Category Archives: Internet Security

‘We have to stay in front of our kids’ | Experts advocate for parental involvement to strengthen cyber security – ABC10.com KXTV

The suggestion comes after a 24-year-old Sacramento man is behind bars, being accused of directing more than 80 underage victims to produce porn across the world.

SACRAMENTO, Calif. – Investigators believe 24-year-old Demetrius Davis has at least 80 victims between the ages of 6 and 13 in the U.S., and many more overseas, after posing as an 11-year-old girl named Lizzy online, directing dozens of children to create child pornography online.

"On their siblings, other relatives and other kids that they know and then film it and send that video to our suspect," Sgt. Rod Grassman, a spokesman for the Sacramento County Sheriff's Office said.

Jeffrey Lee, author of the book, 'Online Predators, an Internet Insurgency,' has more than a decade of experience fighting against online child exploitation. He says the best way to prevent this sort of activity from happening is parental involvement, first and foremost.

"These types of cases are actually quite common, unfortunately," Lee said. "They're more common than you would like to think."

Lee said parents should be teaching their kids that the 'stranger danger' policy needs to apply online too and they should be checking their phones regularly as every app and every URL is a potential destination for victimization.

"You've got to adapt the stranger danger conversation for the 21st century, plain and simple," Lee said. "We have to adjust accordingly, we have to stay in front of our kids and we have to make the topic of online predation, online exploitation, online criminality in general, regular topic, the conversation in the house."

He encourages bringing up this case, which kids may have heard about on the news or from their friends, as a jumping-off point to start the conversation. But Lee says there are warning signs that every parent can be looking out for at any time.

"Any abrupt changes in behavior, and it's generally going to be for the negative, spending a lot of time, more time isolated in their room, a little more insolent, grades start to slip," Lee said.

And he says this is something that can be avoided with parental involvement.

"Nothing is going to take the place of your involvement and your willingness to stay involved and your willingness to talk to your kids about this stuff," Lee said. "Present to them and show them say, hey, look, if this happens to you, I have a plan."

Lee added if you do find something on your child's phone, stay calm, be a good witness, do not converse with the person on the other end, make sure you have the passcode, don't delete anything and call law enforcement right away.


See original here:
'We have to stay in front of our kids' | Experts advocate for parental involvement to strengthen cyber security - ABC10.com KXTV

Common values, shared threats in India-Australia cyber security ties – The Indian Express

Western and media attention may be focused on the conflict between Russia and Ukraine, but countries have not taken their eye off the Indo-Pacific where there is clear evidence of the changing world order. This is manifest in the signing of the India-Australia Economic Cooperation and Trade Agreement in goods and services earlier this month.

The botched US withdrawal from Afghanistan followed by China taking a serious interest in creating new economic, military and political alliances, and the impending energy crisis demand that nations recalibrate their strategic as well as long-term interests. The India-Australia ECTA is a concrete example of the bilateral faith in common values, and understanding of threats and goals. A reflection of this is cooperation in cyber security.

The Russia-Ukraine conflict has shown how cyber threat actors, both state and non-state, have become significant players in hybrid or unrestricted warfare. Both countries have let loose malicious elements in the information as well as operational space, while non-state actors like the hacktivist group Anonymous claimed to have caused significant damage to critical Russian and Belarusian financial and military infrastructure.

China is accused of having amassed a large number of cyber weapons and has allegedly carried out sophisticated operations aimed at espionage, theft of intellectual property, and destructive attacks on internet resources of some countries. Australia and India have been at the receiving end of several such campaigns by the so-called Advanced Persistent Threat (APT) groups, supported by or assumed to be located in China.

At the June 2020 virtual bilateral summit, Prime Minister Narendra Modi and his Australian counterpart Scott Morrison elevated the bilateral relationship to a Comprehensive Strategic Partnership. The new cyber framework includes a five-year plan to work together on the digital economy, cybersecurity and critical and emerging technologies. This will be supported by a $9.7 million fund for bilateral research to improve regional cyber resilience.

An annual Cyber Policy Dialogue, a new Joint Working Group on Cyber Security Cooperation and a joint working group on ICTs have been established. An annual India-Australia Foreign Ministers Cyber Framework Dialogue will be held. India will now be included in a core Australian initiative called the International Cyber Engagement Strategy, which Australia began in 2017 to actively conduct capacity-building arrangements in Indonesia, Singapore and Thailand, and support similar activities in Malaysia, Vietnam and Cambodia. In 2021 Australia added critical technologies to the initiative, making it important to the bilateral partnership with India and to the Quad.

India has much to learn from Australia's low-key but smart cyber expertise. The Australian Cyber Security Centre (ACSC) in Canberra is the receptacle of the country's cybersecurity information, advice and assistance efforts. It draws expertise from national law enforcement, intelligence agencies, crime investigation, and national security bodies. ACSC has a partnership programme with the corporate world to facilitate intelligence-sharing on threats. AustCyber, another government effort, aims at establishing an internationally competitive domestic cybersecurity industry.

India has set up the office of the National Cybersecurity Coordinator, a national Computer Emergency Response Team (CERT-IN), a national Critical Information Infrastructure Protection Agency (NCIIPC), and made appropriate amendments to the Information Technology Act and Rules to enhance its cyber security posture. This has upped India's rank to 10th in the Global Cyber Security Index (GCI) 2020, from 47th just two years earlier. India has capable cybersecurity professionals.

In February, the foreign ministers of India and Australia recognised cooperation in cyber governance, cyber security, capacity building, innovation, digital economy, cyber and critical technologies as an essential pillar of the relations between the two countries. A joint Centre of Excellence for Critical and Emerging Technology Policy, to be located in Bengaluru, will be set up.

India and Australia share common concerns around 5G rollouts, threats by APT groups, cybercrime, information warfare and threats to a democratic order. Deepening cooperation can develop avenues for mutual learning and create complementary markets in cyber tools and technologies, boosting bilateral business and strategic commitments on both continents.

This column first appeared in the print edition on April 27, 2022 under the title 'Facing a common threat'. The writer, Adjunct Distinguished Fellow for Cyber Security at Gateway House, is a senior IPS officer. Views expressed are personal.

Visit link:
Common values, shared threats in India-Australia cyber security ties - The Indian Express

CISA, FBI, NSA, and International Partners Warn Organizations of Top Routinely Exploited C – National Security Agency

WASHINGTON – After more than 20,000 common vulnerabilities and exposures (CVEs) were disclosed in 2021, U.S. and allied cybersecurity authorities are helping organizations prioritize and mitigate the most exploited vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom's National Cyber Security Centre (NCSC-UK) issued a joint Cybersecurity Advisory on the top 15 common vulnerabilities and exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.

In 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To mitigate the threats and/or adverse consequences from having vulnerabilities exploited by these actors, the cybersecurity authorities recommend prioritizing and strengthening:

"We know that malicious cyber actors go back to what works, which means they target these same critical software vulnerabilities and will continue to do so until companies and organizations address them," said CISA Director Jen Easterly. "CISA and our partners are releasing this advisory to highlight the risk that the most commonly exploited vulnerabilities pose to both public and private sector networks. We urge all organizations to assess their vulnerability management practices and take action to mitigate risk to the known exploited vulnerabilities."

"The FBI, together with our federal and international partners, is providing this information to better arm our private sector partners and the public to defend their systems from adversarial cyber threats," said FBI's Cyber Division Assistant Director Bryan Vorndran. "Though the FBI will continue to pursue and disrupt this type of malicious cyber activity, we need your help. We strongly encourage private sector organizations and the public to implement these steps to mitigate threats from known vulnerabilities, and if you believe you are a victim of a cyber incident, contact your local FBI field office."

"This report should be a reminder to organizations that bad actors don't need to develop sophisticated tools when they can just exploit publicly known vulnerabilities," said NSA Cybersecurity Director Rob Joyce. "Get a handle on mitigations or patches as these CVEs are actively exploited."

"Malicious cyber actors continue to exploit known and dated software vulnerabilities to attack private and public networks globally," said Abigail Bradshaw, Head of the Australian Cyber Security Centre. "The ACSC is committed to providing cyber security advice and sharing threat information with our partners, to ensure a safer online environment for everyone. Organisations can implement the effective mitigations highlighted in this advisory to protect themselves."

"Cyber security best practices, including patch management, are essential tools for organizations to better protect themselves against malicious threat actors," said Sami Khoury, Head of the Canadian Centre for Cyber Security. "We encourage all organizations to take action and follow the appropriate mitigations in this report against known and routinely exploited vulnerabilities, and make themselves more secure."

"We are seeing an increase in the speed and scale of malicious actors taking advantage of newly disclosed vulnerabilities," said Lisa Fong, Director of the New Zealand Government Communications Security Bureau's National Cyber Security Centre (NCSC). "The NCSC works with international partners to provide timely access to critical cyber threat information. This joint advisory underscores the importance of addressing vulnerabilities as they are disclosed and better equips New Zealand organisations to secure their information and systems."

"The NCSC and our allies are committed to raising awareness of global cyber vulnerabilities and presenting actionable solutions to mitigate them," said Lindy Cameron, CEO of NCSC. "This advisory places the power in the hands of network defenders to fix the most common cyber weaknesses within the public and private sector ecosystem. Working with our international partners, we will continue to raise awareness of the threats posed by those which seek to harm us."

Globally, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. To a lesser extent in 2021, these actors continued to exploit publicly known or dated software vulnerabilities, some of which were also identified as routinely exploited in 2020 or earlier.

All organizations are encouraged to review and implement the recommended mitigations in this detailed joint CSA.

Visit our full library for more cybersecurity information and technical guidance.

View original post here:
CISA, FBI, NSA, and International Partners Warn Organizations of Top Routinely Exploited C - National Security Agency

Colleges paying ransom only get 60% of data back. Here’s how to protect it. | – University Business

Cyber attacks are becoming more prevalent and more costly, but smart institutions can power through them.

A new report from internet security provider Sophos shows that institutions of higher education not only were hit by cyber attacks often in 2021, but they also paid out hefty sums in ransom and still didn't get back all the data they lost when it was stolen.

In its State of Ransomware 2022 study of more than 5,500 organizations and sectors worldwide, colleges and universities that decided to pay hackers after breaches occurred only recovered about 60% of their precious information. Less than 5% got it all back. Across higher education, two-thirds that took part in the survey (100 to 5,000 employees) were hit by at least one ransomware attack in the previous year, up nearly 30% from 2020. The majority of hits were done using data encryption rather than simply holding the data hostage.

While two-thirds said they use some forms of backups, half of all institutions still paid to try to get data back. Although Sophos did not break down the payouts by sector, the average cost of ransomware recovery was a little more than $2 million. Cyber insurance has helped institutions, covering 100% of the payments and a lot of the clean-up costs, but only about a third paid out the ransom.

"The survey shows that the proportion of victims paying up continues to increase, even when they may have other options available," said Chester Wisniewski, principal research scientist at Sophos. "There could be several reasons, including incomplete backups or the desire to prevent stolen data from appearing on a public leak site. In the aftermath of a ransomware attack, there is often intense pressure to get back up and running as soon as possible."

Wisniewski said institutions try to take the easier, more expensive way out and pay hackers for a key that will decrypt their data, rather than go through the painstaking process of restoring information via backups. Not knowing what data has been breached is a major concern, from research to passwords, so they are more likely to just pay to mitigate the damage. Even then, there could be more to come if they aren't careful. "If organizations don't thoroughly clean up the recovered data, they'll end up with all that potentially toxic material in their network and potentially exposed to a repeat attack," Wisniewski said.

So what is the best strategy for colleges and universities, which may be hit with attacks at any time and may still have to pay out in the future? Having a second set of information is vital. "Higher education can't rely solely on a 'pay the ransom to recover' approach to ransomware," Christopher Budd, senior manager of threat research at Sophos, told University Business, highlighting that institutions don't get all of it back anyway. "Fortunately, our survey shows that while 50% of respondents paid ransom to recover, 70% used backups to recover. That means in this overlap of the two tactics, higher education organizations can be better placed for faster and fuller recovery when they follow a robust backup strategy."

Yet, because of the sheer volume of data and departments and the nature of institutions to be siloed, colleges and universities have many more challenges than the average business.

"The survey shows that higher education remains one of the slowest industries to recover, where around 2 in 5 took over one month to recover," Budd said. "This tells us that while higher education may have good backup strategies that can augment ransom recovery as a tactic, there is still more work that can be done to make backup and recovery faster and more robust."

Sophos highlighted five strategies that can be employed to help institutions prepare for the worst:

Excerpt from:
Colleges paying ransom only get 60% of data back. Here's how to protect it. | - University Business

Pittsburgh calls itself the robotics capital of the world. But it’s also the birthplace of cybersecurity – Technical.ly

Robotics, medical research, bridges, Heinz Ketchup, the Pittsburgh Toilet: these are the signatures of innovation in the Steel City. But buried underneath the surface of its journey from kitschy and industrial to kitschy and tech-centric is a story about the origins of the global cybersecurity industry.

Pittsburgh's tech economy has long been recognized for its prowess in robotics and artificial intelligence, largely stemming from a strong pipeline of expertise out of local schools like Carnegie Mellon University and the University of Pittsburgh. While autonomous vehicle companies and autonomous mobile robot providers alike have found ways to profit off of those opportunities, there's a bedrock of a wider range of technical know-how still waiting to be leveraged into commercial possibilities.

Enter cybersecurity: an industry that was (arguably) born in Pittsburgh.

As the story goes, it all started with CERT, formerly an acronym for the computer emergency response team. The division was founded within CMU's Software Engineering Institute in 1988 as a response to the internet vulnerabilities exposed by the Morris worm, the country's first major internet attack.

"In the early hours of response to the Morris worm, you had a number of people working at DARPA at the time – the Defense Advanced Research Projects Agency – who had either ties to the SEI or to Carnegie Mellon School of Computer Science," Bill Wilson, current deputy director of the CERT Division, told Technical.ly.

Those DARPA employees reached out to CMU contacts, and "they quickly kind of cobbled together a foundation and framework to begin to work with and build a community to as quickly as possible first, mitigate and solve the vulnerability underlying the Morris worm," Wilson said. But really, the purpose was to respond to what had been a sort of technical wake-up call in the realm of internet security. From the outset, it was always clear that CERT would be a new kind of organization in tech, something to work with a network of vendors and researchers "to as best as possible, analyze and identify the [new internet] vulnerabilities and then rally the community to get the necessary solutions in place," he said.

A big part of that effort was building the talent base and expertise of people who could keep up with new cyber threats as computers and associated technology rapidly evolved throughout the '90s. Leveraging both talent within the SEI and working to foster the creation of new agencies across the globe, CERT spent the first 10 years helping others see the necessity of its services.

Much of that involved working with the government. By 2003, the Department of Homeland Security formed its own computer security incident response team, US-CERT. (At this point, CMU had trademarked the CERT name, and it still maintains that trademark. But it frequently licenses it out to organizations doing work in the realm of computer security incident response.) The US organization, which is distinct though often collaborative with the CMU one, is now housed in the DHS Cybersecurity and Infrastructure Security Agency.

That same year saw the founding of another significant effort from CMU, the CyLab Security & Privacy Institute, which is "really an umbrella over all of its cybersecurity researchers," Wilson said. Now, CyLab brings together over 100 faculty and 30 graduate students across 15 departments within the university, and has trained over 75,000 people in security and privacy skills since its formation. Its research encompasses hardware security, IoT security and privacy, biometrics, blockchain, network security and more.

Outside of its research, CyLab has also been the source of some of Pittsburgh's more noteworthy commercialization efforts in the world of cybersecurity. David Brumley, CEO and cofounder of application security startup ForAllSecure, was previously the director of CyLab. His company made waves earlier this year by closing a $21 million Series B round and promptly launching a new initiative to pay software engineers to use the startup's fuzz testing tech to protect their open source software.

He sees CyLab as the organization that really launched a surge in cybersecurity talent concentrated in Pittsburgh.

"At one point CMU had the majority of papers at top-tier conferences," he said of the early days for CyLab. "So if you went to [the conferences] we had over 50% [of the work there], and it's kind of that culture of having that top cybersecurity research that grew the cybersecurity field here." And Pittsburgh's relative proximity to DC certainly helped too, Brumley said, adding that having easy access to the funding and resources provided by DARPA or the National Security Agency created more opportunities for CyLab to evolve its research over time as new threats emerged.

But as far as commercialization resources for CyLab's depth of academic projects and research, Brumley sees some struggles that might help explain why more startups haven't come out of the organization so far. One is a need for improved tech transfer processes from local universities, but another is the classic problem of limited local venture capital volume, he told Technical.ly.

"There is some access to capital, but it's typically not an easy process and it's not abundant in the amount," he said, though there are signs that has started to change with the pandemic, as some of the biggest VC firms in the country have begun to look outside of their signature markets.

"They're starting to look at new places, and we're starting to see more than one target outside of the West Coast," Brumley said. "Still, it's a new trend, and top firms like Sequoia Capital or Andreessen Horowitz, they're not here, they don't have offices here yet."

But what if the reason Pittsburgh's cybersecurity industry hasn't generated as many startups as, say, its robotics industry isn't because of funding challenges, but because the latter is product-oriented while the former is a more nuanced service?

David Hickton, who is the former US attorney for the Western District of Pennsylvania and the founding director of the University of Pittsburgh Institute for Cyber Law, Policy and Security (Pitt Cyber), thinks that difference between the two makes sense for why entrepreneurship hasn't taken off for cybersecurity despite a deep well of local expertise. As one of the region's and country's most prominent cyber attorneys, he's been approached several times by startups looking to take him on as an advisor or leader of some sort. But none have persuaded him.

"In order to be a startup that I would be interested in, you'd have to have a tangible product to sell as opposed to a labor-intensive service," he said. "I'm not interested in, for example, being a cybersecurity service tech to teach people how to protect their program. I would be interested in something that would be a more wholesome application."

Outside of the expertise of CERT, CyLab and CMU, Hickton's work as the local US attorney under President Barack Obama and his leadership at Pitt Cyber have anchored the city as more than just a mecca for technical expertise, but for law and policy, too. Recognizing the local talent available in the cyber industry, Hickton focused his team on law enforcement within that industry. He counts six big cases as moments of progress for Pittsburgh in building an understanding of how cybersecurity laws can be formed and enforced, making the city a leader in that space.

From the outset, his team focused on a growing problem at the time, of intellectual property theft through hacking from foreign actors. And in May 2014, the US Justice Department indicted five members of the Chinese military based on findings that Hickton's team had compiled, the first time the US would charge another country in connection with cyber-related criminal charges. The other five cases Hickton mentioned as early landmarks in his office's work on cyber law are the June 2014 indictment of Evgeny Bogachev, the July 2015 Darkode case, the Avalanche case in November 2016, Boyusec in November 2017, and the Fancy Bear case in May and October 2018. The latter three concluded after Hickton had left his role as US attorney and helped launch Pitt Cyber in 2016.

When it comes to the local cybersecurity industry, Hickton has one of the more experienced perspectives, which makes his thoughts on the lack of local startups all the more intriguing. Because while cyber-focused entrepreneurship hasn't thrived, local cyber jobs look like they soon might.

According to a CompTIA report published earlier this month, Pittsburgh's tech industry currently employs around 5,655 cybersecurity and systems engineers, a number that's expected to grow by at least 0.8% by the end of this year. Nationally, the industry's expected to grow by over 253% by 2030. That makes sense given the rapid increase in the number of cybercrime threats in 2021, which is expected to cost the world $10.5 trillion annually by 2025.

So, what role does Pittsburgh have in mitigating these threats?

Some companies have started to take matters into their own hands, hiring in-house cyber professionals to ensure their technical products are built safely and securely. Meanwhile, local academic institutions continue to partner with nearby corporations to continue building expertise and cross-industry initiatives in cybersecurity.

To grow the local cyber economy even more, though, a key step will be figuring out how to stop losing talent to other markets, Hickton said, noting that there aren't as many cybersecurity-focused corporations with locations in Pittsburgh. However, he said, Pittsburgh is increasingly on the map as a tech and advanced manufacturing hub, pointing to Commerce Secretary Gina Raimondo's recent remarks on the benefits semiconductor chip funding could have for the Steel City's economy.

But cyber, in the mind of the everyday person, is still different from other spheres of tech that Pittsburgh has found success in.

"Cybersecurity, in the minds of most people, it's like the hockey goalie – you know, protecting against the other team putting the puck in the net," Hickton said. It's not like the scorers and so it doesn't have some of the same sex appeal that artificial intelligence, self-driving vehicles and semiconductor tech have.

And maybe that's part of the issue. Maybe the one factor needed to propel the local cyber industry to the success other sectors of tech have seen is simply a bit more excitement. Who knows: maybe today's Pittsburgh cyber pros will squash the 21st-century version of the Morris worm.

Read the original:
Pittsburgh calls itself the robotics capital of the world. But it's also the birthplace of cybersecurity - Technical.ly

US Gets 60 Countries to Sign ‘Declaration for the Future of the Internet’ – PCMag

The US and dozens of other governments around the world have signed a declaration that says they will cooperate to keep the internet "open, free, global, interoperable, reliable, and secure."

The calls for action in this "Declaration for the Future of the Internet," announced Thursday, might not seem controversial, but the last few years have seen increasing moves by governments to raise regulatory barriers that may splinter the global network, while others have restricted or outright blocked internet access for their citizens.

The roughly 2,000-word document (PDF) reflected a year or so of consultation by Biden administration officials with other governments, as well as with private-sector, academia, and civil-society representatives.

In addition to its calls to refrain from government-imposed internet shutdowns or degrading domestic internet access, and blocking or degrading access to lawful content, services, and applications on the internet, the declaration backs measures to "promote affordable, inclusive, and reliable access to the internet," plus a variety of privacy, security, and human-rights goals.

For example, the document condemns using surveillance tools to develop social score cards or other mechanisms of domestic social control or pre-crime detention and arrest, a clear jab at China's social credit-score system. It also calls for action against cybercrime and online attempts to compromise voting infrastructure and influence elections with propaganda, all things that Russia has repeatedly been caught doing.

Sixty other countries – the list includes Argentina, Australia, every country in the European Union, Canada, Israel, Japan, Kenya, Taiwan, the United Kingdom, and Ukraine – as well as the European Commission signed on to the declaration.

The most obvious name absent from the declaration is India, which also happens to be the world's leading internet-shutdown offender. India ordered 106 of them in 2021, according to Brooklyn-based advocacy group Access Now. The administration's answer about India, according to a transcript of a press call posted by the White House: "The hope remains that time isn't fully passed yet for India to join."

Access Now published its latest report on network cutoffs Thursday, with India followed by Myanmar (15 shutdowns), Iran and Sudan (five each), Cuba and Jordan (four each), and Ethiopia with three. The only country to appear on both the Access list and the declaration: Niger, which staged one shutdown last year, Access reported.

Go here to read the rest:
US Gets 60 Countries to Sign 'Declaration for the Future of the Internet' - PCMag

5 Data Security Challenges and How to Solve Them – Security Intelligence

Nearly two-thirds of the global population will have internet access by next year, according to Ciscos Annual Internet Report (2018-2023) White Paper. There will be 5.3 billion total internet users (66% of the global population) by 2023, up from 3.9 billion (51% of the global population) in 2018. With this growth in internet usage, the need to secure sensitive data across industries has never been more relevant, especially in light of global events ushering in an increase in attacks on data.

To prepare to defend your data, you need a strategy that can keep up with todays environment. You want to be an innovator, a trendsetter and, most of all, a security leader. That requires a comprehensive strategy as you move forward. As technology continues to advance, the need for greater security will increase as well.

The number of data breaches was 17% higher in 2021 than in 2020. The manufacturing and utility sector was affected the most, followed by health care, which saw more than 40 million patient records breached. Ransomware attackers earned about $590 million in the first half of 2021, which surpassed 2020's total estimated earnings of $416 million.

It's no secret that it takes a detailed strategy and a trusted partner to protect your data. Are you struggling to keep up? As a starting point, take a look at these five signs that you might need guidance through your data security journey.

Managing security that focuses on your company's most crucial gems is serious work. It requires the skills of those best in the business. With how complex modern security strategies can be, your team may be working within multiple environments across many different vendors. To make matters worse, skilled workers are in short supply.

The security industry is ever-changing. The tech in our everyday world advances at a breakneck pace, changing how work in security must be done. By 2022, 70% of companies will be using hybrid multicloud platforms as part of a distributed IT infrastructure, according to McKinsey. By 2025, more than 75% of enterprise-generated data will be processed by edge or cloud computing.

Software sourced by companies from cloud-service platforms, open repositories and software-as-a-service providers will rise from 23% today to nearly 50% in 2025. As a result, leaders in security need to understand the direction their companies are headed and ensure proper protections are put into practice.

Many companies find themselves growing quickly, realizing that their IT infrastructure is becoming too much to handle. They are mired in tool sprawl and looking to scale and provision technologies quickly. In an ideal world, those will be technologies that integrate and work together well. However, they lack the capital to invest in new hardware, software and skilled workers.

Often, organizations will build their security strategy for the current project rather than the future. This is understandable, considering the speed at which the security landscape changes. But the pull of having an adaptive strategy for the long term is always present, even if seemingly unattainable.

Everything comes down to one thing: budget. Given the recent events across the industry, it should be apparent to leadership in all roles that skimping on the security budget is never a good idea. However, even as executive leadership has come to realize the importance of security investment, security still loses out to projects seen as revenue generating rather than as a cost center.

To better prepare for the modern data landscape, businesses should look to partner with a trusted advisor and move toward modern solutions. There is a trend away from simply using a vendor's tools. Consulting is often more critical than the tool itself. The benefits of managed service providers take precedence over the services they manage. Why is this?

Well, one assumption we can make, based on the problems outlined earlier, is that working with a skilled advisor or service provider can reduce costs (whether time, money, resources or computing costs), provide long-term direction and help develop a strategy to derive value from existing and new solution investments that may have otherwise sat on the shelf. And that's a good start for the future.

Guardium Insights Product Marketing Manager

Katie Schwarzwalder is a product marketer with IBM Security and focused on Guardium Insights. She has worked in software for the last several years and conti...


Link:
5 Data Security Challenges and How to Solve Them - Security Intelligence

Avast One, Avast Free Antivirus and Avast Secure Browser Win Anti-Phishing Tests – PR Newswire

For the second quarter in a row, Avast One Essential, Avast Free Antivirus and Avast Secure Browser receive the highest phishing detection scores in AV-Comparatives' latest analysis of consumer antivirus and browser products

PRAGUE, Czech Republic, April 27, 2022 /PRNewswire/ -- Avast One Essential and Avast Free Antivirus, the award-winning online protection services from digital security and privacy leader Avast, have secured first place for the second time successively in a quarterly phishing detection comparison test* run by AV-Comparatives, an independent testing organization for antivirus (AV) products. Both products recorded a detection rate of 99%, ahead of Kaspersky (96%), Avira (95%) and Bitdefender (92%). The study also evaluated the effectiveness of phishing page detection among some of the world's leading browsers. Avast Secure Browser, a privacy-first browser with anti-phishing technology, also ranked first with a 97% block rate, a two percent increase on the previous test in January, while Microsoft Edge and Mozilla Firefox came in second and third with block rates of 82% and 79%, respectively.

AV-Comparatives' study, which ran from 21 March to 5 April 2022, tested all browser and antivirus products in parallel, exposing each to 250 valid and independently-selected phishing URLs, and 250 clean URLs for false alarm detection. The phishing protection provided by the AV products was tested on Windows 10 using Google Chrome 97.0 with Google Safe Browsing disabled. The browser extensions of the AVs were installed and enabled, and the competing browsers were tested without an antivirus program running. At the time of testing, all products were updated to their latest software versions.

"Given the prevalence of phishing attacks in both targeted and mass attacks, phishing protection is an important part of IT security measures," said Andreas Clementi, founder and CEO of AV-Comparatives. "In this independent test, Avast proved that its antivirus and browser products provide strong protection against phishing attacks."

"Maintaining an industry-leading detection rate to apply to our products and services is one of the most important components of protecting digital freedom for consumers and businesses," said Siggi Stefnisson, Head of Threat Labs, at Avast. "It is also expected by our customers, so we're very pleased to have maintained our lead for both our AV products and Avast Secure Browser. Last year, our threat detection engine identified and blocked nearly four million unique phishing URLs each month on average. Phishing continues to be one of the most common threats we encounter today as cybercriminals up the ante with spray-and-pray tactics but also targeted and personalized attacks."

Editor's Notes:

*This report was commissioned by Avast, however AV-Comparatives' anti-phishing test of all products was carried out impartially and under identical conditions. The phishing sites were selected independently by AV-Comparatives without instruction, influence, dispute, or review from Avast or any of the tested parties.

A complete breakdown of the antivirus and browser products tested is listed below:

Antivirus Products: Avast Free Antivirus 22.2, Avast One Essential 22.2, Avira Free Security 1.1, Bitdefender Internet Security 26.0, ESET Internet Security 15.0/15.1, Kaspersky Internet Security 21.3, Malwarebytes Premium 4.5, McAfee Total Protection 16.0, Microsoft Defender 4.18 (with Defender browser plugin for Chrome), NortonLifeLock Norton 360 22.22.

Browsers: Avast Secure Browser 99.0, Google Chrome 99.0/100.0 (with Safe Browsing), Microsoft Edge 99.0/100.0, Mozilla Firefox 98.0, Opera 85.0.

About Avast: Avast (LSE:AVST), a FTSE 100 company, is a global leader in digital security and privacy, headquartered in Prague, Czech Republic. With over 435 million users online, Avast offers products under the Avast and AVG brands that protect people from threats on the internet and the evolving IoT threat landscape. The company's threat detection network is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of Coalition Against Stalkerware, No More Ransom and Internet Watch Foundation. Visit: http://www.avast.com.


SOURCE Avast Software, Inc.

Read the original:
Avast One, Avast Free Antivirus and Avast Secure Browser Win Anti-Phishing Tests - PR Newswire

Russia-Ukraine Conflict and Geopolitics of Data Routing | Manohar Parrikar Institute for Defence Studies and Analyses – Institute for Defence Studies…

Summary: The Russia-Ukraine conflict, as well as Russia's 2014 annexation of Crimea, shed light on the geopolitics of data routing and the usage of the Border Gateway Protocol (BGP) as a tool of control. BGP is used by states to monitor and ensure censorship, block users and websites, carry out cyberattacks on other internet infrastructures, and hijack traffic from other networks. Russia created a sovereign internet network named RuNet, out of concerns that the West can constrict its access to global internet and to ostensibly protect its citizens from alleged disinformation campaigns and cyberattacks. Russia, though, has not been fully successful in achieving the objectives which led it to create the separate network.

Russia's military operations in Ukraine bring to the foreground the geopolitics of data routing and the manner in which states use data routing in contested areas to assert their power. In the aftermath of the 2014 Russo-Ukrainian conflict, Russia gained control over the Crimean internet network, as well as that of the Donbas region. Through data protection laws and various other measures, Russia gradually created a Sovereign Internet/RuNet that gave it complete control of all Internet Transit Points in that region through which data packets flow in the network.1 Even before Russian troops set foot in Donbas in the current conflict, Russia had complete control over the region's internet network.2

The shaping of cyberspace by both Russia and Ukraine is based on the technical principles of data routing. As per the International Telecommunication Union (ITU), the Internet is a collection of interconnected networks using the Internet Protocol which allows them to function as a single, large virtual network.3

As shown in Figure 1, these interconnected networks are called Autonomous Systems (ASes). An Autonomous System (AS) itself is a network that manages the internal routing of data, distributes Internet Protocol (IP) addresses, and sets standards for access policies.4 Data or Internet routing is the assignment of a path along which a data packet reaches its destination.5 Currently, data routing happens through a routing protocol called Border Gateway Protocol (BGP), which is used in inter-domain routing for ASes. A Regional Internet Registry (RIR) allocates Autonomous System Numbers (ASN) to its ASes and IP addresses to the users within the ASes. An AS establishes a BGP exchange-of-data session with other ASes. These BGP sessions are Transmission Control Protocol (TCP) sessions between two routers connecting different ASes. TCP is essential to manage and keep the connections open.6

Geopolitical Nature of ASes and BGP

Autonomous Systems are Internet Service Providers that can be controlled by governments, universities, or companies. Each AS has an administrator who communicates with other ASes and agrees on the path that data packets follow to them, which is made possible through BGP. As of 5 April 2022, 1,90,928 active ASes constitute the Internet, as per the Regional Internet Registries Statistics.7 These ASes have geographical limitations and need common infrastructure like cables to be operational. Also, an AS might have BGP agreements with multiple ASes but not necessarily with all ASes on the Internet. Hence, these agreements need human intervention that might be of political, commercial, or geographical nature. Although these agreements are generally confidential, BGP needs ASes to communicate with each other for coordinated routing, which is done by constantly releasing connectivity update messages. Therefore, through these updates, the cyberspace around these ASes can be mapped and assessed.

In the initial stages of the growth of the internet, the protocol for routing followed a more decentralised structure. Any system on the network was a possible gateway. However, as the networks became more complex, there was a visible hierarchy between paths taken by the data packets and some transit points became more important than others based on commercial, political, and geographical reasons.8 Geopolitical reasons can impact the number of gateways a region has. For example, a remote island like Tonga is connected to the world only through one submarine cable via Fiji, hence, limiting its number of gateway entries severely.9 China's Great Firewall10, Iran's Halal Internet11, and Russia's Sovereign Internet12 are all based on the efforts of these states to better control data and content flow through a combination of techniques including IP blocking, DNS tampering and hijacking, and deep packet inspection and keyword filtering.

The BGP was created in 1989 for the regulation of data gateways or transits between ASes. The ASes receive directions on which path to take to reach the specified IP address. These directions are based on routing policies of BGP rules and the path preference set by an AS administrator. The BGP is controversial in the sense that it was formed from a utilitarian perspective without keeping security in mind and hence, can be exploited for traffic hijacking (re-routing of traffic through malicious transit points), obfuscation of cyberattacks, censorship, internet shutdowns, and cyber espionage.13

Who governs the internet?

The absence of a central organisation to oversee internet operations does not imply that everyone can have unrestricted access. For example, IP addresses and hostnames are finite and are bound by technical and geographical restrictions. The delegation of hostnames and IP addresses was controlled by the United States (US) until 2009, when the US government gave autonomy to ICANN to operate independently. The US Department of Commerce still played a role in reviewing the operations of ICANN till 2016. Another entity called the Internet Engineering Task Force (IETF) consists of experts that develop and approve protocols needed for Internet functioning and is considered to be free of political interference, unlike ICANN. Nonetheless, ICANN does not have the authority to debar any actor from the Internet.

Amidst the Russia-Ukraine conflict, the Ukraine Government sent a request to ICANN's Government Advisory Committee for revoking the Russian Internet country code '.ru' and its Cyrillic equivalent but this request was rejected. This rejection notwithstanding, it is within the capabilities of ICANN and the Europe and Central Asia's Regional Internet Registry to take back all IP addresses assigned to Russia, essentially causing Russian websites to disappear from the Internet.14

The connections that bind Russia-Ukraine internet networks are some of the most complex in the world, involving thousands of small ASes which have evolved based on 30 years of shared historical dependencies. During the time of the USSR, the emerging network in the region was isolated as the global internet had not formed fully and was exceptionally centralised with hardly any gateway connections with the rest of the world. When the USSR disintegrated, due to the paucity of bandwidth, there was an urgent need to have more ASes for connectivity across the region. This led to a disorganised proliferation of small ASes with not much governmental supervision leading to the unusual complexity of the network. The internet grew faster than the Russian and Ukrainian governments' response to tame these ASes, causing much anxiety. Their inability to control the internet infrastructure due to the never-ending demand for more connections and access led the two countries to aggressively shape the routes of data circulation within their respective nations, especially Russia with its Sovereign Internet initiative.15

In December 2019, Russia successfully conducted a test of disconnecting its network from the global internet as an attempt to test its cyber defences. This test was based on the Sovereign Internet/RuNet law passed by the Russian Government in November 2019.16 The law is implemented and monitored by Roskomnadzor, a Russian federal communications agency. Under the law, it is mandatory to install certain tracking software and hardware at all internet gateway points across Russia. The tracking data is then sent to a central monitoring facility that has the power and authority to block the flow of data it deems a threat to Russia's sovereignty. The law also lets Russia isolate RuNet from the Global Internet Infrastructure/World Wide Web in case it anticipates a cyberattack from its adversaries.17 Using a technical process called Deep Packet Inspection (DPI)18, the central monitoring facility will analyse the internet traffic while blocking or redirecting problematic data packets instantaneously.

The Russian government has stated that the legislation is in response to the US's 2018 National Cybersecurity strategy that aims to build a more lethal joint force and compete and deter in cyberspace.19 While Russian analysts justify their country's concern vis-à-vis US big tech companies' influence, the flipside is that the Russian government now has complete control over what its citizens consume online.20 Also, the Russian fear of the US cutting it out from the global internet is not in sync with its accusation of the US using its big tech companies' platforms to influence Russian citizens.21 This is because it would have been in American interest to keep Russians connected to the global Internet to influence them. Russia's Sovereign Internet law is based on politics surrounding data routing which has led to further fragmentation of the Internet in the region.

On the Ukrainian side, its Internet architecture is split between the two global powers: the US, with a few European ASes, and Russia. It is connected to Russia through 95 ASes (comprising Rostelecom, Rascom, and Transtelecom) and to the US via 22 ASes, mainly through the Hurricane Electric AS. Ukraine's connections with Russia have fallen sharply since the 2014 Russo-Ukrainian conflict. From 2019 onwards, the US has increased its AS connections with Ukraine mainly due to Russia's attempts to control the data flow in Eastern Ukraine, especially in the Donbas region.22

In the 2014 Russo-Ukrainian conflict, the regions of Crimea and Donbas, situated broadly on the eastern and southern sides of Ukraine, were vociferously fought over by Russia and Ukraine (Figure 2). Following this, Crimea came under Russian control and the territories of Donetsk and Luhansk in Donbas came under the authority of Russian-backed separatist groups. Russia also has control over the region's water and energy supply, internet access, and crucial infrastructure. By 2018, Russia had succeeded in the complete integration of Crimean and Donbas network with the Russian network.23

Crimea

Before Russia's successful integration of Crimea's economic, bureaucratic, infrastructural, and informational apparatus, Crimea's network adhered to Ukrainian rules and regulations. Post-annexation, Crimea's Internet infrastructure is entirely integrated with the Russian network. The integration started with the Russian-backed Crimean government building the necessary infrastructure to replace the Ukrainian network. This, however, was a very slow and tedious process as Crimea's location ensured substantial dependency on Ukraine's infrastructure. Russia gradually and systematically curtailed reliance on Ukraine through the replacement of ASes and other infrastructure over a period of three years. The systematic overhaul happened in three stages. Firstly, Ukraine's telecom companies and internet service providers started pulling out of their operations from Crimea. Some did it willingly, like MTS Ukraine selling its holdings in Crimea, whilst others, like Ukrtelecom, were forced to shut down their operations, when armed militia restricted the entry of the company's staff inside their facilities.24 Later, the operations of Ukrtelecom were overtaken by Russia-backed Krymtelekom.25

Secondly, Russia attempted to truncate all direct links between Crimea and Ukraine. Ukrainian actions did not help its case as it put sanctions against ASes (Russian included) operating in Crimea post-annexation. This further diminished Ukrainian control and access to the region and resulted in the creation of small Crimean ASes connected to Russia-registered ASes like Miranda Media, Crelcom, and CrimeaCom.

Finally, Russia aggressively started building telecommunications infrastructure to connect with Crimea. Russia's state-owned telecom company Rostelecom built a 110 Gbps submarine link called the Kerch Strait Cable from Russia to Crimea, costing $25 million. Therefore, from 2014 to 2017, Russia gradually altered Crimea's internet routing routes, essentially moving data through Russia. By mid-2017, no more data paths from Crimea were going through Ukrainian ASes.26 This signifies that Russia-influenced ASes started operating in Crimea, establishing their BGP agreements, and ousting the Ukrainian network. As a result, since 2014, Crimeans have been watching on the internet what Russians want them to see. For the Russian Federation, the lessons they learned from the Crimean experiment were significant and they wasted no time in applying the same strategy to Donbas.
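The kind of measurement behind statements such as "no more data paths were going through Ukrainian ASes" can be sketched from the AS_PATH attribute that BGP updates carry. The following is an added example, not code or data from the original article: the ASNs come from the documentation range, and the prefixes, country labels and paths are constructed for illustration and do not reproduce the cited research.

```python
"""Added example: which countries' ASes carry a region's routes, from AS_PATHs."""
from collections import defaultdict

# Constructed registry: ASN -> country of registration. The ASNs are from the
# documentation range (RFC 5398); the country labels are assumptions.
AS_COUNTRY = {
    64496: "REGION", 64497: "REGION",   # origin ASes inside the contested region
    64500: "UA", 64501: "UA",           # hypothetical Ukrainian transit ASes
    64510: "RU", 64511: "RU",           # hypothetical Russian transit ASes
    64505: "OTHER",                     # the route collector's peer
}

# Constructed observations: (year, prefix, AS_PATH as a route collector prints it,
# collector peer first and origin AS last).
OBSERVATIONS = [
    (2014, "192.0.2.0/24", "64505 64500 64496"),
    (2014, "198.51.100.0/24", "64505 64501 64501 64497"),   # prepended path
    (2015, "192.0.2.0/24", "64505 64500 64496"),
    (2015, "198.51.100.0/24", "64505 64510 64497"),
    (2015, "203.0.113.0/24", "64505 64510 {64496,64497}"),  # aggregated, AS_SET
    (2016, "192.0.2.0/24", "64505 64511 64500 64496"),
    (2016, "198.51.100.0/24", "64505 64510 64497 64497"),
    (2017, "192.0.2.0/24", "64505 64511 64496"),
    (2017, "198.51.100.0/24", "64505 64510 64497"),
]


def parse_as_path(text):
    """Return the hop list with prepending collapsed, or None if unusable.

    Paths containing an AS_SET ({...}) are rejected because the order of the
    ASes inside the set is unknown, so transit cannot be attributed.
    """
    hops = []
    for token in text.split():
        if not token.isdigit():
            return None
        asn = int(token)
        if not hops or hops[-1] != asn:   # collapse "64501 64501" prepends
            hops.append(asn)
    return hops if len(hops) >= 2 else None


def transit_countries(hops):
    """Countries of every AS on the path except the origin (last hop)."""
    return {AS_COUNTRY.get(asn, "UNKNOWN") for asn in hops[:-1]}


def direct_upstream_country(hops):
    """Country of the AS adjacent to the origin, i.e. its immediate provider."""
    return AS_COUNTRY.get(hops[-2], "UNKNOWN")


def share_by_year(observations, country):
    """Per year, the fraction of usable paths that cross an AS of `country`."""
    seen, hit = defaultdict(int), defaultdict(int)
    for year, _prefix, text in observations:
        hops = parse_as_path(text)
        if hops is None:
            continue
        seen[year] += 1
        if country in transit_countries(hops):
            hit[year] += 1
    return {year: hit[year] / seen[year] for year in sorted(seen)}


def first_year_without(observations, country):
    """Earliest year from which no path crosses `country` in any later year."""
    shares = share_by_year(observations, country)
    result = None
    for year in sorted(shares, reverse=True):
        if shares[year] > 0:
            break
        result = year
    return result


if __name__ == "__main__":
    for label in ("UA", "RU"):
        print(label, share_by_year(OBSERVATIONS, label))
    print("no UA transit from:", first_year_without(OBSERVATIONS, "UA"))
```

In the constructed 2016 path `64505 64511 64500 64496`, the origin's direct upstream is still a "UA" AS even though an "RU" AS is already on the path, which is why the sketch tracks both the immediate provider and all transit hops.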

Donbas

Where Eastern Ukraine differs from Crimea is the ambiguous political nature of its relationship with Russia and Ukraine, with neither country having complete control over the region. Russia's attempt to control internet routing has been challenging because its network is far more complex with many more actors operating in the region than in Crimea. Reports note that even though there are several direct links between Russia and Ukraine, since 2014, the data flow between these routes has severely dropped.27 The level of Russian control over Donbas is hard to assess but according to research by the University of Paris, there are no data routes between Donbas and Ukraine anymore.28 Further, a data packet from Donbas directly reached Russia without any rerouting. What this essentially means for Donbas locals is that they have slower connectivity for higher prices and complete Russian control on what they are allowed to access online. Furthermore, the Donbas network is now part of the Russian Sovereign Internet/RuNet indicating the possibility of online surveillance, data capture, and censorship.29 Hence, Russian control over the Donbas network indicates its intention to bring the entire Donbas territory under its influence/authority.

The Russia-Ukraine conflict, as well as Russia's 2014 annexation of Crimea, shed light on the geopolitics of data routing and the usage of the Border Gateway Protocol (BGP) as a tool of control. BGP is used by states to monitor and ensure censorship, block users and websites, carry out cyberattacks on other internet infrastructures, and hijack traffic from other networks. Russia not only successfully created a Sovereign Internet named RuNet, out of concerns that the West can constrict its access to global internet and to ostensibly protect its citizens from alleged disinformation and cyberattacks, but has also integrated the Donbas and Crimean networks into RuNet. Has the current conflict between Russia and Ukraine reaffirmed the Russian campaign for Sovereign Internet?

Firstly, Russia established RuNet to ensure protection from cyberattacks. Russia's Foreign Ministry alleged that the US and its allies have put together a group of internal offensive cyber-forces, attacking Russia's critical infrastructure.30 Therefore, RuNet, it seems, has not been successful in stopping cyberattacks. Secondly, as a result of Russia's military operation in Ukraine, Western big tech companies and their platforms have pulled out of the country.31 This, of course, does not equate to Russia being barred from the global internet. ICANN and the US have repeatedly stated that the Russian Internet will not be blocked.32 Therefore, Russian concern of being blocked from the global internet by the West has not materialised. Thirdly, Russian backing of RuNet to protect its citizens from alleged Western disinformation too has not been successful. Reports note that Russians are finding several technical workarounds to bypass the RuNet.33 Finally, the creation of such splinternets has made the business of data routing slower and more expensive in Donbas and Crimea, forcing the local governments there to unnecessarily invest in infrastructure for connectivity with Russia.34 It would seem that Russia has not been able to fully achieve the objectives which led the country to develop RuNet.

Views expressed are of the author and do not necessarily reflect the views of the Manohar Parrikar IDSA or of the Government of India.

Go here to see the original:
Russia-Ukraine Conflict and Geopolitics of Data Routing | Manohar Parrikar Institute for Defence Studies and Analyses - Institute for Defence Studies...

How Can Startups Take Their Cybersecurity To The Next Level? – GineersNow

Cybersecurity for Startups

We are living in a world of a startup boom. It is a period where most individuals are looking to make startups of their own and run them. However, it is not so easy to determine the success of a startup because there are so many challenges along the way, and one of them is cybersecurity. Nowadays, hackers are waiting for the right moment to breach a company or business and steal its data, or encrypt it so that the company itself is not able to use it.

There have been several instances where we have seen hackers breaching the security of a huge organization and then blackmailing the organization for money. Since startups have relatively weak security as compared to large organizations, they are vulnerable to being a target of hackers. Hackers can easily breach the privacy of startups since they don't have the proper resources to tackle the hackers and stop them from breaching the company's network.

A startup should take cybersecurity seriously and prevent its system and network from being accessed by a third party. This can be done in various ways as we have discussed below:

Right from the start, a startup should take security seriously. If a startup operates on cloud-based services or deals with technology-related stuff then it should pay even more attention to the security of its company, right from the very start. In the start, cybersecurity may seem like a thing that is valuable for huge companies and organizations, and having cybersecurity experts doesn't seem right, but as the startup grows, it will soon become a target for various hackers.

If cybersecurity is not taken seriously from the start then a startup can lose a huge sum of money and time. However, if cybersecurity professionals are present from the start then it can help the company to save a huge sum of time and money that can be invested elsewhere to grow the business. So, taking cybersecurity seriously, right from the start, in this age of technology is very important.

Startups should make another move and keep all the employees informed about security concerns. Employees that aren't aware of cybersecurity attacks are the easiest targets of hackers and hackers will do anything to make such people fall victim to their traps. Therefore, it is very important to keep all the employees educated about such things, as they are the backbone of a startup, but if they aren't aware of such cyber-attacks then they can become the weakest link of the chain.

Employees of a startup can also fall victim to phishing attacks in which they can enter their username and password, which would eventually end up in the hacker's pocket. This can be countered by adopting a two-way verification system. A two-way verification system will ensure that every time your employees enter their username and password on the company's system, they would have to enter an additional code to log in that will be sent to their email or mobile number.

Adopting a two-way verification system organization-wide will help in the elimination of potential threats and will keep your system secure. Although the default gateway address of the router such as 10.0.0.1 does not have this feature, it can be implemented on other pages where this feature is available.

If you don't have a secure internet connection then your system will always be vulnerable to hacking. No matter how many security protocols you put in place, if your internet connection is not secure then it can be the gateway through which your system can be hacked.

If your internet connection is secured then it eliminates the risk of getting malware on the network. You can secure the internet connection by installing antiviruses and firewalls on the default gateway of the web router, i.e. 192.168.254.254. This will prevent the installation and spread of random malware through the network.

Using strong passwords is also very important to keep the network safe. In a company, every employee owns a different system and every system has a different password. All the employees should be advised to use strong passwords for the system and network so that it is difficult for hackers to intrude into the network.

You can take this to the next level and assign the passwords by yourself or you can take the help of a password and use that for assigning the password. You can also make sure that employees don't have administrator-level access to the system.

See the original post:
How Can Startups Take Their Cybersecurity To The Next Level? - GineersNow