You are here: American University School of International Service Centers Security, Innovation, and New Technology Russian Cyber Sovereignty: Global Implications of an Authoritarian RuNet


Russian Cyber Sovereignty: Global Implications of an Authoritarian RuNet

By  | 

Just before Russia’s parliamentary elections began in September 2021, Apple and Google removed a voting app that was created and promoted by supporters of jailed opposition leader Alexei A. Navalny. The app was supposed to help voters who opposed Russian president Vladimir Putin consolidate their votes, and it’s likely the Kremlin viewed this as a threat. Russian authorities put pressure on Apple and Google to take the app down by threatening to prosecute companies’ local employees. Acquiescence by the tech giants not only made headlines, it also exemplified one of the many steps that the Kremlin has taken to achieve an authoritarian and isolated version of cyber sovereignty.

A broad definition of cyber sovereignty is “the ability to create and implement rules in cyberspace through state governance.” Today many states claim to have some degree of sovereignty over the internet. After all, even liberal democracies are able to intervene in cyberspace to protect citizens’ privacy online and combat disinformation and cybercrime. But Russia’s concept of cyber sovereignty—which mimics China’s—differs from this broad rule-based definition, as it enables digital authoritarianism, meaning a government’s use of digital information technology to repress citizens. For Russia, a sovereign internet is one that the Kremlin can control and surveil as well as isolate from the rest of the world.

What Prompted the Kremlin to Pursue Cyber Sovereignty?

Before 2012, although the Russian government tracked traditional media and scared many dissidents into silence, the Russian-language part of the internet (dubbed RuNet) was fairly free. In the early 2000s, opposition activists could hold lively political discussions on the Russian blogging and social networking site LiveJournal; journalists could share unedited stories and directly communicate with their audiences through personal blogs; and informal groups could come together on VKontakte, a social networking site for Russian speakers that, at one point, was an unregulated environment for communication. These types of digital activities on RuNet challenged the narratives of traditional Russian media.

During the Russian parliamentary and presidential elections that took place 2011-2012, activists took to social media to mobilize protests, while online media outlets exposed the scale of fraud in the elections and covered the protests. Activists continued the momentum by sharing internet videos that satirized and belittled the Kremlin and by venting their frustrations about Putin’s decision to run for president after serving as prime minister. When Putin unveiled his campaign website, a swarm of online comments called for him to resign. In response to the mass protests and dissenting voices on RuNet, the Kremlin created legal provisions and developed new technologies to crack down on the cyber public square.

Steps Russia has Taken Toward an Authoritarian and Isolated RuNet

Since 2012, the Kremlin has made a number of legal moves that, according to transatlantic relations expert Alina Polyakova and Brookings fellow Chris Meserole, de facto criminalize criticism of the government, legalize unfettered surveillance of citizens’ online activities, and increase state control of RuNet.” Russian authorities framed the 2012 internet blacklist law as a way to protect children from harmful internet content by allowing the government to blacklist and force websites offline without a trial. Roskomnadzor, Russia’s media regulator, was put in charge of overseeing online and media content as well as maintaining a centralized list of blocked sites. Because Roskomnadzor can blacklist  any site without accountability, it has placed major independent news sites and websites run by opposition leaders, among others, on the list.

In 2015, the Russian government further tightened its grip on RuNet by instituting a strict data localization law. This law mandates that Russian citizens’ data be stored on servers located in Russia. Though the Kremlin has been inconsistent in enforcing the law, tech companies have faced consequences because of it. For example, Russian regulators expelled LinkedIn from operating in the country because the company refused to locate a data center in Russia.

The Yarovaya law—named after the Duma member who proposed them, Irina Yorovaya—is a set of so-called “anti-terrorist” amendments made in 2016, which include provisions that, according to Human Rights Watch, “severely undermine the right to privacy and are detrimental to freedom of expression on the internet.” For example, the amendments require that certain information and communications technology (ICT) companies retain copies of all communications content (text messages, voice, data, and images) for six months as well as communications metadata for three years. Companies impacted by the amendments must hand over such information to authorities upon request and without a court order. The Kremlin has also created legislation specifically targeting proxy services like virtual private networks (VPNs), which allow users to access content that is banned in their countries.

SORM (Система оперативно-разыскных мероприятий or, in English, “System for Operative Investigative Activities”)is the Russian government’s surveillance system first developed by the KGB in the ’80s to monitor phone calls. Over the years, the Russian government has made updates to this system so it could encompass all Russian telecommunications and serve as the FSB’s backdoor to the internet. Since Putin’s rise to power, seven law enforcement and security government agencies have also received access to SORM: the Interior Ministry, Federal Protective Service, Foreign Intelligence Service, Customs, Federal Drug Agency, Federal Prisons Service, and GRU.

In 2019, legislation came into effect to establish the “sovereign Russian internet.” According to the law, internet providers must install Deep Packet Inspection (DPI) equipment to auto-block banned websites, monitor cross-border communication, and allow Roskomnadzor to take the reins “at a time of crisis”—a vaguely defined phrase. In other words, the Kremlin could isolate RuNet from the global web at its own discretion. According to the Kremlin, the country successfully tested an unplugged RuNet in 2019, and again in 2021. Authorities framed both as important tests of the country’s cyber security.

The Kremlin is further bolstering an isolated RuNet by building alternatives to foreign tech services and pushing these services onto the Russian public. Russia’s government has proposed policies to promote the domestic versions, including taxes on foreign digital services, tax cuts for domestic IT firms, and a requirement that digital devices bought in Russia offer Russian software to users when they turn them on. If Russian citizens become dependent on domestic services, then the Kremlin will more easily ban global platforms.

A Model That’s Tempting Other Countries

Russia’s digital authoritarianism not only stifles Russian privacy, freedom of expression, and civil society, the model has also become attractive to other countries. If a state wants to tighten its reins on citizens’ internet behavior and online content consumption, it can use aspects of Russia’s RuNet model to do so. For example, countries in Russia’s geopolitical sphere of influence have been importing its SORM tech and replicating its legal framework for surveilling domestic citizens.

Aspects of Russia’s version of cyber sovereignty are expanding to Brazil, India, and Turkey, where policymakers have been discussing provisions that can enable further crackdowns on free expression, privacy, and other human rights. These developments have set off alarm bells for human rights NGOs; one Freedom House report even states that the listed countries “may prove to be the ‘swing states’ of internet governance.”  

How the US and Big Tech Should Respond

The original philosophy of the internet—idealizing personal freedom and individual rights—has evolved as states have adapted to it in ways that reflect governments’ (though not necessarily citizens’) interests. So how should the US and Big Tech respond to the Kremlin’s tightening grip on RuNet while prioritizing global connectivity?

While the US may not be able to fully preserve internet freedom for Russia’s citizens—as well as the citizens of other countries who choose digital authoritarianism—the US government should continue to coordinate with like-minded democracies to prevent digital authoritarianism from becoming the global cyber norm. The Biden administration, in fact, is already prioritizing such coordination, as the US government has been working on establishing the Alliance for the Future of the Internet, which is meant to bring together democratic countries to develop a set of principles for a secure and open internet.

The US should also work with such democracies to develop  a democratic model of internet governance that is more appealing to states than digital authoritarian models are. Just as Russia has been offering SORM technology, the US’s and Europe’s tech sectors and policymakers should offer their own versions of digital surveillance tech that can improve security while protecting individual privacy and human rights.

Also, Big Tech must tread carefully when responding to the demands of the Kremlin. When Apple and Google removed the Navalny app in September, Navalny’s supporters and internet freedom advocates criticized the companies’ response to Russian government pressure. While it’s true that Big Tech companies influence global internet freedom, and their responses to authoritarian governments’ pressure impact the development of global cyber norms, they cannot always push back with blanket refusals—especially as RuNet heads closer to being fully functional without foreign platforms.

Western tech giants  like YouTube have served as platforms through which Russian online activism could function and flourish, and opposition leaders like Navalny gained an amplified voice because of such companies. In the face of future demands by the Russian government, western giants like YouTube, Google [Alphabet], Twitter, Facebook [Meta], and Apple should weigh whether their presence in Russia, even with Kremlin-set limitations, can help bolster the internet freedom of Russian citizens before deciding whether or not to comply. It may be better to comply and have some sort of presence in Russia rather than to push back and be banned all together (as in the case of LinkedIn).

All in all, the US should respond to Russia’s cyber sovereignty efforts by continuing its work to establish an internet alliance of like-minded democracies and working to create a democratic model of internet governance that’s appealing to other states. Meanwhile, Big Tech companies should not refuse all Kremlin requests and instead should calculate what response would best serve Russian citizens. Understanding the Kremlin’s cyber isolationist efforts is integral, especially since such sovereignty may embolden the country to more aggressively conduct cyberattacks on its neighbors and adversaries. After all, with a RuNet that’s fully capable of cutting itself off from the rest of the global internet, big tech’s leverage on Russia is sure to diminish.


About the Author: 

Emily Tavenner is a current graduate student in the School of International Service’s Intercultural and International Communication program. Her research interests include security, technology, and public diplomacy.