Understanding Russia’s new “Sovereign Internet” Law

At the end of 2019, we saw so-called “Sovereign Internet” Law come into force, meaning we are starting to live in a very new Internet space in Russia. Like most similar legislation, it was quickly surrounded with different interpretations. As a nationwide service provider in Russia, we took a deeper look into how it works and assessed what requirements and opportunities it really brings.

However, before inviting you to read this blog, I would like to share a couple of links to BBC articles. On the morning of February 11, I read an article with the header “Swiss machines used to spy on governments for decades.” In short: the U.S. and German secret services control a Swiss company that makes encryption devices for secret services around the world. While the Swiss government got an untampered version, other governments paid a lot of money to get a tampered version. Interesting fact: Russia and China did not trust this company, Crypto, and did not buy these devices.

The other article is a bit older but also with an interesting header: “President Obama tells Hollande US no longer spying on France.”

Sovereign Law in a nutshell

The new law, designed to improve cybersecurity, will affect all users of the Russian Internet, both individuals and legal entities. But it does not mean that the Internet is suddenly being switched off or that its access is being altered in any way. For the majority of Internet users, there will be no immediate change.

What the law does do is allow the government to block malicious traffic, activities or sites. This will protect the Ru-Net and allow stable functioning and continuity in case of a critical nationwide cyber threat.

To implement the law effectively, Internet service providers are required to install deep packet inspection (DPI) tools that can identify the source of Internet traffic and filter content as required. This is monitored by Russian telecommunications authority Roskomnadzor.

Understanding the regulation’s workings

The Sovereign Internet Law does impose certain obligations on technology and infrastructure companies. These apply to Russian telecom operators, owners and holders of infrastructure and networks, such as cross-border communications networks, and anyone else who has an autonomous system number (ASN). An ASN is a unique global number used to aggregate communications and other technical facilities on the Internet. Numbers are assigned by the Internet Assigned Numbers Authority (IANA).

It may come as a surprise that technological networks were previously unregulated. It was assumed that they did not need to access the public network. Now, however, ASN falls under the Sovereign Internet Law. This means that organizations have certain obligations to meet, such as implementing operational-search measures and ensuring data storage.

To be clear: not only operators, but also a decent amount of enterprises, have ASNs, meaning for example that an MNC operating in Russia having an ASN may become subject to the Internet Sovereign Law – including having to organize legal interception within their corporate network.

In addition, telecom operators, certain infrastructure owners and Internet providers must notify Roskomnadzor of existing Internet exchange points and report on the use and users of cross-border circuits. These organizations must also take part in training sessions organized by the regulator.

The implications

The implications of the Sovereign Internet Law are complex and can appear blurred in places. Organizations are worried about where they stand and if they are compliant. We have taken a deep dive into the regulation and are here to advise customers on solutions that fulfill their responsibilities under the new regulation.

Those with networks that possess ASNs, for example, will have to comply with certain technical obligations. They will need to understand which category they fall into and what measures they need to take to protect their businesses. We can offer technical consulting services, together with a full audit, to help customers understand how applicable their infrastructures are to the Sovereign Internet Law and what they need to do to comply or if there is an option to move away from public autonomous systems.

Being prepared

At this stage, you must quickly assess if you have entities, equipment or network infrastructures that fall under the Sovereign Internet Law, if you have not yet done so.

Once you have determined if you use communications networks linked to an autonomous system, it is imperative that you run an audit to see exactly where your organization sits. You then need to analyze the options and costs in making your IT infrastructure compliant with the law while minimizing business disruption. You also need to designate employees who will be responsible for all organizational and technical activities involved in ensuring that you comply with the Sovereign Internet Law.

We are still in the early days, and we’ll keep assessing the influence of the Sovereign Internet Law on organizations. This will not be the last piece of regulation we will see around the Internet either within Russia or outside.

I look forward to keeping you posted on the Sovereign Internet Law.

Richard Van Wageningen

Richard van Wageningen is CEO of Orange Business in Russia and CIS and is the Head the IMEAR (Indirect, Middle East, Africa and Russia) region. He has extensive leadership experience in the IT and telecommunications industries – both in services and equipment manufacturing – and holds degrees from Groningen State Polytechnics and the University of North Carolina. Richard has lived in Russia for more than 10 years and speaks fluent Russian.