Podcast
Root Causes 07: Russian Disconnection from the Internet
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
February 19, 2019
Russia has stated that it will disconnect from the internet as a trial exercise for full-blown cyber warfare. This idea presents many problems for Russian services, systems, and businesses, especially since they depend on global systems such as DNS and public Certificate Authorities. Join us to learn some of the problems Russia will face if indeed it disconnects.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanToday, I get to pick the topic, and I have picked Russia. Russia has stated that they are going to “unplug” from the internet for some period of time. I did a bit of research. The period of time isn’t entirely clear to me but I guess it’s substantial enough to prove the concept of disconnecting internet traffic inside of Russia from the rest of the world in order to prepare for a state of full-on cyber war.
Jason SorokoSo, this a temporary disconnection, Tim?Tim CallanThat’s my understanding from the headlines. It’s really vague but the gist of it is it looks like what they’re going to somehow decouple stuff that happens inside Russia from stuff that happens outside Russia for a long enough of period of time that everybody can understand how all of this is going to work. I guess they can prove their concept and then reconnect it again. Think of it as a fire drill or a trial run for a date in the future when Russia decides that there’s some kind of full blown cyber war going on and they need to be independent of the rest of the internet.Jason SorokoSo that means if you’re a citizen in Moscow during this period of time, you’re not looking at your Facebook account?Tim CallanPresumably. Presumably your Facebook and Twitter are gone. If you happen to have a Bank of America bank account you will not be able to access that. And I can see that. I can see saying, “Ok, we’re going to say that citizens don’t get access to Twitter. We don’t really care.” But this strikes me as deeply problematic in much more basic ways. In terms of things like domain registry or certificates, all these systems depend on parties that are outside national boundaries, and I'm unconvinced this kind of thing is actually workable.Jason SorokoEspecially because of the fact that they’ve installed a whole lot of trust mechanisms, certificate-based trust mechanisms that are centralized outside of Russia.Tim CallanRight.Jason SorokoYeah. Challenging.Tim CallanThis is my hypothetical, an extreme hypothetical, but if three or four CAs revoked every certificate they had for every Russian bank, I think the Russian electronic economy would just kind of stop.Jason SorokoThis would be an act of war, obviously, where the commercial CAs perhaps were compelled by western governments to do some of this. This is the kind of scenario we’re looking at.Tim CallanSure, but let’s set that aside. So for some period of time there is a parallel internet and the two are not allowed to talk. What happens with certificate revocation? What if there is a bad actor who is sitting there waiting for the day, waiting for the second that they’re going to disconnect because they have their activities that they plan on and they know that they will be immune to certain responses that would shut them down? They know that nobody will be able to take back a DNS address or nobody will be able to revoke a certificate for the duration of this, we’ll call it an outage. That’s a real exploit that somebody could really do.Jason SorokoI guess obviously there’s all kinds of use cases that we’d have to consider, but doing something as simple as: You’re a citizen in Moscow. You’re looking at a website even within Moscow, the checking of that SSL certificate that perhaps was provisioned onto the web server would’ve been revoked, and therefore then what does the browsing experience look like?That might be the simplest use case. Could be quite difficult there.
Tim CallanThe OCSP servers are not in Russia, so OCSP checking is not happening. What about renewal? What happens when my certificate expires during that downtime period and I can’t renew it? What happens if I'm trying to get a certificate and I'm in the midst of the process? I'm in the midst of authentication, and it becomes broken, and I can’t authenticate my DNS?Jason SorokoThere’s just so much where the key material originates from somewhere else and is validated somewhere else outside of Russia.Tim CallanYeah. It just feels to me like the collateral damage is really high.Jason SorokoSo theoretically then Tim, do the Russians feel confident that they have a solution to this or are they considering some grand re-engineering effort that could take years, and are they willing to bite the bullet to get to that point during a potential shutdown?Tim CallanRight. Again you can imagine—and the headlines seem to suggest—that the this is kind of a nuclear option, right? That we need to be prepared for the ultimate worst case, and in the ultimate worst case there will be a certain amount of collateral damage, and we’re willing to live with it.But what’s interesting is if the reports are correct, they’re going to go ahead and live with it with a little bit now. Right? It would be like saying, “Look we’re prepared for the nuclear option and yeah, we’ll go ahead and nuke a few of our citizens today just to see what it’s like.”
Jason SorokoYeah. And I'm sure the results of that, the way that it will be portrayed outside of Russia, will be a little bit different than what it would actually look like in reality. It is perhaps also a bit of marketing by Russia to say, “Look we could do this ,and we’re willing to do this.”You know if you were to try to pull that off in a western country, you know it might result in a little bit of flak, let’s say.
Tim CallanAbsolutely. It would be hard to imagine getting away with that in a European or a North American country. You’d think that that would be a non-starter in terms of the collateral damage and the harm it would do to various individuals. Like, I think about domain names that are up for renewal. If a domain name expires during that time period, domain squatters can go get those. Now inside of Russia, it’s still resolving to your site. But outside of Russia it’s resolving to the domain squatter.This is assuming you’re not on a .ru. Let’s say you’re on .com/.net or one of the common TLD’s. So then after they reunite, it’s going to the main TLD, right? It’s going to go back to what Verisign says, at which point the domain squatter now owns it and people in Russia start resolving to the domain squatter. That’s it. You didn’t renew your domain. You don’t get to go get it back.
Jason SorokoOne of the things that always interested me over the past few years was watching the way that Russian ISP’s have a very different set of rules and therefore it is a very different kind of internet for Russians anyway. Especially nefarious Russians, of which there might be a few.In other words, if you and I, Tim, were to call up our local ISP and say, “Hey I’d like to hire your internet services. Would you mind giving me a different IP address 100 times per second?”
Tim Callan“Don’t worry about why.”Jason SorokoYeah. “Don’t ask any questions, but that’s what’s I need.” In Russia that happens every day. In North America, they’ll probably call the police on you. It’s a different world.Tim CallanIt’ll be interesting to see if it really happens. I think you brought up a good point which is there’s a difference between saying you’re going to do this and actually doing it, and it may be that saying you’re going to do this accomplishes their goals. If it really goes on there are going to be consequences, and there are going to be people in Russia who are hurt by those consequences.Jason SorokoYes, even if it was very brief. Russia has a lot of people. And a lot of them are our audience.It’s incredible how connected a lot of people’s lives are. Don’t forget there’s also a lot of very legitimate commercial activity in Russia that will be affected.
Tim CallanYou bet. There are lots of tech savvy business people who just want to be business people and want to be part of the global economy, and this is a kick in the teeth to those people if this really happens.Jason SorokoIt’s a very fascinating subject, Russia wanting to always exert itself and exert its powers. This is one way of doing it.Tim CallanWe will continue to follow this story, and in the event that they actually do disconnect, we’ll come back and talk about it and what we think and what happened. But in the meantime, I just can’t wait to see what goes on. I'm just fascinated and baffled and just dying to see how it all plays out.Jason SorokoAs you always say at the top of the podcast, you know it’s a couple PKI guys watching the world and both of us look at this subject and just shake our heads like, “Hey does anybody know how the internet actually works?“Tim CallanIt’s a, “Who woulda thunk it?” moment. You know I always say that governments don’t recognize that the internet is bigger than they are, and this seems to be an example of that.But at the same time I know that Russia has an awful lot of very smart computer scientists. A lot of them are much smarter than I am, and surely somebody asked these questions. So, unless it’s just posturing, it feels like they think that this is viable.
Jason SorokoWell, during the Australia podcast, we considered the fact that a very smart western government felt that it was above the laws of physics.Tim CallanRight.Jason SorokoBut you know, it may still take some time for them to find out otherwise. It may be the same case in Russia right now.Tim CallanThat could be what’s happening right now here. You know whenever governments try to be bigger than the internet, it has never worked out, but maybe this one will be different. It’s really going to be interesting.Jason SorokoIt’s something to keep an eye on.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
