Placeholder canvas

The FSB: A Formidable Player in Russia’s Information Security Domain

Publication: Eurasia Daily Monitor Volume: 15 Issue: 46

FSB Chief Bortnikov (Source: Sputnik)

The long-running legal conflict between the Federal Security Service (FSB) and Telegram Messenger Limited, a cloud-based instant messaging service created by Pavel Durov, finally seemed to come to an end on March 20. That day, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) demanded that Telegram provide the FSB with fully de-coded information pertaining to private correspondence of the messenger’s clients (Rosbalt, March 20). Specifically, all information (including all the codes and specific instructions) pertaining to incoming, outgoing and/or processed electronic messages must be handed over to the FSB within 30 days. If Telegram fails to comply by this deadline, Russian Internet service providers (ISP) will be charged with blocking online access to the instant messenger. This decision followed provisions engrained in Article 10.1 of the Federal Law “On Information, Information Technologies and Protection of Information,” adopted in 2006 (Consultant.ru, July 27, 2006).

In fact, the outbreak of the open conflict between the FSB and Telegram started in October 2017, when a justice of the peace (mirovoj sud) in Moscow found Telegram Messenger LLP guilty of refusing to comply with the FSB’s demand that the company hand over the required information to the security services. Telegram appealed the ruling but was beaten again, when the Supreme Court of the Russian Federation sided with the FSB (Rosbalt, March 20, 2018). The Russian media sees the recent decision by Roskomnadzor as the final defeat of Telegram. The Russian tech company’s leadership, however, appears to believe that it can find justice by appealing to international institutions.

On March 22, representatives of Telegram submitted a complaint to the European Court of Human Rights (ECHR), arguing that the FSB violated the company’s rights to freely disseminate information without interference from the authorities. The complaint further alleges that the FSB failed to balance the state’s responsibility to uphold public safety with the need to protect individuals’ right to privacy. According to Vedomosti, the case could affect 100 million people around the world who use Telegram (Vedomosti, March 21).

On the surface, the idea to appeal to the ECHR has an important precedent: in 2015, the international court ruled (in Zakharov v. Russia) that the Russian legal system is incapable of granting full protection to Russian citizens from unauthorized surveillance by the government. In theory, this three-year-old decision should have forced Russia to transform or at least alter the country’s existing legislation pertaining to the System for Operative Investigative Activities (SORM)—the technical specification for lawful interception of telecommunications and telephone networks operating in Russia. But Moscow never acted on the ECHR ruling. Rather, since then, the Russian side adopted a range of even more repressive measures (the Yarovaya Package being perhaps the most notorious such case—see EDM, February 9, 2017). According to Kirill Koroteev, of the non-governmental rights organization Memorial, Telegram might use a similar set of arguments as in 2015 to build its case before the ECHR. But the chances that the court’s decision will subsequently be implemented by the Russian government are rather dubious (Vedomosti, March 21, 2018).

Meanwhile, Russia’s Minister of Communications and Mass Media Nikolay Nikiforov has stated that Telegram must comply with the decision of the Supreme Court and provide the FSB with all the required data (RIA Novosti, March 20). A much sharper declaration came from the Federal Security Service itself: “the private exchange of information between Russian citizens via the use of various messengers is not something that requires the FSB to seek a court’s approval in order to gain access to it” (News.ru, March 20). This is a telling assertion, especially in light of the ongoing legal changes to Russia’s information security regime and the role of the FSB therein.

On December 22, 2017, President Vladimir Putin signed a pivotal decree that de jure transformed the FSB into one of the main custodians of Russian cyber security. The document obliges the FSB to assume vast responsibilities to protect Russia’s Critical Information Infrastructure (CII) against potential cyberattacks. Namely, the FSB becomes responsible for “securing the functioning of the state system of detection, pre-emption and liquidation of consequences of computer attacks on Russian CII—information systems, information telecommunication networks located on the territory of the Russian Federation, in diplomatic missions and consulates of the Russian Federation abroad” (Pravo.gov.ru, December 22, 2017).

The Kremlin has justified the December 2017 decree by pointing to the acute necessity to protect Russia’s information space from international cyber criminals. According to research (carried out in eight regions of the Russian Federation) conducted by the NAFI Research Center, the overall losses suffered by Russian businesses in 2017 alone, reached a staggering 116 billion rubles ($2 billion) (Rosbalt, December 22, 2017). Yet, this explanation demonstrates merely one side of a broader picture: importantly, Russia has been working to institutionalize the principles outlined in key documents pertaining to its information security strategy. Namely, the Doctrine on Information Security of the Russian Federation (adopted on December 5, 2016)—aside from demonstrating Russian authorities’ changing attitude toward the concept of “information”—establishes the “information vertical,” which is reshaping the framework of the domestic information security architecture. Specifically, the document outlines the division of responsibilities between governmental bodies/agencies responsible for Russian information security (see EDM, December 16, 2016). It appears that the FSB and the Russian Armed Forces are to become the two main players (with shared responsibilities) within the “cyber” component of Russia’s information security regime.

President Putin has repeatedly praised the FSB for its ability to “outmaneuver foreign intelligence services” and its director, Alexander Bortnikov, for managing “to prevent economic crimes that could have resulted in major financial losses” (RT, December 20, 2017). Now, clearly, the FSB is going to formally become a vital player in Russia’s cyberspace.