A Russian cybercrime group was behind the hack of JBS, the world’s largest meat supplier, the FBI said in early June—less than two weeks ahead of President Joe Biden’s Wednesday summit with Russian President Vladimir Putin. It was just the most recent Russia-linked cybersecurity story. The Biden White House’s sanctions over Russia’s influence operations in the 2020 election included six technology companies supporting Russian intelligence operations—plus multiple front organizations for Russian propaganda. Now, there is much speculation on the Kremlin’s involvement in a ransomware attack on Colonial Pipeline, the largest refined oil pipeline in the U.S., and the more recent attack on JBS. Biden said the administration does not believe the Russian government was involved in the first incident, but that the criminals are likely based in Russia—and the government should clamp down on such ransomware groups.
Biden will undoubtedly confront Putin about some of these activities to try and hold the Russian government to greater account for cyber activity emanating from within Russia. But for any progress on cybersecurity to come out of the summit, the White House must situate its policy toward Russian cyber operations in the context of the Putin regime’s growing pursuit of “cyber sovereignty,” which to Russia has historically represented the state’s desire to control the internet within its borders. A comprehensive treatment of Russian state cyber behavior means directly facing the entanglement between the Kremlin’s internet policy domestically and its cyber activity at home and abroad.
Internet control in Russia has a long history. In the early 1990s, the Russian security services implemented SORM-1, a telephone monitoring system; that was soon expanded to SORM-2 and SORM-3, used to monitor emails and many other kinds of internet data. The Russian Federation’s 2000 Information Security Doctrine, signed by Putin himself, laid out the Kremlin’s view of the internet and goals for managing perceived threats — with a focus on the idea of social and political stability (e.g., regime security).
As the internet picked up steam in Russia, though, authorities paid more attention to the internet as a “security” issue and took on new powers to address it.
The Kremlin’s growing alarm with “color revolutions” taking place in former Soviet republics—Georgia in 2003, Ukraine in 2004, Kyrgyzstan in 2005—fused with concern about the way internet users could spread information. Online coverage of the 2008 Russo-Georgian War, social media’s role in the Arab Spring, and the Snowden leaks in 2013, among other events, accelerated this Kremlin fear of internet openness. It also fed a conspiratorial view of Western online interference. When citizens used social media to mobilize protests against Putin in 2011 and 2012, authorities told Russian platform VKontakte to censor posts. Its CEO refused and was later ousted. Putin famously called the internet a “CIA project” in 2014; when the Panama Papers were published online in 2016, Putin blamed the “provocation” on American officials and called the documents an “informational product” meant to “destabilize” Russia.
Alongside these developments, the Kremlin used cyber operations to achieve strategic objectives: leveraging “patriotic hackers” who launched distributed denial of service attacks on Georgia in 2008; turning off power grids in Ukraine in 2015 and 2016; directing the GRU, Russian military intelligence, to hack and leak documents from the Democratic National Committee while the state-backed Internet Research Agency conducted information operations on American social media platforms. All the while, the state imposed internet website blacklists, data localization rules, and other restrictions that have seriously harmed human rights in Russia and undermined citizens’ ability to freely engage with the web.
You can’t separate the Putin regime’s view of domestic internet control from its view of cyber behavior abroad. Increased control over the online space within Russia has only enabled the regime to further use technology companies to achieve strategic objectives—including through spying, disinformation, and cyberattacks—and to censor, harass, and otherwise coerce firms that are uncooperative. Moreover, the Kremlin’s view of the open internet as a security vulnerability feeds into both chaos-sowing in countries abroad and control-cementation at home.
Any U.S. attempts to have the Putin regime place greater limits on cyber actors operating within Russia must take this broader pursuit of “cyber sovereignty” and “information security” into account.
Putin does not coordinate all cyberattacks emanating from within Russian borders. Gleb Pavlovsky, a “political technologist” (propagandist) and former Kremlin adviser, has spoken of “creating the illusion that Putin controls everything in Russia.” Putin is a delegator, not a micromanager, often stepping back from decisions and only getting involved when there are problems to be addressed. Still others have described this as the Kremlin setting broad strategic objectives and then allowing “adhocrats” across the elite to “become policy entrepreneurs, seeking and seizing opportunities to develop and even implement ideas they think will further the Kremlin’s goal.” Putin doesn’t always exercise control, even if he could.
The Russian government orders some cyber and information operations conducted by state actors, but it also leverages networks of state-sponsored groups to do so, as with the Internet Research Agency in 2016 or the multiple disinformation front groups recently exposed by the Treasury Department. Russian authorities reportedly tap nonstate hacker groups on the shoulder to launch operations on their behalf—sometimes a voluntary recruitment, other times under threat. Not to mention that the Kremlin frequently looks the other way on domestic cybercrime activity so long as offenders focus on targets beyond Russia and don’t contradict or undermine the Kremlin’s interests. Domestic control of the internet sphere enables the cooption of a range of domestic actors for a range of regime objectives.
In confronting Putin on cyber operations, then, the Biden administration must communicate very clearly what kinds of cyber activities it wants to shape. There are degrees of responsibility for cyberattacks, which means addressing state-sponsored election interference is different from something like the Colonial Pipeline incident, where the White House said the Kremlin may not have been involved at all. This is further complicated by the importance of deniability to the Kremlin’s political warfare strategy. If the administration can separate out some of these cyber and information operations from others, that may increase the slim odds for U.S.-Russian cyber engagement.
The Biden administration must also watch the creation of a domestic Russian internet alongside more assertive weaponization of cyber operations abroad. In the Kremlin’s ideal scenario, this domestic internet could be isolated from the rest of the world at will. For a regime where internet control frequently hits technical roadblocks—and relies on a far less technical system of internet control and coercion than in China—this may very well be a pipe dream. But the more the Russian government alters the internet in Russia to meet these objectives, the more it may shift the technical ways in which cyber operations must be conducted from within Russia. Limited connectivity to the global internet could shift the Kremlin’s cyber calculus—for instance, by leading it to leverage more hacker groups based geographically outside Russia, or by requiring it to uniquely architect some systems to enable attackers to launch operations from within the country.
The Kremlin is visibly committed to greater domestic internet control and continues to use cyber and information operations at home and abroad to promote strategic objectives. Further, Kremlin perceptions of information onslaught from the West—through U.S. social media platforms and internet openness itself—continue driving top-level attention to internet isolation. But Putin’s hold on power is not guaranteed, and the state’s political willingness to impose high costs on companies and citizens to achieve a domestic internet is uncertain. For Biden to confront everything from years of election interference to the recent Colonial Pipeline hack, the White House can’t just focus on a few select incidents. Rather, the U.S. must push for narrow objectives while navigating these relationships between internet control priorities at home and Russian cyber actors’ increasingly damaging operations abroad.