Makpal Abrazakova, 25, uses her computer to chat with friends in her home in Aksu-Ayuly in central Kazakhstan, February 23, 2012. REUTERS/Shamil Zhumatov
This August, Google, Apple, and Mozilla moved to have their
web browsers block the Kazakhstan root Certificate Authority (CA) certificate,
one of only a handful of times that tech companies have decided to block a CA
because of the risk it might be enabling surveillance of internet users.
A CA is an entity responsible for issuing digital
certificates that permit websites, devices, and users to assert their online
identity. The use of these digital certificates helps enable secure
communication on the web. If User A wants to connect to Website B, the
certificate issued by a CA allows Website B to make a verifiable claim about
its identity. This claim is used to establish an encrypted tunnel between
User A and Website B, permitting secure communication between
users and websites. This encrypted tunnel is provided by HTTPS, the secure
version of the older Hypertext Transfer Protocol (HTTP).
As nation-states acquire new cyber tools and capabilities,
they will need to decide how they will utilize this new technology and where
along the spectrum between permissive approaches and more aggressive control they
choose to place themselves. If used haphazardly, new technology and
capabilities may compromise the personal privacy of their citizens or the
legitimacy of government, but also could facilitate the achievement of certain political,
economic, or security goals. Statecraft in the cyber domain is ultimately a
balancing act where governments have to balance the opportunities of new technologies
with the risk that these technologies will have negative impacts on domestic politics,
international relations, the rights of their citizens, and more. In this case,
the Kazakh government made a decision to create an explicitly government-controlled
Certificate Authority, enabling the interception of what should have been
secure communication between Kazakhtelecom users and websites.
This decision by Mozilla and the others followed reports
that Kazakhtelecom, Kazakhstan’s largest Internet Service Provider (ISP), required
users to install these government-issued HTTPS certificates. Because a browser
accepts any website certificate that chains to a root CA installed in its trust
store, this meant that Kazakhtelecom
could intercept communication between users and websites, facilitating the
surveillance of users’ activity on social media sites including Facebook,
Twitter, Instagram, Vkontakte, and more. After internet users were forced to
install the fake root CA, HTTPS communication between users and websites was
intercepted on 7 percent of Kazakhstan’s HTTPS servers, concentrated amongst social media
services.
When the technology companies acted, amid outcry from the domestic legal community, the Kazakh government argued that the certificate was being used as part of a program to improve the nation’s cybersecurity. Since then, the Kazakh National Security Committee has backtracked, claiming the program was simply a test and then providing instructions on how to uninstall the certificate.
Why now?
Just this March, Nursultan Nazarbayev, Kazakhstan’s
president for nearly thirty years, resigned and was succeeded by interim
President Kassym-Jomart Tokayev. While Nazarbayev stepped down as president, he
continues to serve as chair of the country’s influential security council and
leader of his political party. Tokayev subsequently won popular elections in
June with roughly 70 percent of the vote, amid allegations of vote rigging and large protests and arrests in multiple cities.
Tokayev inherited a country with a growing youth population and sluggish economy that relies heavily on energy exports. Complicating things further, the ethnic makeup of the country includes a small, but dwindling, Russian minority whose interests Russian President Vladimir Putin has promised to protect. The June election represents the first non-violent transfer of power from one leader to another in independent Kazakhstan, setting a precedent for succession for other aging authoritarian leaders in the region. It also demonstrated how the strategic use of democratic institutions by authoritarian governments and restrictions on opposition activists and independent journalists can undermine truly free and fair elections.
Nazarbayev practiced a softer version of authoritarianism
than other Central Asian leaders, but he allowed little room for critics of
government policies, and things have improved perhaps only slightly under his
successor. So in a country where opposition
newspapers and journalists are often targeted by government, social media
sites play a critical role in providing an outlet for dissident commentary and
in challenging trust in governmental institutions and the legitimacy of political
leaders. Facing the resignation of an aging leader, social tensions, and a
growing youth population, the Kazakh government made a choice to utilize
surveillance technology to monitor communications on the Internet, especially
social media sites. This decision was aimed at preserving authoritarian
stability while the Kazakh government experiences daunting challenges—changes in
leadership for the first time in almost thirty years, the struggle of economic
diversification, and a burgeoning youth population that makes up nearly 40
percent of its total population.
In the digital age, governments have the novel opportunity
to use technology and cyberspace as a tool to achieve political, security,
economic, and social goals—some governments make the choice to leverage
technology to the greatest extent, while others opt to use technology in
smaller, varying degrees, depending on their interests and priorities. In the
mid-2000s, the Kazakh government developed an online presence for government
ministries and even rolled out digital government services. Since then,
internet penetration has increased, and social media sites have become popular
in Kazakhstan to provide an outlet for dissent and mobilize citizens. Adapting
to these developments, the Kazakh government reevaluated the role of technology
in public affairs, leveraging legislation, cyberspace, and technology to track—and
potentially limit—online dissent and criticism of government policies.
The Kazakh case serves as an example of irresponsible cyber
statecraft, when governments use cyberspace and technological tools to achieve specific
political goals, placing the rights of citizens, as well as their political
legitimacy, on the line.
Safa Shahwan is assistant director of the Atlantic Council’s Cyber Statecraft Initiative, within the Scowcroft Center for Strategy.