Information security doctrine
The Doctrine of Information Security of the Russian Federation, adopted at the end of 2016, is not a direct normative act. It is a system of official views on how all national information objects of value should be protected. In accordance with it, laws and by-laws should be developed. Contrary to popular belief, the essence of the document was not censorship, but strategic planning and application of technology. The new document, approved by the Decree of the President of the Russian Federation, replaced the previous one, adopted back in 2000 and significantly outdated. The new version of the information security protection concept was developed by the Security Council.
The purpose of developing a strategic document
Over the 16 years that have passed since the adoption of the first edition of the document, a significant part of communications, management, and financial resources have moved to the Internet and are at risk. The information security doctrine of the Russian Federation has introduced new concepts and terms that meet the requirements of the moment. The purpose of its publication was to protect the interests of a person, the entire society and the state from threats that are caused by the possibilities of using information technologies for military or political purposes. These threats may turn out to be not only foreign or international, but also domestic. The degree of threat to national interests does not depend on the territorial affiliation of the terrorist or extremist organization. At the same time, if in the early 2000s the risks were of a more criminal nature, they were associated with the drug and arms trade, extremism, then in 2016 there were threats to the security of infrastructure facilities. The Chairman of the State Duma Committee on Information Policy noted that the facts of interference through the Network in the control systems of individual production facilities had already been revealed. This enhances the need to ensure not only ideological, but primarily technological security.
Types of threats. Their severity and risks
The developers of the information security doctrine identified the main groups of information threats, which include:
- the desire of the leadership of some countries to dominate the world, including in the information space, for which technological capabilities are used, sometimes exceeding those available to domestic specialists, while this desire becomes part of the official state policy;
- informational and psychological influence on the citizens of Russia, which is used to intensify internal contradictions, destabilize the situation, weaken the sovereignty and level of internal security of the Russian Federation. Strategic adversaries are constantly building up their capabilities and resources to accomplish this task. To control the economy and politics, foreign states seek to control opinions and emotions, actively using the media and social networks for this;
- using the media to significantly worsen the image of Russia in the eyes of the international community, systematically undermining the authority of the Russian media.
But the concept developers did not limit themselves to ideology and geopolitics and paid considerable attention to technology issues. They referred to the real dangers that significantly reduce the country's information defense capability:
- noticeable lag of internal IT-developments from the world level;
- fearsome dependence on foreign equipment and components used for the production of computers and telecommunications networks;
- low level and ineffectiveness of research in the field of information technology conducted on the basis of Russian scientific institutions and institutes.
Less significant from the point of view of national security, but significant for the interests of the individual, was named such a threat as the growth of cybercrime, including in the banking sector. It is not named separately in the Doctrine, but there is such a threat as deface, or hacking of the site of a state or public organization by a hacker group and placing an extremist appeal on its pages. Hackers can represent international terrorist organizations, nationalist movements from a number of countries that are in the wake of Russian foreign policy, but in most cases the special services of Western states are behind them. The use of deface as a demonstration of force is intended to show the vulnerability of the state's information system, to introduce uncertainty in the minds of hundreds of thousands of citizens.
Where are the provisions of the document planned to apply?
The developers of the Information Security Doctrine named five spheres of political and public life in which the application of the system of views set out in the document should be most relevant:
- defense, which is understood as the external aspect of protecting national interests;
- state security and issues of internal stability;
- science, education, high technologies;
- strategic stability. It refers to issues not only internal, but also geopolitical, maintaining the concept of a multipolar world. Also in this part of the concept, the task of controlling the internal Internet is considered.
How to manage this
The greatest number of questions to the National Doctrine of Information Security was caused by its proposed methods of combating threats, it was they that led to public misunderstanding, talk in the press about censorship and the "Chinese model" of the Internet. The document suggests the following methods:
- identification of information signals aimed at "undermining the historical foundations and patriotic traditions associated with the defense" of Russia, their elimination. This task arises in the country's defense sector;
- fight against the leveling of “traditional spiritual and moral values”. It is entrusted to the state security agencies, along with the protection of infrastructure facilities that provide information exchange, and the fight against extremism;
- import substitution and innovative development of the electronics industry. Interestingly, the Doctrine does not name communication technologies, the development of the Russian Internet, the creation of an internal analogue of SWIFT and other significant issues;
- scientific development of technologies that have prospects for practical application;
- managing the Russian segment of the Internet to ensure strategic stability.
Innovations relative to the previous version of the document
The 16 years that have passed since the development and adoption of the first version of the Doctrine of Information Security of the Russian Federation have significantly changed the world, and with it the understanding of the structure and significance of the main threats. Some new positions and views appeared in the document. Among them:
- the danger of "information and psychological impact" on citizens is recognized as one of the main threats;
- in addition to foreign intelligence services and international terrorist organizations, extremist groups are recognized as subjects of threats to the information security of the Russian Federation. The basis for this was the active development of Islamic extremist movements. Human rights, religious and ethnic organizations were also named as independent entities;
- for the first time, a distortion of the image of Russia in foreign media was named as a problem. The doctrine does not consider media concerns as independent subjects of threats as representatives of the "fourth estate", seeing in them only agents of foreign governments. In an earlier version of the document, only those risks were noted that arise due to the fact that the spiritual, political and economic life in the country is highly dependent on the position of foreign information structures.
It is interesting that, judging by the analysis of the texts of the two editions of the Doctrine, such a danger as the presence of a monopoly on the formation, receipt and distribution of information in the Russian Federation has been completely eliminated. Obviously, the emergence of a large number of independent news agencies, television channels and private media has reduced the risk. Most likely, in the first edition, it was mentioned against the background of the case of NTV, a television channel controlled by the oligarchy and providing information in a way convenient for him and uncomfortable for the country's leadership. The NTV case was finally completed only in 2003.
In interpreting the Doctrine, such dangers were also named, such as attempts by Western countries to introduce global censorship on the dissemination of information in the world, having an advantage in technology and audience coverage, achieved by control over key TV channels and publications. The creation and development of our own mouthpieces for the dissemination of information has become one of the essential tasks that must be solved within the framework of the implementation of the Information Security Doctrine. It is the dissemination of information that can increase influence in the international arena at a level that cannot be achieved only by political means.
Since the system of views set forth in the Doctrine does not have an independent regulatory and legal force, its implementation is expected through the adoption of sectoral documents on strategic planning in the Russian Federation. The list of documents and the stages of their implementation in the medium term should be determined at the level of the Security Council of the Russian Federation. They study how the provisions of the concept are applied at the level of government, science and economics, as well as the results of monitoring, the head of the Security Council must report annually to the president. Now the scope of the document is expanding, it is assumed that it will form the basis of the practice of communicating Russia's position on international politics to the whole world, which is now being implemented both by the work of the media and by official statements of Russian officials broadcast by news agencies.
After the adoption of the Doctrine of Information Security of the Russian Federation, the government developed and submitted to the State Duma for consideration a package of bills on the protection of critical infrastructure facilities. The Critical Information Infrastructure Law came into force in 2018. In accordance with it, the FSTEC orders were developed, defining technical means and resources designed to protect facility management systems from illegal entry. The laws on the media were practically avoided, and the developers of the Doctrine sought to evade any accusations of prohibiting the free movement of information. However, laws on fake news can also be viewed as one of the areas of protection of national information security, since it is these news that are most often used for internal political destabilization.
Business and Doctrine
Despite the fact that most of the provisions of the document are devoted to issues of internal and external information security of the state, it also affects the interests of business. A significant part of the company's income is now in electronic form, in bank accounts, therefore, the protection of the national credit system has become one of the main tasks declared by the document, the essence of which is the security of the interests of not only the state, but also the individual and society. In addition, the Doctrine pays attention to the protection of power supply facility management systems and other backbone facilities, which often belong to business representatives. Here, in terms of implementing the provisions of the strategy, entrepreneurs join forces with the state. Businesses can count on R&D support aimed at creating innovative information technologies.
From the business side, the following participants in the process of ensuring information security in Russia were named:
- companies that own or for one reason or another (lease, public-private partnership) operate critical infrastructure facilities and maintain systems for protecting their information security;
- print and electronic media, TV channels;
- banks, companies operating in the organized securities market. Insider risks that could undermine the prices of stocks and bonds of Russian companies are also significant;
- operators of communications, telecommunications, information systems;
- developers of IT technologies.
Business, accepting the provisions of the Doctrine, must understand that cooperation with the state and public authorities in terms of protecting information security ensures the observance of its interests.
Like any concept affecting the interests of various departments and sectors of the economy, the Information Security Doctrine has collected a bunch of mixed opinions of experts. Among its advantages, experts unanimously noted the emergence of specifics, a clear systematization of threats, an understanding that technological weakness is a more significant risk than encroachment on ideological concepts, despite the fact that, in fact, semantic values in the concept are recognized as significant. However, the threat analysis paid insufficient attention to such issues as:
- lack of competent personnel capable of working in the field of information security protection, weakness of the system for their training, especially at the junction of information technology and ideology;
- poor informing of citizens in terms of protecting their own security in the information world, especially with regard to protecting the rights and freedoms of children;
- underestimation of social engineering methods and their impact on company employees who often violate information security rules, being insufficiently informed about the work of such technologies.
Also, the document did not explicitly name the geopolitical strategic goals that follow from the foreign policy of the Russian Federation. Their direct mention would facilitate the adoption of laws and other normative acts concerning this aspect of information interaction with other states.
The Russian doctrine of information security has not been valid for so long, but an analysis of the practice of its application already shows that the laws adopted in accordance with it and the national consensus achieved in terms of protecting critical infrastructure facilities are bearing fruit.