▶ This paper delves into the possible implications of the evolution in Russian cyberspace on the digital transformation of Central Asia.

▶ It scrutinizes how the state-centric model of cybersecurity adopted by Russia may shape the cybersecurity strategies of Central Asian nations, given that they shared a common digital space.

▶ The decisions made and measures implemented will not only shape the digital futures of these individual nations, but also establish a precedent for the collective cybersecurity posture of the region. The implications extend beyond Central Asia, potentially impacting broader global cybersecurity norms and practices.

Russia’s Cybersecurity Concept

This paper delves into the possible implications of the evolution in Russian cyberspace on the digital transformation of Central Asia. It scrutinizes how the state-centric model of cybersecurity adopted by Russia may shape the cybersecurity strategies of Central Asian nations, given that they shared a common digital space.

In 2016, the Russian government introduced the so-called “Yarovaya Law,” which obliged internet operators to provide state authorities, such as the Federal Security Service, access to user information, text messages, and other forms of electronic communications. Subsequently, in 2017, Russia adopted the Law on Security of Information Infrastructure aimed at ensuring the safety and stability of the information infrastructure against potential cyberattacks. This law mandates that critical infrastructure entities primarily use domestic software and hardware by 2025. In 2019, Russia further tightened its grip on cyberspace by introducing the “sovereign internet” laws. These laws established a National Domain Name System (NSDI) to replace the functions of the global DNS. They also required internet service providers (ISPs) to install filter technology that enables authorities to bypass providers, block banned content, and reroute internet traffic.

The Russian government has implemented these measures, which are firmly rooted in their interpretation of cybersecurity, as demonstrated in their recent proposal to the UN Open-Ended Working Group on Security of and in the Use of Information and Communications Technologies (OEWG) in March 2023. In this proposal, Russia suggests establishing a UN Convention on Ensuring International Information Security, identifying the main cyber threats as foreign states using online propaganda and cyberattacks to undermine state sovereignty, interfere in the internal affairs of other countries, and disrupt their socio-economic stability. This position implies that, in the name of stability and security, some internet freedoms and personal data protection might be curtailed. Consequently, Russia's approach to cybersecurity suggests that national cyberspace should be viewed similarly to physical national territory.

Recent trends point towards increasing state control over the Russian internet space, a development that scholars argue is designed to boost online surveillance within Russia and potentially isolate its cyberspace from the global internet to ultimately consolidate state control. Such measures may also have broader implications, affecting regions beyond Russia's national borders, such as Central Asia.

Russia’s Influence in Central Asian Cyberspace

"RuNet" refers to the Russian-speaking segment of the internet. It encompasses not only websites and services hosted in Russia but also Russian language internet content and communities worldwide, particularly in former Soviet regions. RuNet has a notable presence on the global internet. W3Techs (2023) reports that Russian (4.9%) is the third most frequently used language on the Internet in terms of website numbers, following English (55%) and Spanish (5.0%). The influence of RuNet extends beyond Russia's borders, especially into former Soviet territories like Central Asia. Countries such as Kazakhstan, Kyrgyzstan, Tajikistan, Turkmenistan, and Uzbekistan still have a significant Russian-speaking demographic, albeit gradually declining. This linguistic connection contributes to high traffic from these nations on Russian websites, platforms, and services. Many Central Asian internet users rely on Russian platforms and news sources for information. Websites from Russia, especially those serving a Russian-speaking audience, frequently rank among the top visited in several Central Asian countries. For example, the Russian search engine Yandex.ru consistently ranks among the most popular search engines used in all five Central Asian countries. Russian social media platforms like VKontakte (VK), Odnoklassniki, and mail.ru are also prevalent in Central Asia. Moreover, the region’s digital economies depend heavily on Russian online commerce platforms and payment systems, demonstrating a deep commercial integration with RuNet.

However, the influence of RuNet in Central Asia also raises concerns. Russia’s dominant position in the region’s digital landscape can serve as a tool for soft power influence. Moreover, if Russia adopts isolationist digital policies, it could have implications for Central Asian nations, particularly if they are reliant on Russian internet infrastructure. In addition, as the Central Asian countries continue their digital transformation, Russia’s cybersecurity policies and practices could influence their national cybersecurity strategies. Indeed, Central Asian countries implemented similar cybersecurity laws. For example, Both Kazakhstan have been bolstering its cybersecurity landscapes, with several laws mirroring those in Russia. In Kazakhstan, laws require internet service providers to store user data within the country and potentially allow national security agencies access. This echoes Russia's “Yarovaya Law” which requires similar data storage and provision of encryption keys to authorities. Additionally, both countries have made efforts to control content and block platforms that are deemed a threat or non-compliant with national regulations.

Uzbekistan, similarly, has shown interest in data localization, comparable to Russia's law requiring the storage of Russian citizens’ data on domestic servers. Uzbekistan’s regulation of online content aligns with Russia’s strict online content laws, targeting material considered extremist or challenging to state stability. Furthermore, disputes with messaging services, such as Telegram, over security concerns have surfaced in both Uzbekistan and Russia, emphasizing a regional trend towards tightening controls on encrypted communication platforms. In essence, Kazakhstan's and Uzbekistan's evolving cybersecurity frameworks highlight a broader Central Asian trend of emphasizing national security, data sovereignty, and online regulation.

Central Asian states also collaborate with Russia on building a regional and global cybersecurity regime. The Collective Security Treaty Organization (CSTO) adopted the new collective security strategy in 2016 and the Agreement on Cooperation in Provision of Information Security in 2017. Both documents identify cybersecurity threats as the use of information technology to create a destructive impact on social and economic stability and manipulate public sentiment as the primary cybersecurity challenges (CSTO Strategy, 2016). The Shanghai Cooperation Organization (China, India, Kazakhstan, Kyrgyzstan, Russia, Pakistan, Tajikistan and Uzbekistan) has also adopted cybersecurity cooperation strategies and conventions as early as 2009. In 2011, China, Russia, Tajikistan, and Uzbekistan jointly proposed the establishment of an international code of conduct for cybersecurity to the UN General Assembly, which called for the recognition of the “rights and responsibilities of states in information space” (United Nations General Assembly, 2011). This proposal led to the establishment of the UN OEWG.

Conclusion

Russia’s state-centric approach to cybersecurity may herald the emergence of a unique geopolitical cyberspace model. This model encapsulates elements of strong state control, heightened surveillance, data localization, and the potential for internet isolation. Russia's cybersecurity measures serve not only as a protective mechanism against foreign cyber threats, but also as a tool for internal control and possible soft power influence over Central Asia, a region with similar linguistic and cultural legacies. However, Central Asia's journey towards digital transformation is replete with complexities. These nations are confronted with the daunting task of striking a balance between bolstering national security and preserving personal data and internet freedoms. The decisions made and measures implemented will not only shape the digital futures of these individual nations, but also establish a precedent for the collective cybersecurity posture of the region. The implications extend beyond Central Asia, potentially impacting broader global cybersecurity norms and practices.