Inside Cyber Warfare Part 24

Russian Government Policy

The first Russian National Security Blueprint issued under President Yeltsin in December 1997 placed little emphasis on information warfare. Prime Minister Vladimir Putin chaired a fall 1999 series of Russian Security Council meetings to revise the doc.u.ment. The new National Security Concept, issued under President Putin in January 2000, pointed to "information warfare" and the disruptive threat to information, telecommunications, and data-storage systems. The new Military Doctrine issued in July 2000 discussed hostile information operations conducted through either technical or psychological means.[76]

In September 2000 the Security Council issued the first Russian Federation Information Security Doctrine.[77] The 46-page doc.u.ment provided the first authoritative summary of the Russian government's views on information security in the public, government, and military sectors. The doc.u.ment also provided the strategic plan for future legal, organizational, and economic developments. The Security Council's Department of Information Security,[78] one of seven Security Council Departments, drafted the doc.u.ment. Since September 2000, the Security Council has published additional supporting doc.u.ments identifying research areas and Russia's transition to an "Information Society." The most recent presidential decree in May 2011 augmented the Security Council's Interdepartmental Commission on Information Security's capability to coordinate government action. As a body, these doc.u.ments show a coherent government response to perceived information security threats.[79] Changes in government and military structures and procedures show the plan is being implemented aggressively.

New Laws and Amendments

The Information Security Doctrine stated that existing Russian law did not address Russia's information security needs. As a result, the government pa.s.sed a series of laws, and amendments to existing laws, addressing these deficiencies. However, certain laws also support information operations directed against perceived threats. For example, in 2009, amendments to Federal Law No. 149-FZ-On Information, Information Technologies, and Information Protection-mandated national identification numbers for Internet registration. The amendments also required that Russian operators provide authorities with registration information and other data needed for an investigation. The Russian press saw this as a threat to Internet freedom because the government could quickly identify who posted critical comments on a social media site.

At the same time, Federal Law No. 152-FZ, On Personal Data, prohibits Russian operators from releasing data to an "authority of a foreign state, a person or ent.i.ty of a foreign state," except under several limited and unlikely circ.u.mstances.[80] As a result, the law effectively prohibits Russian operators from pa.s.sing data to foreign law enforcement agencies investigating cyber crimes or Distributed Denial of Service (DDoS) attacks. Inquires must be made from government to government. Thus by controlling the information they choose to release, the Russian government can protect Russian Internet operations from investigations by foreign states.

The amendments to the Russian Federal Security Service (FSB) Law are particularly worrisome. The FSB Law authorizes activities in counterintelligence, combating terrorism, crime, intelligence gathering, border security, and information security. The FSB is responsible for protecting critical infrastructure, including communication networks. Article 15 defines modalities for relations between the FSB and other Russian inst.i.tutions in executing FSB responsibilities. Under Article 15: Public authorities, as well as enterprises, inst.i.tutions, and organizations, are obliged to provide a.s.sistance to the Federal Security Service in carrying out their a.s.signed duties.

Individuals and legal ent.i.ties in Russia providing postal services, telecommunications of all kinds, including systems, data communication, confidential, satellite communications are obliged at the request of the Federal Security Service to include in the extra hardware equipment and software, as well as create other conditions necessary for the operational and technical measures by the Federal Security Service.

In order to meet the challenges of RF, security forces of the Federal Security Service could be a.s.signed to public authorities, enterprises, inst.i.tution, and organizations irrespective of owners.h.i.+p, with the consent of their managers in the manner prescribed by the President of Russia, leaving their military service.

Russian law ensures that significant Internet infrastructure remains under Russian control. Under the provisions of Federal Law No 57-FZ, The Strategic Companies Law, foreign ent.i.ties cannot acquire a controlling interest in a strategic company without prior approval from the Russian government. Through provisions specifying which ent.i.ties can perform data-encryption services, the law covers the telecommunications sector directly and the Internet sector indirectly.

The Russian government controls the critical Russian Internet structure. The Russian fiber optic network, which is owned by national and regional communications companies that are Russian Railways subsidiaries, is normally routed along railroad right of ways. Russian Railways is the state-owned company run by Vladimir Yakunin, a former KGB officer who is in Putin's St. Petersburg circle.

The primary organization overseeing Russian Internet development is the Russian Inst.i.tute for Public Networks (RIPN/RosNIIROS). According to its website (www.ripn.net), RIPN was started in 1992 as a nonprofit organization by the Russian State Committee for Science and Education and Kurchatov's Inst.i.tute of Atomic Energy. RIPN founded another nonprofit, the Moscow Internet Exchange (full name: ANO TSVKS MSK-IX), in 2001.

According to its website (www.msk-ix.ru), MSK-IX provides vendor-neutral Internet infrastructure. However, MSK-IX's website shows that customers sign two contracts: one for ANO TSVKS MSK-IX basic services and one for technical connection to the Internet. The technical connection contract states that MSK-IX's M9 facility is located at a facility owned by Open Joint Stock Company MMTS-9 (OAO MMTS-9) at Butlerova 7. OAO MMTS-9 is a subsidiary of Russia's nationally owned telecom company Rostelecom. Essentially, this means that the Russian government ultimately controls the Internet connections.

Government Structures

A March 2011 article in Finansovaya Gazeta, a publication of the Russian Finance Ministry, provided a tutorial on the top-level structure of Russia's "Comprehensive Information Protection System (KSZI)." (See Figure 15-1.) According to the article, the KSZI starts with two organizations: the Federal Service for Technical and Export Control (FSTEC[81]), subordinate to the Ministry of Defense, and the Federal Security Service (FSB), subordinate to the Russian president. The FSTEC certifies technical equipment and issues licenses to both private and government organizations for work with cla.s.sified information. The FSB issues licenses for work with cryptographic material, and it controls the dissemination of cryptographic material, including technical equipment and software. Federal Law No. 40-FZ, On the Federal Security Service, a.s.signs the FSB overall responsibility for protecting Russia's information security and critical infrastructure-including telecommunications and the Internet-placing the FSB above the Ministry of Defense in the KSZI food chain. Indeed, FSB authority over Russia's cryptographic infrastructure is nearly absolute.[82] Even the Russian Academy of Cryptography, a prestigious academic inst.i.tution, is subordinate to the FSB.

Russian Presidential Decree No. 351 identifies one additional organization critical to the Russian Internet, the Federal Security Organization (FSO)[83]-also subordinate to the president. Decree No. 351 tasks the FSO with developing secure Internet connections for the Russian government that deali with cla.s.sified information. The KSZI starts with the Russian Federation Security Council's Information Security Department, a Ministry of Defense body, and two security service components.

Figure 15-1. Russian cyber security structure *

[76] The uncla.s.sified Russian Military Doctrine is accompanied by cla.s.sified annexes with implementation instructions. Russian government and Russian military personnel comment on the uncla.s.sified doc.u.ments; however, references to the cla.s.sified annexes are infrequent. Nevertheless, they led to changes in force structure and training that can be tracked.

[77] The Russian Federation Security Council operates as an operational staff both coordinating and implementing policy through a system of Interdepartmental Commissions. It exercises more authority than the US National Security Council (NSC), which is a policy coordination body.

[78] Career intelligence officer Colonel-General (Ret.) Vladislav Petrovich Sherstyuk has headed the Information Security Department since 1999. Sherstyuk started in the signals intelligence components of the Committee on State Security (KGB). He is a cryptologist by training.

[79] The doctrine's threat definitions, especially technical threats, are similar to those found in US doc.u.ments. However, there are differences. For example, the doctrine repeatedly defines threats posed by "disinformation" and "propaganda" that threaten citizens' "spiritual life" and the Russian government's ability to communicate with domestic and foreign audiences. Foreign owners.h.i.+p of networks and media is defined as a threat. Monopolies-whether foreign or domestic-controlling dissemination of information are defined as threats. The "unlawful use of special techniques influencing the individual, group, and social consciousness" is also perceived as a threat.

[80] For example, the operator could release the data to "protect the life, health and other vital interests of the personal data subject or others if you cannot obtain the written consent of the subject of personal data."

[81] Frequently translated as FSTEK. However, they are the same organization.

[82] Under Russian law, even the Ministry of Defense uses cryptography that the FSB can monitor. The Federal Security Organization (FSO) provides presidential communications using FSB-approved cryptographic technology-however, the FSO maintains the keys.

[83] Depending on the translation source, this can also appear as the Federal Protection Service. They are the same organization.

Russian Ministry of Defense

We now turn to changes in the Russian Ministry of Defense (MOD) driven by the Information Security Doctrine. These changes enhance the MOD's ability to develop IO- relevant technology and rationalize IO force structures.

Administrative Changes

President Putin's Edict No. 1477 in November 2007 mandated changes in the Russian Ministry of Defense. The edict created two new deputy defense ministers. The Deputy for Information and Telecommunications Technologies now handles automated control systems, telecommunications, and information technology. Russian press commentary stated that this transferred responsibilities from the Directorate of Communication Troops and the General Staff's 8th Directorate (Information Security) to a civilian. Press commentary also stated that the General Staff was not pleased. Chief of General Staff Yuri Baluyevsky, his First Deputy, the chief of the Main Operations Directorate, the chairman of the General Staff Military Scientific Committee, and the chief of Armed Forces Communications all left their offices in protest over the diminution of their authority.[84] The first deputy minister was Major General (Reserves) Oleg Eskin, a former FSB officer.

While not stated specifically, the new deputy defense minister's portfolio almost certainly includes IO.

Electronic Warfare Troops

The decade after the 2000 Information Security Doctrine saw an explosion of IO writing by Russian military officers and defense oriented academics (see the sidebar, Russian Information Technology (IT) Security Training). Some, such as Noncontact Wars by Major General (Ret.) Vladimir Ivanovich Slipchenko, attracted foreign comment.[85] By decade's end, the Russian military was consolidating significant offensive and defensive IO capabilities in the Electronic Warfare (EW) Troops. Indeed, speaking at a conference in February 2008-before the August Russia-Georgia conflict-Deputy Chief of the General Staff Aleksandr Burutin stated that the military, and the security services, were creating appropriate units and conducting training. In an April 2010 Krasnaya Zvezda interview, Chief of Russian Electronic Warfare Troops Colonel Oleg Ivanov stated that the EW Troops had special equipment for operations against information management systems.[86]

The senior officer's statements highlighted an ongoing process. In June 2001 Russian Public Television, ORT, presented a segment on the Voronezh Military Radio-Electronics Inst.i.tute (VIRE). The ORT correspondent stated that the inst.i.tute started one secret information security school in 1997, and then another secret school devoted to information warfare. The information warfare school began training professional hackers for the military in 2001. Both schools were located in the Department of Automatic Control Systems.

In 2008 Russian Federation Order No. 1951 restructured military higher education and established the Voronezh Military Aviation Engineering University (VAIU). The order authorized the university 15,092 total civilian and military personnel. According to a May 2009 article, the university was expanding, with the cadet body growing from 4,800 to 6,500.

The restructured university includes two schools covering information security and information warfare. The VAIU website shows departments for Electronic Warfare and Electronic Warfare (Information Security). The five-year program in Electronic Warfare (Information Security) leads to designation as Specialist Data Protection for both military and "law enforcement agencies." The web page content for the Department of Electronic Warfare (Information Security) is quite spa.r.s.e compared to other department pages, which suggests that the material is sensitive. The extremely high ratio of staff to students-approximately 15,000 total staff and 6,000 students-is strange unless VAIU's role goes beyond training junior officers.

There is also a Department of Electronic and Information Warfare at the Strategic Rocket Forces (SRF) Academy. The web page for Dr. Anatoly h.o.r.ev, the head of the Department of Information Security at the Moscow Inst.i.tute of Electronic Technology (MIET), states that he headed that SRF Academy department from 2001 to 2007.[87] However, published articles show the previous department head, Colonel Vladimir Novikov, speaking on information warfare at a Moscow think tank in 2001.

There is little information on the specialized electronic and information warfare curriculum at VAIU and the SRF Academy. However, university-level training in various IT security specialties is taught at approximately 90 inst.i.tutions (see the sidebar, ). Many, including the prestigious Moscow Engineering Physics Inst.i.tute (MIFI), train students sponsored by the security services and military. Indeed, MIFI's Department of Information Security "partic.i.p.ates in military-scientific and scientific research work on military topics."

Information warfare's softer side is addressed at the Military University in Moscow. According to a 2000 Krasnaya Zvezda article, the university's Department of Foreign Military Information-formerly the Department of Special Propaganda-had reorganized to include information security material.[88]

Russian Information Technology (IT) Security Training Russian IT security training was done by the security services from 1949 until the early 1990s. Traditional Russian universities, starting with the Russian State Humanities University (RSUH), began offering information security degrees in the late 1980s. In 1991 the Moscow State Engineering Physics Inst.i.tute (MEPHI) began offering information security training under the Faculty of Applied Mathematics. In 1995 the security services formed a state standards committee with members from the civilian universities and military academies. The current standards-published jointly by the Russian Federation Ministry of Science and Education and FSTEC-are developed by a scientific advisory board, which is chaired by the Federal Security Service (FSB). All Russian university IT security programs use the approved curriculum. There are currently six majors, with approximately 90 Russian universities offering at least one specialty: Cryptography 090101 Computer Security 090102 Organization and Technology of Information Security 090103 Integrated Protection of Objects of Information 090104 Integrated Information Security of Automated Systems 090105 Information Security Telecommunication Systems 090106 One additional major, Countering Technical Intelligence 090107, is offered only by Moscow State Technical University.

The Federal Service for Technical and Export Control (FSTEC)-Military Unit (Vch) 96010

In 2004 two presidential edicts transformed the State Technical Commission (Gostekhkomissiya) into the Federal Service for Technical and Export Control (FSTEC), subordinate to the Russian Ministry of Defense. All federal and regional Gostekhkomissiya components transferred to the FSTEC. Edict No. 314 also transferred export control from the Russian Ministry of Economic Development and Trade to FSTEC.

FSTEC's focus is information security and export control of sensitive technology. FSTEC is responsible for information security in Russia's information and telecommunication networks,[89] and it directs technical intelligence countermeasures guarding networks from foreign penetration. FSTEC works closely with the FSB. The FSB retains sole responsibility for cryptographic technology.

FSTEC exercises its responsibilities by licensing organizations and technology, overseeing projects, and monitoring networks. The FSTEC website posts reference doc.u.ments, such as information security-related laws and regulations. The site also posts lists of technologies and organizations certified for information security projects.

FSTEC also projects information security threats and develops countermeasures, including future training requirements for information security personnel. FSTEC's State Scientific Research Experimental Inst.i.tute of Problems of Technical Protection of Information (GNIII PTZI FSTEC), located in Voronezh, works with government laboratories, educational inst.i.tutions, and certified contractors. GNIII PTZI FSTEC also works with government-owned Russian companies, such as Gazprom and Russian Railways. Several well-known information security companies, such as Informzashchita and Bezopasnost, are probably GNIII PTZI FSTEC spinoffs.

The Russian Duma is debating amendments to Federal Law No. 152-FZ, On Personal Data, which would expand FSTEC's reach. Amendments to the current law, ostensibly written to protect personal privacy, would require FSTEC and FSB certification for organizations that store personal data. Russian press commentators point out that this includes social media. The Duma is also considering amendments to the Criminal Code, which would require social network operators to register users' internal pa.s.sport numbers. Because certification includes monitoring for compliance, FSTEC could quickly identify "problems" on social media sites and the persons involved.

5th Central Research and Testing Inst.i.tute of the Russian Defense Ministry (5th TSNIII)-Military Unit (Vch) 33872

Founded in 1960, the 5th TSNIII is the MOD's lead inst.i.tute for EW research. The 5th TSNIII has long been listed as an FSTEC-approved certification center for information security. Several official information security publications list the inst.i.tute as author. Russian social media sites and posted resumes include employment at the inst.i.tute and/or Vch 33872.[90]

The postings indicate that the inst.i.tute employs 100 to 1,000 range, or 1,000 to 10,000. An uncla.s.sified article on MOD research inst.i.tutes stated that the 5th TSNIII employs around 2,000 people, with approximately 200 of those personnel possessing PhDs.

The 5th TSNIII probably changed names during the 2010 MOD reorganization. The new name is Federal State Research and Test Center of Electronic Warfare and Evaluation of Low Observables (FSI FGNIITS EW OESZ).[91] The new center is located at the same Voronezh address as the 5th TSNIII, and is listed as an information certification center on the 2011 FSTEC list. For the first time since the late 1990s, the 5th TSNIII no longer appears. The VAIU website lists the new center as a VAIU component. However, while not mentioned specifically, Putin's 2008 Russian government decree reorganizing the military educational system does allow for "subsequent formation of separate structural subunits."[92] The center's location under VAIU might explain the high ratio of staff to students, as mentioned previously.

Voronezh city doc.u.ments and the VAIU website show VAIU's Department of Electronic Warfare and Information Security and the center located at the same Voronezh address. The co-location of an FSTEC information security certification center and VAIU's "hacker" training department is interesting (see the sidebar, ). A 2006 Russian military press article stated that VIRE-now a VAIU component-needed a unified teaching and research center for the quality EW training of personnel from the armed forces, FSB, and Interior Ministry (MVD). The co-location achieves that goal.

Structure of Russian EW (IO) Forces Since 2006, Russian military press has predicted that the EW Troops would become an independent combat arm. In 2010 Military Frontier, a Ukrainian hosted forum on Russian military developments, provided a projected structure for Russian EW Troops composed of military units (Vch) 21882, 77111, 33872, and 96010.

Research shows that Vch 77111 is the MOD Main Center for Computer Security located in the new General Staff building in Moscow (see Figure 15-2). Vch 33872 is the 5th TSNIII and-based on standard Russian military practice-is almost certainly the new research center's unit number. Indeed, the forum accurately projected the name change for Vch 33872 from 5th TSNIII to a new name including "low observables."

Russian doc.u.ments indicate that Vch 21882 is a component of the Federal Communications Agency (FCA) within the Ministry of Defense. According to the 2004 Russian Government Resolution, the Federal Communications Agency, under the Ministry of Communications, is responsible for managing communication, satellite, and broadcast networks.

The resolution also states that FCA manages Russia's entire telecommunications network during emergencies, organizes the certification system for communications, and deconflicts frequency a.s.signments. The FCA doc.u.ments do not list a MOD component. The organization chart, however, shows a Department of Special Communications and Information Protection that probably correspond to Vch 21882. The FCA's authorized strength is 112 (i.e., 112 staff members).

An organization like Vch 21882 is likely necessary to coordinate normal network operations with information operations during "emergencies." Establis.h.i.+ng FCA is consistent with objectives set out in the 2000 Information Security Doctrine.

Figure 15-2. Old (bottom) and new (top) General Staff buildings in Moscow

18th Central Research Inst.i.tute of the Russian Defense Ministry (18th CRI MOD)-Military Unit (Vch) 11135

Subordinate to the General Staff's Main Intelligence Directorate (GRU), the 18th CRI is the MOD's main research center for signals intelligence. Originally focused on radio intercept and satellite communications, the 18th CRI also works on wireless devices, and it may have a role in Supervisory Control and Data Acquisition (SCADA) system security.[93] The FSTEC 2011 list on certified information security products lists Vch 11135 as a testing laboratory.[94] Russian press articles state that Vch 11135 developed the first electromagnetically s.h.i.+elded personal computer approved for use by the MOD, FSB, and MVD. The articles state the computer, produced in a Vch 11135 facility, is also used by financial inst.i.tutions. The 18th CRI employed approximately 5,700 people in 2010.

27th Central Research Inst.i.tute of the Russian Defense Ministry (27th CRI MOD)-Military Unit (Vch) 01168

The 27th CRI is the MOD's lead inst.i.tute on information technology and command and control systems. The 27th CRI's full t.i.tle includes the subt.i.tle "Scientific and Research Testing Center Communication Systems," reflecting the 2010 merger with the 16th Central Research and Testing Inst.i.tute (16th TSNIII-Vch 25871) done under Ministry of Defense Order No. 551. The 27th CRI headquarters is in Moscow; the test center is in Mytishchi, northeast of Moscow.

According to an uncla.s.sified history, the 27th CRI was founded in 1954 as the MOD's Computer Center No. 1. As the country's first computer center, the 27th CRI recruited personnel from the military academies and from Russia's most prestigious schools, including Moscow State University (MGU) and the Moscow State Engineering Physics Inst.i.tute (MEPHI). 27th CRI software personnel worked on the Soviet s.p.a.ce program and military missile programs. The 27th also provided support to the GRU. According to General of the Army Aleksandr Starovoytov (a KGB SIGINT officer), Vch 01168 examined ways to use computer networks to spread disinformation.