The increasing penetration of information communication technologies (ICTs) into every aspect of our lives has resulted in both opportunities and challenges. Today, we are witnessing ever-increasing economic growth and conveniences. Still, the opportunities presented come with challenges as well. The global cybersecurity industry has been growing exponentially over the last decade, as more and more private and public entities pay for the protection of their ICTs and, in case of failure, purchase cyber insurance to minimize risks.
States find themselves in an increasingly interconnected world with a diverse threat spectrum. The power and danger of cyberspace is the relationship that information has with the world around it. Computers monitor the emergency systems of Metsamor Nuclear Power Plant, the industrial control systems of gas and water pipelines, among others, and ensure the safe and efficient functioning of most of the infrastructure today. The extent of cyber’s effect cannot be overstated: from its consideration as a new domain of military operations to the recent United States Nuclear Strategy, where cyberattacks on U.S. infrastructure could trigger nuclear retaliation. The cyber domain has succinctly embedded itself as a foundation of the national security pillars (political, social, military, environmental security) of states.
For the purposes of this article, a demarcation between information security and cybersecurity is needed. There are no universally accepted definitions of either cybersecurity or information security. The international organizations concerned with the standardization and governance of ICTs have somewhat similar definitions. The International Standardization Organization (ISO) defines information security as “preservation of confidentiality, integrity and availability of information” and cybersecurity as “preservation of confidentiality, integrity and availability of information in the Cyberspace.” Meanwhile, the International Telecommunications Union (ITU) does not provide a definition of information security, but rather defines cybersecurity in a lengthy and perhaps all-encompassing way: “The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user's assets.”
Based on the above, we can state that information security and cybersecurity can be, and most times are, used interchangeably for the activities and processes aimed at preserving the three pillars (confidentiality, integrity, availability) of information. A commonly accepted demarcation between the two among practitioners and scholars is that information security concerns both the physical and electronic domains, while cybersecurity concerns only the electronic. Still, this is a rather faulty simplification, as, for example, the U.S. Department of Defense Joint Terminology for Cyberspace operations defines cybersecurity “as all organizational actions required to protect information in all forms …(electronic and physical).”
Most of the Western world prefers the use of the term ‘cybersecurity’ for a number of reasons. First and foremost, ICTs have penetrated every aspect of the physical domain and continue to do so. Now, most of our activities and processes have become “cyber-ated” and they are either carried out through the use of ICTs or are ICTs themselves. Hence, from the perspective of Western policymakers the use of information security, both physical and electronic, in national security discourse is becoming to a certain degree redundant. The etymology of ‘cyber’ shows it is derived from the word cybernetics, first used around the 1940s, while ‘information’ has been in use since the dawn of history. It is rather convenient to denote a new term ‘cyber’ for a new man-made domain (i.e. cyberspace), rather than to mix and cause confusion with information and the domains it includes.
Still, this perplexity is present to this day, and one needs to examine the strategic documents of states (strategies, doctrines, concepts) to understand how they define and envision the governance and protection of this man-made domain, cyberspace. Countries started to recognize cybersecurity as a national security matter in the early 2000s. The United States was the first country to adopt a ‘cybersecurity strategy’ when it published the National Strategy to Secure Cyberspace in 2003. Soon after, Germany followed with the adoption of the “National Plan for Information Infrastructure Protection” in 2005. In contrast, Russia adopted its “Information Security Doctrine” in 2000 and revised it in 2016. These strategic documents are mainly aimed at defining a governance framework and appropriate mechanisms for cybersecurity, outlining and defining necessary policy and regulatory measures, setting the goals and means to develop national cyber capabilities, identifying critical information infrastructures, defining a systematic and integrated approach to national risk management, and setting the goals for awareness-raising campaigns and international cooperation clauses.
A cross-examination of Russia’s and Western countries’ strategies reveals the differences in state approaches to ICTs and their effect on societies. While the national strategies of European countries and the U.S. opt to embrace the above-mentioned definitions by the ITU and ISO, the Russian Federation’s 2000 and 2016 Information Security Doctrines have adopted a more far-reaching and all-inclusive definition. In the 2016 doctrine, the definition of information security reads:
“The information security of the Russian Federation (hereinafter referred to as the "information security") is the state of protection of the individual, society and the State against internal and external information threats, allowing to ensure the constitutional human and civil rights and freedoms, the decent quality and standard of living for citizens, the sovereignty, the territorial integrity and sustainable socio-economic development of the Russian Federation, as well as defence and security of the State.”
This all-encompassing perception of information security not only includes commonly accepted threats arising from the use of ICTs (malware, DDoS attacks, etc.) and the physical information domain (confidential government hard-copy documents), but more importantly, it includes and presumably assumes the state’s role in spreading or fighting against propaganda. Furthermore, this perception of information security was presented to the UN General Assembly by Russia, China, Tajikistan and Uzbekistan in 2011, but was largely opposed by the rest of the world. One of the main disagreements was the inclusion of the notions of sovereignty and territorial integrity, which was seen by other countries as a way to legitimize censorship and state control over the Internet. This is the crux of the disagreement between the West and Russia.
Information wars, including but not limited to censorship, misinformation/disinformation and social media bots, are certainly not a new phenomenon, but rather are gaining traction as more and more people are getting online. Recent revelations around the U.S. presidential elections are a case in point; they have evoked a global conversation around fake news, political trolling, social media bots, and the consequent weaponization of information. Russia Today, the main arm of Russia’s propaganda efforts (RT’s parent company is TV-Novosti, which is registered as a state-owned noncommercial organization within the Russian Ministry of Defense), established in 2005, had a startup cost of about $30 million. As of late 2016, the budget has grown tenfold, reaching around $307 million. The chief editor of RT, Margarita Simonyan, in a 2012 interview with Kommersant explained and laid down the vision and necessity of RT. In her own words, RT is needed “for about the same reason as why the country needs a Defense Ministry.” RT is capable of “conducting an information war against the whole Western world.” This feeling is also echoed in Russia’s military thinking. In 2013, General Valery Gerasimov—Russia’s chief of the General Staff—published a 2000-word article, “The Value of Science is in the Foresight,” (later known as the Gerasimov doctrine) in the weekly Russian paper Military-Industrial Kurier. The Gerasimov Doctrine declares that non-military tactics (information weapons) are not supplementary to the use of force but rather the preferred way to win: they are, in fact, the actual war. Gerasimov also specifies that the objective is to achieve an environment of permanent unrest and conflict within an enemy state.
The recent controversy around the U.S. presidential election, in which four U.S. intelligence agencies (the CIA, NSA, FBI, Office of the Director of National Intelligence) concluded with “high confidence” that Russia had tried to interfere with the elections, sparked controversy among decision makers and left the U.S. bewildered, to a certain degree. How do you respond to a national security threat which is neither addressed nor identified in national security or national cybersecurity strategies? Rand Waltzman, a senior information specialist at Rand Corporation, offered the concept of cognitive security for fighting information wars in his testimony presented before the Senate Armed Services Committee, Subcommittee on Cybersecurity in April 2017. And as recently as February 2, the U.S. State Department announced that the two offices, the Office of the Cybersecurity Coordinator and the Bureau of Economic Affairs’ Office of International Communications and Information Policy, would be unified in the proposed Bureau for Cyberspace and the Digital Economy. NATO and the EU for their part have established two strategic initiatives aimed at ‘information wars’: the NATO Strategic Communications Centre of Excellence in 2014 and the European External Action Service East Stratcom Task Force in 2015.
So why this lengthy deliberation on cybersecurity strategies, policies and terms? Well, it is the only domain of war with no national boundaries, and a threat emerging on one continent can spread, and usually does spread, throughout the whole world. In recent years, Armenia has seen an unprecedented rise in the ICT sector: more and more people are connected to the Internet, and 4G network coverage is a commonplace phenomenon. Aaron Brantly in his latest piece argues that a state’s cyberpower is reciprocal to national digital vulnerability (cyberpower = cyber force multiplied by capabilities divided over national digital dependence vulnerabilities). The more a state becomes connected, the more vulnerabilities it acquires. According to the 2017 ITU Cybersecurity Index, Armenia was ranked 111th. This relatively low ranking does not confirm or establish that Armenia’s cyberspace is not secure, but rather suggests that a whole-of-government approach is missing.
Armenia is Russia’s strategic partner, is a member of the Collective Security Treaty Organization (CSTO) and the Eurasian Economic Union (EEU), and has obligations in this regard; it is therefore no surprise that Armenia chose to adopt ‘Russian’ approaches. The process of national governance of the information security/cybersecurity sphere in Armenia began in 2009 with the adoption of the “Information Security Concept” (hereafter: Concept), a rather lengthy document with no clear assignment of duties and responsibilities. More importantly, it was a copy-paste of Russia’s 2000 “Information Security Doctrine” with minor additions regarding the Armenian Church, the Diaspora and the preservation of Armenian culture and heritage. The definition of information security in the Concept is similar to the Russian one, including both physical and electronic domains, as well as statutes related to the content of information. Almost a decade has passed since the adoption of the Concept, and recorded national efforts are marginal. In 2009, the Government of Armenia assigned the State Security Service the lead role in cybersecurity. Separate units were established within the RA Police for combating cybercrime.
Still, from 2009 till today, the government has adopted no strategic document outlining the governance framework, roles, responsibilities, critical information infrastructure protection, etc. The National Defense Research University of Armenia was one of the initiators: in early 2014 it began the elaboration of a “National Cybersecurity Strategy” in close cooperation with the U.S. National Defense University and Harvard University, and the final version was published in 2017. Simultaneously, in the fall of 2017, Armenia's National Security Council adopted the “Information Security and Information Policy Concept,” whose provisions envision the development of a national strategy (including specified roles, responsibilities, etc.). Certainly a good step forward, but a little bit slow in this day and age.
What is certain is that the outlook of Armenia’s political leadership on cyberspace is similar to that of other CSTO countries: encompassing the whole information sphere, including the content of information. This is not an inherently bad position, nor does it presume censorship or state control over the Internet. According to Freedom House’s “Freedom on the Net 2017” report, Armenia is considered a ‘partially free’ country with a score of 32, while neighboring Azerbaijan has a score of 58 (0-100 interval, 0-best score). No telecommunications company is owned by the state, and there is no Internet censorship or control over the content of information. One is free to view, comment on and share information of his/her choice. Furthermore, given the military situation with Azerbaijan and its state propaganda machine, this approach to information security is a rather reasonable one. Much has been reported on the Information War between Armenia and Azerbaijan (see Armenia, Azerbaijan and the War on Information), and classical ‘Western’ approaches to cybersecurity do not cope with information threats like these, and maybe recent developments even suggest that the ‘Russian’ holistic view of the information sphere was right from the beginning.
The Way Forward
Recent advancements, including the creation of the Digital Armenia Foundation and the consequent elaboration of the “Digital Armenia Strategy” including a chapter on cybersecurity, are positive developments in this field. Furthermore, the adoption of the “Information Security and Information Policy Strategy” of 2017 can be a good signal to the outside world, showing Armenia’s willingness and commitment to pursuing a whole-of-government approach to cybersecurity (the technical part of information security), which will certainly boost Armenia’s ranking in the ITU’s cybersecurity index. As for the content part of information security, no country publicly declares or publishes its policy (i.e. Russia in regard to Russia Today or Sputnik News) and it is unreasonable to expect one from Armenia. Rather, a careful and targeted use of information will serve as one of the main components of developing Armenia’s soft power.