Skepticism about Russian Internet Cutoff, Backpack Nukes, and Cybersecurity Awards
What We're Reading, Hearing and Watching -- July 13, 2023
Did Russia Really Test a Cutoff of the Russian Internet on July 4?
Russia’s Internet watchdog, Roskomnadzor, claimed on July 5 that on the previous night it had conducted a planned drill to test its ability to cut off the entire Russian Internet from the global Internet in case of outside attack. Some observers, however, showed skepticism. International relations analyst Oleg Shakirov, for example, wrote on July 6, “Please don't take Russian (or anyone's) claims about testing 'disconnection from the global Internet' at face value. Always remember about incentives within the system to exaggerate one's work. There are plenty of reports that there were [sic] no universal break in connectivity.” Shakirov noted that disruptions at Russian Railways were not likely part of the test cut-off as reported; they had lasted several days, Russian Railways attributed them to a cyber attack, and pro-Ukrainian hacktivists took credit for them. Twitter user @Cyberknow20, a widely cited account that tracks cyber incidents, was equally skeptical, “Haven't seen any chatter on telegram about this from the usual cyber suspects. Other than IT army Ukraine claiming ddos on trains earlier” (DDoS refers to distributed denial-of-service attacks). User @ug_sig noted, “Yes, a quick look at the sites that monitor Internet plumbing did not reveal any great disruptions during the time period identified in the reporting. One would have expected to see massive routing drops and other disconnections, but I didn’t see any of that.” Doug Madory of network monitoring company Kentik did report, “I can see a small drop in traffic for two RU mobile operators during the timeframe. Maybe the test consists of blocking international traffic for just a portion of RU to identify outside dependencies.” He added that Russia has claimed in the past to have conducted a test cutoff; however, “Each time Internet measurement data does not corroborate the claim of a complete disconnection.”
Halting Steps Toward Russian “Internet Sovereignty”: It is true that Russia has a 2019 law on “Internet sovereignty,” which expresses the aspiration to enable the Russian Internet to function if it were cut off from the global Internet. Roskomnadzor has been working to compel Russian Internet service providers to install equipment allowing Roskomnadzor to filter out Internet traffic that crosses borders and to take over control of Internet traffic in case of a crisis. Efforts are also underway to create an independent domain name system (DNS) for Russia. The 2019 law does indeed mandate regular exercises to test the readiness of this system.
However, experts doubt that Russia is close to being ready to operate its Internet independently. For example, the self-contained Russian DNS system has not been fully implemented. Russian tech companies have long expressed qualms about the viability of the country’s Internet sovereignty program. Aleksandr Lyamin of Qrator Labs commented that the reported July 4-5 test would have been intended to find out “to what extent the Russian segment of the Internet can function sustainably offline [в автономном режиме]. In effect, you can compare it to checking how long an arm can survive if it is cut off from the body.”
All in all, it is unclear to what extent the reported July 4 test cut-off actually happened.
One possible explanation for Roskomnadzor’s claimed test at this time was the June 30 appearance of an investigative article in the Russia-focused independent media source The Insider, which outlined the delays and shortcomings in Russia’s Internet sovereignty program.
Context: Debate Over Internet Governance and Fragmentation: Another possible reason for Roskomnadzor to claim a test Internet cutoff at this time is to bolster Russia’s ongoing efforts at the United Nations’ International Telecommunication Union (ITU) to enact Russian proposals for Internet governance. Russia and China have for decades advocated for the ITU, rather than the current multi-stakeholder Internet Corporation for Assigned Names and Numbers (ICANN), to coordinate and maintain the global Internet. The US and its allies have warned that these proposals would allow for Internet censorship. In its proposal submitted in advance of an ITU meeting scheduled for July 11, Russia appealed to the ITU to “consider steps to coordinate [regulatory] action so as to prevent the definitive political fragmentation of the Internet and the transformation of the global network into a series of loosely connected national fragments.” The Russian delegation could point to its own Internet sovereignty program as a warning example of such fragmentation and then present its proposals for ITU oversight as a solution.
Not only authoritarian countries but also democracies are effectively eroding the ideal of an open global Internet, said Marietje Schaake of Stanford University’s Cyber Policy Center in a June 12 Financial Times editorial; concerned over privacy violations, hate speech or disinformation, countries are enacting a “patchwork” of regulations that further splinter the Internet. Schaake called for agreement on practical steps such as “commitments not to block internet access and to invest in public digital infrastructure in order to limit over-dependence on powerful private companies,” as well as safeguards for “the internet’s delicate physical infrastructure, such as undersea cables.”
Backpack Nukes
Ukrainian military intelligence chief Kyrylo Budanov has claimed that, during the June 23-24 mutiny, when the Wagner Russian mercenary group briefly took control of territory in southern Russia, the group reached the Voronezh-45 Russian nuclear weapons storage facility and allegedly sought to steal “backpack nukes,” small Soviet-era nuclear devices. Security experts have urged skepticism toward these claims, noting that such weapons, even if they still exist, are likely non-functional; Russian nuclear weapons are well guarded and have safeguards making them difficult to use; and Wagner chief Yevgeniy Prigozhin likely never conceived of carrying out nuclear terrorism. Security analyst Mark Galeotti notes that Budanov has made outlandish claims in the past, in what Galeotti characterizes as part of Budanov’s job of information warfare. Galeotti links to a 2007 article addressing that era’s similar panic about rogue actors wielding Russian “suitcase nukes.”
Cybersecurity Awards
Cybersecurity vendors often advertise themselves by citing various awards they have won. Natto Thoughts recently had occasion to examine one such program, the Cybersecurity Excellence Awards. The awards website showed that over 130 companies had won such awards in 2023 alone. Though some of these are well-known companies, the awards program comes across as an advertising tool, not necessarily a measure of outstanding quality. The nominations page says, “Participation in the cybersecurity awards program is a great opportunity for your company and products to get recognized for excellence in cybersecurity….” For a flat fee of $900, which the website describes as “the most cost-effective award nomination fee in the industry,” companies can self-nominate, then promote themselves by citing those nominations. The website advertises a “premium sponsorship package” in which companies can propose new “custom award categories.” One can envision a scenario in which a company creates an obscure prize category, nominates itself, wins the award, and advertises itself as being the prize-winner.
True, the website claims that the program selects award-winners based on the “strength of their nomination,” with popular votes serving as a tie-breaker. It does not clarify who will evaluate the strength of nominations and on what basis. Internet surveys and voting do not generally use scientific sampling techniques and are thus of limited value in measuring popular opinion.
Judging from this brief look at the Cybersecurity Excellence Awards website, Natto Team assesses that a company’s receipt of such an award does not guarantee that it has good cybersecurity. For example, Kaseya reported in early 2021 that it had received five Cybersecurity Excellence Awards, just months before a 2 July supply-chain attack exploiting Kaseya’s remote management software unleashed ransomware on multiple managed service providers and hundreds of their customers.
A 2019 article about a little-known company that dubiously attributed a Citrix hack to Iran found that the company’s promotional materials cited several awards that appear to follow a similar “pay-to-play” theme.
Which brings us back to the message of our very first posting: to evaluate anything you read, remember the mnemonic SIFT, a reminder to “Stop, Investigate the source of information, Find better coverage, and Trace claims, quotes and media to the original context.”