Should the West Build its Own ‘Great Firewall’?

Lost amid all the focus on China’s ‘Great Firewall‘ and Beijing’s efforts to censor what its citizens can see and say is the undeniable capability afforded to a nation’s defensive posture through a sovereign intranet. An irrefutable fact that likely contributed to Russia’s decision to build their own.

In June and July of 2021, Russia’s government disconnected its national internet from the global network to test its “sovereign internet,” Runet. The level of preparation needed and the cooperation necessary to disconnect the country’s networks from the global internet is significant. In 2019, Russia adopted a sovereign internet law aimed at ensuring the country could still function if it was cut off from global networks, in the event of a crisis with the United States, for example. Under this law, the country’s telecommunications companies were mandated to cooperate with the government and annually test this kind of disconnection.

Unsurprisingly, the law and its implementation prompted concerns by civil rights and free speech advocates who saw the move as an effort by the Kremlin to further control what was said and seen on the domestic internet. Similar concerns have been raised about China’s implementation. These are reasonable concerns and there exists sufficient evidence to confirm these networks are exploited in such ways.

This law, the test and Russia’s efforts to develop a sovereign internet mask a much more sinister possibility—Moscow could take the country offline, maintain its defensive cyber posture with minimal disruption and unleash relentless cyberwarfare on the west’s infrastructure; denying the United States and its allies the ability to respond in cyberspace. A disconnected Russian internet would allow them to attack telecommunications, financial networks and the electrical grid, largely with impunity and making it nearly impossible to retaliate—a capability that China already possesses. This renders any concept of ‘mutually assured cyber destruction‘ moot.

Russia and China’s efforts to isolate their cyberinfrastructures give the rest of the world reason to pause. The west’s digital infrastructure is expansive, unregulated, a creator of opportunity … and a point of significant weakness. Its vast, open and flexible nature allows amazing freedom—online bookings, communication, shopping, etc.—and has transformed the way we live. It also inhibits our security, limits opportunities for governments to ensure our safety and creates an ever-expanding threat landscape.

On the contrary, Russian internet traffic must pass through government-controlled nodes that allows the government to monitor and—if necessary—restrict access. Further, a Russian-owned Domain Name System (DNS) has been established to ensure the country’s sovereign internet continues to operate if external connections are severed.

Now, the Great Firewall of China has not made them immune to cyberespionage. As recently as March 2021, a Chinese cybersecurity research firm announced it had detected at least 40 high-level overseas hacker organizations and more than 2,700 advanced cyberattacks against China in the past few years. What these systems enable—on top of the ability to surveil their citizens’ internet activity, which must be reiterated—is the ability to take their entire nation offline if required. From this offline state, either Russia or China would be capable of relentless cyberattack without retaliation. The only cost? The freedom of their citizens to participate as global citizens.

Citizens of China are more familiar with the absence of internet freedom than their Russian counterparts. It has become increasingly widespread under General Secretary of the Chinese Communist Party (CCP) Xi Jinping’s administration to monitor and restrict the internet freedom of their citizens. The development of Russia’s sovereign internet evidences a transition by their government toward a similarly strict surveillance state. That said, no matter how familiar Russia and China are with their approach to citizen surveillance, the decision to completely remove their respective countries from the global community would be devastating to national stability.

One result of the COVID-19 pandemic—more now than ever—is that enterprise, innovation and opportunity are intertwined with the ability of an individual to participate as a global citizen. Ironically, citizens of China and Russia are two of the most internet-dependent nations in the world. For instance, in eSports, the fastest growing online community in the world, Russian and Chinese competitors rank second and third behind only the United States. Any justification for disconnecting either nation is unlikely to be well-received for long before the seeds of dissent take root and flower.

It is through expanding their sovereign internet to facilitate national surveillance that these countries have crippled the defensive capability it offers. The ability to maintain a defensive posture without inciting unrest is critical to the success of this capability. The sustainability of these exceptional defensive measures beyond the capability of any would-be adversary while maintaining the security of critical infrastructure is critical to its success. The west should not be looking to implement a nationwide internet managed through government-controlled nodes (that may or may not be used to surveil citizens). But a sovereign intranet that protects and maintains our critical infrastructure during periods of global conflict? That’s an idea.

No nation is prepared for the current cyberthreat landscape. The global skills shortage alone demonstrates the difficulties facing the sector. If the global landscape shifts to such an extent that nation-states are openly engaging in cyberwarfare against critical services, organizations would be as effective at protecting their infrastructure as sandcastles are at stopping the tide. It should be a priority for legislators to adopt strategies that improve the preparedness of our critical infrastructure should such an event occur.

There are existing legislative frameworks for managing risks relating to critical infrastructure that introduce positive security obligations for critical infrastructure assets. However, recent amendments to legislation in Australia, the United Kingdom, the United States and other western governments fall short of accounting for the necessary defensive measures required in the global climate that both China and Russia are actively preparing for. This oversight leaves nations exposed when faced with cyberattacks that would cripple health systems, communication, transportation and utilities.