The new Russian Information Security Doctrine (Doktrina informatsionnoy bezopasnosti Rossiyskoy Federatsii) might appear to be a rather general document. Upon first sight, it seems that it doesn’t contain much interesting information. This view is misguided - it’s worth to look at the text of the doctrine in order to understand the direction of cybersecurity perception in the eye’s of Russian state. It offers a potent, rich field for interpretation.
New Russian doctrine recognizes the meaning of information technology and cybersecurity industry, as well as the impact it has on functioning of the state. It’s identified as a matter of great importance. During the doctrine analysis, It’s important to realize that Russia is a territorially big country and additionally - it’s also very diverse and divided (ethnically, religiously) - this creates obvious challenges on the state level. Creation of the strategy that is coherent, sound and feasible to implement and deploy is not an easy task. Especially when considering internal and external factors.
The text of the Doctrine demonstrates that Russian Federation has performed a broad analysis of weak points of its domestic economy and industry, as well as functioning of its own information systems. According to the Doctrine, the main weak points are: insufficient human resources (skilled people), weak (non-competitive) scientific and technological potential and as insufficient industry in the sphere of information technology. Russian Federation has also recognized the negative potential of foreign capital on its internal economy. The sole fact of the presence of foreign capital (zavisimost otechestvennoy promyshlennosti ot zarubezhnykh informatsionnykh tekhnologiy) is assessed as a threat and risk.
How can Russia respond to the challenges? According to the Doctrine, Russian Federation is not planning to rely on international cooperation. The response is rather centered around thinking in strong terms of state and sovereignty. The solution, according to the Doctrine, is to develop own resources in the information technology sector and build following bases: people, companies, and industry. One of the driving factors in this case should be the creation of preferential conditions for domestic business, science and technology.
When it comes to information technologies, Russia overtly places itself at a disadvantage in relation to other countries. In this case it’s interesting to ponder what is the true aim of formulating a message in this particular way. Is it intended for internal or external use? It’s obvious that the document will be widely and broadly debated and analysed.
In reality, Russian capabilities in cyber warfare are quite remarkable. But the Doctrine is apparently aiming to strengthen this particular aspect even more. This point is directly highlighted. Russia plans to develop strong cyber-offensive capabilities. Interestingly, the Doctrine specifies no reasons for building such an offensive potential. There is no answer to this question. Missing indication of the reasons may sound in a possibly passive-aggressive tone. Again, this point will be highly analyzed in a large number of compounds around the world. It’s interesting itself.
Additionally, Russia assesses that it is a target of ongoing misinformation campaigns. One example of such campaign is recognizing foreign propaganda, and specifically - intentional discrimination of Russian media abroad. Again, Russian passive-aggressive rhetorics.
Doctrine discusses territorial and cultural integrity of the state, it also focuses on traditional values, which are understood as an axis for building Russian national identity. The Doctrine highlights that traditional values are also put at risk and there are ongoing actions by foreign actors which aim to undermine them. It’s another interesting statement for an information security doctrine, which generally concentrates on the state of economy, science and development of information technology.
Summary
Russian Doctrine contains a number of valid and interesting points. It’s possible to see similarities to cybersecurity strategies of other countries (e.g. France, UK, US). However, the difference lies in motivation and structure.
It’s also interesting to wonder about the motivation for building a cyber-offensive potential, capable of conducting cyber-operations and cyber warfare. It is also clearly understood that this potential is a domain of the military. Again, the reasons for strengthening the potential aren’t mentioned.
PS. That’s probably my first article where I’ve used “cyber” so many times!