Russia just released an interesting strategic document concerning “information security” (in their nomenclature this includes cybersecurity and more) with a view to “determine the main threats to international information security”, it supposedly complements the doctrine of information security, and more. I'll go through a few points below. Unlike some documents of other countries, this is not about interpreting the rules of international cybersecurity (like done e.g. here, here, or here). But it does contain an idea: create a stand-alone committee or an institution/agency, an instrument tasked to settle "conflicts" (and perhaps reconcile issues of cyberattack attribution?).
Contents
Interestingly, among the goals stated in the document is “to promote the creation of international legal mechanisms for the prevention (settlement) of interstate conflicts in the global information space”. Think of this as including cybersecurity. In other words: work on a mechanism to “prevent or settle” cyber conflict matters. They also define what “information security” is: “International information security is a state of the global information space in which based on generally recognized principles and norms of international law and based on the equal partnership the maintenance of international peace security and stability is ensured”. This is supposedly done by a set of “institutions”.
Russia also counts among the main “threats” the following:
- “The use of information and communication technologies in military-political and other spheres to undermine sovereignty, violating the territorial integrity of states”, etc.
- “The use of information and communication technologies for terrorist purposes, including for the propaganda of terrorism”, etc.
- “The use of information and communication technologies for extremist purposes, as well as for interference in the internal affairs of sovereign states”
- “The use of information and communication technologies for criminal purposes, including for computer crimes”
- “The use of information and communication technologies to carry out computer attacks on the information resources of states, including critical information infrastructure”
- “The use of technological dominance in the global information space to monopolize the market of information and communication technologies, to restrict the access of other states to advanced information and communication technologies”
Apparently, the new policy is meant to reduce the above-mentioned risks. The way forward is supposedly via 1) United Nations frameworks, including the proposed “Convention on ensuring international information security” (i.e. think of this as a cybersecurity international treaty…?), 2) Creation of cyber norms (“assistance in the development, taking into account the specifics of information and communication technologies, of new principles and norms of international law governing the activities of states in the global information space”), 3) bilateral and multilateral cybersecurity treaties as well as expert consultations, including with regional partners and blocks (Asia's SCO, G20, BRICS, etc.), 4) “organization of international conferences and seminars on international information security” (I wonder who would be attending those?), 5) “improving the mechanism for the participation of representatives of the Russian scientific and expert community in research, analytical and scientific-methodological support for the promotion of the initiatives of the Russian Federation” (indeed, it appears that nobody attended the open sessions organised at the Open-Ended Working Group?), 6) technology standardisation - “promoting the national standards of the Russian Federation in the field of information security in the implementation of international and regional cooperation in the field of standardization”, 7) building “global, regional, multilateral and bilateral levels of confidence-building measures” 8) promoting the improvement, under the auspices of the UN, of the principles and norms of international humanitarian law in relation to the use of information and communication technologies, taking into account the specifics of these technologies.
New treaty and an international cyber-agency?
The policy speaks of a creation of a new international body or a process: “facilitating the creation of an effective international mechanism for monitoring the use of information and communication technologies to prevent their use for extremist purposes, as well as to interfere in the internal affairs of sovereign states”.
In other words, possibly an agency that would be tasked with the monitoring of how “information space” (so also “cyberspace”) is "used", including the threats, possibly such as cyber weapons or disinformation operation.
The elephant in the room (and a no-go territory?) for Western countries may be the very conception: the linking of cybersecurity and “information security”, which typically might also include aspects of information dissemination like the media or social media.
That said, the policy never mentions tools - cyber “weapons” or malware or such.
But the policy does speak of an establishment of a permanent monitoring process: “the development by an ad hoc open-ended intergovernmental committee of experts - a comprehensive international convention on countering the use of information and communication technologies for criminal purposes, as well as creating conditions for the subsequent adoption by the UN member states of this convention”. The problem of legitimacy would likely be solved as usual: such a committee would bring together a group of diplomats from a number of countries. It is unclear to me how technical competences would be reconciled, which is an important question considering the technical issues in the final report of the Open Ended Working Group:
Seems that demonstrably false content of the United Nations group on cybersecurity is in the final report... It will be voted by many countries. Will that make it true? Hint: the capability flow's direction is/was different. #uncyberoewg #cyberoewg #oewg
— Lukasz Olejnik (@lukOlejnik) March 11, 2021
https://t.co/QKOC43KhEh https://t.co/EugBnx40xh pic.twitter.com/ODjo4vRKNk
Summary
The policy never speaks of technologies, but it does speak of the use of technologies, including cyberattacks. In this sense, this document is very interesting.
This assertive policy might look a bit challenging from the Western perspective. Fortunately, we are not a Minister of Foreign Affairs so the big diplomacy issues do not necessarily concern us, so we focus on the aspects of merit.
Did you like the assessment and analysis? Any questions, comments, complaints, or offers for me? Feel free to reach out: me@lukaszolejnik.com