The Russian invasion of Ukraine has been accompanied by a chilling wave of repression inside Russia. The number of blacklisted websites increased dramatically in the aftermath of the war, as the Kremlin sought control over the narrative of its “special military operation,” and encryption technologies have become the next target. Media in the West has responded by calling the new system a “Digital Iron Curtain” and comparing it to China’s infamous Great Firewall. These comparisons are not accurate: the ship has already sailed for recreating the Communist Party’s leviathan of online censorship. But that doesn’t mean Moscow isn’t trying.
Artem Sheikin, a senator in the Russian Duma responsible for digital technology, announced in October that beginning in March 2024, Russia’s Communications Supervision Authority will block all VPN services from being downloaded in app stores if they provide access to material that the Russian state has banned. While the proposal is not feasible for various reasons, it indicates the level of concern that Russian authorities have regarding the potential for encrypted communications to allow citizens to access uncensored information.
Russian internet users, much like the rest of the world, are increasingly aware of the importance of VPNs for information security. For the first six months following the invasion of Ukraine, Russia, a country of 143 million, had the highest number of VPN software downloads of any country after India, totaling 33.5 million in 2022, as an increasingly security-savvy segment of the browsing population sought independent sources of news, away from Russia’s state-controlled media. Analysis of the adoption rate of forty-five leading VPN providers shows that VPN adoption rates in 2022 reached nearly 23 percent of Russian internet users, almost tripling 2021 numbers.
Russia began to clamp down on VPNs prior to the war, ordering all VPN services operating in the country to block access to blacklisted sites in 2019. Only the VPN provider Kaspersky Labs followed through and complied; international VPN services simply ignored it. Russian ISPs could bolster their capabilities for detecting VPNs, including using Deep Packet Inspection (DPI). Still, users can respond with various easy-to-configure countermeasures to obfuscate the use of VPNs.
While the Kremlin’s aims for VPNs are not as realistic, Russia and other authoritarian states have more success in targeting Transport Layer Security (TLS) encryption systems. TLS encrypts HTTP traffic, the foundation of the World Wide Web; without it, data would be easily intercepted. TLS depends on a network of certificate authorities to issue certificates verifying that websites have been secured. International SSL certificate authorities, mirroring other technology companies, exited Russia and Belarus following the Russian invasion of Ukraine in February 2022.
Russia was ready for the market exit, however. Russian cryptographers published a paper in March 2022 through the Internet’s International Standards Organization outlining a new encryption system for TLS certificates to be used in lieu of those international certificate-granting authorities. These certificates use an alternative encryption algorithm known as GOST, which functions with the existing TLS architecture. GOST is not supported by foreign browsers such as Chrome, Safari, and Firefox. Still, it has been adopted by Russian domestic browsers such as Yandex, pressuring the Russian populace to use the alternative system to access banking and government services.
Russia’s state-issued TLS certificates are now being adopted: thousands of Russian sites, including leading financial organizations, already use them. Estimates from Russia’s largest bank released in June 2023 calculated that 25-30 percent of devices have installed the certificate thus far, an impressive rate of adoption over a relatively short period. Not surprisingly, Crypto Pro, the firm that helped develop the certificates, works closely with Russia’s Federal Security Services (FSB).
Authoritarian states in the region have recognized TLS encryption as an internal security concern for some time. Russia floated the idea in 2016 of creating its own national TLS certificate authorities under the guise that they would be needed in case of a conflict with foreign actors. Kazakhstan, another post-Soviet state, pushed the idea further in 2019 when it began to require ISPs to inform citizens that they must install a government-issued TLS certificate, which would allow interception and eavesdropping, leading Western web browsers to block the certificate from being used in their software.
The targeting of TLS encryption in post-Soviet Eurasia runs parallel with Chinese efforts. Research by American network security experts presented in April 2023 documented how the Great Firewall rolled out new capabilities in November 2021, coinciding with the Chinese Communist Party’s Sixth Plenary Session, to detect TLS encryption and passively block attempts at encryption in real time using new detection algorithms.
The exact engineering behind the Great Firewall has been a closely guarded secret. Yet, the Chinese Communist Party had the foresight to build such an unprecedented censorship and surveillance system in the 1990s when the internet was in its infancy. The Firewall’s price tag was an estimated $700 million and still requires vast resources to maintain. Attempting to create such a system now in a country with over 3,000 ISPs stretched across eleven time zones where 80 percent of the population uses the internet regularly would require the resources of a super-civilization, a far cry from the dysfunctional, byzantine Russian security state.
This movement to create domestic TLS infrastructure is part and parcel of the tactics pursued by other authoritarian states in their increasingly brazen war on internet freedom. Belarus successfully cut off large portions of the internet during protests against election fraud in 2020, a move Iran attempted to copy in 2022. Russia announced legislation to create a sovereign internet system in 2019, using a localized system of DNS servers, which function as the phonebook of the internet, and the government has increased tests of the system since the outbreak of the war.
Perhaps the greatest reason for optimism is that these policies run against the grain of the internet’s development in the post-Soviet region. Eastern Europe is home to the world’s most sophisticated community of hackers and cybercriminals, who still fully embrace the 1990s vision of the internet as the world’s last “stateless space.” A sizable minority of Russian ISPs are already widely used by cybercriminals because they ignore abuse complaints.
Attempts by Russian censors to block forums used by Russian-speaking cybercriminals have led to the discussions shifting to dark web locations. While it is widely acknowledged that Russian law enforcement turns a blind eye to cybercrime that targets entities outside former Soviet countries, the sheer size and sophistication of the community would require draconian state policies that the Russian state does not have the resources to muster.
Russia will not successfully construct a true Digital Iron Curtain, but not for lack of effort. While increasingly aggressive tactics and sharing of “best practices” pursued by the Kremlin and other authoritarian states to target VPNs and internet encryption are not as headline-grabbing as their increasingly brazen state-sponsored hacking and espionage campaigns, they are just as crucial for all who are concerned about a free and open Internet. Cyber conflicts are no longer confined to states but increasingly impact citizens as well.
Luke Rodeheffer is the founder and CEO of Alpha Centauri, a cyber security and due diligence firm.