifications. Moreover, it is unclear what will be the “technical means” compulsory for all operators, but their vague functions imply a high price for potential equipment.

The member of the Federation Council Lyudmila Bokova (the second co-author) specified that the implementation of the bill will be financed by the national program “Digital economy” and Roskomnadzor itself. The working group on communications and IT of the Expert Council under the Russian Government roughly estimated that the amount can reach 25 billion rubles of one-time costs. This figure could grow even higher once more detailed information about functional requirements for hardware and software are available.

Russian human rights organizations’ reaction

Director of the Internet Protection Society Mikhail Klimarev criticizes the idea of centralized routing of Internet traffic: “Judge for yourself – after the introduction of the “center for monitoring and control of the public communication network” it will become, in fact, the main target during cyber warfare. And this “monitoring and control center” of Roskomnadzor, which showed its incompetence during the blocking of Telegram messenger, doesn’t have the appropriate knowledge and skills to manage such an important system.” Also, he points out that the majority of communication lines exist in the form of routing policies, where operators sometimes have no idea whether specific communication lines cross the border of the Russian Federation, or not. Stanislav Shakirov, the Technical Director of Russian human rights group Roskomsvobodaclaims the bill allows the authorities to disable the “external Internet” when necessary and filter traffic — both internal and external. “External Internet” refers to those sites and services that are physically located outside of Russia, on foreign servers. He points out that the bill continues the state policy of reacting to the Arab spring: “the authorities began to introduce repressive laws for Internet and consolidate the key elements of the infrastructure of the Russian segment of the network to protect themselves from mass protests whose participants coordinate their actions on the Internet.” However, he added that “judging by how other technical initiatives of the government are implemented in Russia, the new initiative will be hardly fully implemented. Laws in Russia are often written by people who do not understand the how Internet works, and, as a result, the regulations are simply technically impossible to execute effectively.” Artem Kozlyuk, Head of Roskomsvoboda, believes that the bill creates a Russian censorship firewall. The director of the Digital Rights Center Denis Lukash pays attention to the problems arising from the new filtering system and its correlation with the reality of traffic exchange.

How Russian industry reacted to the bill

The representatives from industry are also pessimistic about the bill’s potential effects. Telecom operators think the transfer of powers to Roskomnadzor to manage traffic by IP carries risks of interception of traffic routes and the breach of integrity of the network, because Roskomnadzor will elaborate rules on the basis of data received from all market participants who are not telecom operators. Domain name registrars point to the creation of an extra domain name registry that will confuse the players of the market even more. Experts emphasize that the bill creates the possibility to shut down traffic from any undesirable resource, for example Amazon, or Apple, or Facebook, as they also have their own AS. Also, such deep technical regulation, including traffic routing, will result in even higher Internet access prices for end users, as routes are usually economically and technologically justifiable. The development of new protocols for working with the registry of traffic exchange points will bring additional costs that will be imposed on providers. And providers, in turn, will impose these costs on their customers.

“Minimization of data transfer abroad, exchanged between Russian users”

The issue of the loopback of Russian traffic inside state boundaries deserves special attention. An explanatory note to the bill puts one of the aims: “Create opportunity to minimize data transfer abroad, exchanged between Russian users.” In reality, the share of loop traffic is only 1.61% of the total amount, according to a recent study conducted by the Association of Documentary Telecommunication. Interestingly, the share of foreign traffic in Russia comprises about 25%. The diagram below shows the usual distribution of traffic origins for one of the Russian regions:

The rest of the traffic comes from CDN networks or cache servers connected directly to the network of an operator, as well as from the organizers of information dissemination (Vkontakte, Odnoklassniki, Mail.ru, Yandex), or from networks of other Russian operators through direct peer-to-peer or client connections. Ensuring that the client receives traffic on the shortest path, that is, excluding the loops through other operators (primarily foreign) is a priority routing policy for any operator of the Internet. Based on this, the construction of an expensive and complex traffic routing system under the new bill looks impractical.

So, what are the threats?

The main aim of the bill, it claims, is to protect the Internet from threats, but you won’t find any detailed description of these threats in the text. Explanatory note connects them to the US cybersecurity strategy; however, it remains unclear how the new power of Roskomnadzor for monitoring, routing, and filtering traffic in a centralized way counters the American national strategy. Attempts of legislators to explain the correlation are amazing for their complete incompetence and lack of knowledge about basic principles of Internet operations. Lugovoy mixed up the cross-border traffic flows with DNS and second-level domains with top-level domains:

Each Russian site is registered on the root server, which is located in the United States or Europe. If at some point access to this server will be terminated, you won’t be able go to any Russian site. Or rather, you will, if you know the nine-digit password for that site. Not quite a passwords, passwords are private things. And Russian users will feel uncomfortable but keep using it anyway. This is not to turn Internet off just once and immediately! Shut down for 100% is impossible. We have many entry and exit points. Therefore, we want to create a duplicate system within the country, so that, no matter what, we can use it. That’s why we are creating a national domain name system.”

The member of the Federation Council Andrey Klishas (the third and final co-author of the bill) claimed that “amendments will prevent cases of the disconnection of access routes to Russian sites from abroad, creating conditions for the possibility of opening pages in the Russian segment of the Internet.” Routing policies can’t be “disconnected from abroad” unless telecom operators themselves decide to change them, but it contradicts the whole idea of Internet connectivity.

Probably, legislators were frightened by comments from James Lewis, who criticized the Obama and Trump administrations for a too-soft response to the alleged Russian interference into elections and suggested a “menu of options” for a response that included “blocking access to all Russian domain websites for one day.” How could they take seriously these words from think-tank representative?

The bill should be prepared for consideration at the meeting of the State Duma in January 2019.