When Russian President Vladimir Putin signed a law in 2019 allowing the state to isolate the internet within Russia in the event of a security incident, international media outlets extensively covered the development, with many (incorrectly) likening it to China’s Great Firewall. The spotlight quickly swiveled back to Beijing’s grip on online content and data—even though a Kremlin campaign continues to ratchet up pressure on US technology giants, and could soon create a disruptive playbook for other states.
While Moscow made headlines after throttling Twitter and coercing Google and Apple into censoring opposition leader Alexei Navalny’s election app last year, Western media coverage of internet repression and security threats still tends to focus on China. This penchant persists despite Russian developments that impinge on both the internet ecosystem and human rights in the country—and which constitute broader cyber threats and efforts to undermine the global internet.
In no small part, this pattern stems from the fact that Russian state control of the internet differs from that in China: It relies less on technical measures and more on traditional, offline mechanisms of coercion such as harassment, intimidation, and vague and inconsistently enforced speech laws. Notably, Russia’s domestic efforts to control the internet quite closely parallel its efforts overseas to shape information and to both weaponize the internet and undermine its global nature.
As the world watches Putin’s moves in and around Ukraine, these developments—while of course not comparable to the possibility of large-scale armed conflict—are worthy of attention, given their impact on the Russian cyber and internet landscape more broadly.
The more the Kremlin cements its control over the internet, the more it can potentially suppress dissent and control information and data flows at home. And the more it slowly works on implementing the domestic internet law, the more it centralizes its control of the architecture of the internet in Russia—which could also affect Russian cyber behavior abroad, such as by encouraging more assertive operations against global Internet infrastructure. Though US policy debates often separate Russian internet governance and technology policy at home from Russian cyber behavior abroad, there is actually great interdependence and entanglement between the two.
As the Kremlin demonstrates and further develops a model of internet and information control that appeals to states without China’s technical capacity, Moscow’s techniques may portend the future of internet repression elsewhere. Several recent, but largely overlooked, developments signal that the Kremlin may crack down on the internet more than ever in 2022—while US tech companies and the US government increasingly have little room to push back.
A tough 2021
Last year was a stifling one for Russian internet freedom. When citizens took to the streets to protest state corruption and the Kremlin’s jailing of Navalny, the government sent censorship orders to YouTube, Facebook, Instagram, Twitter, TikTok, VKontakte (Russia’s leading social network, also known as VK), and other domestic and foreign tech firms. Many caved and removed protest-related content. When Twitter refused to comply, the government leveraged newly deployed “deep packet inspection” capabilities to throttle it from within Russia. That was only partly successful, as many other websites were inadvertently affected by the traffic slowdown, but it still demonstrated to foreign technology firms that Moscow was expanding its censorship capabilities—which it also threatened to use again as desired.
The crackdowns hardly ended there. The government demanded that foreign tech companies set up local offices in Russia, and the Foreign Ministry called in the US ambassador to complain that US tech firms were not complying with the Kremlin’s censorship orders—decrying the companies’ behavior as “election interference” and describing them as tools of the American state. The government blocked access to the website for TOR (short for the Onion Router), an anonymizing browser often used to bypass government restrictions when surfing the web. It also blocked access to six major virtual private network (VPN) websites, where citizens were accessing software to circumvent online censorship; set up a registry to track tech company compliance with censorship orders; blocked many other websites, including those for Navalny’s campaign; and used its “foreign agents” designation to crack down on numerous online media.
As more and more Russians get their news from social media, and as internet mobilization and outreach become more important to protesters and opposition figures, the state’s crackdown on the web means citizens will have an even harder time accessing and sharing news that criticizes (or merely reflects poorly on) the Putin regime.
Several recent developments—including official pressure on Google, the expansion of domestic software and a push for domestic internet, as well as local office requirements for tech firms—illustrate how both economic and security motivations drive Russia’s new campaign to control and shape the domestic internet environment. They also underscore just how wide-ranging this campaign is.
In September, when Apple and Google refused to delete Navalny’s election app from their platforms, the Russian government threatened their employees in Russia and sent armed thugs to Google’s Moscow office; both companies then removed the app. Since then, the State Duma (Russia’s lower house of parliament) met with Google to issue even more demands (for example, edit Google Maps in Russia to show illegally annexed Crimea as part of Russia), while a Moscow court fined it $40,400 for not removing content the Kremlin deemed illegal—then fined it a record $98.4 million for not complying with state censorship orders. Google was targeted again just last month, when another Moscow court upheld a ruling from last April that found Google-owned YouTube must restore the account for Tsargrad, the TV channel owned by sanctioned Putin ally and oligarch Konstantin Malofeev. Though unsurprising, the ruling nonetheless gives the state another reason to increase its pressure on Google.
Meanwhile, a recently published BBC analysis found that between 2011 and 2020, the Russian government had filed more than 123,000 individual requests to Google search or YouTube to delete content—many times more than the number issued by Turkey (14,000), India (9,800), the United States (9,600), Brazil (8,000), Israel (2,000), or China (1,200). Moscow continued issuing those censorship orders in 2021, mostly focused on removing content related to Navalny. The Russian government’s commitment to fining Google a percentage of its annual revenue in Russia for not removing content signals increased Kremlin frustration at Google not bending the knee and suggests the pressure will ramp up even further.
Google matters as a stand-alone issue here because YouTube is the most widely used social media platform in Russia. It also provides cloud and other services to Russian citizens, while opposition leaders have used Google services as well—such as when the Navalny campaign used Google Docs to share a list of opposition candidates. Moreover, how the Kremlin treats Google, and its mixed record of compliance with the Russian government, could foreshadow how the state will treat other foreign tech companies facing similar demands.
The Russian government has increasingly been pushing the development and use of domestic software. Driven by economic and security factors, Russia aims to replace Western software with its Russian versions where possible. (However, if forced to choose between those two considerations, security would likely win out: While the Russian government doesn’t want to undermine the operations of Russian tech firms, the Putin regime has demonstrated increasing concern about Western espionage through Western technologies.)
Moscow has been making this push on multiple fronts. For one, it has been updating its domestic software registry, established in 2015, which lists government-approved software that state bodies and companies should use when replacing foreign software. It also implemented a law requiring that smartphones, laptops, smart TVs, and many other consumer devices sold in Russia have state-approved, Russian software preinstalled. This is primarily economically driven—a way to theoretically give domestic firms a leg up against foreign software developers and big US tech companies—but security factors (like Moscow wanting to secure backdoor access to Russian phones) may play a role as well.
The Russian government also updated its tax incentives for domestic technology production, making Russian companies with at least seven employees and 90 percent or more of their revenue from information technology (IT) eligible for reductions in their social security and corporate profit taxes. Given broader issues in Russian tech production (such as the quality of domestic hardware and the brain drain of IT talent to foreign countries), the effectiveness of this initiative seems questionable.
Overall, there has been mixed success in Moscow’s push to develop domestic tech. While some Russian companies have made small gains as Western technology is expelled from government and business systems, in many cases Chinese firms take slightly more market share in Russia. Chinese telecom company Huawei Technologies, for instance, has played into Kremlin fears of Western espionage to accelerate expansion in Russia.
It remains to be seen whether Russia’s increased use of domestic software will better protect the state against espionage or end up undermining the cybersecurity of Russian citizens and the Russian internet ecosystem.
…and foreign finagling
On January 1, a new law came into effect requiring any foreign internet company with five hundred thousand daily Russian users to open an office in Russia. This is a blatant tool of coercion which fits neatly into the Russian government’s internet control model. Technical measures play a part, but traditional forms of physical, offline coercion—such as stalking and intimidation by the security services, including the Federal Security Service (or FSB, the KGB’s successor) in the digital sphere—are a means of scaring citizens, keeping tech firms in check, expanding surveillance, and generally controlling the shape of internet conversation.
The Kremlin demonstrated the power of this tool when it sent armed, masked thugs to Google’s Moscow office: When a company has employees on the ground, those are people who can be stalked, harassed, intimidated, threatened, jailed, or even killed. As of a few months ago, Google and Apple had complied with the local-office law; other major companies with users in Russia, such as Facebook and Twitter, have not.
Russian authorities have said they will not begin fining companies immediately for noncompliance if they demonstrate they are working on setting up an office. The list of companies which are required to open offices is notable: Facebook, Twitter, Telegram, TikTok, Zoom, Pinterest, and Spotify. It will be key to watch if they comply—and whether doing so would create any new legal or jurisdictional challenges amid any Kremlin censorship or data-access requests.
An internet of its own
In December 2021, a law came into effect mandating that only Russian entities can own cross-border communications lines. While many telephone and internet cable systems in Russia are already owned by Russian entities (and, often, by state-owned firms such as Rostelecom), it’s unclear what this means for the undersea cables that link the Russian internet to the global internet and are owned by multiple companies, some of them foreign.
The government also set up a registry of autonomous systems (routing internet traffic) that would be critical to the operation of the planned domestic internet, as well as mandated that internet providers work on countering Kremlin-defined “threats” on their networks.
In short, the Russian government continued building out components of the domestic internet law this year and has slowly started centralizing control over internet infrastructure in Russia.
This year: escalating crackdowns and limited room for maneuver
While it’s a very different internet and political environment, Western tech companies are at least generally familiar with a similar story in China: Companies wanted to enter the market and remain in the country to provide services and make money—yet they all reached a point at which the Chinese government was cracking down harder on the internet, and at which compliance with Beijing’s demands was simply too much. Many US tech companies exited the market, or at least closed their local offices. The Russian government has far less technology leverage than China’s vis-à-vis market size and power, as well as its chokehold on the global tech supply chain; but it has also demonstrated a considerable willingness to use outright force against foreign companies.
The Kremlin’s escalating pressure on Google portends a growing intolerance of Western technology companies that don’t comply with its demands. Importantly, the state’s will and ability to crack down will not apply equally or identically to all firms. Twitter, for instance, has been resisting the Russian government’s local office requirement—which meant the Kremlin had no Twitter employees in Russia to threaten when it wanted the company to censor protest content in March 2021. Still, companies are likely to face even more Kremlin pressure in 2022, and there is increasingly little that they can do to push back.
Filing appeals in the Russian courts is not a viable option, nor is looking for market leverage to negotiate with Russian officials. The US government is likewise in a tricky position, because any efforts to support Internet freedom in Russia will only exacerbate Moscow’s accusations, as conspiratorial and deluded as they are, that the internet and US tech firms are tools of the CIA and American subversion. If the Russian pressure campaign on tech companies ramps up further, as appears highly likely this year, it may prompt some (especially smaller) foreign tech companies to contemplate exiting the market altogether.
Many factors will influence whether and how the Kremlin will act, including traditional political considerations. Tech-company actions or inactions that intersect with high-priority issue areas for the Russian government, such as election opposition and mass demonstrations, are likely to continue receiving Kremlin attention (and therefore more coercive force). Conversely, it remains to be seen if historically lower-priority areas, such as enforcing Russia’s 2015 data-localization law, will get any more buy-in amid the domestic internet push.
Website or platform popularity and the reach of particular content may also be factors in the Kremlin’s response. YouTube, for instance, is the most widely used social media platform in Russia (with 85.4 percent penetration versus VK’s 78 percent penetration), whereas Twitter is much less popular among Russians. Even if Russian tech companies can functionally operate without YouTube in the Russian market, a severe crackdown on it would still be a serious decision given the platform’s immense popularity with Russians.
Notably, this campaign marks a departure from years past, when laws were enacted (such as on encryption, source code inspections, or data localization), but not necessarily enforced with high-level political buy-in. So while the pressure now seems like a means for the Kremlin to achieve compliance with its wishes, there is no guarantee it will stop there. Companies may find themselves facing a regime willing to use these tools for outright punishment as well.
Justin Sherman is a nonresident senior fellow at the Atlantic Council’s Cyber Statecraft Initiative. Follow him on Twitter: @jshermcyber
Wed, Jan 12, 2022
While Russia has attempted to reduce its dependence on the SWIFT payment system, it remains vulnerable to a sanctions cut-off in the event of a new Kremlin offensive in Putin’s eight-year undeclared war against Ukraine.