Inside Cyber Warfare - Jeffrey Carr [129]
The first Russian National Security Blueprint issued under President Yeltsin in December 1997 placed little emphasis on information warfare. Prime Minister Vladimir Putin chaired a fall 1999 series of Russian Security Council meetings to revise the document. The new National Security Concept, issued under President Putin in January 2000, pointed to “information warfare” and the disruptive threat to information, telecommunications, and data-storage systems. The new Military Doctrine issued in July 2000 discussed hostile information operations conducted through either technical or psychological means.[76]
In September 2000 the Security Council issued the first Russian Federation Information Security Doctrine.[77] The 46-page document provided the first authoritative summary of the Russian government’s views on information security in the public, government, and military sectors. The document also provided the strategic plan for future legal, organizational, and economic developments. The Security Council’s Department of Information Security,[78] one of seven Security Council Departments, drafted the document. Since September 2000, the Security Council has published additional supporting documents identifying research areas and Russia’s transition to an “Information Society.” The most recent presidential decree in May 2011 augmented the Security Council’s Interdepartmental Commission on Information Security’s capability to coordinate government action. As a body, these documents show a coherent government response to perceived information security threats.[79] Changes in government and military structures and procedures show the plan is being implemented aggressively.
New Laws and Amendments
The Information Security Doctrine stated that existing Russian law did not address Russia’s information security needs. As a result, the government passed a series of laws, and amendments to existing laws, addressing these deficiencies. However, certain laws also support information operations directed against perceived threats. For example, in 2009, amendments to Federal Law No. 149-FZ—On Information, Information Technologies, and Information Protection—mandated national identification numbers for Internet registration. The amendments also required that Russian operators provide authorities with registration information and other data needed for an investigation. The Russian press saw this as a threat to Internet freedom because the government could quickly identify who posted critical comments on a social media site.
At the same time, Federal Law No. 152-FZ, On Personal Data, prohibits Russian operators from releasing data to an “authority of a foreign state, a person or entity of a foreign state,” except under several limited and unlikely circumstances.[80] As a result, the law effectively prohibits Russian operators from passing data to foreign law enforcement agencies investigating cyber crimes or Distributed Denial of Service (DDoS) attacks. Inquiries must be made from government to government. Thus, by controlling the information it chooses to release, the Russian government can protect Russian Internet operations from investigations by foreign states.
The amendments to the Russian Federal Security Service (FSB) Law are particularly worrisome. The FSB Law authorizes activities in counterintelligence, combating terrorism, crime, intelligence gathering, border security, and information security. The FSB is responsible for protecting critical infrastructure, including communication networks. Article 15 defines modalities for relations between the FSB and other Russian institutions in executing FSB responsibilities. Under Article 15:
Public authorities, as well as enterprises, institutions, and organizations, are obliged to provide assistance to the Federal Security Service in carrying out their assigned duties.
Individuals and legal entities in Russia providing postal services, telecommunications of all kinds, including systems, data communication, confidential, satellite communications are obliged at the request