The World
The increasing penetration of information communication technologies (ICTs) into every aspect of our lives has resulted in both opportunities and challenges. Today, we are witnessing ever-increasing economic growth and conveniences. Still, the opportunities presented come with challenges as well. The global cybersecurity industry has been growing exponentially over the last decade, where more and more private and public entities are paying for the protection of their ICTs and in case of failure, purchasing cyber insurance to minimize risks.
States find themselves in an increasingly interconnected world with a diverse threat spectrum. The power and danger of cyberspace is the relationship that information has with the world around it. Computers monitor the emergency systems of Metsamor Nuclear Power Plant, the industrial control systems of gas and water pipelines, among others, and ensure the safe and efficient functioning of most of the infrastructure today. The extent of cyber’s effect cannot be overstated: from its consideration as a new domain of military operations to the recent United States Nuclear Strategy, where cyberattacks on U.S. infrastructure could trigger nuclear retaliation. The cyber domain has succinctly embedded itself as a foundation of the national security pillars (political, social, military, environmental security) of states.
For the purposes of this article, a demarcation between information security and cybersecurity is needed. There are no universally accepted definitions of either cybersecurity or information security. The international organizations concerned with the standardization and governance of ICTs have somewhat similar definitions. The International Standardization Organization (ISO) defines information security as “preservation of confidentiality, integrity and availability of information” and cybersecurity as “preservation of confidentiality, integrity and availability of information in the Cyberspace.” Meanwhile, the International Telecommunications Union (ITU) does not provide a definition of information security, but rather defines cybersecurity in a lengthy and perhaps all-encompassing way: “The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets.”
Based on the above, we can state that information security and cybersecurity can be and most times are used interchangeably concerning the activities and processes aimed at the preservation of three pillars (confidentiality, integrity, availability) of information. A commonly accepted demarcation among practitioners and scholars between the two is that information security concerns both physical and electronic domains, while cybersecurity only electronic. Still, it is rather a faulty simplification, as for example, the U.S. Department of Defense Joint Terminology for Cyberspace operations defines cybersecurity “as all organizational actions required to protect information in all forms …(electronic and physical).”
“The information security of the Russian Federation (hereinafter referred to as the “information security”) is the state of protection of the individual, society and the State against internal and external information threats, allowing to ensure the constitutional human and civil rights and freedoms, the decent quality and standard of living for citizens, the sovereignty, the territorial integrity and sustainable socio-economic development of the Russian Federation, as well as defence and security of the State.”
This all-encompassing perception of information security not only includes commonly accepted threats arising from the use of ICTs (malware, DDoS attacks, etc.) and physical information domain as well (confidential government hard copy documents), but more importantly, it includes and presumably assumes the state’s role in spreading or fighting against propaganda. Furthermore, this perception about information security was presented to the UN General Assembly by Russia, China, Tajikistan and Uzbekistan in 2011, but was largely opposed by the rest of the world. One of the main disagreements was the inclusion of the notions of sovereignty and territorial integrity, which was seen by other countries as a way to legitimize censorship and state control over the Internet. This is the crux of the disagreement between the West and Russia.
Information wars, including but not limited to, censorship, misinformation/disinformation, social media bots, is certainly not a new phenomenon, but rather is gaining traction as more and more people are getting online. Recent revelations around the U.S. presidential elections is a case in point, which have evoked a global conversation around fake news, political trolling, social media bots, and the consequent weaponization of information. Russia Today, the main arm of Russia’s propaganda efforts, (RT’s parent company is TV-Novosits, which is registered as a state owned noncommercial organization within the Russian Ministry of Defense) established in 2005 had a startup cost of about $30 million. As of late 2016, the budget has grown tenfold reaching around $307 million. The chief editor of RT, Margarita Simonyan, in a 2012 interview with Kommersant explained and laid down the vision and necessity of RT. In her own words, RT is needed “for about the same reason as why the country needs a Defense Ministry.” RT is capable of “conducting an information war against the whole Western world.” This feeling is also echoed in Russia’s military thinking. In 2013, General Valery Gerasimov—Russia’s chief of the General Staff—published a 2000-word article, “The Value of Science is in the Foresight,” (later known as the Gerasimov doctrine) in the weekly Russian paper Military-Industrial Kurier. The Gerasimov Doctrine declares that non-military tactics (information weapons) are not supplementary to the use of force but rather the preferred way to win: they are, in fact, the actual war. Gerasimov also specifies that the objective is to achieve an environment of permanent unrest and conflict within an enemy state.
Recent controversy around the U.S. presidential election with four U.S. intelligence agencies (the CIA, NSA, FBI, Office of the Director of National Intelligence) that concluded with “high confidence” that Russia had tried to interfere with the elections, sparked controversy among decision makers and left the U.S. bewildered, to a certain degree. How do you respond to a national security threat, which is neither addressed nor identified in national security or national cybersecurity strategies? Rand Waltzman, a senior information specialist at Rand Corporation, offered the concept of cognitive security for fighting information wars in his testimony presented before the Senate Armed Services Committee, Subcommittee on Cybersecurity in April, 2017. And as recently as February 2, the U.S. State Department announced that the two offices, the Office of the Cybersecurity Coordinator and the Bureau of Economic Affairs’ Office of International Communications and Information Policy, would be unified in the proposed Bureau for Cyberspace and the Digital Economy. NATO and the EU for their part have established two strategic initiatives aimed at ‘information wars:’ The NATO Strategic Communications Centre of Excellence in 2014 and the European External Action Service East Stratcom Task Force in 2015.
Armenia
So why this lengthy deliberation on cybersecurity strategies, policies and terms? Well, it is the only domain of war with no national boundaries, and a threat emerging on one continent can and usually spreads throughout the whole world. In recent years, Armenia has seen an unprecedented rise in ICTs sector, more and more people are connected to the Internet, 4G network coverage is a commonplace phenomenon. Aaron Brantly in his latest piece argues, that a state’s cyberpower is reciprocal to national digital vulnerability (cyberpower = cyber force multiplied by capabilities divided over national digital dependence vulnerabilities). The more a state becomes connected, the more vulnerabilities it acquires. According to the 2017 ITU Cybersecurity Index, Armenia was ranked 111th. This relatively low ranking does not confirm or establish that Armenia’s cyberspace is not secure, but rather suggests that whole-of-government approach is missing.
Armenia is Russia’s strategic partner, is a member of the Collective Security Treaty Organization (CSTO) and the Eurasian Economic Union (EEU), and has obligations in this regard, therefore it is no surprise that Armenia chose to adopt ‘Russian’ approaches. The process of national governance of the information security/cybersecurity sphere in Armenia began in 2009 with the adoption of the “Information Security Concept” (hereafter: Concept), a rather lengthy document, with no clear assignment of duties and responsibilities. More importantly, it was a copy paste of Russia’s 2000 “Information Security Doctrine” with minor additions regarding the Armenian Church, the Diaspora and preservation of Armenian culture and heritage. The definition of information security in the Concept is similar to the Russian one including both physical and electronic domains, as well as statutes related to the content of information. Almost a decade has passed since the adoption of the Concept and recorded national efforts are marginal. In 2009, the Government of Armenia assigned the State Security Service with the lead role in cybersecurity. Separate units were established within the RA Police for combating cybercrime.